Merge pull request #826 from crazy-max/cosign-install

cosign install
2025-10-29 18:24:27 +01:00
parent 9ada6fdf12 5b8fb95ca3
commit 6b0ff671bc
5 changed files with 514 additions and 0 deletions
--- a/tests/cosign/install.test.itg.ts
+++ b/tests/cosign/install.test.itg.ts
@@ -0,0 +1,50 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {describe, expect, it, test} from '@jest/globals';
+import * as fs from 'fs';
+
+import {Install} from '../../src/cosign/install';
+
+const maybe = !process.env.GITHUB_ACTIONS || (process.env.GITHUB_ACTIONS === 'true' && process.env.ImageOS && process.env.ImageOS.startsWith('ubuntu')) ? describe : describe.skip;
+
+describe('download', () => {
+  // prettier-ignore
+  test.each(['latest'])(
+    'install cosign %s', async (version) => {
+      await expect((async () => {
+        const install = new Install();
+        const toolPath = await install.download(version);
+        if (!fs.existsSync(toolPath)) {
+          throw new Error('toolPath does not exist');
+        }
+        const binPath = await install.install(toolPath);
+        if (!fs.existsSync(binPath)) {
+          throw new Error('binPath does not exist');
+        }
+      })()).resolves.not.toThrow();
+    }, 60000);
+});
+
+maybe('build', () => {
+  it.skip('builds refs/pull/4492/head', async () => {
+    const install = new Install();
+    const toolPath = await install.build('https://github.com/sigstore/cosign.git#refs/pull/4492/head');
+    expect(fs.existsSync(toolPath)).toBe(true);
+    const buildxBin = await install.install(toolPath);
+    expect(fs.existsSync(buildxBin)).toBe(true);
+  }, 500000);
+});
--- a/tests/cosign/install.test.ts
+++ b/tests/cosign/install.test.ts
@@ -0,0 +1,132 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {describe, expect, it, jest, test, afterEach} from '@jest/globals';
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import * as rimraf from 'rimraf';
+import osm = require('os');
+
+import {Install} from '../../src/cosign/install';
+
+const tmpDir = fs.mkdtempSync(path.join(process.env.TEMP || os.tmpdir(), 'cosign-install-'));
+
+afterEach(function () {
+  rimraf.sync(tmpDir);
+});
+
+describe('download', () => {
+  // prettier-ignore
+  test.each([
+    ['v2.6.1'],
+    ['v3.0.1'],
+    ['latest']
+  ])(
+  'acquires %p of cosign', async (version) => {
+    const install = new Install();
+    const toolPath = await install.download(version);
+    expect(fs.existsSync(toolPath)).toBe(true);
+    const cosignBin = await install.install(toolPath, tmpDir);
+    expect(fs.existsSync(cosignBin)).toBe(true);
+  }, 100000);
+
+  // prettier-ignore
+  test.each([
+    // following versions are already cached to htc from previous test cases
+    ['v2.6.1'],
+    ['v3.0.1'],
+  ])(
+  'acquires %p of cosign with cache', async (version) => {
+    const install = new Install();
+    const toolPath = await install.download(version);
+    expect(fs.existsSync(toolPath)).toBe(true);
+  }, 100000);
+
+  // prettier-ignore
+  test.each([
+    ['v2.5.3'],
+    ['v2.6.0'],
+  ])(
+  'acquires %p of cosign without cache', async (version) => {
+    const install = new Install();
+    const toolPath = await install.download(version, true);
+    expect(fs.existsSync(toolPath)).toBe(true);
+  }, 100000);
+
+  // TODO: add tests for arm
+  // prettier-ignore
+  test.each([
+    ['win32', 'x64'],
+    ['darwin', 'x64'],
+    ['darwin', 'arm64'],
+    ['linux', 'x64'],
+    ['linux', 'arm64']
+  ])(
+  'acquires undock for %s/%s', async (os, arch) => {
+    jest.spyOn(osm, 'platform').mockImplementation(() => os as NodeJS.Platform);
+    jest.spyOn(osm, 'arch').mockImplementation(() => arch);
+    const install = new Install();
+    const cosignBin = await install.download('latest');
+    expect(fs.existsSync(cosignBin)).toBe(true);
+  }, 100000);
+});
+
+describe('getDownloadVersion', () => {
+  it('returns latest download version', async () => {
+    const version = await Install.getDownloadVersion('latest');
+    expect(version.version).toEqual('latest');
+    expect(version.downloadURL).toEqual('https://github.com/sigstore/cosign/releases/download/v%s/%s');
+    expect(version.contentOpts).toEqual({
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/cosign-releases.json'
+    });
+  });
+  it('returns v3.0.2 download version', async () => {
+    const version = await Install.getDownloadVersion('v3.0.2');
+    expect(version.version).toEqual('v3.0.2');
+    expect(version.downloadURL).toEqual('https://github.com/sigstore/cosign/releases/download/v%s/%s');
+    expect(version.contentOpts).toEqual({
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/cosign-releases.json'
+    });
+  });
+});
+
+describe('getRelease', () => {
+  it('returns latest GitHub release', async () => {
+    const version = await Install.getDownloadVersion('latest');
+    const release = await Install.getRelease(version);
+    expect(release).not.toBeNull();
+    expect(release?.tag_name).not.toEqual('');
+  });
+  it('returns v3.0.2 GitHub release', async () => {
+    const version = await Install.getDownloadVersion('v3.0.2');
+    const release = await Install.getRelease(version);
+    expect(release).not.toBeNull();
+    expect(release?.id).toEqual(253720294);
+    expect(release?.tag_name).toEqual('v3.0.2');
+    expect(release?.html_url).toEqual('https://github.com/sigstore/cosign/releases/tag/v3.0.2');
+  });
+  it('unknown release', async () => {
+    const version = await Install.getDownloadVersion('foo');
+    await expect(Install.getRelease(version)).rejects.toThrow(new Error('Cannot find Cosign release foo in releases JSON'));
+  });
+});
--- a/src/cosign/dockerfile.ts
+++ b/src/cosign/dockerfile.ts
@@ -0,0 +1,61 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+export const dockerfileContent = `
+# syntax=docker/dockerfile:1
+
+ARG GO_VERSION="1.24"
+ARG ALPINE_VERSION="3.22"
+
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.7.0 AS xx
+
+FROM --platform=$BUILDPLATFORM golang:\${GO_VERSION}-alpine\${ALPINE_VERSION} AS builder-base
+COPY --from=xx / /
+RUN apk add --no-cache git
+ENV GOTOOLCHAIN=auto
+ENV CGO_ENABLED=0
+WORKDIR /src
+RUN --mount=type=cache,target=/go/pkg/mod \\
+    --mount=type=bind,source=go.mod,target=go.mod \\
+    --mount=type=bind,source=go.sum,target=go.sum \\
+    go mod download
+
+FROM builder-base AS version
+RUN --mount=type=bind,target=. <<'EOT'
+  git rev-parse HEAD 2>/dev/null || {
+    echo >&2 "Failed to get git revision, make sure --build-arg BUILDKIT_CONTEXT_KEEP_GIT_DIR=1 is set when building from Git directly"
+    exit 1
+  }
+  set -ex
+  export PKG=sigs.k8s.io BUILDDATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") TREESTATE=$(if ! git diff --no-ext-diff --quiet --exit-code; then echo dirty; else echo clean; fi) VERSION=$(git describe --match 'v[0-9]*' --dirty='.m' --always --tags) COMMIT=$(git rev-parse HEAD)$(if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi);
+  echo "-X \${PKG}/release-utils/version.gitVersion=\${VERSION} -X \${PKG}/release-utils/version.gitCommit=\${COMMIT} -X \${PKG}/release-utils/version.gitTreeState=\${TREESTATE} -X \${PKG}/release-utils/version.buildDate=\${BUILDDATE}" > /tmp/.ldflags;
+  echo -n "\${VERSION}" > /tmp/.version;
+EOT
+
+FROM builder-base AS builder
+ARG TARGETPLATFORM
+RUN --mount=type=bind,target=. \\
+    --mount=type=cache,target=/root/.cache,id=cosign-$TARGETPLATFORM \\
+    --mount=source=/tmp/.ldflags,target=/tmp/.ldflags,from=version \\
+    --mount=type=cache,target=/go/pkg/mod <<EOT
+  set -ex
+  xx-go build -trimpath -ldflags "-s -w $(cat /tmp/.ldflags)" -o /out/cosign ./cmd/cosign
+  xx-verify --static /out/cosign
+EOT
+
+FROM scratch
+COPY --from=builder /out /
+`;
--- a/src/cosign/install.ts
+++ b/src/cosign/install.ts
@@ -0,0 +1,248 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import * as core from '@actions/core';
+import * as tc from '@actions/tool-cache';
+import * as semver from 'semver';
+import * as util from 'util';
+
+import {Buildx} from '../buildx/buildx';
+import {Cache} from '../cache';
+import {Context} from '../context';
+import {Exec} from '../exec';
+import {Git} from '../git';
+import {GitHub} from '../github';
+import {Util} from '../util';
+
+import {DownloadVersion} from '../types/cosign/cosign';
+import {GitHubRelease} from '../types/github';
+import {dockerfileContent} from './dockerfile';
+
+export interface InstallOpts {
+  githubToken?: string;
+  buildx?: Buildx;
+}
+
+export class Install {
+  private readonly githubToken: string | undefined;
+  private readonly buildx: Buildx;
+
+  constructor(opts?: InstallOpts) {
+    this.githubToken = opts?.githubToken || process.env.GITHUB_TOKEN;
+    this.buildx = opts?.buildx || new Buildx();
+  }
+
+  public async download(v: string, ghaNoCache?: boolean): Promise<string> {
+    const version: DownloadVersion = await Install.getDownloadVersion(v);
+    core.debug(`Install.download version: ${version.version}`);
+
+    const release: GitHubRelease = await Install.getRelease(version, this.githubToken);
+    core.debug(`Install.download release tag name: ${release.tag_name}`);
+
+    const vspec = await this.vspec(release.tag_name);
+    core.debug(`Install.download vspec: ${vspec}`);
+
+    const c = semver.clean(vspec) || '';
+    if (!semver.valid(c)) {
+      throw new Error(`Invalid Cosign version "${vspec}".`);
+    }
+
+    const installCache = new Cache({
+      htcName: 'cosign-dl-bin',
+      htcVersion: vspec,
+      baseCacheDir: path.join(os.homedir(), '.bin'),
+      cacheFile: os.platform() == 'win32' ? 'cosign.exe' : 'cosign',
+      ghaNoCache: ghaNoCache
+    });
+
+    const cacheFoundPath = await installCache.find();
+    if (cacheFoundPath) {
+      core.info(`Cosign binary found in ${cacheFoundPath}`);
+      return cacheFoundPath;
+    }
+
+    const downloadURL = util.format(version.downloadURL, vspec, this.filename());
+    core.info(`Downloading ${downloadURL}`);
+
+    const htcDownloadPath = await tc.downloadTool(downloadURL, undefined, this.githubToken);
+    core.debug(`Install.download htcDownloadPath: ${htcDownloadPath}`);
+
+    const cacheSavePath = await installCache.save(htcDownloadPath);
+    core.info(`Cached to ${cacheSavePath}`);
+    return cacheSavePath;
+  }
+
+  public async build(gitContext: string, ghaNoCache?: boolean): Promise<string> {
+    const vspec = await this.vspec(gitContext);
+    core.debug(`Install.build vspec: ${vspec}`);
+
+    const installCache = new Cache({
+      htcName: 'cosign-build-bin',
+      htcVersion: vspec,
+      baseCacheDir: path.join(os.homedir(), '.bin'),
+      cacheFile: os.platform() == 'win32' ? 'cosign.exe' : 'cosign',
+      ghaNoCache: ghaNoCache
+    });
+
+    const cacheFoundPath = await installCache.find();
+    if (cacheFoundPath) {
+      core.info(`Cosign binary found in ${cacheFoundPath}`);
+      return cacheFoundPath;
+    }
+
+    const outputDir = path.join(Context.tmpDir(), 'cosign-build-cache');
+    const buildCmd = await this.buildCommand(gitContext, outputDir);
+
+    const buildBinPath = await Exec.getExecOutput(buildCmd.command, buildCmd.args, {
+      ignoreReturnCode: true,
+      input: Buffer.from(dockerfileContent)
+    }).then(res => {
+      if (res.stderr.length > 0 && res.exitCode != 0) {
+        throw new Error(`build failed with: ${res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error'}`);
+      }
+      return `${outputDir}/cosign`;
+    });
+
+    const cacheSavePath = await installCache.save(buildBinPath);
+    core.info(`Cached to ${cacheSavePath}`);
+    return cacheSavePath;
+  }
+
+  public async install(binPath: string, dest?: string): Promise<string> {
+    dest = dest || Context.tmpDir();
+
+    const binDir = path.join(dest, 'cosign-bin');
+    if (!fs.existsSync(binDir)) {
+      fs.mkdirSync(binDir, {recursive: true});
+    }
+    const binName: string = os.platform() == 'win32' ? 'cosign.exe' : 'cosign';
+    const cosignPath: string = path.join(binDir, binName);
+    fs.copyFileSync(binPath, cosignPath);
+
+    core.info('Fixing perms');
+    fs.chmodSync(cosignPath, '0755');
+
+    core.addPath(binDir);
+    core.info('Added Unodck to PATH');
+
+    core.info(`Binary path: ${cosignPath}`);
+    return cosignPath;
+  }
+
+  private async buildCommand(gitContext: string, outputDir: string): Promise<{args: Array<string>; command: string}> {
+    const buildxStandaloneFound = await new Buildx({standalone: true}).isAvailable();
+    const buildxPluginFound = await new Buildx({standalone: false}).isAvailable();
+
+    let buildStandalone = false;
+    if ((await this.buildx.isStandalone()) && buildxStandaloneFound) {
+      core.debug(`Install.buildCommand: Buildx standalone found, build with it`);
+      buildStandalone = true;
+    } else if (!(await this.buildx.isStandalone()) && buildxPluginFound) {
+      core.debug(`Install.buildCommand: Buildx plugin found, build with it`);
+      buildStandalone = false;
+    } else if (buildxStandaloneFound) {
+      core.debug(`Install.buildCommand: Buildx plugin not found, but standalone found so trying to build with it`);
+      buildStandalone = true;
+    } else if (buildxPluginFound) {
+      core.debug(`Install.buildCommand: Buildx standalone not found, but plugin found so trying to build with it`);
+      buildStandalone = false;
+    } else {
+      throw new Error(`Neither buildx standalone or plugin have been found to build from ref ${gitContext}`);
+    }
+
+    const args = ['build', '--platform', 'local', '--build-arg', 'BUILDKIT_CONTEXT_KEEP_GIT_DIR=1', '--output', `type=local,dest=${outputDir}`];
+    if (process.env.GIT_AUTH_TOKEN) {
+      args.push('--secret', 'id=GIT_AUTH_TOKEN');
+    }
+    args.push('-f-', gitContext);
+
+    // prettier-ignore
+    return await new Buildx({standalone: buildStandalone}).getCommand(args);
+  }
+
+  private filename(): string {
+    let arch: string;
+    switch (os.arch()) {
+      case 'x64': {
+        arch = 'amd64';
+        break;
+      }
+      case 'ppc64': {
+        arch = 'ppc64le';
+        break;
+      }
+      default: {
+        arch = os.arch();
+        break;
+      }
+    }
+    const platform: string = os.platform() == 'win32' ? 'windows' : os.platform();
+    const ext: string = os.platform() == 'win32' ? '.exe' : '';
+    return util.format('cosign-%s-%s%s', platform, arch, ext);
+  }
+
+  private async vspec(versionOrRef: string): Promise<string> {
+    if (!Util.isValidRef(versionOrRef)) {
+      const v = versionOrRef.replace(/^v+|v+$/g, '');
+      core.info(`Use ${v} version spec cache key for ${versionOrRef}`);
+      return v;
+    }
+
+    // eslint-disable-next-line prefer-const
+    let [baseURL, ref] = versionOrRef.split('#');
+    if (ref.length == 0) {
+      ref = 'master';
+    }
+
+    let sha: string;
+    if (ref.match(/^[0-9a-fA-F]{40}$/)) {
+      sha = ref;
+    } else {
+      sha = await Git.remoteSha(baseURL, ref, process.env.GIT_AUTH_TOKEN);
+    }
+
+    const [owner, repo] = baseURL.substring('https://github.com/'.length).split('/');
+    const key = `${owner}/${Util.trimSuffix(repo, '.git')}/${sha}`;
+    const hash = Util.hash(key);
+    core.info(`Use ${hash} version spec cache key for ${key}`);
+    return hash;
+  }
+
+  public static async getDownloadVersion(v: string): Promise<DownloadVersion> {
+    return {
+      version: v,
+      downloadURL: 'https://github.com/sigstore/cosign/releases/download/v%s/%s',
+      contentOpts: {
+        owner: 'docker',
+        repo: 'actions-toolkit',
+        ref: 'main',
+        path: '.github/cosign-releases.json'
+      }
+    };
+  }
+
+  public static async getRelease(version: DownloadVersion, githubToken?: string): Promise<GitHubRelease> {
+    const github = new GitHub({token: githubToken});
+    const releases = await github.releases('Cosign', version.contentOpts);
+    if (!releases[version.version]) {
+      throw new Error(`Cannot find Cosign release ${version.version} in releases JSON`);
+    }
+    return releases[version.version];
+  }
+}
--- a/src/types/cosign/cosign.ts
+++ b/src/types/cosign/cosign.ts
@@ -0,0 +1,23 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {GitHubContentOpts} from '../github';
+
+export interface DownloadVersion {
+  version: string;
+  downloadURL: string;
+  contentOpts: GitHubContentOpts;
+}