From de28bc13fbe64de43a2dbd0d62d901d5756557e5 Mon Sep 17 00:00:00 2001
From: Sascha Grunert
Date: Wed, 22 Jun 2022 09:26:57 +0200
Subject: [PATCH] `sudo` mv the cosign binary to the `install-dir`

We cannot use `install-dir`s like `/usr/bin/cosign` right now because this would cause an permission denied error. To be able to use those paths we have to run `mv` and `chmod` via root.

Signed-off-by: Sascha Grunert
---
 .github/workflows/test-action.yml | 33 +++++++++++++++++++++++++++++++
 action.yml | 18 +++++++++++------
 2 files changed, 45 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml
index 06890a5..73dea5e 100644
--- a/.github/workflows/test-action.yml
+++ b/.github/workflows/test-action.yml
@@ -176,6 +176,39 @@ jobs:
 fi
 shell: bash
+ test_cosign_action_custom_dir_root:
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ os: [macos-latest, ubuntu-latest, windows-latest]
+ permissions: {}
+ name: Install Custom Cosign and test presence in path
+ steps:
+ - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #v3
+ - name: Install Cosign
+ uses: ./
+ with:
+ install-dir: "/usr/bin"
+ - name: Check install!
+ run: cosign version
+ - name: Check install dir!
+ run: |
+ if [[ $(dirname `which cosign`) == "/usr/bin/cosign" ]]; then
+ exit 0
+ else
+ exit 1
+ fi
+ shell: bash
+ - name: Check root directory
+ run: |
+ if [[ $(git diff --stat) != '' ]]; then
+ echo 'should be clean'
+ exit 1
+ else
+ exit 0
+ fi
+ shell: bash
+
 # test_cosign_with_go_install:
 # runs-on: ubuntu-latest
 # permissions: {}
diff --git a/action.yml b/action.yml
index 2ddc57c..8b7d2bf 100644
--- a/action.yml
+++ b/action.yml
@@ -33,7 +33,12 @@ runs:
 fi
 set -e
- mkdir -p ${{ inputs.install-dir }}
+ SUDO=
+ if command -v sudo; then
+ SUDO=sudo
+ fi
+
+ $SUDO mkdir -p ${{ inputs.install-dir }}
 if [[ ${{ inputs.cosign-release }} == "main" ]]; then
 log_info "installing cosign via 'go install' from its main version"
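Review bot: The `Check install dir!` step in the new `test_cosign_action_custom_dir_root` job can never pass, because `dirname` of the resolved path yields `/usr/bin` while the comparison is against `"/usr/bin/cosign"`. Compare with the directory instead: `if [[ "$(dirname "$(command -v cosign)")" == "/usr/bin" ]]; then`. The matrix also runs the job on `macos-latest` and `windows-latest`, where `/usr/bin` may be write-protected or mapped differently even with sudo; that is worth confirming before relying on this job as coverage for the root path.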
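Review bot: `${{ inputs.install-dir }}` is substituted into the script text unquoted, and on the new `$SUDO mkdir -p` line the result is now parsed by bash under sudo, so a value containing whitespace or shell metacharacters is interpreted as root instead of being treated as one path. Pass the input through the step's `env:` (`INSTALL_DIR: ${{ inputs.install-dir }}`, which sits outside this hunk) and use `$SUDO mkdir -p "$INSTALL_DIR"`. `command -v sudo` also prints the resolved path into the job log; `if command -v sudo >/dev/null 2>&1; then` keeps the probe silent. Because SUDO is set whenever sudo exists, directories the runner user could create itself would presumably become root-owned as well, so escalating only when the target is not writable would be the narrower change.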
@@ -206,13 +211,13 @@ runs:
 # v0.6.0's linux release has a dependency on `libpcsclite1`
 log_info "Installing libpcsclite1 package if necessary..."
 set +e
- sudo dpkg -s libpcsclite1
+ $SUDO dpkg -s libpcsclite1
 if [ $? -eq 0 ]; then
 log_info "libpcsclite1 package is already installed"
 else
 log_info "libpcsclite1 package is not installed, installing it now."
- sudo apt-get update -q -q
- sudo apt-get install -yq libpcsclite1
+ $SUDO apt-get update -q -q
+ $SUDO apt-get install -yq libpcsclite1
 fi
 set -e
 fi
@@ -235,8 +240,9 @@ runs:
 ./cosign verify-blob --key $RELEASE_COSIGN_PUB_KEY --signature ${desired_cosign_filename}.sig cosign_${{ inputs.cosign-release }}
 rm cosign
- mv cosign_${{ inputs.cosign-release }} ${cosign_executable_name}
- chmod +x ${cosign_executable_name}
+
+ $SUDO mv cosign_${{ inputs.cosign-release }} ${cosign_executable_name}
+ $SUDO chmod +x ${cosign_executable_name}
 log_info "Installation complete!"
 fi
 - if: ${{ runner.os == 'Linux' || runner.os == 'macOS' }}
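Review bot: `$SUDO dpkg -s libpcsclite1` is a read-only status query and needs no privilege, so that line can stay unprivileged: `dpkg -s libpcsclite1`. The two `$SUDO apt-get` lines sit between `set +e` and `set -e`, so when SUDO is empty and the user is not root their failure is ignored and the script continues without the library. `$SUDO apt-get install -yq libpcsclite1 || exit 1` would surface that case. The enclosing `if` starts outside the hunk.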
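Review bot: Both paths on the new `$SUDO mv` and `$SUDO chmod` lines are unquoted, so a destination containing whitespace is word-split into extra arguments of a command that now runs as root; quote them, `$SUDO mv "cosign_${{ inputs.cosign-release }}" "${cosign_executable_name}"`. `chmod +x` leaves the other mode bits to whatever the download produced, whereas `$SUDO chmod 0755 "${cosign_executable_name}"` states the intended mode for a binary in a system directory. A rename keeps the file's owner, so the installed binary presumably stays owned by the runner user and replaceable by later unprivileged steps, which is worth confirming for self-hosted runners. The run block continues outside the hunk.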