diff --git a/__tests__/cosign/cosign.test.ts b/__tests__/cosign/cosign.test.ts new file mode 100644 index 0000000..0596147 --- /dev/null +++ b/__tests__/cosign/cosign.test.ts @@ -0,0 +1,63 @@ +/** + * Copyright 2025 actions-toolkit authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import {describe, expect, it, jest, test} from '@jest/globals'; +import * as semver from 'semver'; + +import {Exec} from '../../src/exec'; +import {Cosign} from '../../src/cosign/cosign'; + +describe('isAvailable', () => { + it('checks Cosign is available', async () => { + const execSpy = jest.spyOn(Exec, 'getExecOutput'); + const cosign = new Cosign(); + await cosign.isAvailable(); + // eslint-disable-next-line jest/no-standalone-expect + expect(execSpy).toHaveBeenCalledWith(`cosign`, [], { + silent: true, + ignoreReturnCode: true + }); + }); +}); + +describe('printVersion', () => { + it('prints Cosign version', async () => { + const execSpy = jest.spyOn(Exec, 'exec'); + const cosign = new Cosign(); + await cosign.printVersion(); + expect(execSpy).toHaveBeenCalledWith(`cosign`, ['version', '--json'], { + failOnStdErr: false + }); + }); +}); + +describe('version', () => { + it('valid', async () => { + const cosign = new Cosign(); + expect(semver.valid(await cosign.version())).not.toBeUndefined(); + }); +}); + +describe('versionSatisfies', () => { + test.each([ + ['v0.4.1', '>=0.3.2', true], + ['v0.8.0', '>0.6.0', true], + ['v0.8.0', '<0.3.0', false] + ])('given %p', async (version, range, expected) => { + const cosign = new Cosign(); + expect(await cosign.versionSatisfies(range, version)).toBe(expected); + }); +}); diff --git a/dev.Dockerfile b/dev.Dockerfile index 97c913d..97454a1 100644 --- a/dev.Dockerfile +++ b/dev.Dockerfile @@ -20,6 +20,7 @@ ARG BUILDX_VERSION=0.29.1 ARG COMPOSE_VERSION=2.39.1 ARG UNDOCK_VERSION=0.10.0 ARG REGCTL_VERSION=v0.8.2 +ARG COSIGN_VERSION=v3.0.2 FROM node:${NODE_VERSION}-alpine AS base RUN apk add --no-cache cpio findutils git @@ -81,6 +82,7 @@ FROM docker/buildx-bin:${BUILDX_VERSION} AS buildx FROM docker/compose-bin:v${COMPOSE_VERSION} AS compose FROM crazymax/undock:${UNDOCK_VERSION} AS undock FROM ghcr.io/regclient/regctl:${REGCTL_VERSION} AS regctl +FROM ghcr.io/sigstore/cosign/cosign:${COSIGN_VERSION} AS cosign FROM deps AS test RUN --mount=type=bind,target=.,rw \ @@ -93,6 +95,7 @@ RUN --mount=type=bind,target=.,rw \ --mount=type=bind,from=compose,source=/docker-compose,target=/usr/bin/compose \ --mount=type=bind,from=undock,source=/usr/local/bin/undock,target=/usr/bin/undock \ --mount=type=bind,from=regctl,source=/regctl,target=/usr/bin/regctl \ + --mount=type=bind,from=cosign,source=/ko-app/cosign,target=/usr/bin/cosign \ --mount=type=secret,id=GITHUB_TOKEN \ GITHUB_TOKEN=$(cat /run/secrets/GITHUB_TOKEN) yarn run test:coverage --coverageDirectory=/tmp/coverage diff --git a/src/cosign/cosign.ts b/src/cosign/cosign.ts new file mode 100644 index 0000000..700706f --- /dev/null +++ b/src/cosign/cosign.ts @@ -0,0 +1,91 @@ +/** + * Copyright 2025 actions-toolkit authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import * as core from '@actions/core'; + +import {Exec} from '../exec'; +import * as semver from 'semver'; + +export interface CosignOpts { + binPath?: string; +} + +export class Cosign { + private readonly binPath: string; + private _version: string; + private _versionOnce: boolean; + + constructor(opts?: CosignOpts) { + this.binPath = opts?.binPath || 'cosign'; + this._version = ''; + this._versionOnce = false; + } + + public async isAvailable(): Promise { + const ok: boolean = await Exec.getExecOutput(this.binPath, [], { + ignoreReturnCode: true, + silent: true + }) + .then(res => { + if (res.stderr.length > 0 && res.exitCode != 0) { + core.debug(`Cosign.isAvailable cmd err: ${res.stderr.trim()}`); + return false; + } + return res.exitCode == 0; + }) + .catch(error => { + core.debug(`Cosign.isAvailable error: ${error}`); + return false; + }); + + core.debug(`Cosign.isAvailable: ${ok}`); + return ok; + } + + public async version(): Promise { + if (this._versionOnce) { + return this._version; + } + this._versionOnce = true; + this._version = await Exec.getExecOutput(this.binPath, ['version', '--json'], { + ignoreReturnCode: true, + silent: true + }).then(res => { + if (res.stderr.length > 0 && res.exitCode != 0) { + throw new Error(res.stderr.trim()); + } + return JSON.parse(res.stdout.trim()).gitVersion; + }); + return this._version; + } + + public async printVersion() { + await Exec.exec(this.binPath, ['version', '--json'], { + failOnStdErr: false + }); + } + + public async versionSatisfies(range: string, version?: string): Promise { + const ver = version ?? (await this.version()); + if (!ver) { + core.debug(`Cosign.versionSatisfies false: undefined version`); + return false; + } + const res = semver.satisfies(ver, range) || /^[0-9a-f]{7}$/.exec(ver) !== null; + core.debug(`Cosign.versionSatisfies ${ver} statisfies ${range}: ${res}`); + return res; + } +}