Refresh TUF root, bridge sigstore-go TUF client, and update deps

[st3penta]

The acceptance test TUF root expired on 2026-05-03, breaking all
scenarios that use Given a initialized tuf root. Regenerate it
with a 10-year expiry (2036-05-05) by patching the scaffolding to
use AddDate(10, 0, 0), so this doesn't recur any time soon.

Also regenerate WireMock recordings for individual TUF targets
(ctfe.pub, rekor.pub, fulcio_v1.crt.pem, tsa_*.crt.pem) that the
old tuf.Initialize path still needs.

Add setupNewTUFClientCache to bridge the old sigstore/sigstore TUF
client cache layout with the sigstore-go layout that cosign v3's
TrustedRoot() expects. Without this, TrustedMaterial is nil when
the bundle verification path runs, because sigstore-go looks for
remote.json and root.json in a different directory structure than
what tuf.Initialize produces.

Bundle in the dependency updates from #3273 (go-jose/go-jose/v4,
ubi-minimal base image, Konflux task refs) so CI can pass on this
branch.

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com">

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR refreshes acceptance test artifacts (TUF metadata, WireMock recordings/mappings, and OCI image blobs/manifests), adds TUF client cache setup in acceptance/tuf/tuf.go, updates test-image generation script, updates Tekton task image digests and base image pins across Dockerfiles, and bumps an indirect Go dependency.

Changes

Acceptance Test Infrastructure Refresh

Layer / File(s)	Summary
TUF Root Metadata acceptance/tuf/root.json	Replaced root metadata: new expiry and a new set of ed25519 keys; roles updated to reference new keyids (thresholds unchanged).
TUF Client Cache Setup / Control Flow acceptance/tuf/tuf.go	initializeRoot now obtains the TUF mirror (Stub(ctx)), calls new setupNewTUFClientCache(cacheDir, mirror) to write remote.json and populate the sigstore-go TUF cache (uses URLToPath), and marks TUF state initialized; imports expanded for JSON, fmt/path/filepath and sigstore-go tuf helper.
Test Image Manifests — Data Shape acceptance/image/testimage/blobs/sha256/*	Multiple OCI blob files removed (old manifests/configs) and multiple new blobs added (new image configs, manifests, DSSE/cosign layers, and provenance), plus some blob updates (digests, timestamps, provenance signatures).
Test Image Index / Wiring acceptance/image/testimage/index.json	Updated three manifest entries: two manifest digests changed, one manifest digest + size updated; index fields otherwise unchanged.
WireMock Recordings — Data acceptance/wiremock/recordings/tuf/__files/*	Deleted several old snapshot/timestamp/trusted_root recording files and added new snapshot/timestamp/trusted_root recordings; updated targets recording hashes and expiry.
WireMock Mappings — Integration acceptance/wiremock/recordings/tuf/mappings/*	Removed several old mapping JSONs for certificate/target endpoints and added or replaced new mappings for refreshed artifacts (new ids, bodyFileNames, headers).
Test Image Generation Script hack/generate-test-signed-images.sh	Inserted a sed patch to modify cloned scaffolding repo code (replace AddDate(0, 6, 0) with AddDate(10, 0, 0)) after checkout of sigstore/scaffolding v0.7.22.

CI Pipeline & Base Image Updates

Layer / File(s)	Summary
Tekton Task Image References .tekton/cli-main-pull-request.yaml, .tekton/cli-main-push.yaml	Updated image digests for ~13 Tekton tasks (init, git-clone-oci-ta, prefetch-dependencies-oci-ta, buildah-remote-oci-ta, source-build-oci-ta, deprecated-image-check, clair-scan, ecosystem-cert-preflight-checks, sast-snyk-check-oci-ta, clamav-scan, sast-unicode-check-oci-ta, apply-tags, push-dockerfile-oci-ta).
Base Container Images Dockerfile, Dockerfile.dist, acceptance/kubernetes/kind/acceptance.Dockerfile	Bumped ubi-minimal base image digests across Dockerfiles (FROM lines updated to newer sha256 pins).
Go Dependency go.mod	Bumped indirect dependency github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4.

sequenceDiagram
participant TestRunner as Test Runner
participant TUFStub as TUF Stub/Mirror
participant TUFClient as sigstore-go TUF client
participant FS as Filesystem

TestRunner->>TUFStub: Stub(ctx) -> mirror URL
TestRunner->>TUFClient: setupNewTUFClientCache(cacheDir, mirror)
TUFClient->>FS: URLToPath(mirror) -> cache path
TUFClient->>FS: write remote.json (mirror URL)
TUFClient->>FS: write embedded root.json into cache path
TestRunner->>TUFClient: initializeRoot continues -> mark initialized

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the three main changes: refreshing the TUF root metadata, bridging sigstore-go TUF client integration, and updating dependencies.
Description check	✅ Passed	The description clearly explains the motivation (expired TUF root), solutions (regenerate with 10-year expiry, add setupNewTUFClientCache, regenerate WireMock recordings), and includes bundled dependency updates.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hack/generate-test-signed-images.sh`:
- Line 94: The sed substitution line "sed -i 's/AddDate(0, 6, 0)/AddDate(10, 0,
0)/' pkg/repo/repo.go" can silently do nothing if the pattern changed; after
that command, add a post-check that verifies the replacement took place (e.g.,
search pkg/repo/repo.go for "AddDate(10, 0, 0)" or verify git diff shows the
change) and if the check fails print a clear error and exit non‑zero so the
script fails fast when the scaffolding patch did not apply.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 6f97982f-bd31-4f41-af1a-52fec184ae91

📥 Commits

Reviewing files that changed from the base of the PR and between b345847 and a86b971.

⛔ Files ignored due to path filters (12)

• acceptance/wiremock/recordings/tuf/__files/body-targets-00734240bff619474f1b52e68b205dd12768017038c34bb6645cbebe8068baec3de03f7c7b350212a9977fc6345ec35157ae838d35e8257b006e655c6bdc7a84.tsa_root.crt.-Vdz8g.pem is excluded by !**/*.pem
• acceptance/wiremock/recordings/tuf/__files/body-targets-150af49f08e52a117ae01f8e30c6a9917c6ee971bd2fb2da60467adb66269c45d0c4d671684e91df7c6dcff2e86a65948386186332b4c385522255d5b2cad1dc.fulcio_v1.crt-8PwWB.pem is excluded by !**/*.pem
• acceptance/wiremock/recordings/tuf/__files/body-targets-2ec3f1d95ef67deff23780067bc379bf472608994d5906b158dc32516cf28d781eaf1e0bb2db23907f5f9a79392ffee9838f6312867ab07e805ed99d15824259.fulcio_v1-crt-pem-b1851.pem is excluded by !**/*.pem
• acceptance/wiremock/recordings/tuf/__files/body-targets-4448f59d42f73d1174a3488ecc328be5bbb2d3c1edb5173556fbaa6cc63c130b3e8de0322a2d8ae998d219a1fdc4e86d93bddc16cb2999e36f4ac4dacb2494ff.tsa_leaf-crt-pem-2208f.pem is excluded by !**/*.pem
• acceptance/wiremock/recordings/tuf/__files/body-targets-47888d9ecb80c130e141d916f00fa70302b13eee560f2a1e9d1f7681ee5d3122a1c5e79e60b939e3e593db2503db942ef2b620d824858fa2b31ec1900ce4a5aa.tsa_intermediate_0-crt-pem-e5d62.pem is excluded by !**/*.pem
• acceptance/wiremock/recordings/tuf/__files/body-targets-490ea150f2c9845c32d1efff5fdb2051f990677a05f1377c920c428ac6fdef8ba60d3ff0efcc3ed10219c6f70c28b31ed5f6f641e8e3413e6dae59810b4b808d.rekor-pub-d1ebe.pem is excluded by !**/*.pem
• acceptance/wiremock/recordings/tuf/__files/body-targets-4e6dbecfadd039adaa1de4cfea94c8cb6f6fea27ff4505a4e950c5498b1c3e49ec4c9824ae1c5268f76c23980aa32b0318c660eb89419984087a121335356268.tsa_leaf.crt.-ptqwu.pem is excluded by !**/*.pem
• acceptance/wiremock/recordings/tuf/__files/body-targets-56649b190b13ca67089399cbee01d93ff5f79716494c27998e6b63178b3cbcf7df663bf0e01949c1b8e7db29b6f6a6133b74291d8755895794eb3c3eff911082.ctfe-pub-72f13.pem is excluded by !**/*.pem
• acceptance/wiremock/recordings/tuf/__files/body-targets-954abc4e4a9769b1d24a43bfb43aae152fae5e521bac47f59ff4e7fd70ba5859f6d3022fb68b18205148c3ad0e7b6d3798a860026b6456275df2c635f3d7ff9f.tsa_intermedi-8C7qr.pem is excluded by !**/*.pem
• acceptance/wiremock/recordings/tuf/__files/body-targets-c36342ad2dbe32e499149cbdf8d4f9ad2162403495f48f1ea89bbcf9138c1123d7ad0570ba87b5b3de50a732ecb4742a080f4ce4574f7e7739a00e1eef546d18.ctfe.pub-QOxpM.pub is excluded by !**/*.pub
• acceptance/wiremock/recordings/tuf/__files/body-targets-ca21dc965dfa3ea59e2358b6cf15ad331cbd626a295e83feeae176d6f8dbba09a29686a13299d07cbdf8ffb5729ddc2ac1cf989daf8e714fe6e9be33f4c4ec7e.rekor.pub-6bXBc.pub is excluded by !**/*.pub
• acceptance/wiremock/recordings/tuf/__files/body-targets-d21d962be7e69338fcca30d4e9f6799264bb80c72e5cc5df993cae7ebe3810fdd9236970f3bf2465972ce2acc1fbda58757b52d31afc0a8b18d2632aa3f4f37e.tsa_root-crt-pem-f8934.pem is excluded by !**/*.pem

📒 Files selected for processing (46)

• acceptance/image/testimage/blobs/sha256/0f983e7f56985ff99fd397e694a60b3f210a549c83545c866f0a663de7e63509
• acceptance/image/testimage/blobs/sha256/15c9186e2af9e35d42fdcad24516c0c60876e44df0aff4c8d5ecf47ca220e6bd
• acceptance/image/testimage/blobs/sha256/21fe579970b0abb42475321107b10d8118703acc42be10a9d7fc94da47cae255
• acceptance/image/testimage/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
• acceptance/image/testimage/blobs/sha256/4e9b664f9636dbd414def49ee60ffedfe0fdce6560cd6d919c49e524ba47fa56
• acceptance/image/testimage/blobs/sha256/697a5cdf2f0c0666708fcdc2fba505ad7a3dd5954500b501b0cf715bf3f4de5c
• acceptance/image/testimage/blobs/sha256/7875acf765e1130b65aa7c1bb4f72a23f6b49e09fe843dd261e4c43356d0f017
• acceptance/image/testimage/blobs/sha256/7ae4a16c8bb7342c480b2ee408906cde134a209c4736bacfc265e4700265e0a2
• acceptance/image/testimage/blobs/sha256/a2e3670559ba47378fc8e6c3e505d45fe50752a57e8703565aac6674f77ab880
• acceptance/image/testimage/blobs/sha256/abb2840b12cdbe114d4a36c9e210e8ac88134145b6eeeeb2421ba04a7e2c4f4a
• acceptance/image/testimage/blobs/sha256/c0e3131ee7d0ad5dce680cc378a03dc099dc96026adff1ce727c6a1e2e4200f1
• acceptance/image/testimage/blobs/sha256/c1780c9bfbdb041d469965ca68613ca7c640c7501aad41e2ebce50c9d117164f
• acceptance/image/testimage/blobs/sha256/c9b87d5a172b91263f3de915b58faf1dfad4318f99f182c02794e4539ec155ae
• acceptance/image/testimage/blobs/sha256/f0832ae8b3560ece9ef09f9b24b671874a3aaed10616260a7408ff56474df179
• acceptance/image/testimage/index.json
• acceptance/tuf/root.json
• acceptance/tuf/tuf.go
• acceptance/wiremock/recordings/tuf/__files/body-1.snapshot.json-4AYzM.json
• acceptance/wiremock/recordings/tuf/__files/body-1.snapshot.json-kXJgf.json
• acceptance/wiremock/recordings/tuf/__files/body-1.targets.json-9m7IM.json
• acceptance/wiremock/recordings/tuf/__files/body-1.targets.json-lRXBI.json
• acceptance/wiremock/recordings/tuf/__files/body-2.root.json-GLzp2.txt
• acceptance/wiremock/recordings/tuf/__files/body-targets-3ef849f6ca683c5263bef43082c65f3ce80d8d3996ffdca65c9ecd5fd7c781ffa0b81a174e89621be821381c007b9dbeed152e43d5ba9066bb4f0a0579a55cab.trusted_root.-HoiSR.json
• acceptance/wiremock/recordings/tuf/__files/body-targets-8afb423704f1291c85104797fc63a075a198ccf38def9875dcd76ea94190ef8f4e85c31e21f1c2a99ba30f6218bbd082ca3fa081d341cfeb7b835970aa8d4550.trusted_root.-BuA3p.json
• acceptance/wiremock/recordings/tuf/__files/body-timestamp.json-B3VOf.json
• acceptance/wiremock/recordings/tuf/__files/body-timestamp.json-DJ6HO.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-1.snapshot.json-kXJgf.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-1.targets.json-9m7IM.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-2.root.json-GLzp2.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-00734240bff619474f1b52e68b205dd12768017038c34bb6645cbebe8068baec3de03f7c7b350212a9977fc6345ec35157ae838d35e8257b006e655c6bdc7a84.tsa_root.crt.-Vdz8g.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-150af49f08e52a117ae01f8e30c6a9917c6ee971bd2fb2da60467adb66269c45d0c4d671684e91df7c6dcff2e86a65948386186332b4c385522255d5b2cad1dc.fulcio_v1.crt-8PwWB.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-2ec3f1d95ef67deff23780067bc379bf472608994d5906b158dc32516cf28d781eaf1e0bb2db23907f5f9a79392ffee9838f6312867ab07e805ed99d15824259.fulcio_v1-crt-pem-b1851.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-3ef849f6ca683c5263bef43082c65f3ce80d8d3996ffdca65c9ecd5fd7c781ffa0b81a174e89621be821381c007b9dbeed152e43d5ba9066bb4f0a0579a55cab.trusted_root.-HoiSR.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-4448f59d42f73d1174a3488ecc328be5bbb2d3c1edb5173556fbaa6cc63c130b3e8de0322a2d8ae998d219a1fdc4e86d93bddc16cb2999e36f4ac4dacb2494ff.tsa_leaf-crt-pem-2208f.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-47888d9ecb80c130e141d916f00fa70302b13eee560f2a1e9d1f7681ee5d3122a1c5e79e60b939e3e593db2503db942ef2b620d824858fa2b31ec1900ce4a5aa.tsa_intermediate_0-crt-pem-e5d62.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-490ea150f2c9845c32d1efff5fdb2051f990677a05f1377c920c428ac6fdef8ba60d3ff0efcc3ed10219c6f70c28b31ed5f6f641e8e3413e6dae59810b4b808d.rekor-pub-d1ebe.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-4e6dbecfadd039adaa1de4cfea94c8cb6f6fea27ff4505a4e950c5498b1c3e49ec4c9824ae1c5268f76c23980aa32b0318c660eb89419984087a121335356268.tsa_leaf.crt.-ptqwu.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-56649b190b13ca67089399cbee01d93ff5f79716494c27998e6b63178b3cbcf7df663bf0e01949c1b8e7db29b6f6a6133b74291d8755895794eb3c3eff911082.ctfe-pub-72f13.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-8afb423704f1291c85104797fc63a075a198ccf38def9875dcd76ea94190ef8f4e85c31e21f1c2a99ba30f6218bbd082ca3fa081d341cfeb7b835970aa8d4550.trusted_root.-BuA3p.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-954abc4e4a9769b1d24a43bfb43aae152fae5e521bac47f59ff4e7fd70ba5859f6d3022fb68b18205148c3ad0e7b6d3798a860026b6456275df2c635f3d7ff9f.tsa_intermedi-8C7qr.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-c36342ad2dbe32e499149cbdf8d4f9ad2162403495f48f1ea89bbcf9138c1123d7ad0570ba87b5b3de50a732ecb4742a080f4ce4574f7e7739a00e1eef546d18.ctfe.pub-QOxpM.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-ca21dc965dfa3ea59e2358b6cf15ad331cbd626a295e83feeae176d6f8dbba09a29686a13299d07cbdf8ffb5729ddc2ac1cf989daf8e714fe6e9be33f4c4ec7e.rekor.pub-6bXBc.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-d21d962be7e69338fcca30d4e9f6799264bb80c72e5cc5df993cae7ebe3810fdd9236970f3bf2465972ce2acc1fbda58757b52d31afc0a8b18d2632aa3f4f37e.tsa_root-crt-pem-f8934.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-timestamp.json-B3VOf.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-timestamp.json-DJ6HO.json
• hack/generate-test-signed-images.sh

💤 Files with no reviewable changes (19)

• acceptance/wiremock/recordings/tuf/__files/body-targets-3ef849f6ca683c5263bef43082c65f3ce80d8d3996ffdca65c9ecd5fd7c781ffa0b81a174e89621be821381c007b9dbeed152e43d5ba9066bb4f0a0579a55cab.trusted_root.-HoiSR.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-c36342ad2dbe32e499149cbdf8d4f9ad2162403495f48f1ea89bbcf9138c1123d7ad0570ba87b5b3de50a732ecb4742a080f4ce4574f7e7739a00e1eef546d18.ctfe.pub-QOxpM.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-00734240bff619474f1b52e68b205dd12768017038c34bb6645cbebe8068baec3de03f7c7b350212a9977fc6345ec35157ae838d35e8257b006e655c6bdc7a84.tsa_root.crt.-Vdz8g.json
• acceptance/wiremock/recordings/tuf/__files/body-1.snapshot.json-4AYzM.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-954abc4e4a9769b1d24a43bfb43aae152fae5e521bac47f59ff4e7fd70ba5859f6d3022fb68b18205148c3ad0e7b6d3798a860026b6456275df2c635f3d7ff9f.tsa_intermedi-8C7qr.json
• acceptance/image/testimage/blobs/sha256/f0832ae8b3560ece9ef09f9b24b671874a3aaed10616260a7408ff56474df179
• acceptance/image/testimage/blobs/sha256/4e9b664f9636dbd414def49ee60ffedfe0fdce6560cd6d919c49e524ba47fa56
• acceptance/image/testimage/blobs/sha256/a2e3670559ba47378fc8e6c3e505d45fe50752a57e8703565aac6674f77ab880
• acceptance/image/testimage/blobs/sha256/c0e3131ee7d0ad5dce680cc378a03dc099dc96026adff1ce727c6a1e2e4200f1
• acceptance/image/testimage/blobs/sha256/7ae4a16c8bb7342c480b2ee408906cde134a209c4736bacfc265e4700265e0a2
• acceptance/wiremock/recordings/tuf/mappings/mapping-timestamp.json-DJ6HO.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-150af49f08e52a117ae01f8e30c6a9917c6ee971bd2fb2da60467adb66269c45d0c4d671684e91df7c6dcff2e86a65948386186332b4c385522255d5b2cad1dc.fulcio_v1.crt-8PwWB.json
• acceptance/wiremock/recordings/tuf/__files/body-1.targets.json-lRXBI.json
• acceptance/wiremock/recordings/tuf/__files/body-timestamp.json-DJ6HO.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-4e6dbecfadd039adaa1de4cfea94c8cb6f6fea27ff4505a4e950c5498b1c3e49ec4c9824ae1c5268f76c23980aa32b0318c660eb89419984087a121335356268.tsa_leaf.crt.-ptqwu.json
• acceptance/image/testimage/blobs/sha256/697a5cdf2f0c0666708fcdc2fba505ad7a3dd5954500b501b0cf715bf3f4de5c
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-ca21dc965dfa3ea59e2358b6cf15ad331cbd626a295e83feeae176d6f8dbba09a29686a13299d07cbdf8ffb5729ddc2ac1cf989daf8e714fe6e9be33f4c4ec7e.rekor.pub-6bXBc.json
• acceptance/image/testimage/blobs/sha256/0f983e7f56985ff99fd397e694a60b3f210a549c83545c866f0a663de7e63509
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-3ef849f6ca683c5263bef43082c65f3ce80d8d3996ffdca65c9ecd5fd7c781ffa0b81a174e89621be821381c007b9dbeed152e43d5ba9066bb4f0a0579a55cab.trusted_root.-HoiSR.json

[coderabbitai]

🧹 Nitpick comments (2)

acceptance/wiremock/recordings/tuf/__files/body-timestamp.json-B3VOf.json (1)

6-6: ⚡ Quick win

Keep the timestamp role short-lived.

Setting timestamp.json to expire in 2036 removes most freshness coverage from these acceptance fixtures. The PR objective only needed a longer-lived root, so leaving timestamp/snapshot/targets short-lived will keep stale-metadata behavior testable.

As per coding guidelines, Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@acceptance/wiremock/recordings/tuf/__files/body-timestamp.json-B3VOf.json` at
line 6, The timestamp role fixture currently sets the "expires" field in the
timestamp.json recording to 2036 which makes it effectively non-fresh; update
the "expires" value in the timestamp fixture (the file containing the "expires"
entry for the timestamp role, e.g., body-timestamp.json-B3VOf.json) to a
short-lived ISO8601 timestamp (e.g., days or weeks from now) so
timestamp/snapshot/targets remain short-lived and keep stale-metadata behavior
testable.

acceptance/tuf/tuf.go (1)

117-132: ⚡ Quick win

Bridge the initialized root, not the embedded bootstrap root.

initializeRoot() first copies the legacy cache from origin, but this helper always seeds the sigstore-go layout from rootJSON. That means the two layouts can drift the next time the fixture root is rotated or tuf.Initialize() accepts a newer root. It would be safer to populate <cache>/<url-path>/root.json from the copied/initialized cache so both clients stay aligned.

As per coding guidelines, Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@acceptance/tuf/tuf.go` around lines 117 - 132, The helper
setupNewTUFClientCache currently always writes the embedded rootJSON into
<cache>/<url-path>/root.json which can overwrite or diverge from the
initialized/copied cache produced by initializeRoot()/tuf.Initialize(); change
setupNewTUFClientCache to prefer the already-initialized root file: after
computing rootDir (sigstoretuf.URLToPath(mirror)), check if
filepath.Join(rootDir, "root.json") already exists and, if so, leave it as-is
(or read and reuse its bytes), otherwise write the embedded rootJSON; this
ensures the initialized root from the copied cache is preserved and both clients
remain aligned while keeping the fallback to rootJSON when no initialized root
is present.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@acceptance/tuf/tuf.go`:
- Around line 117-132: The helper setupNewTUFClientCache currently always writes
the embedded rootJSON into <cache>/<url-path>/root.json which can overwrite or
diverge from the initialized/copied cache produced by
initializeRoot()/tuf.Initialize(); change setupNewTUFClientCache to prefer the
already-initialized root file: after computing rootDir
(sigstoretuf.URLToPath(mirror)), check if filepath.Join(rootDir, "root.json")
already exists and, if so, leave it as-is (or read and reuse its bytes),
otherwise write the embedded rootJSON; this ensures the initialized root from
the copied cache is preserved and both clients remain aligned while keeping the
fallback to rootJSON when no initialized root is present.

In `@acceptance/wiremock/recordings/tuf/__files/body-timestamp.json-B3VOf.json`:
- Line 6: The timestamp role fixture currently sets the "expires" field in the
timestamp.json recording to 2036 which makes it effectively non-fresh; update
the "expires" value in the timestamp fixture (the file containing the "expires"
entry for the timestamp role, e.g., body-timestamp.json-B3VOf.json) to a
short-lived ISO8601 timestamp (e.g., days or weeks from now) so
timestamp/snapshot/targets remain short-lived and keep stale-metadata behavior
testable.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 328323d6-71e4-4cf8-b4b0-60ab90c591d3

📥 Commits

Reviewing files that changed from the base of the PR and between a86b971 and 2773251.

⛔ Files ignored due to path filters (12)

• acceptance/wiremock/recordings/tuf/__files/body-targets-00734240bff619474f1b52e68b205dd12768017038c34bb6645cbebe8068baec3de03f7c7b350212a9977fc6345ec35157ae838d35e8257b006e655c6bdc7a84.tsa_root.crt.-Vdz8g.pem is excluded by !**/*.pem
• acceptance/wiremock/recordings/tuf/__files/body-targets-150af49f08e52a117ae01f8e30c6a9917c6ee971bd2fb2da60467adb66269c45d0c4d671684e91df7c6dcff2e86a65948386186332b4c385522255d5b2cad1dc.fulcio_v1.crt-8PwWB.pem is excluded by !**/*.pem
• acceptance/wiremock/recordings/tuf/__files/body-targets-2ec3f1d95ef67deff23780067bc379bf472608994d5906b158dc32516cf28d781eaf1e0bb2db23907f5f9a79392ffee9838f6312867ab07e805ed99d15824259.fulcio_v1-crt-pem-b1851.pem is excluded by !**/*.pem
• acceptance/wiremock/recordings/tuf/__files/body-targets-4448f59d42f73d1174a3488ecc328be5bbb2d3c1edb5173556fbaa6cc63c130b3e8de0322a2d8ae998d219a1fdc4e86d93bddc16cb2999e36f4ac4dacb2494ff.tsa_leaf-crt-pem-2208f.pem is excluded by !**/*.pem
• acceptance/wiremock/recordings/tuf/__files/body-targets-47888d9ecb80c130e141d916f00fa70302b13eee560f2a1e9d1f7681ee5d3122a1c5e79e60b939e3e593db2503db942ef2b620d824858fa2b31ec1900ce4a5aa.tsa_intermediate_0-crt-pem-e5d62.pem is excluded by !**/*.pem
• acceptance/wiremock/recordings/tuf/__files/body-targets-490ea150f2c9845c32d1efff5fdb2051f990677a05f1377c920c428ac6fdef8ba60d3ff0efcc3ed10219c6f70c28b31ed5f6f641e8e3413e6dae59810b4b808d.rekor-pub-d1ebe.pem is excluded by !**/*.pem
• acceptance/wiremock/recordings/tuf/__files/body-targets-4e6dbecfadd039adaa1de4cfea94c8cb6f6fea27ff4505a4e950c5498b1c3e49ec4c9824ae1c5268f76c23980aa32b0318c660eb89419984087a121335356268.tsa_leaf.crt.-ptqwu.pem is excluded by !**/*.pem
• acceptance/wiremock/recordings/tuf/__files/body-targets-56649b190b13ca67089399cbee01d93ff5f79716494c27998e6b63178b3cbcf7df663bf0e01949c1b8e7db29b6f6a6133b74291d8755895794eb3c3eff911082.ctfe-pub-72f13.pem is excluded by !**/*.pem
• acceptance/wiremock/recordings/tuf/__files/body-targets-954abc4e4a9769b1d24a43bfb43aae152fae5e521bac47f59ff4e7fd70ba5859f6d3022fb68b18205148c3ad0e7b6d3798a860026b6456275df2c635f3d7ff9f.tsa_intermedi-8C7qr.pem is excluded by !**/*.pem
• acceptance/wiremock/recordings/tuf/__files/body-targets-c36342ad2dbe32e499149cbdf8d4f9ad2162403495f48f1ea89bbcf9138c1123d7ad0570ba87b5b3de50a732ecb4742a080f4ce4574f7e7739a00e1eef546d18.ctfe.pub-QOxpM.pub is excluded by !**/*.pub
• acceptance/wiremock/recordings/tuf/__files/body-targets-ca21dc965dfa3ea59e2358b6cf15ad331cbd626a295e83feeae176d6f8dbba09a29686a13299d07cbdf8ffb5729ddc2ac1cf989daf8e714fe6e9be33f4c4ec7e.rekor.pub-6bXBc.pub is excluded by !**/*.pub
• acceptance/wiremock/recordings/tuf/__files/body-targets-d21d962be7e69338fcca30d4e9f6799264bb80c72e5cc5df993cae7ebe3810fdd9236970f3bf2465972ce2acc1fbda58757b52d31afc0a8b18d2632aa3f4f37e.tsa_root-crt-pem-f8934.pem is excluded by !**/*.pem

📒 Files selected for processing (46)

• acceptance/image/testimage/blobs/sha256/0f983e7f56985ff99fd397e694a60b3f210a549c83545c866f0a663de7e63509
• acceptance/image/testimage/blobs/sha256/15c9186e2af9e35d42fdcad24516c0c60876e44df0aff4c8d5ecf47ca220e6bd
• acceptance/image/testimage/blobs/sha256/21fe579970b0abb42475321107b10d8118703acc42be10a9d7fc94da47cae255
• acceptance/image/testimage/blobs/sha256/44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
• acceptance/image/testimage/blobs/sha256/4e9b664f9636dbd414def49ee60ffedfe0fdce6560cd6d919c49e524ba47fa56
• acceptance/image/testimage/blobs/sha256/697a5cdf2f0c0666708fcdc2fba505ad7a3dd5954500b501b0cf715bf3f4de5c
• acceptance/image/testimage/blobs/sha256/7875acf765e1130b65aa7c1bb4f72a23f6b49e09fe843dd261e4c43356d0f017
• acceptance/image/testimage/blobs/sha256/7ae4a16c8bb7342c480b2ee408906cde134a209c4736bacfc265e4700265e0a2
• acceptance/image/testimage/blobs/sha256/a2e3670559ba47378fc8e6c3e505d45fe50752a57e8703565aac6674f77ab880
• acceptance/image/testimage/blobs/sha256/abb2840b12cdbe114d4a36c9e210e8ac88134145b6eeeeb2421ba04a7e2c4f4a
• acceptance/image/testimage/blobs/sha256/c0e3131ee7d0ad5dce680cc378a03dc099dc96026adff1ce727c6a1e2e4200f1
• acceptance/image/testimage/blobs/sha256/c1780c9bfbdb041d469965ca68613ca7c640c7501aad41e2ebce50c9d117164f
• acceptance/image/testimage/blobs/sha256/c9b87d5a172b91263f3de915b58faf1dfad4318f99f182c02794e4539ec155ae
• acceptance/image/testimage/blobs/sha256/f0832ae8b3560ece9ef09f9b24b671874a3aaed10616260a7408ff56474df179
• acceptance/image/testimage/index.json
• acceptance/tuf/root.json
• acceptance/tuf/tuf.go
• acceptance/wiremock/recordings/tuf/__files/body-1.snapshot.json-4AYzM.json
• acceptance/wiremock/recordings/tuf/__files/body-1.snapshot.json-kXJgf.json
• acceptance/wiremock/recordings/tuf/__files/body-1.targets.json-9m7IM.json
• acceptance/wiremock/recordings/tuf/__files/body-1.targets.json-lRXBI.json
• acceptance/wiremock/recordings/tuf/__files/body-2.root.json-GLzp2.txt
• acceptance/wiremock/recordings/tuf/__files/body-targets-3ef849f6ca683c5263bef43082c65f3ce80d8d3996ffdca65c9ecd5fd7c781ffa0b81a174e89621be821381c007b9dbeed152e43d5ba9066bb4f0a0579a55cab.trusted_root.-HoiSR.json
• acceptance/wiremock/recordings/tuf/__files/body-targets-8afb423704f1291c85104797fc63a075a198ccf38def9875dcd76ea94190ef8f4e85c31e21f1c2a99ba30f6218bbd082ca3fa081d341cfeb7b835970aa8d4550.trusted_root.-BuA3p.json
• acceptance/wiremock/recordings/tuf/__files/body-timestamp.json-B3VOf.json
• acceptance/wiremock/recordings/tuf/__files/body-timestamp.json-DJ6HO.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-1.snapshot.json-kXJgf.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-1.targets.json-9m7IM.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-2.root.json-GLzp2.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-00734240bff619474f1b52e68b205dd12768017038c34bb6645cbebe8068baec3de03f7c7b350212a9977fc6345ec35157ae838d35e8257b006e655c6bdc7a84.tsa_root.crt.-Vdz8g.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-150af49f08e52a117ae01f8e30c6a9917c6ee971bd2fb2da60467adb66269c45d0c4d671684e91df7c6dcff2e86a65948386186332b4c385522255d5b2cad1dc.fulcio_v1.crt-8PwWB.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-2ec3f1d95ef67deff23780067bc379bf472608994d5906b158dc32516cf28d781eaf1e0bb2db23907f5f9a79392ffee9838f6312867ab07e805ed99d15824259.fulcio_v1-crt-pem-b1851.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-3ef849f6ca683c5263bef43082c65f3ce80d8d3996ffdca65c9ecd5fd7c781ffa0b81a174e89621be821381c007b9dbeed152e43d5ba9066bb4f0a0579a55cab.trusted_root.-HoiSR.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-4448f59d42f73d1174a3488ecc328be5bbb2d3c1edb5173556fbaa6cc63c130b3e8de0322a2d8ae998d219a1fdc4e86d93bddc16cb2999e36f4ac4dacb2494ff.tsa_leaf-crt-pem-2208f.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-47888d9ecb80c130e141d916f00fa70302b13eee560f2a1e9d1f7681ee5d3122a1c5e79e60b939e3e593db2503db942ef2b620d824858fa2b31ec1900ce4a5aa.tsa_intermediate_0-crt-pem-e5d62.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-490ea150f2c9845c32d1efff5fdb2051f990677a05f1377c920c428ac6fdef8ba60d3ff0efcc3ed10219c6f70c28b31ed5f6f641e8e3413e6dae59810b4b808d.rekor-pub-d1ebe.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-4e6dbecfadd039adaa1de4cfea94c8cb6f6fea27ff4505a4e950c5498b1c3e49ec4c9824ae1c5268f76c23980aa32b0318c660eb89419984087a121335356268.tsa_leaf.crt.-ptqwu.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-56649b190b13ca67089399cbee01d93ff5f79716494c27998e6b63178b3cbcf7df663bf0e01949c1b8e7db29b6f6a6133b74291d8755895794eb3c3eff911082.ctfe-pub-72f13.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-8afb423704f1291c85104797fc63a075a198ccf38def9875dcd76ea94190ef8f4e85c31e21f1c2a99ba30f6218bbd082ca3fa081d341cfeb7b835970aa8d4550.trusted_root.-BuA3p.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-954abc4e4a9769b1d24a43bfb43aae152fae5e521bac47f59ff4e7fd70ba5859f6d3022fb68b18205148c3ad0e7b6d3798a860026b6456275df2c635f3d7ff9f.tsa_intermedi-8C7qr.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-c36342ad2dbe32e499149cbdf8d4f9ad2162403495f48f1ea89bbcf9138c1123d7ad0570ba87b5b3de50a732ecb4742a080f4ce4574f7e7739a00e1eef546d18.ctfe.pub-QOxpM.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-ca21dc965dfa3ea59e2358b6cf15ad331cbd626a295e83feeae176d6f8dbba09a29686a13299d07cbdf8ffb5729ddc2ac1cf989daf8e714fe6e9be33f4c4ec7e.rekor.pub-6bXBc.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-d21d962be7e69338fcca30d4e9f6799264bb80c72e5cc5df993cae7ebe3810fdd9236970f3bf2465972ce2acc1fbda58757b52d31afc0a8b18d2632aa3f4f37e.tsa_root-crt-pem-f8934.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-timestamp.json-B3VOf.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-timestamp.json-DJ6HO.json
• hack/generate-test-signed-images.sh

💤 Files with no reviewable changes (19)

• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-00734240bff619474f1b52e68b205dd12768017038c34bb6645cbebe8068baec3de03f7c7b350212a9977fc6345ec35157ae838d35e8257b006e655c6bdc7a84.tsa_root.crt.-Vdz8g.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-ca21dc965dfa3ea59e2358b6cf15ad331cbd626a295e83feeae176d6f8dbba09a29686a13299d07cbdf8ffb5729ddc2ac1cf989daf8e714fe6e9be33f4c4ec7e.rekor.pub-6bXBc.json
• acceptance/wiremock/recordings/tuf/__files/body-1.snapshot.json-4AYzM.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-timestamp.json-DJ6HO.json
• acceptance/wiremock/recordings/tuf/__files/body-targets-3ef849f6ca683c5263bef43082c65f3ce80d8d3996ffdca65c9ecd5fd7c781ffa0b81a174e89621be821381c007b9dbeed152e43d5ba9066bb4f0a0579a55cab.trusted_root.-HoiSR.json
• acceptance/image/testimage/blobs/sha256/697a5cdf2f0c0666708fcdc2fba505ad7a3dd5954500b501b0cf715bf3f4de5c
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-3ef849f6ca683c5263bef43082c65f3ce80d8d3996ffdca65c9ecd5fd7c781ffa0b81a174e89621be821381c007b9dbeed152e43d5ba9066bb4f0a0579a55cab.trusted_root.-HoiSR.json
• acceptance/wiremock/recordings/tuf/__files/body-timestamp.json-DJ6HO.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-c36342ad2dbe32e499149cbdf8d4f9ad2162403495f48f1ea89bbcf9138c1123d7ad0570ba87b5b3de50a732ecb4742a080f4ce4574f7e7739a00e1eef546d18.ctfe.pub-QOxpM.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-954abc4e4a9769b1d24a43bfb43aae152fae5e521bac47f59ff4e7fd70ba5859f6d3022fb68b18205148c3ad0e7b6d3798a860026b6456275df2c635f3d7ff9f.tsa_intermedi-8C7qr.json
• acceptance/image/testimage/blobs/sha256/4e9b664f9636dbd414def49ee60ffedfe0fdce6560cd6d919c49e524ba47fa56
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-150af49f08e52a117ae01f8e30c6a9917c6ee971bd2fb2da60467adb66269c45d0c4d671684e91df7c6dcff2e86a65948386186332b4c385522255d5b2cad1dc.fulcio_v1.crt-8PwWB.json
• acceptance/wiremock/recordings/tuf/__files/body-1.targets.json-lRXBI.json
• acceptance/image/testimage/blobs/sha256/7ae4a16c8bb7342c480b2ee408906cde134a209c4736bacfc265e4700265e0a2
• acceptance/image/testimage/blobs/sha256/f0832ae8b3560ece9ef09f9b24b671874a3aaed10616260a7408ff56474df179
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-4e6dbecfadd039adaa1de4cfea94c8cb6f6fea27ff4505a4e950c5498b1c3e49ec4c9824ae1c5268f76c23980aa32b0318c660eb89419984087a121335356268.tsa_leaf.crt.-ptqwu.json
• acceptance/image/testimage/blobs/sha256/0f983e7f56985ff99fd397e694a60b3f210a549c83545c866f0a663de7e63509
• acceptance/image/testimage/blobs/sha256/c0e3131ee7d0ad5dce680cc378a03dc099dc96026adff1ce727c6a1e2e4200f1
• acceptance/image/testimage/blobs/sha256/a2e3670559ba47378fc8e6c3e505d45fe50752a57e8703565aac6674f77ab880

✅ Files skipped from review due to trivial changes (3)

• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-490ea150f2c9845c32d1efff5fdb2051f990677a05f1377c920c428ac6fdef8ba60d3ff0efcc3ed10219c6f70c28b31ed5f6f641e8e3413e6dae59810b4b808d.rekor-pub-d1ebe.json
• acceptance/wiremock/recordings/tuf/__files/body-targets-8afb423704f1291c85104797fc63a075a198ccf38def9875dcd76ea94190ef8f4e85c31e21f1c2a99ba30f6218bbd082ca3fa081d341cfeb7b835970aa8d4550.trusted_root.-BuA3p.json
• acceptance/image/testimage/blobs/sha256/c9b87d5a172b91263f3de915b58faf1dfad4318f99f182c02794e4539ec155ae

🚧 Files skipped from review as they are similar to previous changes (3)

• acceptance/wiremock/recordings/tuf/mappings/mapping-1.targets.json-9m7IM.json
• acceptance/wiremock/recordings/tuf/mappings/mapping-targets-4448f59d42f73d1174a3488ecc328be5bbb2d3c1edb5173556fbaa6cc63c130b3e8de0322a2d8ae998d219a1fdc4e86d93bddc16cb2999e36f4ac4dacb2494ff.tsa_leaf-crt-pem-2208f.json
• acceptance/image/testimage/index.json

[simonbaird]

I got these acceptance test failures locally, but unit tests are passing:

========================================
FAILED SCENARIOS SUMMARY (3)
========================================
1. Collect keyless signing parameters when the namespace does not exist
   Location: /tmp/tmp.rM6aNImveb/features/task_validate_image.feature

2. unexpected image signature cert
   Location: /tmp/tmp.rM6aNImveb/features/validate_image.feature

3. happy day with keyless
   Location: /tmp/tmp.rM6aNImveb/features/validate_image.feature
========================================

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag	Coverage Δ
acceptance	55.16% <ø> (-0.04%)	⬇️
generative	17.90% <ø> (ø)
integration	26.65% <ø> (ø)
unit	69.01% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[simonbaird]

🚀 🎸 🔥