From a8493e182c5a8d147a34922735e32d99a9893f0d Mon Sep 17 00:00:00 2001
From: Marco Lecheler
Date: Fri, 27 Oct 2023 10:06:13 +0200
Subject: [PATCH 1/8] feat: add input verify_blob to add option to disable verification
Signed-off-by: Marco Lecheler
---
 action.yml | 4 ++++
 ct.sh | 38 ++++++++++++++++++++++++++------------
 2 files changed, 30 insertions(+), 12 deletions(-)
diff --git a/action.yml b/action.yml
index 6324f52..9a02fc4 100644
--- a/action.yml
+++ b/action.yml
@@ -5,6 +5,9 @@ branding:
 color: blue
 icon: anchor
 inputs:
+ verify_blob:
+ description: "determines whether the download blob should be verified (default: true)"
+ default: 'true'
 version:
 description: "The chart-testing version to install (default: 3.9.0)"
 required: false
@@ -24,6 +27,7 @@ runs:
 - run: |
 cd $GITHUB_ACTION_PATH \
 && ./ct.sh \
+ --verify-blob ${{ inputs.verify_blob }} \
 --version ${{ inputs.version }} \
 --yamllint-version ${{ inputs.yamllint_version }} \
 --yamale-version ${{ inputs.yamale_version }}
diff --git a/ct.sh b/ct.sh
index 9f1dad6..0b740d6 100755
--- a/ct.sh
+++ b/ct.sh
@@ -5,6 +5,7 @@ set -o nounset
 set -o pipefail
 DEFAULT_CHART_TESTING_VERSION=3.9.0
+DEFAULT_VERIFY_BLOB=true
 DEFAULT_YAMLLINT_VERSION=1.27.1
 DEFAULT_YAMALE_VERSION=3.0.4
@@ -19,6 +20,7 @@ EOF
 main() {
 local version="${DEFAULT_CHART_TESTING_VERSION}"
+ local verify_blob="${DEFAULT_VERIFY_BLOB}"
 local yamllint_version="${DEFAULT_YAMLLINT_VERSION}"
 local yamale_version="${DEFAULT_YAMALE_VERSION}"
@@ -34,6 +36,16 @@ parse_command_line() {
 show_help
 exit
 ;;
+ --verify-blob)
+ if [[ -n "${2:-}" ]]; then
+ verify_blob="${2#v}"
+ shift
+ else
+ echo "ERROR: '--verify-blob' cannot be empty." >&2
+ show_help
+ exit 1
+ fi
+ ;;
 -v|--version)
 if [[ -n "${2:-}" ]]; then
 version="${2#v}"
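Review bot: The `description` of the new `verify_blob` input does not say what is verified or which values switch it off, while the `ct.sh` change in this same commit disables the check only for the literal string `false` (`[[ "${verify_blob}" != "false" ]]`). Suggest `description: "Whether to verify the cosign signature of the downloaded chart-testing tarball (default: true). Only the literal string 'false' disables verification."` so consumers know that a mistyped value leaves verification on rather than off.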
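Review bot: `--verify-blob ${{ inputs.verify_blob }} \` is expanded into the script text before bash parses it, so the input's value is unquoted shell rather than an argument; the line mirrors the existing `--version` lines, but for a new input the safer form is an `env:` entry on the step (`CT_VERIFY_BLOB: ${{ inputs.verify_blob }}`) and `--verify-blob "$CT_VERIFY_BLOB" \`. With the unquoted form an empty input drops the argument entirely, so `--verify-blob` in `parse_command_line` would see `--version` as its non-empty `$2` instead of reaching its own "cannot be empty" error; what the parser then does with the stray version string is not visible here.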
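Review bot: `verify_blob="${2#v}"` strips a leading `v` from the option's value, which only makes sense in the `--version` arm it was copied from; for a true/false switch it should be `verify_blob="$2"`. Because the install path later treats anything other than the literal `false` as "verify", a mistyped value silently keeps verification on, which is the safe direction, but rejecting values other than `true`/`false` here would surface the typo instead of hiding it. `parse_command_line` continues outside the hunk.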
@@ -91,18 +103,20 @@ install_chart_testing() {
 if [[ ! -d "${cache_dir}" ]]; then
 mkdir -p "${cache_dir}"
- echo "Installing chart-testing v${version}..."
- CT_CERT=https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz.pem
- CT_SIG=https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz.sig
-
- curl --retry 5 --retry-delay 1 -sSLo ct.tar.gz "https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz"
- cosign verify-blob --certificate $CT_CERT --signature $CT_SIG \
- --certificate-identity "https://github.com/helm/chart-testing/.github/workflows/release.yaml@refs/heads/main" \
- --certificate-oidc-issuer "https://token.actions.githubusercontent.com" ct.tar.gz
- retVal=$?
- if [[ "${retVal}" -ne 0 ]]; then
- log_error "Unable to validate chart-testing version: v${version}"
- exit 1
+ if [[ "${verify_blob}" != "false" ]]; then
+ echo "Installing chart-testing v${version}..."
+ CT_CERT=https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz.pem
+ CT_SIG=https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz.sig
+
+ curl --retry 5 --retry-delay 1 -sSLo ct.tar.gz "https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz"
+ cosign verify-blob --certificate $CT_CERT --signature $CT_SIG \
+ --certificate-identity "https://github.com/helm/chart-testing/.github/workflows/release.yaml@refs/heads/main" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" ct.tar.gz
+ retVal=$?
+ if [[ "${retVal}" -ne 0 ]]; then
+ log_error "Unable to validate chart-testing version: v${version}"
+ exit 1
+ fi
 fi
 tar -xzf ct.tar.gz -C "${cache_dir}"
From 861053ac3341aabdcb39cf50ceefd8dfe9f0fd80 Mon Sep 17 00:00:00 2001
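Review bot: The skip is decided only when `${cache_dir}` does not yet exist, but whatever `tar -xzf ct.tar.gz -C "${cache_dir}"` unpacks there is reused by every later run on the same runner regardless of that run's `verify_blob`, and the cache path shown in PATCH 2/8 (`${RUNNER_TOOL_CACHE}/ct/${version}/${arch}`) does not record whether the tarball was verified; a run that asks for verification can therefore pick up a binary that an earlier unverified run cached. Either keep unverified installs out of the shared tool cache, or fold the mode into the cache key, e.g. `local cache_dir="${RUNNER_TOOL_CACHE}/ct/${version}/${arch}/verify-${verify_blob}"`. Separately, `retVal=$?` after `cosign verify-blob` is only reached if `errexit` is not in force; the visible `set -o nounset`/`set -o pipefail` suggest it may be, in which case a failed `cosign` exits before `log_error` and that branch is dead — worth confirming, since this commit re-indents the block. The `install_chart_testing` body continues beyond the hunk.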
From: Marco Lecheler
Date: Fri, 27 Oct 2023 10:15:03 +0200
Subject: [PATCH 2/8] fix: move curl outside verify_blob statement
Signed-off-by: Marco Lecheler
---
 ct.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ct.sh b/ct.sh
index 0b740d6..680e60a 100755
--- a/ct.sh
+++ b/ct.sh
@@ -100,6 +100,7 @@ install_chart_testing() {
 local cache_dir="${RUNNER_TOOL_CACHE}/ct/${version}/${arch}"
 local venv_dir="${cache_dir}/venv"
+ curl --retry 5 --retry-delay 1 -sSLo ct.tar.gz "https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz"
 if [[ ! -d "${cache_dir}" ]]; then
 mkdir -p "${cache_dir}"
@@ -108,7 +109,6 @@ install_chart_testing() {
 CT_CERT=https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz.pem
 CT_SIG=https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz.sig
- curl --retry 5 --retry-delay 1 -sSLo ct.tar.gz "https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz"
 cosign verify-blob --certificate $CT_CERT --signature $CT_SIG \
 --certificate-identity "https://github.com/helm/chart-testing/.github/workflows/release.yaml@refs/heads/main" \
 --certificate-oidc-issuer "https://token.actions.githubusercontent.com" ct.tar.gz
From 96db42b007328f634b7ac9cd2f4fe1e954a9038e Mon Sep 17 00:00:00 2001
From: Marco Lecheler
Date: Tue, 31 Oct 2023 13:36:40 +0100
Subject: [PATCH 3/8] chore: disable cosign installation when verify blob disabled
As from cpanato suggested the installation of cosign should be skipped.
Signed-off-by: Marco Lecheler
---
 action.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/action.yml b/action.yml
index 9a02fc4..c338678 100644
--- a/action.yml
+++ b/action.yml
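Review bot: Moving `curl` above `if [[ ! -d "${cache_dir}" ]]; then` makes every run download the tarball, including runs where the cached version already exists and nothing is installed, whereas before the download happened only on a cache miss; keep the line inside that block, after `mkdir -p "${cache_dir}"` and before the `verify_blob` check, so both the verified and the unverified path share one download while cache hits stay offline. Now that the unverified path feeds the download straight into `tar`, `--fail` is worth adding (`curl --fail --retry 5 --retry-delay 1 -sSLo ct.tar.gz ...`) so an HTTP error body is not written to `ct.tar.gz` and surfaced as a confusing tar error where cosign would previously have caught it. `install_chart_testing` continues outside both hunks.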
@@ -24,6 +24,7 @@ runs:
 using: composite
 steps:
 - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+ if: ${{ inputs.verify_blob != 'false' }}
 - run: |
 cd $GITHUB_ACTION_PATH \
 && ./ct.sh \
From 3cd4d56913b66eb19f21d5d82f98c9b7b9c1edb3 Mon Sep 17 00:00:00 2001
From: Marco Lecheler
Date: Tue, 31 Oct 2023 13:47:34 +0100
Subject: [PATCH 4/8] chore: add gh wf test test_ct_action_noverify
Signed-off-by: Marco Lecheler
---
 .github/workflows/test-action.yml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml
index 41020b7..514d732 100644
--- a/.github/workflows/test-action.yml
+++ b/.github/workflows/test-action.yml
@@ -65,3 +65,34 @@ jobs:
 else
 exit 0
 fi
+
+ test_ct_action_noverify:
+ runs-on: ubuntu-latest
+
+ name: Install chart-testing and test presence in path
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install chart-testing
+ uses: ./
+ with:
+ verify_blob: 'false'
+ - name: Check install!
+ run: |
+ ct version
+ CT_VERSION_OUTPUT=$(ct version 2>&1 /dev/null)
+ ACTUAL_VERSION=$(echo "$CT_VERSION_OUTPUT" | grep Version | rev | cut -d ' ' -f1 | rev)
+ if [[ $ACTUAL_VERSION != 'v3.9.0' ]]; then
+ echo 'should be v3.9.0'
+ exit 1
+ else
+ exit 0
+ fi
+ shell: bash
+ - name: Check root directory
+ run: |
+ if [[ $(git diff --stat) != '' ]]; then
+ echo 'should be clean'
+ exit 1
+ else
+ exit 0
+ fi
From be0575515630e29f4e60652c8feec562e5d494f0 Mon Sep 17 00:00:00 2001
From: Marco Lecheler
Date: Thu, 2 Nov 2023 09:24:40 +0100
Subject: [PATCH 5/8] chore: add required key for input verify_blob
Signed-off-by: Marco Lecheler
---
 action.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/action.yml b/action.yml
index 4551328..6ef951f 100644
--- a/action.yml
+++ b/action.yml
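Review bot: `CT_VERSION_OUTPUT=$(ct version 2>&1 /dev/null)` in the new `Check install!` step hands `/dev/null` to `ct version` as a positional argument instead of redirecting, so stderr is merged into stdout and the extra argument is passed through; it appears to mirror the existing job, but the intended form is `CT_VERSION_OUTPUT=$(ct version 2>/dev/null)`. The job also only proves that installation still works with `verify_blob: 'false'` and would pass unchanged if the input were ignored, so an assertion that the skip path actually ran (for example that the action did not install a `cosign` binary, if the runner image does not ship one — worth confirming) would make the test meaningful.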
@@ -7,6 +7,7 @@ branding:
 inputs:
 verify_blob:
 description: "determines whether the download blob should be verified (default: true)"
+ required: false
 default: 'true'
 version:
 description: "The chart-testing version to install (default: 3.10.0)"
From 3f5368d4182ffc40fbc52c538cc52bbc0c9c587e Mon Sep 17 00:00:00 2001
From: Marco Lecheler
Date: Thu, 2 Nov 2023 09:28:01 +0100
Subject: [PATCH 6/8] fix: set noverify test name to more meaningful value
The name of the test_ct_action_noverify test did not receive any customizing for the name. No there is a unique name to describe what is tested.
Signed-off-by: Marco Lecheler
---
 .github/workflows/test-action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml
index 4cc24d6..d4faae1 100644
--- a/.github/workflows/test-action.yml
+++ b/.github/workflows/test-action.yml
@@ -69,7 +69,7 @@ jobs:
 test_ct_action_noverify:
 runs-on: ubuntu-latest
- name: Install chart-testing and test presence in path
+ name: Install chart-testing without verifiing blob and test presence in path
 steps:
 - uses: actions/checkout@v4
 - name: Install chart-testing
From 6acc8cc67bee951c83257172c69f7c6d7d503ee1 Mon Sep 17 00:00:00 2001
From: Marco Lecheler
Date: Thu, 2 Nov 2023 10:08:42 +0100
Subject: [PATCH 7/8] chore: adding verify message
Adding messages to determinate if blob was verified. Also moving Install message out of verify if statement
Signed-off-by: Marco Lecheler
---
 ct.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ct.sh b/ct.sh
index 17acce1..d186b92 100755
--- a/ct.sh
+++ b/ct.sh
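Review bot: The new job name misspells "verifying": `name: Install chart-testing without verifying blob and test presence in path`. The same misspelling appears in the two log messages PATCH 7/8 adds to `ct.sh` (`"Verifing blob..."` and `"Skipping verifing blob..."`), which should read `Verifying`/`verifying`.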
@@ -101,11 +101,12 @@ install_chart_testing() {
 local venv_dir="${cache_dir}/venv"
 curl --retry 5 --retry-delay 1 -sSLo ct.tar.gz "https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz"
+ echo "Installing chart-testing v${version}..."
 if [[ ! -d "${cache_dir}" ]]; then
 mkdir -p "${cache_dir}"
 if [[ "${verify_blob}" != "false" ]]; then
- echo "Installing chart-testing v${version}..."
+ echo "Verifing blob..."
 CT_CERT=https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz.pem
 CT_SIG=https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz.sig
@@ -117,6 +118,8 @@ install_chart_testing() {
 log_error "Unable to validate chart-testing version: v${version}"
 exit 1
 fi
+ else
+ echo "Skipping verifing blob..."
 fi
 tar -xzf ct.tar.gz -C "${cache_dir}"
From 2ef262f9ab58beac3e4308bbbea7adf16e298829 Mon Sep 17 00:00:00 2001
From: Marco Lecheler
Date: Thu, 2 Nov 2023 10:11:52 +0100
Subject: [PATCH 8/8] fix: update test version to v3.10.0
Updating version required after merging main to PR.
Signed-off-by: Marco Lecheler
---
 .github/workflows/test-action.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml
index d4faae1..d29fbed 100644
--- a/.github/workflows/test-action.yml
+++ b/.github/workflows/test-action.yml
@@ -81,8 +81,8 @@ jobs:
 ct version
 CT_VERSION_OUTPUT=$(ct version 2>&1 /dev/null)
 ACTUAL_VERSION=$(echo "$CT_VERSION_OUTPUT" | grep Version | rev | cut -d ' ' -f1 | rev)
- if [[ $ACTUAL_VERSION != 'v3.9.0' ]]; then
- echo 'should be v3.9.0'
+ if [[ $ACTUAL_VERSION != 'v3.10.0' ]]; then
+ echo 'should be v3.10.0'
 exit 1
 else
 exit 0
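Review bot: `echo "Skipping verifing blob..."` in the second hunk goes to stdout with the same weight as the progress messages, so the one case where the action installs a binary whose signature was never checked is easy to overlook in a job log; print it to stderr as a warning that names the cause, e.g. `echo "WARNING: skipping signature verification of chart-testing v${version} (verify_blob=false)" >&2`. The moved `echo "Installing chart-testing v${version}..."` in the first hunk now also prints on cache hits, where nothing is installed, so it belongs inside the `if [[ ! -d "${cache_dir}" ]]` block rather than above it. `install_chart_testing` continues outside both hunks.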