import { describe, expect, it } from "vitest"; import { collectDockerAttestationErrors, imageRefForDigest, parsePlatform, } from "../../scripts/verify-docker-attestations.mjs"; const imageDigest = "sha256:1111111111111111111111111111111111111111111111111111111111111111"; const attestationDigest = "sha256:2222222222222222222222222222222222222222222222222222222222222222"; function createIndex() { return { schemaVersion: 2, mediaType: "application/vnd.oci.image.index.v1+json", manifests: [ { mediaType: "application/vnd.oci.image.manifest.v1+json", digest: imageDigest, size: 482, platform: { architecture: "amd64", os: "linux" }, }, { mediaType: "application/vnd.oci.image.manifest.v1+json", digest: attestationDigest, size: 1110, annotations: { "vnd.docker.reference.digest": imageDigest, "vnd.docker.reference.type": "attestation-manifest", }, platform: { architecture: "unknown", os: "unknown" }, }, ], }; } function createAttestation( predicates = ["https://spdx.dev/Document", "https://slsa.dev/provenance/v1"], ) { return { schemaVersion: 2, mediaType: "application/vnd.oci.image.manifest.v1+json", artifactType: "application/vnd.docker.attestation.manifest.v1+json", layers: predicates.map((predicate) => ({ mediaType: "application/vnd.in-toto+json", digest: imageDigest, size: 1, annotations: { "in-toto.io/predicate-type": predicate, }, })), }; } describe("verify-docker-attestations", () => { it("resolves digest refs from tagged image refs", () => { expect(imageRefForDigest("ghcr.io/openclaw/openclaw:2026.4.26", imageDigest)).toBe( `ghcr.io/openclaw/openclaw@${imageDigest}`, ); expect(imageRefForDigest("localhost:5000/openclaw:main", imageDigest)).toBe( `localhost:5000/openclaw@${imageDigest}`, ); }); it("accepts an image index with SBOM and provenance predicates", () => { const errors = collectDockerAttestationErrors({ imageRef: "ghcr.io/openclaw/openclaw:test", index: createIndex(), requiredPlatforms: [parsePlatform("linux/amd64")], inspectAttestation: () => createAttestation(), }); expect(errors).toEqual([]); }); it("accepts attestation manifests with omitted artifactType", () => { const errors = collectDockerAttestationErrors({ imageRef: "ghcr.io/openclaw/openclaw:test", index: createIndex(), requiredPlatforms: [parsePlatform("linux/amd64")], inspectAttestation: () => { const attestation: Record = createAttestation(); delete attestation.artifactType; return attestation; }, }); expect(errors).toEqual([]); }); it("reports unexpected attestation artifact types", () => { const errors = collectDockerAttestationErrors({ imageRef: "ghcr.io/openclaw/openclaw:test", index: createIndex(), requiredPlatforms: [parsePlatform("linux/amd64")], inspectAttestation: () => ({ ...createAttestation(), artifactType: "application/vnd.unknown", }), }); expect(errors).toEqual([ `ghcr.io/openclaw/openclaw:test: linux/amd64 attestation ${attestationDigest} has unexpected artifactType "application/vnd.unknown"`, ]); }); it("reports missing attestation manifests", () => { const index = createIndex(); index.manifests = index.manifests.slice(0, 1); const errors = collectDockerAttestationErrors({ imageRef: "ghcr.io/openclaw/openclaw:test", index, requiredPlatforms: [parsePlatform("linux/amd64")], inspectAttestation: () => createAttestation(), }); expect(errors).toEqual([ "ghcr.io/openclaw/openclaw:test: missing attestation manifest for linux/amd64", ]); }); it("reports missing SBOM or provenance predicates", () => { const errors = collectDockerAttestationErrors({ imageRef: "ghcr.io/openclaw/openclaw:test", index: createIndex(), requiredPlatforms: [parsePlatform("linux/amd64")], inspectAttestation: () => createAttestation(["https://spdx.dev/Document"]), }); expect(errors).toEqual([ "ghcr.io/openclaw/openclaw:test: linux/amd64 missing predicate https://slsa.dev/provenance/v1", ]); }); });