Test OIDC tweak

.github/workflows/test.yml

@@ -83,8 +83,10 @@ jobs:
       - name: Run Go tests
         run: go test -covermode atomic -coverprofile coverage.txt $(go list ./... | grep -v third_party/)
       - name: Workaround buggy Codecov OIDC auth
-        if: github.event_name == 'push'
         run: |
+          # only set CODECOV_TOKEN if OIDC token is available
+          [ -z $ACTIONS_ID_TOKEN_REQUEST_TOKEN ] && exit 0
+
           TOKEN_RESPONSE=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=https://codecov.io")
           CODECOV_TOKEN=$(echo $TOKEN_RESPONSE | jq -r .value)
           echo "CODECOV_TOKEN=$CODECOV_TOKEN" >> "$GITHUB_ENV"

pkg/tessera/safeint.go

@@ -20,13 +20,13 @@ import (
 	"math"
 )
 
-// safeInt64 holds equivalent int64 and uint64 integers.
-type safeInt64 struct {
+// SafeInt64 holds equivalent int64 and uint64 integers.
+type SafeInt64 struct {
 	u uint64
 	i int64
 }
 
-// newSafeInt64 returns a safeInt64 struct as long as the number is either an
+// NewSafeInt64 returns a safeInt64 struct as long as the number is either an
 // int64 or uint64 and the value can safely be converted in either direction
 // without overflowing, i.e. is not greater than MaxInt64 and not negative.
 //
@@ -36,8 +36,8 @@ type safeInt64 struct {
 //
 // This is needed for compatibility with TransparencyLogEntry
 // (https://github.com/sigstore/protobuf-specs/blob/e871d3e6fd06fa73a1524ef0efaf1452d3304cf6/protos/sigstore_rekor.proto#L86-L138).
-func newSafeInt64(number any) (*safeInt64, error) {
-	var result safeInt64
+func NewSafeInt64(number any) (*SafeInt64, error) {
+	var result SafeInt64
 	switch n := number.(type) {
 	case uint64:
 		if n > math.MaxInt64 {
@@ -56,3 +56,13 @@ func newSafeInt64(number any) (*safeInt64, error) {
 	}
 	return &result, nil
 }
+
+// U returns the uint64 value of the integer.
+func (s *SafeInt64) U() uint64 {
+	return s.u
+}
+
+// I returns the int64 value of the integer.
+func (s *SafeInt64) I() int64 {
+	return s.i
+}

pkg/tessera/safeint_test.go

@@ -23,22 +23,22 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func Test_newSafeInt64(t *testing.T) {
+func TestNewSafeInt64(t *testing.T) {
 	tests := []struct {
 		name      string
 		number    any
-		expect    *safeInt64
+		expect    *SafeInt64
 		expectErr error
 	}{
 		{
 			name:   "small uint",
 			number: uint64(42),
-			expect: &safeInt64{u: uint64(42), i: int64(42)},
+			expect: &SafeInt64{u: uint64(42), i: int64(42)},
 		},
 		{
 			name:   "small positive int",
 			number: int64(42),
-			expect: &safeInt64{u: uint64(42), i: int64(42)},
+			expect: &SafeInt64{u: uint64(42), i: int64(42)},
 		},
 		{
 			name:      "too large uint",
@@ -67,7 +67,7 @@ func Test_newSafeInt64(t *testing.T) {
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			got, gotErr := newSafeInt64(test.number)
+			got, gotErr := NewSafeInt64(test.number)
 			assert.Equal(t, test.expect, got)
 			assert.Equal(t, test.expectErr, gotErr)
 		})

pkg/tessera/tessera.go

@@ -77,7 +77,7 @@ func (s *storage) Add(ctx context.Context, entry *tessera.Entry) (*rekor_pb.Tran
 		return nil, fmt.Errorf("building inclusion proof: %w", err)
 	}
 	return &rekor_pb.TransparencyLogEntry{
-		LogIndex:       idx.i,
+		LogIndex:       idx.I(),
 		InclusionProof: inclusionProof,
 	}, nil
 }
@@ -92,19 +92,19 @@ func (s *storage) ReadTile(ctx context.Context, level, index uint64, p uint8) ([
 	return tile, nil
 }
 
-func (s *storage) addEntry(ctx context.Context, entry *tessera.Entry) (*safeInt64, []byte, error) {
+func (s *storage) addEntry(ctx context.Context, entry *tessera.Entry) (*SafeInt64, []byte, error) {
 	idx, checkpointBody, err := s.awaiter.Await(ctx, s.addFn(ctx, entry))
 	if err != nil {
 		return nil, nil, fmt.Errorf("await: %w", err)
 	}
-	safeIdx, err := newSafeInt64(idx)
+	safeIdx, err := NewSafeInt64(idx)
 	if err != nil {
 		return nil, nil, fmt.Errorf("invalid index: %w", err)
 	}
 	return safeIdx, checkpointBody, nil
 }
 
-func (s *storage) buildProof(ctx context.Context, idx *safeInt64, signedCheckpoint, leafHash []byte) (*rekor_pb.InclusionProof, error) {
+func (s *storage) buildProof(ctx context.Context, idx *SafeInt64, signedCheckpoint, leafHash []byte) (*rekor_pb.InclusionProof, error) {
 	checkpoint, err := unmarshalCheckpoint(signedCheckpoint)
 	if err != nil {
 		return nil, fmt.Errorf("unmarshalling checkpoint: %w", err)
@@ -113,22 +113,22 @@ func (s *storage) buildProof(ctx context.Context, idx *safeInt64, signedCheckpoi
 	if err != nil {
 		return nil, fmt.Errorf("new proof builder: %w", err)
 	}
-	inclusionProof, err := proofBuilder.InclusionProof(ctx, idx.u)
+	inclusionProof, err := proofBuilder.InclusionProof(ctx, idx.U())
 	if err != nil {
 		return nil, fmt.Errorf("generating inclusion proof: %w", err)
 	}
-	safeCheckpointSize, err := newSafeInt64(checkpoint.Size)
+	safeCheckpointSize, err := NewSafeInt64(checkpoint.Size)
 	if err != nil {
 		return nil, fmt.Errorf("invalid tree size: %d", checkpoint.Size)
 	}
 	// TODO(cmurphy): add metrics to detect when this inclusion proof ever fails as well as the overhead time for running this check.
-	if err := proof.VerifyInclusion(rfc6962.DefaultHasher, idx.u, safeCheckpointSize.u, leafHash, inclusionProof, checkpoint.Hash); err != nil {
+	if err := proof.VerifyInclusion(rfc6962.DefaultHasher, idx.U(), safeCheckpointSize.U(), leafHash, inclusionProof, checkpoint.Hash); err != nil {
 		return nil, fmt.Errorf("failed to verify entry inclusion: %w", err)
 	}
 	return &rekor_pb.InclusionProof{
-		LogIndex: idx.i,
+		LogIndex: idx.I(),
 		RootHash: []byte(hex.EncodeToString(checkpoint.Hash)),
-		TreeSize: safeCheckpointSize.i,
+		TreeSize: safeCheckpointSize.I(),
 		Hashes:   inclusionProof,
 		Checkpoint: &rekor_pb.Checkpoint{
 			Envelope: string(signedCheckpoint),