diff --git a/.github/workflows/test-action.yml b/.github/workflows/test-action.yml
index 4fe55a9..d29fbed 100644
--- a/.github/workflows/test-action.yml
+++ b/.github/workflows/test-action.yml
@@ -65,3 +65,34 @@ jobs:
 else
 exit 0
 fi
+
+ test_ct_action_noverify:
+ runs-on: ubuntu-latest
+
+ name: Install chart-testing without verifiing blob and test presence in path
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install chart-testing
+ uses: ./
+ with:
+ verify_blob: 'false'
+ - name: Check install!
+ run: |
+ ct version
+ CT_VERSION_OUTPUT=$(ct version 2>&1 /dev/null)
+ ACTUAL_VERSION=$(echo "$CT_VERSION_OUTPUT" | grep Version | rev | cut -d ' ' -f1 | rev)
+ if [[ $ACTUAL_VERSION != 'v3.10.0' ]]; then
+ echo 'should be v3.10.0'
+ exit 1
+ else
+ exit 0
+ fi
+ shell: bash
+ - name: Check root directory
+ run: |
+ if [[ $(git diff --stat) != '' ]]; then
+ echo 'should be clean'
+ exit 1
+ else
+ exit 0
+ fi
diff --git a/action.yml b/action.yml
index 8f08990..6ef951f 100644
--- a/action.yml
+++ b/action.yml
@@ -5,6 +5,10 @@ branding:
 color: blue
 icon: anchor
 inputs:
+ verify_blob:
+ description: "determines whether the download blob should be verified (default: true)"
+ required: false
+ default: 'true'
 version:
 description: "The chart-testing version to install (default: 3.10.0)"
 required: false
@@ -21,9 +25,11 @@ runs:
 using: composite
 steps:
 - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+ if: ${{ inputs.verify_blob != 'false' }}
 - run: |
 cd $GITHUB_ACTION_PATH \
 && ./ct.sh \
+ --verify-blob ${{ inputs.verify_blob }} \
 --version ${{ inputs.version }} \
 --yamllint-version ${{ inputs.yamllint_version }} \
 --yamale-version ${{ inputs.yamale_version }}
diff --git a/ct.sh b/ct.sh
index 4432ed9..d186b92 100755
--- a/ct.sh
+++ b/ct.sh
@@ -5,6 +5,7 @@ set -o nounset
 set -o pipefail
 DEFAULT_CHART_TESTING_VERSION=3.10.0
+DEFAULT_VERIFY_BLOB=true
 DEFAULT_YAMLLINT_VERSION=1.27.1
 DEFAULT_YAMALE_VERSION=3.0.4
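Review bot: In the `Check install!` step of `test_ct_action_noverify`, `CT_VERSION_OUTPUT=$(ct version 2>&1 /dev/null)` hands `/dev/null` to `ct version` as a positional argument instead of redirecting anything; `2>&1` already merges stderr, so the line should be `CT_VERSION_OUTPUT=$(ct version 2>&1)`. The job also only proves that `ct` is on the path at the expected version and never checks that verification was actually skipped, so a regression that ignores `verify_blob` would still pass; assuming the runner image does not ship cosign, a step such as `if command -v cosign; then echo 'cosign should not be installed'; exit 1; fi` would pin the skipped installer step. The trailing context `else`/`exit 0`/`fi` suggests the same script already exists in the sibling job above the hunk, so the `/dev/null` fix belongs there too. `verifiing` in the job name should read `verifying`.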
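Review bot: `--verify-blob ${{ inputs.verify_blob }}` in the `runs` hunk of action.yml splices the input into the `run:` script text before bash sees it, unquoted; this mirrors the pre-existing `--version ${{ inputs.version }}` lines, but action inputs are exactly the values GitHub recommends routing through `env:` rather than expression interpolation in a script. Declaring `env:` with `VERIFY_BLOB: ${{ inputs.verify_blob }}` on the step and passing `--verify-blob "$VERIFY_BLOB"` keeps the value out of the script body and also stops an empty input from collapsing into the next flag, where `ct.sh` would read the literal `--version` as the blob setting. The `if:` on the cosign-installer step compares against the literal `'false'`, which matches the check in `ct.sh`, so both sides agree on what disables verification; a comment on the `if:` line saying so, `# must match the "false" test in ct.sh install_chart_testing`, would keep them from drifting apart.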
@@ -19,6 +20,7 @@ EOF
 main() {
 local version="${DEFAULT_CHART_TESTING_VERSION}"
+ local verify_blob="${DEFAULT_VERIFY_BLOB}"
 local yamllint_version="${DEFAULT_YAMLLINT_VERSION}"
 local yamale_version="${DEFAULT_YAMALE_VERSION}"
@@ -34,6 +36,16 @@ parse_command_line() {
 show_help
 exit
 ;;
+ --verify-blob)
+ if [[ -n "${2:-}" ]]; then
+ verify_blob="${2#v}"
+ shift
+ else
+ echo "ERROR: '--verify-blob' cannot be empty." >&2
+ show_help
+ exit 1
+ fi
+ ;;
 -v|--version)
 if [[ -n "${2:-}" ]]; then
 version="${2#v}"
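Review bot: `verify_blob="${2#v}"` in the new `--verify-blob` case strips a leading `v` from the value, a leftover from the `--version` branch below it that has no meaning for a boolean flag, and the value is otherwise accepted verbatim. Downstream only the literal `false` disables verification, so anything else is treated as `true`; that is fail-closed, but a caller passing `False`, `no` or `0` expecting to skip verification gets silent behaviour instead of an error, and the reverse typo is not caught either. Accepting only `true` or `false` at parse time makes the contract explicit and removes the stray `#v`; the enclosing `parse_command_line` loop starts and ends outside the hunk.

```shell
--verify-blob)
  case "${2:-}" in
    true|false)
      verify_blob="$2"
      shift
      ;;
    *)
      echo "ERROR: '--verify-blob' must be 'true' or 'false'." >&2
      show_help
      exit 1
      ;;
  esac
  ;;
```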
@@ -88,21 +100,26 @@ install_chart_testing() {
 local cache_dir="${RUNNER_TOOL_CACHE}/ct/${version}/${arch}"
 local venv_dir="${cache_dir}/venv"
+ curl --retry 5 --retry-delay 1 -sSLo ct.tar.gz "https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz"
+ echo "Installing chart-testing v${version}..."
 if [[ ! -d "${cache_dir}" ]]; then
 mkdir -p "${cache_dir}"
- echo "Installing chart-testing v${version}..."
- CT_CERT=https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz.pem
- CT_SIG=https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz.sig
-
- curl --retry 5 --retry-delay 1 -sSLo ct.tar.gz "https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz"
- cosign verify-blob --certificate $CT_CERT --signature $CT_SIG \
- --certificate-identity "https://github.com/helm/chart-testing/.github/workflows/release.yaml@refs/heads/main" \
- --certificate-oidc-issuer "https://token.actions.githubusercontent.com" ct.tar.gz
- retVal=$?
- if [[ "${retVal}" -ne 0 ]]; then
- log_error "Unable to validate chart-testing version: v${version}"
- exit 1
+ if [[ "${verify_blob}" != "false" ]]; then
+ echo "Verifing blob..."
+ CT_CERT=https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz.pem
+ CT_SIG=https://github.com/helm/chart-testing/releases/download/v$version/chart-testing_${version#v}_linux_$arch.tar.gz.sig
+
+ cosign verify-blob --certificate $CT_CERT --signature $CT_SIG \
+ --certificate-identity "https://github.com/helm/chart-testing/.github/workflows/release.yaml@refs/heads/main" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" ct.tar.gz
+ retVal=$?
+ if [[ "${retVal}" -ne 0 ]]; then
+ log_error "Unable to validate chart-testing version: v${version}"
+ exit 1
+ fi
+ else
+ echo "Skipping verifing blob..."
 fi
 tar -xzf ct.tar.gz -C "${cache_dir}"
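Review bot: When `verify_blob` is `false` the downloaded archive is extracted into `${cache_dir}` with no signature check at all, and the only trace is the plain `Skipping verifing blob...` line buried in step output; an unverified install of a tool that will run against the repository deserves a job-level annotation, e.g. `echo "::warning::chart-testing v${version} installed without signature verification"` in the `else` branch, so it is visible in the run summary. The `curl` download was also hoisted above `if [[ ! -d "${cache_dir}" ]]`, so every run now fetches the tarball even when the tool cache is warm and `tar -xzf` never runs; moving the `curl` back inside the branch, ahead of the `verify_blob` test, restores the previous behaviour without affecting verification. `Verifing`/`verifing` in the two new messages should read `Verifying`/`verifying`. `install_chart_testing` starts before the hunk.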