feat: add option to disable blob verification #131

Open
wants to merge 9 commits into
base: main
31 changes: 31 additions & 0 deletions .github/workflows/test-action.yml
Expand Up @@ -65,3 +65,34 @@ jobs:
else
exit 0
fi

test_ct_action_noverify:
runs-on: ubuntu-latest

name: Install chart-testing without verifiing blob and test presence in path
steps:
- uses: actions/checkout@v4
- name: Install chart-testing
uses: ./
with:
verify_blob: 'false'
- name: Check install!
run: |
ct version
CT_VERSION_OUTPUT=$(ct version 2>&1 /dev/null)
ACTUAL_VERSION=$(echo "$CT_VERSION_OUTPUT" | grep Version | rev | cut -d ' ' -f1 | rev)
if [[ $ACTUAL_VERSION != 'v3.10.0' ]]; then
echo 'should be v3.10.0'
exit 1
else
exit 0
fi
shell: bash
- name: Check root directory
run: |
if [[ $(git diff --stat) != '' ]]; then
echo 'should be clean'
exit 1
else
exit 0
fi
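Review bot: `CT_VERSION_OUTPUT=$(ct version 2>&1 /dev/null)` hands `/dev/null` to `ct version` as a positional argument rather than discarding anything; `2>&1` alone already merges stderr into the captured output, so the line should read `CT_VERSION_OUTPUT=$(ct version 2>&1)`. The line looks copied from the preceding job (whose body starts above this section), so the same fix applies there. Since this job is the only coverage for `verify_blob: 'false'`, it would also be worth asserting that verification was actually skipped (for example that `cosign` is not on the PATH, if the runner image does not ship it), otherwise the job still passes when the input is silently ignored. `verifiing` in the job name should be `verifying`.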
6 changes: 6 additions & 0 deletions action.yml
Expand Up @@ -5,6 +5,10 @@ branding:
color: blue
icon: anchor
inputs:
verify_blob:
description: "determines whether the download blob should be verified (default: true)"
required: false
default: 'true'
version:
description: "The chart-testing version to install (default: 3.10.0)"
required: false
Expand All @@ -21,9 +25,11 @@ runs:
using: composite
steps:
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
if: ${{ inputs.verify_blob != 'false' }}
- run: |
cd $GITHUB_ACTION_PATH \
&& ./ct.sh \
--verify-blob ${{ inputs.verify_blob }} \
--version ${{ inputs.version }} \
--yamllint-version ${{ inputs.yamllint_version }} \
--yamale-version ${{ inputs.yamale_version }}
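Review bot: `--verify-blob ${{ inputs.verify_blob }}` is expanded unquoted into the run script, so a caller that supplies an empty `verify_blob` produces `--verify-blob --version 3.10.0 …`, and ct.sh's `--verify-blob` branch takes `--version` as its value while the real version number is then parsed as a stray argument. Quoting it, `--verify-blob "${{ inputs.verify_blob }}"`, turns that into the script's own "cannot be empty" error; the existing `--version`/`--yamllint-version` lines use the same unquoted form, so this is inherited style, but the new flag is the one most likely to be hand-set to a string. Both the `if:` on the cosign-installer step and ct.sh compare against the literal `false`, so values such as `False` or `no` still verify; the input description should say so, e.g. `description: "Set to the literal string 'false' to skip cosign verification of the downloaded chart-testing tarball; any other value verifies (default: true)"`.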
41 changes: 29 additions & 12 deletions ct.sh
Expand Up @@ -5,6 +5,7 @@ set -o nounset
set -o pipefail

DEFAULT_CHART_TESTING_VERSION=3.10.0
DEFAULT_VERIFY_BLOB=true
DEFAULT_YAMLLINT_VERSION=1.27.1
DEFAULT_YAMALE_VERSION=3.0.4

Expand All @@ -19,6 +20,7 @@ EOF

main() {
local version="${DEFAULT_CHART_TESTING_VERSION}"
local verify_blob="${DEFAULT_VERIFY_BLOB}"
local yamllint_version="${DEFAULT_YAMLLINT_VERSION}"
local yamale_version="${DEFAULT_YAMALE_VERSION}"

Expand All @@ -34,6 +36,16 @@ parse_command_line() {
show_help
exit
;;
--verify-blob)
if [[ -n "${2:-}" ]]; then
verify_blob="${2#v}"
shift
else
echo "ERROR: '--verify-blob' cannot be empty." >&2
show_help
exit 1
fi
;;
-v|--version)
if [[ -n "${2:-}" ]]; then
version="${2#v}"
Expand Down Expand Up @@ -88,21 +100,26 @@ install_chart_testing() {
local cache_dir="${RUNNER_TOOL_CACHE}/ct/${version}/${arch}"
local venv_dir="${cache_dir}/venv"

curl --retry 5 --retry-delay 1 -sSLo ct.tar.gz "https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz"
echo "Installing chart-testing v${version}..."
if [[ ! -d "${cache_dir}" ]]; then
mkdir -p "${cache_dir}"

echo "Installing chart-testing v${version}..."
CT_CERT=https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz.pem
CT_SIG=https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz.sig

curl --retry 5 --retry-delay 1 -sSLo ct.tar.gz "https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz"
cosign verify-blob --certificate $CT_CERT --signature $CT_SIG \
--certificate-identity "https://github.com/helm/chart-testing/.github/workflows/release.yaml@refs/heads/main" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" ct.tar.gz
retVal=$?
if [[ "${retVal}" -ne 0 ]]; then
log_error "Unable to validate chart-testing version: v${version}"
exit 1
if [[ "${verify_blob}" != "false" ]]; then
echo "Verifing blob..."
CT_CERT=https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz.pem
CT_SIG=https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz.sig

cosign verify-blob --certificate $CT_CERT --signature $CT_SIG \
--certificate-identity "https://github.com/helm/chart-testing/.github/workflows/release.yaml@refs/heads/main" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" ct.tar.gz
retVal=$?
if [[ "${retVal}" -ne 0 ]]; then
log_error "Unable to validate chart-testing version: v${version}"
exit 1
fi
else
echo "Skipping verifing blob..."
fi

tar -xzf ct.tar.gz -C "${cache_dir}"
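Review bot: In the `install_chart_testing` hunk the `curl … -sSLo ct.tar.gz …` download now sits before `if [[ ! -d "${cache_dir}" ]]` while the copy inside the branch is removed, so, if I am reading the sides correctly, the tarball is fetched on every run even when the cached install is reused and a stray `ct.tar.gz` may be left in the working directory on cache hits; move the line back inside the branch, directly before the `verify_blob` check. The skip path should be loud rather than a plain `echo`, because the unverified tarball is extracted and installed: `echo "::warning::Skipping cosign verification of chart-testing v${version}; the tarball is installed unverified." >&2` surfaces it as a job annotation, and `Verifing` on both echo lines should be `Verifying`. In the `parse_command_line` hunk `verify_blob="${2#v}"` copies the leading-`v` strip from `--version`, which is meaningless for a boolean and should be `verify_blob="$2"`. The `show_help` usage text ending at the `EOF` above the `main` hunk does not appear to be updated for the new flag. `parse_command_line` and `install_chart_testing` both start and end outside their hunks.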