
add multiarch support for both linux and macOS runners (#43)
Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
bobcallaway committed Dec 29, 2021
1 parent eff0e5b commit 8eebefc
Showing 3 changed files with 175 additions and 38 deletions.
38 changes: 31 additions & 7 deletions .github/workflows/test-action.yml
Expand Up @@ -4,7 +4,10 @@ on: [pull_request]

jobs:
test_cosign_action:
runs-on: ubuntu-latest
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [macos-latest, ubuntu-latest]
permissions:
actions: none
checks: none
Expand Down Expand Up @@ -33,7 +36,11 @@ jobs:
fi
test_existing_release_action:
runs-on: ubuntu-latest
# this does not run on macOS as the support for multi-arch was not added yet
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest]
permissions:
actions: none
checks: none
Expand Down Expand Up @@ -62,7 +69,10 @@ jobs:
fi
test_cosign_action_custom:
runs-on: ubuntu-latest
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [macos-latest, ubuntu-latest]
permissions:
actions: none
checks: none
Expand Down Expand Up @@ -93,7 +103,10 @@ jobs:
fi
test_cosign_action_0_6_0:
runs-on: ubuntu-latest
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [macos-latest, ubuntu-latest]
permissions:
actions: none
checks: none
Expand Down Expand Up @@ -124,7 +137,11 @@ jobs:
fi
test_cosign_action_0_6_0_with_pre_installed_libpcsclite1_package:
runs-on: ubuntu-latest
# this test is specifically for linux and pcsclite1 dependencies
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest]
permissions:
actions: none
checks: none
Expand Down Expand Up @@ -159,7 +176,10 @@ jobs:
fi
test_cosign_action_wrong:
runs-on: ubuntu-latest
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [macos-latest, ubuntu-latest]
permissions:
actions: none
checks: none
Expand All @@ -179,8 +199,12 @@ jobs:
with:
cosign-release: 'honk'
continue-on-error: true

test_cosign_action_custom_dir:
runs-on: ubuntu-latest
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [macos-latest, ubuntu-latest]
permissions:
actions: none
checks: none
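Review bot: Every two-OS matrix added here (`os: [macos-latest, ubuntu-latest]`) keeps the default `fail-fast: true`, so when one leg fails GitHub cancels the other and an OS-specific breakage leaves no evidence of whether the sibling platform was also affected; adding `fail-fast: false` under each `strategy:` keeps both results visible. The single-element matrices on `test_existing_release_action` and the libpcsclite1 job are harmless but could simply be `runs-on: ubuntu-latest`; if the matrix form is kept for uniformity, the comment on the first of them would be clearer as `# ubuntu-latest only: the released action version under test presumably predates macOS/multi-arch support`, since "multi-arch" as written reads as if it were a runner limitation. Each job's steps run past the hunk shown, so only the `runs-on`/`strategy`/`permissions` headers were reviewed.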
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -8,6 +8,8 @@ For available `cosign` releases, see https://github.com/sigstore/cosign/releases

## Usage

This action currently supports both Linux and macOS runners (Windows support coming soon!)

Add the following entry to your Github workflow YAML file:

```yaml
173 changes: 142 additions & 31 deletions action.yml
@@ -1,13 +1,14 @@
# action.yml
name: install-cosign
description: 'Install Cosign and put it on your path'
name: cosign-installer
author: sigstore
description: 'Installs cosign and includes it in your path'
branding:
icon: 'package'
color: 'blue'
# This is pinned to the last major release, we have to bump it for each action version.
inputs:
cosign-release:
description: 'Cosign release version to use in the actions.'
description: 'cosign release version to be installed'
required: false
default: 'v1.4.1'
install-dir:
Expand All @@ -18,56 +19,165 @@ runs:
using: "composite"
steps:
# We verify the version against a SHA **in the published action itself**, not in the GCS bucket.
- run: |
- if: ${{ runner.os == 'Linux' || runner.os == 'macOS' }}
shell: bash
run: |
#!/bin/bash
# cosign install script
shopt -s expand_aliases
if [ -z "$NO_COLOR" ]; then
alias log_info="echo -e \"\033[1;32mINFO\033[0m:\""
alias log_error="echo -e \"\033[1;31mERROR\033[0m:\""
else
alias log_info="echo \"INFO:\""
alias log_error="echo \"ERROR:\""
fi
set -e
bootstrap_version='v1.4.1'
bootstrap_linux_amd64_sha='08ba779a4e6ff827079abed1a6d1f0a0d9e48aea21f520ddeb42ff912f59d268'
bootstrap_linux_arm_sha='d13f12dea3b65ec4bcd25fe23d35772f7b0b5997dba14947ce242e1260b3a15d'
bootstrap_linux_arm64_sha='b0c02b607e722b9d2b1807f6efb73042762e77391c51c8948710e7f571ceaa73'
bootstrap_darwin_amd64_sha='0908ffd3ceea5534c27059e30276094d63ed9339c2bf75e38e3d88d0a34502f3'
bootstrap_darwin_arm64_sha='f8162aba987e1afddb20a672e47fb070ec6bf1547f65f23159e0f4a61e4ea673'
trap "popd" EXIT
mkdir -p ${{ inputs.install-dir }}
pushd ${{ inputs.install-dir }}
pushd ${{ inputs.install-dir }} > /dev/null
bootstrap_version='v1.4.1'
expected_bootstrap_version_digest='08ba779a4e6ff827079abed1a6d1f0a0d9e48aea21f520ddeb42ff912f59d268'
curl -L https://storage.googleapis.com/cosign-releases/${bootstrap_version}/cosign-linux-amd64 -o cosign
shaBootstrap=$(sha256sum cosign | cut -d' ' -f1);
if [[ $shaBootstrap != ${expected_bootstrap_version_digest} ]]; then exit 1; fi
case ${{ runner.os }} in
Linux)
shaprog='sha256sum'
case ${{ runner.arch }} in
X64)
bootstrap_filename='cosign-linux-amd64'
bootstrap_sha=${bootstrap_linux_amd64_sha}
desired_cosign_filename='cosign-linux-amd64'
# v0.6.0 had different filename structures from all other releases
if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
desired_cosign_filename='cosign_linux_amd64'
desired_cosign_v060_signature='cosign_linux_amd64_0.6.0_linux_amd64.sig'
fi
;;
ARM)
bootstrap_filename='cosign-linux-arm'
bootstrap_sha=${bootstrap_linux_arm_sha}
desired_cosign_filename='cosign-linux-arm'
if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
log_error "linux-arm build not available at v0.6.0"
exit 1
fi
;;
ARM64)
bootstrap_filename='cosign-linux-arm64'
bootstrap_sha=${bootstrap_linux_arm64_sha}
desired_cosign_filename='cosign-linux-amd64'
if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
log_error "linux-arm64 build not available at v0.6.0"
exit 1
fi
;;
*)
log_error "unsupported architecture $arch"
exit 1
;;
esac
;;
macOS)
shaprog='shasum -a256'
case ${{ runner.arch }} in
X64)
bootstrap_filename='cosign-darwin-amd64'
bootstrap_sha=${bootstrap_darwin_amd64_sha}
desired_cosign_filename='cosign-darwin-amd64'
# v0.6.0 had different filename structures from all other releases
if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
desired_cosign_filename='cosign_darwin_amd64'
desired_cosign_v060_signature='cosign_darwin_amd64_0.6.0_darwin_amd64.sig'
fi
;;
ARM64)
bootstrap_filename='cosign-darwin-arm64'
bootstrap_sha=${bootstrap_darwin_arm64_sha}
desired_cosign_filename='cosign-darwin-arm64'
# v0.6.0 had different filename structures from all other releases
if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
desired_cosign_filename='cosign_darwin_arm64'
desired_cosign_v060_signature='cosign_darwin_arm64_0.6.0_darwin_arm64.sig'
fi
;;
*)
log_error "unsupported architecture $arch"
exit 1
;;
esac
;;
*)
log_error "unsupported architecture $arch"
exit 1
;;
esac
expected_bootstrap_version_digest=${bootstrap_sha}
log_info "Downloading bootstrap version '${bootstrap_version}' of cosign to verify version to be installed...\n https://storage.googleapis.com/cosign-releases/${bootstrap_version}/${bootstrap_filename}"
curl -sL https://storage.googleapis.com/cosign-releases/${bootstrap_version}/${bootstrap_filename} -o cosign
shaBootstrap=$(${shaprog} cosign | cut -d' ' -f1);
if [[ $shaBootstrap != ${expected_bootstrap_version_digest} ]]; then
log_error "Unable to validate cosign version: '${{ inputs.cosign-release }}'"
exit 1
fi
chmod +x cosign
# If the bootstrap and specified `cosign` releases are the same, we're done.
if [[ ${{ inputs.cosign-release }} == ${bootstrap_version} ]]; then exit 0; fi
if [[ ${{ inputs.cosign-release }} == ${bootstrap_version} ]]; then
log_info "bootstrap version successfully verified and matches requested version so nothing else to do"
exit 0
fi
semver='^v([0-9]+\.){0,2}(\*|[0-9]+)$'
if [[ ${{ inputs.cosign-release }} =~ $semver ]]; then
echo "INFO: Custom Cosign Version ${{ inputs.cosign-release }}"
log_info "Custom cosign version '${{ inputs.cosign-release }}' requested"
else
echo "ERROR: Unable to validate cosign version: '${{ inputs.cosign-release }}'"
log_error "Unable to validate requested cosign version: '${{ inputs.cosign-release }}'"
exit 1
fi
# Download custom cosign
if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
curl -L https://storage.googleapis.com/cosign-releases/${{ inputs.cosign-release }}/cosign_linux_amd64 -o cosign_${{ inputs.cosign-release }}
else
curl -L https://storage.googleapis.com/cosign-releases/${{ inputs.cosign-release }}/cosign-linux-amd64 -o cosign_${{ inputs.cosign-release }}
fi
shaCustom=$(sha256sum cosign_${{ inputs.cosign-release }} | cut -d' ' -f1);
log_info "Downloading platform-specific version '${{ inputs.cosign-release }}' of cosign...\n https://storage.googleapis.com/cosign-releases/${{ inputs.cosign-release }}/${desired_cosign_filename}"
curl -sL https://storage.googleapis.com/cosign-releases/${{ inputs.cosign-release }}/${desired_cosign_filename} -o cosign_${{ inputs.cosign-release }}
shaCustom=$(${shaprog} cosign_${{ inputs.cosign-release }} | cut -d' ' -f1);
# same hash means it is the same release
if [[ $shaCustom != $shaBootstrap ]];
then
if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
if [[ $shaCustom != $shaBootstrap ]]; then
if [[ ${{ inputs.cosign-release }} == 'v0.6.0' && ${{ runner.os }} == 'Linux' ]]; then
# v0.6.0's linux release has a dependency on `libpcsclite1`
log_info "Installing libpcsclite1 package if necessary..."
set +e
sudo dpkg -s libpcsclite1
if [ $? -eq 0 ]; then
echo "INFO: libpcsclite1 package is already installed"
log_info "libpcsclite1 package is already installed"
else
echo "INFO: libpcsclite1 package is not installed, installing it now."
sudo apt-get update -q
log_info "libpcsclite1 package is not installed, installing it now."
sudo apt-get update -q -q
sudo apt-get install -yq libpcsclite1
fi
set -e
curl -L https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/cosign_linux_amd64_0.6.0_linux_amd64.sig -o cosign-linux-amd64.sig
fi
if [[ ${{ inputs.cosign-release }} == 'v0.6.0' ]]; then
log_info "Downloading detached signature for platform-specific '${{ inputs.cosign-release }}' of cosign...\n https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_v060_signature}"
curl -sL https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_v060_signature} -o ${desired_cosign_filename}.sig
else
curl -LO https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/cosign-linux-amd64.sig
log_info "Downloading detached signature for platform-specific '${{ inputs.cosign-release }}' of cosign...\n https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_filename}.sig"
curl -sLO https://github.com/sigstore/cosign/releases/download/${{ inputs.cosign-release }}/${desired_cosign_filename}.sig
fi
if [[ ${{ inputs.cosign-release }} < 'v0.6.0' ]]; then
Expand All @@ -76,13 +186,14 @@ runs:
RELEASE_COSIGN_PUB_KEY=https://raw.githubusercontent.com/sigstore/cosign/${{ inputs.cosign-release }}/release/release-cosign.pub
fi
./cosign verify-blob --key $RELEASE_COSIGN_PUB_KEY --signature cosign-linux-amd64.sig cosign_${{ inputs.cosign-release }}
if [[ $? != 0 ]]; then exit 1; fi
log_info "Using bootstrap cosign to verify signature of desired cosign version"
./cosign verify-blob --key $RELEASE_COSIGN_PUB_KEY --signature ${desired_cosign_filename}.sig cosign_${{ inputs.cosign-release }}
rm cosign
mv cosign_${{ inputs.cosign-release }} cosign
chmod +x cosign
log_info "Installation complete!"
fi
shell: bash
- run: echo "${{ inputs.install-dir }}" >> $GITHUB_PATH
- if: ${{ runner.os == 'Linux' || runner.os == 'macOS' }}
run: echo "${{ inputs.install-dir }}" >> $GITHUB_PATH
shell: bash
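Review bot: The Linux `ARM64)` branch sets `desired_cosign_filename='cosign-linux-amd64'` while its bootstrap filename and digest are the arm64 ones, so on an arm64 Linux runner the amd64 release would be downloaded, pass `verify-blob` (it is a genuinely signed amd64 artifact) and then be installed as a binary that cannot execute on that host; it should read `desired_cosign_filename='cosign-linux-arm64'`. The three `log_error "unsupported architecture $arch"` fallbacks reference a variable the script never sets, and the outer `*)` is really an unsupported OS, so they should print `${{ runner.arch }}` and `${{ runner.os }}` respectively. More broadly, `${{ inputs.cosign-release }}` and `${{ inputs.install-dir }}` are spliced into the bash text at template time, before the semver regex near the bottom ever runs, so a caller that forwards untrusted data (an issue title, a PR body) into either input gets shell injection; the usual hardening is to map both to `env:` variables and reference `"$COSIGN_RELEASE"` / `"$INSTALL_DIR"` in the script, which also removes the syntax error an empty `cosign-release` would cause in the unquoted `[[ ... == 'v0.6.0' ]]` tests. The `curl` calls lack `--fail`, so a 404 body is written to disk and only rejected later by the digest or signature check with a misleading "Unable to validate" message; adding `-f` makes the failure point obvious. The step body continues into the next hunk, so the `verify-blob` call and the final rename were not reviewed here.
```yaml
    - if: ${{ runner.os == 'Linux' || runner.os == 'macOS' }}
      shell: bash
      env:
        COSIGN_RELEASE: ${{ inputs.cosign-release }}
        INSTALL_DIR: ${{ inputs.install-dir }}
      run: |
        # … unchanged: logging aliases, bootstrap digest table …
        mkdir -p "$INSTALL_DIR"
        pushd "$INSTALL_DIR" > /dev/null
        # … unchanged: runner.os / runner.arch case, except the Linux ARM64 branch …
            ARM64)
              bootstrap_filename='cosign-linux-arm64'
              bootstrap_sha=${bootstrap_linux_arm64_sha}
              desired_cosign_filename='cosign-linux-arm64'
        # … unchanged: remainder, with every ${{ inputs.cosign-release }} replaced by "$COSIGN_RELEASE" and each curl given -f …
```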
