From 7e31ab714b385c19de695f52e3ea23e99424608f Mon Sep 17 00:00:00 2001 From: Derek Nola Date: Tue, 18 Jun 2024 13:14:59 -0700 Subject: [PATCH 1/2] Check for bad token permissions when install via PR Signed-off-by: Derek Nola --- install.sh | 12 ++++++++---- install.sh.sha256sum | 2 +- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/install.sh b/install.sh index e618672be144..50f485aaf7b9 100755 --- a/install.sh +++ b/install.sh @@ -482,11 +482,15 @@ get_pr_artifact_url() { fi if [ -z "${GITHUB_TOKEN}" ]; then - fatal "Installing PR builds requires GITHUB_TOKEN with k3s-io/k3s repo authorization" + fatal "Installing PR builds requires GITHUB_TOKEN with k3s-io/k3s repo permissions" fi - # GET request to the GitHub API to retrieve the latest commit SHA from the pull request - commit_id=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" "$github_api_url/pulls/$INSTALL_K3S_PR" | jq -r '.head.sha') + pr_raw=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" "$github_api_url/pulls/$INSTALL_K3S_PR") + + if ! echo "$pr_raw" | grep -q "Bad credentials.*401" ; then + fatal "Installing PR builds requires GITHUB_TOKEN with k3s-io/k3s repo permissions" + fi + commit_id=$( echo "$pr_raw" | jq -r '.head.sha') # GET request to the GitHub API to retrieve the Build workflow associated with the commit wf_raw=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" "$github_api_url/commits/$commit_id/check-runs") @@ -507,7 +511,7 @@ download_binary() { # Since Binary and Hash are zipped together, check if TMP_ZIP already exists if ! [ -f ${TMP_ZIP} ]; then info "Downloading K3s artifact ${GITHUB_PR_URL}" - curl -o ${TMP_ZIP} -H "Authorization: Bearer $GITHUB_TOKEN" -L ${GITHUB_PR_URL} + curl -o -f ${TMP_ZIP} -H "Authorization: Bearer $GITHUB_TOKEN" -L ${GITHUB_PR_URL} fi # extract k3s binary from zip unzip -p ${TMP_ZIP} k3s > ${TMP_BIN} diff --git a/install.sh.sha256sum b/install.sh.sha256sum index 2cc73369576e..8840a507e25f 100644 --- a/install.sh.sha256sum +++ b/install.sh.sha256sum @@ -1 +1 @@ -696c6a93262b3e1f06a78841b8a82c238a8f17755824c024baad652b18bc92bc install.sh +92c835d2180837fadd4f556e73f16ead3fd3af649a130fbae44832f65c3913a7 install.sh From 05f59b6c455f6441b57aa1026cdbefc684e8a134 Mon Sep 17 00:00:00 2001 From: Derek Nola Date: Thu, 20 Jun 2024 09:28:44 -0700 Subject: [PATCH 2/2] Remove extra "-f" Signed-off-by: Derek Nola --- install.sh | 2 +- install.sh.sha256sum | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install.sh b/install.sh index 50f485aaf7b9..cf72346f6d5f 100755 --- a/install.sh +++ b/install.sh @@ -511,7 +511,7 @@ download_binary() { # Since Binary and Hash are zipped together, check if TMP_ZIP already exists if ! [ -f ${TMP_ZIP} ]; then info "Downloading K3s artifact ${GITHUB_PR_URL}" - curl -o -f ${TMP_ZIP} -H "Authorization: Bearer $GITHUB_TOKEN" -L ${GITHUB_PR_URL} + curl -o ${TMP_ZIP} -H "Authorization: Bearer $GITHUB_TOKEN" -L ${GITHUB_PR_URL} fi # extract k3s binary from zip unzip -p ${TMP_ZIP} k3s > ${TMP_BIN} diff --git a/install.sh.sha256sum b/install.sh.sha256sum index 8840a507e25f..2a09542d1fd6 100644 --- a/install.sh.sha256sum +++ b/install.sh.sha256sum @@ -1 +1 @@ -92c835d2180837fadd4f556e73f16ead3fd3af649a130fbae44832f65c3913a7 install.sh +2e2469498e1d6a5dcd97d0eeae342298500b27fe0768527ea8039a3295cdbce9 install.sh