diff --git a/__tests__/cosign/install.test.itg.ts b/__tests__/cosign/install.test.itg.ts new file mode 100644 index 0000000..bcd0266 --- /dev/null +++ b/__tests__/cosign/install.test.itg.ts @@ -0,0 +1,50 @@ +/** + * Copyright 2025 actions-toolkit authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import {describe, expect, it, test} from '@jest/globals'; +import * as fs from 'fs'; + +import {Install} from '../../src/cosign/install'; + +const maybe = !process.env.GITHUB_ACTIONS || (process.env.GITHUB_ACTIONS === 'true' && process.env.ImageOS && process.env.ImageOS.startsWith('ubuntu')) ? describe : describe.skip; + +describe('download', () => { + // prettier-ignore + test.each(['latest'])( + 'install cosign %s', async (version) => { + await expect((async () => { + const install = new Install(); + const toolPath = await install.download(version); + if (!fs.existsSync(toolPath)) { + throw new Error('toolPath does not exist'); + } + const binPath = await install.install(toolPath); + if (!fs.existsSync(binPath)) { + throw new Error('binPath does not exist'); + } + })()).resolves.not.toThrow(); + }, 60000); +}); + +maybe('build', () => { + it.skip('builds refs/pull/4492/head', async () => { + const install = new Install(); + const toolPath = await install.build('https://github.com/sigstore/cosign.git#refs/pull/4492/head'); + expect(fs.existsSync(toolPath)).toBe(true); + const buildxBin = await install.install(toolPath); + expect(fs.existsSync(buildxBin)).toBe(true); + }, 500000); +}); diff --git a/__tests__/cosign/install.test.ts b/__tests__/cosign/install.test.ts new file mode 100644 index 0000000..287cd6c --- /dev/null +++ b/__tests__/cosign/install.test.ts @@ -0,0 +1,132 @@ +/** + * Copyright 2025 actions-toolkit authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import {describe, expect, it, jest, test, afterEach} from '@jest/globals'; +import fs from 'fs'; +import os from 'os'; +import path from 'path'; +import * as rimraf from 'rimraf'; +import osm = require('os'); + +import {Install} from '../../src/cosign/install'; + +const tmpDir = fs.mkdtempSync(path.join(process.env.TEMP || os.tmpdir(), 'cosign-install-')); + +afterEach(function () { + rimraf.sync(tmpDir); +}); + +describe('download', () => { + // prettier-ignore + test.each([ + ['v2.6.1'], + ['v3.0.1'], + ['latest'] + ])( + 'acquires %p of cosign', async (version) => { + const install = new Install(); + const toolPath = await install.download(version); + expect(fs.existsSync(toolPath)).toBe(true); + const cosignBin = await install.install(toolPath, tmpDir); + expect(fs.existsSync(cosignBin)).toBe(true); + }, 100000); + + // prettier-ignore + test.each([ + // following versions are already cached to htc from previous test cases + ['v2.6.1'], + ['v3.0.1'], + ])( + 'acquires %p of cosign with cache', async (version) => { + const install = new Install(); + const toolPath = await install.download(version); + expect(fs.existsSync(toolPath)).toBe(true); + }, 100000); + + // prettier-ignore + test.each([ + ['v2.5.3'], + ['v2.6.0'], + ])( + 'acquires %p of cosign without cache', async (version) => { + const install = new Install(); + const toolPath = await install.download(version, true); + expect(fs.existsSync(toolPath)).toBe(true); + }, 100000); + + // TODO: add tests for arm + // prettier-ignore + test.each([ + ['win32', 'x64'], + ['darwin', 'x64'], + ['darwin', 'arm64'], + ['linux', 'x64'], + ['linux', 'arm64'] + ])( + 'acquires undock for %s/%s', async (os, arch) => { + jest.spyOn(osm, 'platform').mockImplementation(() => os as NodeJS.Platform); + jest.spyOn(osm, 'arch').mockImplementation(() => arch); + const install = new Install(); + const cosignBin = await install.download('latest'); + expect(fs.existsSync(cosignBin)).toBe(true); + }, 100000); +}); + +describe('getDownloadVersion', () => { + it('returns latest download version', async () => { + const version = await Install.getDownloadVersion('latest'); + expect(version.version).toEqual('latest'); + expect(version.downloadURL).toEqual('https://github.com/sigstore/cosign/releases/download/v%s/%s'); + expect(version.contentOpts).toEqual({ + owner: 'docker', + repo: 'actions-toolkit', + ref: 'main', + path: '.github/cosign-releases.json' + }); + }); + it('returns v3.0.2 download version', async () => { + const version = await Install.getDownloadVersion('v3.0.2'); + expect(version.version).toEqual('v3.0.2'); + expect(version.downloadURL).toEqual('https://github.com/sigstore/cosign/releases/download/v%s/%s'); + expect(version.contentOpts).toEqual({ + owner: 'docker', + repo: 'actions-toolkit', + ref: 'main', + path: '.github/cosign-releases.json' + }); + }); +}); + +describe('getRelease', () => { + it('returns latest GitHub release', async () => { + const version = await Install.getDownloadVersion('latest'); + const release = await Install.getRelease(version); + expect(release).not.toBeNull(); + expect(release?.tag_name).not.toEqual(''); + }); + it('returns v3.0.2 GitHub release', async () => { + const version = await Install.getDownloadVersion('v3.0.2'); + const release = await Install.getRelease(version); + expect(release).not.toBeNull(); + expect(release?.id).toEqual(253720294); + expect(release?.tag_name).toEqual('v3.0.2'); + expect(release?.html_url).toEqual('https://github.com/sigstore/cosign/releases/tag/v3.0.2'); + }); + it('unknown release', async () => { + const version = await Install.getDownloadVersion('foo'); + await expect(Install.getRelease(version)).rejects.toThrow(new Error('Cannot find Cosign release foo in releases JSON')); + }); +}); diff --git a/src/cosign/dockerfile.ts b/src/cosign/dockerfile.ts new file mode 100644 index 0000000..0233b4b --- /dev/null +++ b/src/cosign/dockerfile.ts @@ -0,0 +1,61 @@ +/** + * Copyright 2025 actions-toolkit authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +export const dockerfileContent = ` +# syntax=docker/dockerfile:1 + +ARG GO_VERSION="1.24" +ARG ALPINE_VERSION="3.22" + +FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.7.0 AS xx + +FROM --platform=$BUILDPLATFORM golang:\${GO_VERSION}-alpine\${ALPINE_VERSION} AS builder-base +COPY --from=xx / / +RUN apk add --no-cache git +ENV GOTOOLCHAIN=auto +ENV CGO_ENABLED=0 +WORKDIR /src +RUN --mount=type=cache,target=/go/pkg/mod \\ + --mount=type=bind,source=go.mod,target=go.mod \\ + --mount=type=bind,source=go.sum,target=go.sum \\ + go mod download + +FROM builder-base AS version +RUN --mount=type=bind,target=. <<'EOT' + git rev-parse HEAD 2>/dev/null || { + echo >&2 "Failed to get git revision, make sure --build-arg BUILDKIT_CONTEXT_KEEP_GIT_DIR=1 is set when building from Git directly" + exit 1 + } + set -ex + export PKG=sigs.k8s.io BUILDDATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") TREESTATE=$(if ! git diff --no-ext-diff --quiet --exit-code; then echo dirty; else echo clean; fi) VERSION=$(git describe --match 'v[0-9]*' --dirty='.m' --always --tags) COMMIT=$(git rev-parse HEAD)$(if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi); + echo "-X \${PKG}/release-utils/version.gitVersion=\${VERSION} -X \${PKG}/release-utils/version.gitCommit=\${COMMIT} -X \${PKG}/release-utils/version.gitTreeState=\${TREESTATE} -X \${PKG}/release-utils/version.buildDate=\${BUILDDATE}" > /tmp/.ldflags; + echo -n "\${VERSION}" > /tmp/.version; +EOT + +FROM builder-base AS builder +ARG TARGETPLATFORM +RUN --mount=type=bind,target=. \\ + --mount=type=cache,target=/root/.cache,id=cosign-$TARGETPLATFORM \\ + --mount=source=/tmp/.ldflags,target=/tmp/.ldflags,from=version \\ + --mount=type=cache,target=/go/pkg/mod < { + const version: DownloadVersion = await Install.getDownloadVersion(v); + core.debug(`Install.download version: ${version.version}`); + + const release: GitHubRelease = await Install.getRelease(version, this.githubToken); + core.debug(`Install.download release tag name: ${release.tag_name}`); + + const vspec = await this.vspec(release.tag_name); + core.debug(`Install.download vspec: ${vspec}`); + + const c = semver.clean(vspec) || ''; + if (!semver.valid(c)) { + throw new Error(`Invalid Cosign version "${vspec}".`); + } + + const installCache = new Cache({ + htcName: 'cosign-dl-bin', + htcVersion: vspec, + baseCacheDir: path.join(os.homedir(), '.bin'), + cacheFile: os.platform() == 'win32' ? 'cosign.exe' : 'cosign', + ghaNoCache: ghaNoCache + }); + + const cacheFoundPath = await installCache.find(); + if (cacheFoundPath) { + core.info(`Cosign binary found in ${cacheFoundPath}`); + return cacheFoundPath; + } + + const downloadURL = util.format(version.downloadURL, vspec, this.filename()); + core.info(`Downloading ${downloadURL}`); + + const htcDownloadPath = await tc.downloadTool(downloadURL, undefined, this.githubToken); + core.debug(`Install.download htcDownloadPath: ${htcDownloadPath}`); + + const cacheSavePath = await installCache.save(htcDownloadPath); + core.info(`Cached to ${cacheSavePath}`); + return cacheSavePath; + } + + public async build(gitContext: string, ghaNoCache?: boolean): Promise { + const vspec = await this.vspec(gitContext); + core.debug(`Install.build vspec: ${vspec}`); + + const installCache = new Cache({ + htcName: 'cosign-build-bin', + htcVersion: vspec, + baseCacheDir: path.join(os.homedir(), '.bin'), + cacheFile: os.platform() == 'win32' ? 'cosign.exe' : 'cosign', + ghaNoCache: ghaNoCache + }); + + const cacheFoundPath = await installCache.find(); + if (cacheFoundPath) { + core.info(`Cosign binary found in ${cacheFoundPath}`); + return cacheFoundPath; + } + + const outputDir = path.join(Context.tmpDir(), 'cosign-build-cache'); + const buildCmd = await this.buildCommand(gitContext, outputDir); + + const buildBinPath = await Exec.getExecOutput(buildCmd.command, buildCmd.args, { + ignoreReturnCode: true, + input: Buffer.from(dockerfileContent) + }).then(res => { + if (res.stderr.length > 0 && res.exitCode != 0) { + throw new Error(`build failed with: ${res.stderr.match(/(.*)\s*$/)?.[0]?.trim() ?? 'unknown error'}`); + } + return `${outputDir}/cosign`; + }); + + const cacheSavePath = await installCache.save(buildBinPath); + core.info(`Cached to ${cacheSavePath}`); + return cacheSavePath; + } + + public async install(binPath: string, dest?: string): Promise { + dest = dest || Context.tmpDir(); + + const binDir = path.join(dest, 'cosign-bin'); + if (!fs.existsSync(binDir)) { + fs.mkdirSync(binDir, {recursive: true}); + } + const binName: string = os.platform() == 'win32' ? 'cosign.exe' : 'cosign'; + const cosignPath: string = path.join(binDir, binName); + fs.copyFileSync(binPath, cosignPath); + + core.info('Fixing perms'); + fs.chmodSync(cosignPath, '0755'); + + core.addPath(binDir); + core.info('Added Unodck to PATH'); + + core.info(`Binary path: ${cosignPath}`); + return cosignPath; + } + + private async buildCommand(gitContext: string, outputDir: string): Promise<{args: Array; command: string}> { + const buildxStandaloneFound = await new Buildx({standalone: true}).isAvailable(); + const buildxPluginFound = await new Buildx({standalone: false}).isAvailable(); + + let buildStandalone = false; + if ((await this.buildx.isStandalone()) && buildxStandaloneFound) { + core.debug(`Install.buildCommand: Buildx standalone found, build with it`); + buildStandalone = true; + } else if (!(await this.buildx.isStandalone()) && buildxPluginFound) { + core.debug(`Install.buildCommand: Buildx plugin found, build with it`); + buildStandalone = false; + } else if (buildxStandaloneFound) { + core.debug(`Install.buildCommand: Buildx plugin not found, but standalone found so trying to build with it`); + buildStandalone = true; + } else if (buildxPluginFound) { + core.debug(`Install.buildCommand: Buildx standalone not found, but plugin found so trying to build with it`); + buildStandalone = false; + } else { + throw new Error(`Neither buildx standalone or plugin have been found to build from ref ${gitContext}`); + } + + const args = ['build', '--platform', 'local', '--build-arg', 'BUILDKIT_CONTEXT_KEEP_GIT_DIR=1', '--output', `type=local,dest=${outputDir}`]; + if (process.env.GIT_AUTH_TOKEN) { + args.push('--secret', 'id=GIT_AUTH_TOKEN'); + } + args.push('-f-', gitContext); + + // prettier-ignore + return await new Buildx({standalone: buildStandalone}).getCommand(args); + } + + private filename(): string { + let arch: string; + switch (os.arch()) { + case 'x64': { + arch = 'amd64'; + break; + } + case 'ppc64': { + arch = 'ppc64le'; + break; + } + default: { + arch = os.arch(); + break; + } + } + const platform: string = os.platform() == 'win32' ? 'windows' : os.platform(); + const ext: string = os.platform() == 'win32' ? '.exe' : ''; + return util.format('cosign-%s-%s%s', platform, arch, ext); + } + + private async vspec(versionOrRef: string): Promise { + if (!Util.isValidRef(versionOrRef)) { + const v = versionOrRef.replace(/^v+|v+$/g, ''); + core.info(`Use ${v} version spec cache key for ${versionOrRef}`); + return v; + } + + // eslint-disable-next-line prefer-const + let [baseURL, ref] = versionOrRef.split('#'); + if (ref.length == 0) { + ref = 'master'; + } + + let sha: string; + if (ref.match(/^[0-9a-fA-F]{40}$/)) { + sha = ref; + } else { + sha = await Git.remoteSha(baseURL, ref, process.env.GIT_AUTH_TOKEN); + } + + const [owner, repo] = baseURL.substring('https://github.com/'.length).split('/'); + const key = `${owner}/${Util.trimSuffix(repo, '.git')}/${sha}`; + const hash = Util.hash(key); + core.info(`Use ${hash} version spec cache key for ${key}`); + return hash; + } + + public static async getDownloadVersion(v: string): Promise { + return { + version: v, + downloadURL: 'https://github.com/sigstore/cosign/releases/download/v%s/%s', + contentOpts: { + owner: 'docker', + repo: 'actions-toolkit', + ref: 'main', + path: '.github/cosign-releases.json' + } + }; + } + + public static async getRelease(version: DownloadVersion, githubToken?: string): Promise { + const github = new GitHub({token: githubToken}); + const releases = await github.releases('Cosign', version.contentOpts); + if (!releases[version.version]) { + throw new Error(`Cannot find Cosign release ${version.version} in releases JSON`); + } + return releases[version.version]; + } +} diff --git a/src/types/cosign/cosign.ts b/src/types/cosign/cosign.ts new file mode 100644 index 0000000..4aca14b --- /dev/null +++ b/src/types/cosign/cosign.ts @@ -0,0 +1,23 @@ +/** + * Copyright 2025 actions-toolkit authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import {GitHubContentOpts} from '../github'; + +export interface DownloadVersion { + version: string; + downloadURL: string; + contentOpts: GitHubContentOpts; +}