feat: improve plugin installation UX

[duffney]

Adds an install and remove subcommand to the notation plugin command. The install command takes a plugin binary and copies it to the plugin directory. If the plugin directory doesn't exist, it is created, and the plugin copied. If an exist plugin exists, the version is compared and copied when the current version is less than the version of the plugin binary provided as an argument. A --force flag is available to overwrite this logic and copy the plugin binary regardless of the existing plugin version. The remove command removes the plugin specific directory and its contents.

[yizha1]

@priteshbandi @shizhMSFT @FeynmanZhou I suggest we also put this new subcommand install as experimental command since install command takes a plugin binary only, how can users get to know what kind of file should be used. So, it will be good to let users try this command first and provide feedback.

[shizhMSFT]

Should we make a struct instead of a single variable?

[duffney]

Are there any other config settings we'd like to add to the struct? If so, it might be worthwhile to look into adding viper for configuration.

[shizhMSFT]

@priteshbandi I'd like to see if notation plugin install from a tar gz file. There is no security risk if we require the file structure in the tar ball to be flatten and only allow regular files. No symlinks and hard links of course.

[codecov-commenter]

Codecov Report

Merging #617 (3eb146c) into main (c9d3997) will decrease coverage by 2.92%.
The diff coverage is 19.01%.

❗ Your organization is not using the GitHub App Integration. As a result you may experience degraded service beginning May 15th. Please install the Github App Integration for your organization. Read more.

@@            Coverage Diff             @@
##             main     #617      +/-   ##
==========================================
- Coverage   63.77%   60.86%   -2.92%     
==========================================
  Files          40       40              
  Lines        2228     2379     +151     
==========================================
+ Hits         1421     1448      +27     
- Misses        686      808     +122     
- Partials      121      123       +2     

Impacted Files	Coverage Δ
cmd/notation/plugin.go	35.86% <19.01%> (-56.99%)	⬇️

... and 1 file with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[duffney]

@priteshbandi @shizhMSFT @FeynmanZhou I suggest we also put this new subcommand install as experimental command since install command takes a plugin binary only, how can users get to know what kind of file should be used. So, it will be good to let users try this command first and provide feedback.

Is there anything I need to do to mark it as experimental?

[yizha1]

@priteshbandi @shizhMSFT @FeynmanZhou I suggest we also put this new subcommand install as experimental command since install command takes a plugin binary only, how can users get to know what kind of file should be used. So, it will be good to let users try this command first and provide feedback.

Is there anything I need to do to mark it as experimental?

@duffney Sorry. Please ignore my comments for now.

[duffney]

My apologies to everyone for the delay in replying to these comments. I'm actively re-reviewing all the comments and working to resolve them. Thank you for your patience. :)

[duffney]

@priteshbandi I'd like to see if notation plugin install from a tar gz file. There is no security risk if we require the file structure in the tar ball to be flatten and only allow regular files. No symlinks and hard links of course.

I agree. Users will expect the subcommand to handle archives because that's how they're downloaded. If it's not added to this PR, it might be worth adding error handling for people who pass in a .zip or .tar.gz to throw and error saying it needs to be extracted.

[yizha1]

Closed as plugin installation was covered by a different PR #827