From 352b6c9b66b702c6cb338882668bbef5870804b2 Mon Sep 17 00:00:00 2001
From: cpanato
Date: Fri, 24 Mar 2023 14:53:40 +0100
Subject: [PATCH 1/2] use cosign to verify the release artifact
Signed-off-by: cpanato
---
 action.yml | 1 +
 ct.sh | 12 ++++++++++++
 2 files changed, 13 insertions(+)
diff --git a/action.yml b/action.yml
index b44dfa0..020c575 100644
--- a/action.yml
+++ b/action.yml
@@ -20,6 +20,7 @@ inputs:
 runs:
 using: composite
 steps:
+ - uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1
 - run: |
 cd $GITHUB_ACTION_PATH \
 && ./ct.sh \
diff --git a/ct.sh b/ct.sh
index f606690..d80c7eb 100755
--- a/ct.sh
+++ b/ct.sh
@@ -88,7 +88,19 @@ install_chart_testing() {
 mkdir -p "$cache_dir"
 echo "Installing chart-testing ${version}..."
+ CT_CERT=https://github.com/helm/chart-testing/releases/download/$version/chart-testing_${version#v}_linux_amd64.tar.gz.pem
+ CT_SIG=https://github.com/helm/chart-testing/releases/download/$version/chart-testing_${version#v}_linux_amd64.tar.gz.sig
+ curl --retry 5 --retry-delay 1 -sSLo ct.tar.gz "https://github.com/helm/chart-testing/releases/download/$version/chart-testing_${version#v}_linux_amd64.tar.gz"
+ cosign verify-blob --certificate $CT_CERT --signature $CT_SIG \
+ --certificate-identity "https://github.com/helm/chart-testing/.github/workflows/release.yaml@refs/tags/${version#v}" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" "chart-testing_${version#v}_linux_amd64.tar.gz"
+ retVal=$?
+ if [[ "$retVal" -ne 0 ]]; then
+ log_error "Unable to validate chart-testing version: ${version}"
+ exit 1
+ fi
+
 tar -xzf ct.tar.gz -C "$cache_dir"
 rm -f ct.tar.gz
From 757e665a39a8cf6bd0408fec3cc92388484769a0 Mon Sep 17 00:00:00 2001
From: cpanato
Date: Fri, 24 Mar 2023 14:56:12 +0100
Subject: [PATCH 2/2] bump chart-testing to v3.8.0
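Review bot: The `retVal=$?` / `if [[ "$retVal" -ne 0 ]]` block added after the cosign call is dead code under the script's `set -o errexit` (visible as context in the second patch's `@@ -4,7 +4,7 @@` hunk): a failing `cosign verify-blob` ends the script before `retVal` is assigned, so `log_error "Unable to validate chart-testing version: ${version}"` is never printed — unless `install_chart_testing` is called in a context that suppresses errexit, which the diff does not show. The same lines reappear as context in the second patch's `@@ -93,8 +93,8 @@` hunk. Fold the command into the test instead, `if ! cosign verify-blob --certificate "$CT_CERT" --signature "$CT_SIG" \`, ending the `--certificate-oidc-issuer` line with `; then`, and drop `retVal=$?` together with the `if [[ "$retVal" -ne 0 ]]; then` line. Verification fails closed either way, but only the `if !` form yields the intended diagnostic; `install_chart_testing` continues outside the hunk.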
Signed-off-by: cpanato
---
 .github/workflows/test-action.yml | 10 +++++-----
 README.md | 11 +++++------
 action.yml | 4 ++--
 ct.sh | 6 +++---
 4 files changed, 15 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml
index 8f4eaff..1f88377 100644
--- a/.github/workflows/test-action.yml
+++ b/.github/workflows/test-action.yml
@@ -16,8 +16,8 @@ jobs:
 ct version
 CT_VERSION_OUTPUT=$(ct version 2>&1 /dev/null)
 ACTUAL_VERSION=$(echo "$CT_VERSION_OUTPUT" | grep Version | rev | cut -d ' ' -f1 | rev)
- if [[ $ACTUAL_VERSION != 'v3.7.1' ]]; then
- echo 'should be v3.7.1'
+ if [[ $ACTUAL_VERSION != 'v3.8.0' ]]; then
+ echo 'should be v3.8.0'
 exit 1
 else
 exit 0
@@ -41,7 +41,7 @@ jobs:
 - name: Install chart-testing
 uses: ./
 with:
- version: 'v3.5.1'
+ version: 'v3.7.1'
 yamllint_version: '1.27.1'
 yamale_version: '3.0.4'
 - name: Check install!
@@ -49,8 +49,8 @@ jobs:
 ct version
 CT_VERSION_OUTPUT=$(ct version 2>&1 /dev/null)
 ACTUAL_VERSION=$(echo "$CT_VERSION_OUTPUT" | grep Version | rev | cut -d ' ' -f1 | rev)
- if [[ $ACTUAL_VERSION != 'v3.5.1' ]]; then
- echo 'should be v3.5.1'
+ if [[ $ACTUAL_VERSION != 'v3.7.1' ]]; then
+ echo 'should be v3.7.1'
 exit 1
 else
 exit 0
diff --git a/README.md b/README.md
index 66f8ccb..94f0587 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,7 @@ A GitHub Action for installing the [helm/chart-testing](https://github.com/helm/
 For more information on inputs, see the [API Documentation](https://developer.github.com/v3/repos/releases/#input)
-- `version`: The chart-testing version to install (default: `v3.7.1`)
+- `version`: The chart-testing version to install (default: `v3.8.0`)
 - `yamllint_version`: The chart-testing version to install (default: `1.27.1`)
 - `yamale_version`: The chart-testing version to install (default: `3.0.4`)
@@ -44,7 +44,7 @@ jobs:
 - name: Set up Helm
 uses: azure/setup-helm@v3
 with:
- version: v3.10.0
+ version: v3.11.2
 - uses: actions/setup-python@v4
 with:
@@ -52,7 +52,7 @@ jobs:
 check-latest: true
 - name: Set up chart-testing
- uses: helm/chart-testing-action@v2.3.1
+ uses: helm/chart-testing-action@v2.4.0
 - name: Run chart-testing (list-changed)
 id: list-changed
@@ -67,13 +67,12 @@ jobs:
 run: ct lint --target-branch ${{ github.event.repository.default_branch }}
 - name: Create kind cluster
- uses: helm/kind-action@v1.4.0
 if: steps.list-changed.outputs.changed == 'true'
+ uses: helm/kind-action@v1.4.0
 - name: Run chart-testing (install)
- run: ct install --target-branch ${{ github.event.repository.default_branch }}
 if: steps.list-changed.outputs.changed == 'true'
-
+ run: ct install --target-branch ${{ github.event.repository.default_branch }}
 ```
 This uses [`helm/kind-action`](https://www.github.com/helm/kind-action) GitHub Action to spin up a [kind](https://kind.sigs.k8s.io/) Kubernetes cluster,
diff --git a/action.yml b/action.yml
index 020c575..980bd1e 100644
--- a/action.yml
+++ b/action.yml
@@ -6,9 +6,9 @@ branding:
 icon: anchor
 inputs:
 version:
- description: "The chart-testing version to install (default: v3.7.1)"
+ description: "The chart-testing version to install (default: v3.8.0)"
 required: false
- default: v3.7.1
+ default: v3.8.0
 yamllint_version:
 description: "The yamllint version to install (default: 1.27.1)"
 required: false
diff --git a/ct.sh b/ct.sh
index d80c7eb..151baa3 100755
--- a/ct.sh
+++ b/ct.sh
@@ -4,7 +4,7 @@ set -o errexit
 set -o nounset
 set -o pipefail
-DEFAULT_CHART_TESTING_VERSION=v3.7.1
+DEFAULT_CHART_TESTING_VERSION=v3.8.0
 DEFAULT_YAMLLINT_VERSION=1.27.1
 DEFAULT_YAMALE_VERSION=3.0.4
@@ -93,8 +93,8 @@ install_chart_testing() {
 curl --retry 5 --retry-delay 1 -sSLo ct.tar.gz "https://github.com/helm/chart-testing/releases/download/$version/chart-testing_${version#v}_linux_amd64.tar.gz"
 cosign verify-blob --certificate $CT_CERT --signature $CT_SIG \
- --certificate-identity "https://github.com/helm/chart-testing/.github/workflows/release.yaml@refs/tags/${version#v}" \
- --certificate-oidc-issuer "https://token.actions.githubusercontent.com" "chart-testing_${version#v}_linux_amd64.tar.gz"
+ --certificate-identity "https://github.com/helm/chart-testing/.github/workflows/release.yaml@refs/heads/main" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" ct.tar.gz
 retVal=$?
 if [[ "$retVal" -ne 0 ]]; then
 log_error "Unable to validate chart-testing version: ${version}"
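Review bot: Moving `--certificate-identity` to `…/release.yaml@refs/heads/main` drops the version binding the first patch attempted: the signature now proves `ct.tar.gz` came from the chart-testing release workflow, but not that it is the `${version}` the caller asked for, so any other tarball legitimately signed by that workflow (an older release substituted at the download URL, for instance) would also pass. Whether the upstream workflow runs under a tag ref is not visible in the diff; if it does, `refs/tags/${version}` (keeping the `v` that the removed `${version#v}` form stripped, which is presumably why that attempt failed) restores the pin, and if it genuinely signs from `main`, a comment on the line recording that — e.g. `# release.yaml signs from main, so the identity cannot carry the tag` — keeps the next reader from tightening it blind. While here, quote `"$CT_CERT"` and `"$CT_SIG"` like the other expansions in the call. `install_chart_testing` continues past the hunk.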