From d5779cfec8026685d81a912c83b626001ea29d6a Mon Sep 17 00:00:00 2001 From: Ramkumar Chinchani <45800463+rchincha@users.noreply.github.com> Date: Fri, 3 Oct 2025 11:51:12 -0700 Subject: [PATCH] ci: move workflow to oci runner (#3426) * ci: move workflow to oci runner Signed-off-by: Ramkumar Chinchani * fix: some changes on top Signed-off-by: Ramkumar Chinchani --------- Signed-off-by: Ramkumar Chinchani --- .github/workflows/ecosystem-tools.yaml | 2 +- Makefile | 1 + test/blackbox/annotations.bats | 27 +++++++++++++------------- test/blackbox/sync.bats | 11 ++++++----- test/blackbox/sync_cloud.bats | 12 ++++++------ 5 files changed, 28 insertions(+), 25 deletions(-) diff --git a/.github/workflows/ecosystem-tools.yaml b/.github/workflows/ecosystem-tools.yaml index fb8cd2fc..ed70ab4a 100644 --- a/.github/workflows/ecosystem-tools.yaml +++ b/.github/workflows/ecosystem-tools.yaml @@ -14,7 +14,7 @@ permissions: read-all jobs: client-tools: name: Check client tools - runs-on: ubuntu-latest-16-cores + runs-on: oracle-vm-16cpu-64gb-x86-64 steps: - uses: actions/checkout@v4 - uses: actions/setup-go@v6 diff --git a/Makefile b/Makefile index bff3d8a5..4a5a6515 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,5 @@ export GO111MODULE=on +SHELL := /bin/bash TOP_LEVEL=$(shell git rev-parse --show-toplevel) COMMIT_HASH=$(shell git describe --always --tags --long) RELEASE_TAG=$(shell git describe --tags --abbrev=0) diff --git a/test/blackbox/annotations.bats b/test/blackbox/annotations.bats index 0cbcf2d5..be9242f0 100644 --- a/test/blackbox/annotations.bats +++ b/test/blackbox/annotations.bats @@ -230,9 +230,9 @@ function teardown_file() { run notation cert generate-test "notation-sign-test" [ "$status" -eq 0 ] - local trust_policy_file=${HOME}/.config/notation/trustpolicy.json + local trust_policy_file=/tmp/trustpolicy.json - cat >${trust_policy_file} <"${trust_policy_file}" { "version": "1.0", "trustPolicies": [ 
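Review bot: The new `runs-on: oracle-vm-16cpu-64gb-x86-64` label in the `client-tools` job does not look like a GitHub-hosted image, so this job presumably now runs on a self-hosted or externally operated runner with different isolation guarantees than `ubuntu-latest-16-cores`. The workflow's triggers are outside the hunk; if it runs for pull requests from forks, confirm the runner is a fresh VM per job so that state written by one run (tool caches, `/tmp`, notation configuration under the runner user's home) cannot carry into the next. Once confirmed, a one-line comment above `runs-on` naming who operates the runner and whether it is ephemeral would record that assumption for later reviewers.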
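Review bot: `local trust_policy_file=/tmp/trustpolicy.json` places the trust policy at a fixed, predictable name in a world-writable directory. On a shared or reused runner another process can pre-create or symlink that path before the `cat >` redirect writes through it, and bats files running in parallel would overwrite each other's policy. This file already reads from a per-run directory (`${BATS_FILE_TMPDIR}/zot.port`), so `local trust_policy_file=${BATS_FILE_TMPDIR}/trustpolicy.json` avoids both problems. The same assignment appears in the second notation test of this file and in the `sync.bats` and `sync_cloud.bats` hunks; the test body starts and ends outside this hunk.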
@@ -250,16 +250,17 @@ function teardown_file() { ] } EOF - - run notation sign --key "notation-sign-test" --insecure-registry localhost:${zot_port}/annotations:latest + run notation policy import --force "${trust_policy_file}" [ "$status" -eq 0 ] - run notation verify --insecure-registry localhost:${zot_port}/annotations:latest + run notation sign --debug --verbose --force-referrers-tag=true --key "notation-sign-test" --insecure-registry localhost:${zot_port}/annotations:latest + [ "$status" -eq 0 ] + run notation verify --debug --verbose --insecure-registry localhost:${zot_port}/annotations:latest [ "$status" -eq 0 ] run notation list --insecure-registry localhost:${zot_port}/annotations:latest [ "$status" -eq 0 ] } -@test "sign/verify with notation( NOTATION_EXPERIMENTAL=1 and --allow-referrers-api )" { +@test "sign/verify with notation using referrers api" { zot_port=`cat ${BATS_FILE_TMPDIR}/zot.port` run curl -X POST -H "Content-Type: application/json" --data '{ "query": "{ ImageList(repo: \"annotations\") { Results { RepoName Tag Manifests {Digest ConfigDigest Size Layers { Size Digest }} Vendor Licenses }}}"}' http://localhost:${zot_port}/v2/_zot/ext/search [ "$status" -eq 0 ] @@ -269,9 +270,9 @@ EOF run notation cert generate-test "notation-sign-test-experimental" [ "$status" -eq 0 ] - local trust_policy_file=${HOME}/.config/notation/trustpolicy.json + local trust_policy_file=/tmp/trustpolicy.json - cat >${trust_policy_file} <"${trust_policy_file}" { "version": "1.0", "trustPolicies": [ 
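Review bot: `run notation policy import --force "${trust_policy_file}"` replaces whatever trust policy is already installed in notation's configuration for the invoking user, and nothing in the visible test restores it afterwards. On a developer machine or a reused runner this silently swaps a real verification policy for the test one, and the two tests in this file leave different policies behind depending on run order. Consider pointing notation's configuration directory at a per-test location (for example under `${BATS_FILE_TMPDIR}`) before the import, or at least add a comment such as `# overwrites the user's notation trust policy; run only in a disposable environment`. The `--force` imports in the later `annotations.bats`, `sync.bats` and `sync_cloud.bats` hunks have the same effect.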
@@ -290,12 +291,12 @@ EOF } EOF - export NOTATION_EXPERIMENTAL=1 - run notation sign --allow-referrers-api --key "notation-sign-test-experimental" --insecure-registry localhost:${zot_port}/annotations:latest + run notation policy import --force "${trust_policy_file}" [ "$status" -eq 0 ] - run notation verify --allow-referrers-api --insecure-registry localhost:${zot_port}/annotations:latest + run notation sign --debug --verbose --force-referrers-tag=false --key "notation-sign-test-experimental" --insecure-registry localhost:${zot_port}/annotations:latest [ "$status" -eq 0 ] - run notation list --allow-referrers-api --insecure-registry localhost:${zot_port}/annotations:latest + run notation verify --debug --verbose --insecure-registry localhost:${zot_port}/annotations:latest + [ "$status" -eq 0 ] + run notation list --insecure-registry localhost:${zot_port}/annotations:latest [ "$status" -eq 0 ] - unset NOTATION_EXPERIMENTAL } diff --git a/test/blackbox/sync.bats b/test/blackbox/sync.bats index 87647aa9..1f773fe6 100644 --- a/test/blackbox/sync.bats +++ b/test/blackbox/sync.bats @@ -286,9 +286,9 @@ function teardown_file() { run notation cert generate-test "notation-sign-sync-test" [ "$status" -eq 0 ] - local trust_policy_file=${HOME}/.config/notation/trustpolicy.json + local trust_policy_file=/tmp/trustpolicy.json - cat >${trust_policy_file} <"${trust_policy_file}" { "version": "1.0", "trustPolicies": [ 
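Review bot: In the "using referrers api" test the only remaining difference from the previous test is `--force-referrers-tag=false` on `notation sign`; the `verify` and `list` calls carry no selecting flag and the assertions check only `$status`. Both tests sign the same reference, `localhost:${zot_port}/annotations:latest`, so if the earlier test's tag-based signature is still attached, a passing `verify` here does not by itself show that the referrers-API path was exercised. A comment on the sign line, e.g. `# --force-referrers-tag=false: store the signature via the OCI referrers API, not the fallback tag`, would document the intent. An assertion on `$output` of `notation list`, or a distinct image tag per test, would make the check meaningful.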
@@ -306,10 +306,11 @@ function teardown_file() { ] } EOF - - run notation sign --key "notation-sign-sync-test" --insecure-registry localhost:${zot_port3}/golang:1.20 + run notation policy import --force "${trust_policy_file}" [ "$status" -eq 0 ] - run notation verify --insecure-registry localhost:${zot_port3}/golang:1.20 + run notation sign --debug --verbose --key "notation-sign-sync-test" --insecure-registry localhost:${zot_port3}/golang:1.20 + [ "$status" -eq 0 ] + run notation verify --debug --verbose --insecure-registry localhost:${zot_port3}/golang:1.20 [ "$status" -eq 0 ] run notation list --insecure-registry localhost:${zot_port3}/golang:1.20 [ "$status" -eq 0 ] diff --git a/test/blackbox/sync_cloud.bats b/test/blackbox/sync_cloud.bats index 622058d4..375aed44 100644 --- a/test/blackbox/sync_cloud.bats +++ b/test/blackbox/sync_cloud.bats @@ -310,12 +310,10 @@ function teardown_file() { @test "sign/verify with notation" { zot_port3=`cat ${BATS_FILE_TMPDIR}/zot.port3` - run notation cert generate-test "notation-sign-sync-test" - [ "$status" -eq 0 ] - local trust_policy_file=${HOME}/.config/notation/trustpolicy.json + local trust_policy_file=/tmp/trustpolicy.json - cat >${trust_policy_file} <"${trust_policy_file}" { "version": "1.0", "trustPolicies": [ @@ -334,9 +332,11 @@ function teardown_file() { } EOF - run notation sign --key "notation-sign-sync-test" --insecure-registry localhost:${zot_port3}/golang:1.20 + run notation policy import --force "${trust_policy_file}" [ "$status" -eq 0 ] - run notation verify --insecure-registry localhost:${zot_port3}/golang:1.20 + run notation sign --debug --verbose --key "notation-sign-sync-test" --insecure-registry localhost:${zot_port3}/golang:1.20 + [ "$status" -eq 0 ] + run notation verify --debug --verbose --insecure-registry localhost:${zot_port3}/golang:1.20 [ "$status" -eq 0 ] run notation list --insecure-registry localhost:${zot_port3}/golang:1.20 [ "$status" -eq 0 ]
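Review bot: In `sync_cloud.bats` the `notation cert generate-test "notation-sign-sync-test"` step and its status check are removed, yet the following hunk still signs with `--key "notation-sign-sync-test"`. The test now depends on that key and certificate already existing in the runner user's notation configuration, presumably left there by `sync.bats`. It would therefore fail when run alone or first, and it passes only because signing material persists between test files. Either keep the generation step (tolerating an already-existing key) or state the dependency in a comment, e.g. `# relies on the key created by the notation test in sync.bats`; the test body continues outside this hunk.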