Assert digest prefix in release verify no-attestation tests

bdehamer · Copilot · bdehamer · commit d9eb0627dcee · 2026-05-15T07:57:58.000-07:00
Address PR review feedback:
- Rename SHA1 tests to make the algorithm explicit
- Assert the sha1:/sha256: prefix appears in the error
- Use a capturing MockClient so we verify the actual digest sent to
  GetByDigest, not just the wrapped error message

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/pkg/cmd/release/verify-asset/verify_asset_test.go b/pkg/cmd/release/verify-asset/verify_asset_test.go
@@ -166,7 +166,7 @@ func Test_verifyAssetRun_SuccessNoTagArg(t *testing.T) {
 	require.NoError(t, err)
 }
 
-func Test_verifyAssetRun_FailedNoAttestations(t *testing.T) {
+func Test_verifyAssetRun_FailedNoAttestations_SHA1(t *testing.T) {
 	ios, _, _, _ := iostreams.Test()
 	tagName := "v1"
 
@@ -180,6 +180,14 @@ func Test_verifyAssetRun_FailedNoAttestations(t *testing.T) {
 
 	releaseAssetPath := test.NormalizeRelativePath("../../attestation/test/data/github_release_artifact.zip")
 
+	var capturedParams api.FetchParams
+	attClient := &api.MockClient{
+		OnGetByDigest: func(params api.FetchParams) ([]*api.Attestation, error) {
+			capturedParams = params
+			return api.OnGetByDigestFailure(params)
+		},
+	}
+
 	cfg := &VerifyAssetConfig{
 		Opts: &VerifyAssetOptions{
 			AssetFilePath: releaseAssetPath,
@@ -189,12 +197,14 @@ func Test_verifyAssetRun_FailedNoAttestations(t *testing.T) {
 		},
 		IO:          ios,
 		HttpClient:  &http.Client{Transport: fakeHTTP},
-		AttClient:   api.NewFailTestClient(),
+		AttClient:   attClient,
 		AttVerifier: nil,
 	}
 
 	err = verifyAssetRun(cfg)
 	require.ErrorContains(t, err, "no attestations found for tag v1")
+	require.ErrorContains(t, err, "sha1:"+fakeSHA)
+	require.Equal(t, "sha1:"+fakeSHA, capturedParams.Digest)
 }
 
 func Test_verifyAssetRun_FailedNoAttestations_SHA256(t *testing.T) {
@@ -211,6 +221,14 @@ func Test_verifyAssetRun_FailedNoAttestations_SHA256(t *testing.T) {
 
 	releaseAssetPath := test.NormalizeRelativePath("../../attestation/test/data/github_release_artifact.zip")
 
+	var capturedParams api.FetchParams
+	attClient := &api.MockClient{
+		OnGetByDigest: func(params api.FetchParams) ([]*api.Attestation, error) {
+			capturedParams = params
+			return api.OnGetByDigestFailure(params)
+		},
+	}
+
 	cfg := &VerifyAssetConfig{
 		Opts: &VerifyAssetOptions{
 			AssetFilePath: releaseAssetPath,
@@ -220,13 +238,14 @@ func Test_verifyAssetRun_FailedNoAttestations_SHA256(t *testing.T) {
 		},
 		IO:          ios,
 		HttpClient:  &http.Client{Transport: fakeHTTP},
-		AttClient:   api.NewFailTestClient(),
+		AttClient:   attClient,
 		AttVerifier: nil,
 	}
 
 	err = verifyAssetRun(cfg)
 	require.ErrorContains(t, err, "no attestations found for tag v1")
 	require.ErrorContains(t, err, "sha256:"+fakeSHA)
+	require.Equal(t, "sha256:"+fakeSHA, capturedParams.Digest)
 }
 
 func Test_verifyAssetRun_FailedTagNotInAttestation(t *testing.T) {
diff --git a/pkg/cmd/release/verify/verify_test.go b/pkg/cmd/release/verify/verify_test.go
@@ -103,7 +103,7 @@ func Test_verifyRun_Success(t *testing.T) {
 	require.NoError(t, err)
 }
 
-func Test_verifyRun_FailedNoAttestations(t *testing.T) {
+func Test_verifyRun_FailedNoAttestations_SHA1(t *testing.T) {
 	ios, _, _, _ := iostreams.Test()
 	tagName := "v1"
 
@@ -115,6 +115,14 @@ func Test_verifyRun_FailedNoAttestations(t *testing.T) {
 	baseRepo, err := ghrepo.FromFullName("owner/repo")
 	require.NoError(t, err)
 
+	var capturedParams api.FetchParams
+	attClient := &api.MockClient{
+		OnGetByDigest: func(params api.FetchParams) ([]*api.Attestation, error) {
+			capturedParams = params
+			return api.OnGetByDigestFailure(params)
+		},
+	}
+
 	cfg := &VerifyConfig{
 		Opts: &VerifyOptions{
 			TagName:  tagName,
@@ -123,12 +131,14 @@ func Test_verifyRun_FailedNoAttestations(t *testing.T) {
 		},
 		IO:          ios,
 		HttpClient:  &http.Client{Transport: fakeHTTP},
-		AttClient:   api.NewFailTestClient(),
+		AttClient:   attClient,
 		AttVerifier: nil,
 	}
 
 	err = verifyRun(cfg)
 	require.ErrorContains(t, err, "no attestations for tag v1")
+	require.ErrorContains(t, err, "sha1:"+fakeSHA)
+	require.Equal(t, "sha1:"+fakeSHA, capturedParams.Digest)
 }
 
 func Test_verifyRun_FailedNoAttestations_SHA256(t *testing.T) {
@@ -143,6 +153,14 @@ func Test_verifyRun_FailedNoAttestations_SHA256(t *testing.T) {
 	baseRepo, err := ghrepo.FromFullName("owner/repo")
 	require.NoError(t, err)
 
+	var capturedParams api.FetchParams
+	attClient := &api.MockClient{
+		OnGetByDigest: func(params api.FetchParams) ([]*api.Attestation, error) {
+			capturedParams = params
+			return api.OnGetByDigestFailure(params)
+		},
+	}
+
 	cfg := &VerifyConfig{
 		Opts: &VerifyOptions{
 			TagName:  tagName,
@@ -151,13 +169,14 @@ func Test_verifyRun_FailedNoAttestations_SHA256(t *testing.T) {
 		},
 		IO:          ios,
 		HttpClient:  &http.Client{Transport: fakeHTTP},
-		AttClient:   api.NewFailTestClient(),
+		AttClient:   attClient,
 		AttVerifier: nil,
 	}
 
 	err = verifyRun(cfg)
 	require.ErrorContains(t, err, "no attestations for tag v1")
 	require.ErrorContains(t, err, "sha256:"+fakeSHA)
+	require.Equal(t, "sha256:"+fakeSHA, capturedParams.Digest)
 }
 
 func Test_verifyRun_FailedTagNotInAttestation(t *testing.T) {
