From 5e2a397693db4522812ca26114fb5ce424d1e31a Mon Sep 17 00:00:00 2001
From: SequeI
Date: Wed, 13 May 2026 23:30:39 +0100
Subject: [PATCH] test: ambient workflow
Signed-off-by: SequeI
---
 .github/workflows/test-ambient-signing.yml | 57 ++++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 .github/workflows/test-ambient-signing.yml
diff --git a/.github/workflows/test-ambient-signing.yml b/.github/workflows/test-ambient-signing.yml
new file mode 100644
index 00000000..08bb642c
--- /dev/null
+++ b/.github/workflows/test-ambient-signing.yml
@@ -0,0 +1,57 @@
+name: Test Ambient Credentials Signing
+
+on:
+ pull_request:
+ workflow_dispatch:
+
+permissions:
+ id-token: write # Required for OIDC token
+ contents: read
+
+jobs:
+ test-signing:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.12"
+
+ - name: Install rh-model-signing
+ run: pip install rh-model-signing
+
+ - name: Create test model
+ run: |
+ mkdir -p test-model
+ echo "test weights" > test-model/weights.bin
+ echo '{"name": "test"}' > test-model/config.json
+
+ - name: Bootstrap trust (public Sigstore)
+ run: |
+ curl -sL https://tuf-repo-cdn.sigstore.dev/root.json -o root.json
+ rh_model_signing trust-instance root.json --instance https://tuf-repo-cdn.sigstore.dev
+
+ - name: Sign with ambient credentials
+ run: |
+ rh_model_signing sign sigstore test-model \
+ --instance https://tuf-repo-cdn.sigstore.dev \
+ --use-ambient-credentials \
+ --signature model.sig
+
+ - name: Verify signature
+ run: |
+ IDENTITY="https://github.com/${{ github.repository }}/.github/workflows/test-ambient-signing.yml@${{ github.ref }}"
+ echo "Verifying with identity: $IDENTITY"
+ rh_model_signing verify sigstore test-model \
+ --instance https://tuf-repo-cdn.sigstore.dev \
+ --signature model.sig \
+ --identity "$IDENTITY" \
+ --identity-provider "https://token.actions.githubusercontent.com"
+
+ - name: Upload signature artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: model-signature
+ path: model.sig
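Review bot: The trust anchor that every later `verify` depends on is fetched unpinned in the `Bootstrap trust` step — `curl -sL https://tuf-repo-cdn.sigstore.dev/root.json -o root.json` trusts whatever the CDN returns (and, lacking `-f`, would happily write an error page to `root.json`), so a root.json committed to the repo, or at least a pinned digest check such as `echo "<sha256>  root.json" | sha256sum -c -`, would make the bootstrap independent of the download. The same job holds `id-token: write`, yet `pip install rh-model-signing` is unpinned and all three actions reference mutable tags (`actions/checkout@v4`, `actions/setup-python@v5`, `actions/upload-artifact@v4`); a hijacked tag or a bad package release could mint a Sigstore certificate under this repository's workflow identity, so pin the package to an exact version (ideally with `--require-hashes`) and the actions to commit SHAs. With `on: pull_request`, every PR signs a throwaway model with the public instance, which presumably leaves a permanent public Rekor entry under that identity on each run, and PRs from forks will fail at the sign step because GitHub does not issue them an OIDC token by default; consider restricting this test to `workflow_dispatch` or a staging instance and say so in a comment above `on:`. Minor: `${{ github.ref }}` is interpolated straight into the shell in the `Verify signature` step — passing it via `env:` and reading `$GITHUB_REF` avoids expression injection if a branch name ever contains shell metacharacters.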