sudo mv the cosign binary to the install-dir

We cannot use `install-dir`s like `/usr/bin/cosign` right now because this would cause an permission denied error. To be able to use those paths we have to run `mv` and `chmod` via root. Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
sigstore · Jun 22, 2022 · 530738d · 530738d
1 parent 6679bb8
commit 530738d
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 2 deletions.
diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml
@@ -176,6 +176,39 @@ jobs:
           fi
         shell: bash
 
+  test_cosign_action_custom_dir_root:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [macos-latest, ubuntu-latest, windows-latest]
+    permissions: {}
+    name: Install Custom Cosign and test presence in path
+    steps:
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #v3
+      - name: Install Cosign
+        uses: ./
+        with:
+          install-dir: "/usr/bin"
+      - name: Check install!
+        run: cosign version
+      - name: Check install dir!
+        run: |
+          if [[ $(dirname `which cosign`) == "/usr/bin/cosign" ]]; then
+            exit 0
+          else
+            exit 1
+          fi
+        shell: bash
+      - name: Check root directory
+        run: |
+          if [[ $(git diff --stat) != '' ]]; then
+            echo 'should be clean'
+            exit 1
+          else
+            exit 0
+          fi
+        shell: bash
+
   # test_cosign_with_go_install:
   #   runs-on: ubuntu-latest
   #   permissions: {}

diff --git a/action.yml b/action.yml
@@ -235,8 +235,14 @@ runs:
           ./cosign verify-blob --key $RELEASE_COSIGN_PUB_KEY --signature ${desired_cosign_filename}.sig cosign_${{ inputs.cosign-release }}
 
           rm cosign
-          mv cosign_${{ inputs.cosign-release }} ${cosign_executable_name}
-          chmod +x ${cosign_executable_name}
+
+          SUDO=
+          if command -v sudo; then
+            SUDO=sudo
+          fi
+
+          $SUDO mv cosign_${{ inputs.cosign-release }} ${cosign_executable_name}
+          $SUDO chmod +x ${cosign_executable_name}
           log_info "Installation complete!"
         fi
     - if: ${{ runner.os == 'Linux' || runner.os == 'macOS' }}