diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 40683d917..5d39bf3af 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -5,6 +5,10 @@ internal/codespaces/ @cli/codespaces # Limit Package Security team ownership to the attestation command package and related integration tests pkg/cmd/attestation/ @cli/package-security +pkg/cmd/release/attestation @cli/package-security +pkg/cmd/release/verify @cli/package-security +pkg/cmd/release/verify-asset @cli/package-security + test/integration/attestation-cmd @cli/package-security pkg/cmd/attestation/verification/embed/tuf-repo.github.com/ @cli/tuf-root-reviewers diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 37bbb0607..06d9bc81f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -27,6 +27,12 @@ jobs: - name: Check out code uses: actions/checkout@v4 + - name: Setup Go + if: matrix.language == 'go' + uses: actions/setup-go@v5 + with: + go-version-file: "go.mod" + - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: @@ -37,12 +43,6 @@ jobs: - 'third-party/**' - 'third-party-licenses.*.md' - - name: Setup Go - if: matrix.language == 'go' - uses: actions/setup-go@v5 - with: - go-version-file: 'go.mod' - - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 2d8a79ab5..a855a443f 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -31,17 +31,7 @@ jobs: with: go-version-file: 'go.mod' - - name: Verify dependencies - run: | - go mod verify - go mod download - - LINT_VERSION=1.63.4 - curl -fsSL https://github.com/golangci/golangci-lint/releases/download/v${LINT_VERSION}/golangci-lint-${LINT_VERSION}-linux-amd64.tar.gz | \ - tar xz --strip-components 1 --wildcards \*/golangci-lint - mkdir -p bin && mv golangci-lint bin/ - - - name: Run checks + - name: Ensure go.mod and go.sum are up to date run: | STATUS=0 assert-nothing-changed() { @@ -53,14 +43,14 @@ jobs: STATUS=1 fi } - - assert-nothing-changed go fmt ./... assert-nothing-changed go mod tidy - - bin/golangci-lint run --out-format=colored-line-number --timeout=3m || STATUS=$? - exit $STATUS + - name: golangci-lint + uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0 + with: + version: v2.1.6 + # actions/setup-go does not setup the installed toolchain to be preferred over the system install, # which causes go-licenses to raise "Package ... does not have module info" errors. # for more information, https://github.com/google/go-licenses/issues/244#issuecomment-1885098633 diff --git a/.github/workflows/pr-help-wanted.yml b/.github/workflows/pr-help-wanted.yml index 313e91e14..3482ecd08 100644 --- a/.github/workflows/pr-help-wanted.yml +++ b/.github/workflows/pr-help-wanted.yml @@ -20,12 +20,8 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_AUTHOR: ${{ github.event.pull_request.user.login }} PR_AUTHOR_TYPE: ${{ github.event.pull_request.user.type }} + PR_AUTHOR_ASSOCIATION: ${{ github.event.pull_request.author_association }} if: "!github.event.pull_request.draft" run: | - # Skip if PR is from a bot or org member - if [ "$PR_AUTHOR_TYPE" = "Bot" ] || gh api orgs/cli/public_members/"${PR_AUTHOR}" --silent 2>/dev/null; then - exit 0 - fi - # Run the script to check for issues without help-wanted label bash .github/workflows/scripts/check-help-wanted.sh ${{ github.event.pull_request.html_url }} diff --git a/.github/workflows/scripts/check-help-wanted.sh b/.github/workflows/scripts/check-help-wanted.sh index 59c12fecd..d316e8bde 100755 --- a/.github/workflows/scripts/check-help-wanted.sh +++ b/.github/workflows/scripts/check-help-wanted.sh @@ -12,6 +12,12 @@ if [ -z "$PR_URL" ]; then exit 1 fi +# Skip if PR is from a bot or org member +if [ "$PR_AUTHOR_TYPE" = "Bot" ] || [ "$PR_AUTHOR_ASSOCIATION" = "MEMBER" ] || [ "$PR_AUTHOR_ASSOCIATION" = "OWNER" ]; then + echo "Skipping check for PR #$PR_URL as it is from a bot ($PR_AUTHOR_TYPE) or an org member ($PR_AUTHOR_ASSOCIATION: MEMBER/OWNER)" + exit 0 +fi + # Extract PR number from URL for logging PR_NUM="$(basename "$PR_URL")" diff --git a/.golangci.yml b/.golangci.yml index ff7f37014..861198dd8 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -1,7 +1,17 @@ +version: "2" + linters: enable: - - gofmt - - nolintlint + - nolintlint + disable: + # The following linters are disabled purely because this config was migrated to v2 where they are in the default + # set, and we should have separate work to enable them if we truly want them. + - staticcheck + - errcheck + +formatters: + enable: + - gofmt issues: max-issues-per-linter: 0 diff --git a/acceptance/testdata/repo/repo-rename-transfer-ownership.txtar b/acceptance/testdata/repo/repo-rename-transfer-ownership.txtar index 6b1a3e3fb..754a609d7 100644 --- a/acceptance/testdata/repo/repo-rename-transfer-ownership.txtar +++ b/acceptance/testdata/repo/repo-rename-transfer-ownership.txtar @@ -3,7 +3,7 @@ exec gh repo create $ORG/$SCRIPT_NAME-$RANDOM_STRING --add-readme --private # Attempt to rename the repo with a slash in the name ! exec gh repo rename $ORG/new-name --repo=$ORG/$SCRIPT_NAME-$RANDOM_STRING --yes -stderr 'New repository name cannot contain '/' character - to transfer a repository to a new owner, you must follow additional steps on GitHub.com. For more information on transferring repository ownership, see .' +stderr 'New repository name cannot contain \''/\'' character - to transfer a repository to a new owner, you must follow additional steps on . For more information on transferring repository ownership, see .' # Defer repo deletion defer gh repo delete $ORG/$SCRIPT_NAME-$RANDOM_STRING --yes \ No newline at end of file diff --git a/docs/install_linux.md b/docs/install_linux.md index 43ba876a1..cdae81168 100644 --- a/docs/install_linux.md +++ b/docs/install_linux.md @@ -19,6 +19,7 @@ Install: && out=$(mktemp) && wget -nv -O$out https://cli.github.com/packages/githubcli-archive-keyring.gpg \ && cat $out | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \ && sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \ + && sudo mkdir -p -m 755 /etc/apt/sources.list.d \ && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null \ && sudo apt update \ && sudo apt install gh -y @@ -163,6 +164,20 @@ Or via [pkg(8)](https://www.freebsd.org/cgi/man.cgi?pkg(8)): pkg install gh ``` +### MidnightBSD + +MidnightBSD users can install from [mports](https://www.midnightbsd.org/documentation/mports/index.html) + +```bash +cd /usr/mports/devel/gh/ && make install clean +``` + +Or via [mport(1)](http://man.midnightbsd.org/cgi-bin/man.cgi/mport): + +```bash +mport install gh +``` + ### NetBSD/pkgsrc NetBSD users and those on [platforms supported by pkgsrc](https://pkgsrc.org/#index4h1) can install the [gh package](https://pkgsrc.se/net/gh): diff --git a/go.mod b/go.mod index 289fd83a5..e5d499aee 100644 --- a/go.mod +++ b/go.mod @@ -1,8 +1,8 @@ module github.com/cli/cli/v2 -go 1.23.0 +go 1.24 -toolchain go1.23.5 +toolchain go1.24.4 require ( github.com/AlecAivazis/survey/v2 v2.3.7 @@ -26,14 +26,14 @@ require ( github.com/gdamore/tcell/v2 v2.5.4 github.com/golang/snappy v0.0.4 github.com/google/go-cmp v0.7.0 - github.com/google/go-containerregistry v0.20.3 + github.com/google/go-containerregistry v0.20.6 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 github.com/gorilla/websocket v1.5.3 github.com/hashicorp/go-multierror v1.1.1 github.com/hashicorp/go-version v1.3.0 github.com/henvic/httpretty v0.1.4 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec - github.com/in-toto/attestation v1.1.1 + github.com/in-toto/attestation v1.1.2 github.com/joho/godotenv v1.5.1 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 github.com/mattn/go-colorable v0.1.14 @@ -52,10 +52,10 @@ require ( github.com/theupdateframework/go-tuf/v2 v2.1.1 github.com/yuin/goldmark v1.7.12 github.com/zalando/go-keyring v0.2.5 - golang.org/x/crypto v0.38.0 - golang.org/x/sync v0.14.0 + golang.org/x/crypto v0.39.0 + golang.org/x/sync v0.15.0 golang.org/x/term v0.32.0 - golang.org/x/text v0.25.0 + golang.org/x/text v0.26.0 google.golang.org/grpc v1.72.2 google.golang.org/protobuf v1.36.6 gopkg.in/h2non/gock.v1 v1.1.2 @@ -86,13 +86,13 @@ require ( github.com/cli/shurcooL-graphql v0.0.4 // indirect github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect - github.com/danieljoos/wincred v1.2.1 // indirect + github.com/danieljoos/wincred v1.2.2 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect github.com/dlclark/regexp2 v1.11.0 // indirect - github.com/docker/cli v27.5.0+incompatible // indirect + github.com/docker/cli v28.2.2+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect - github.com/docker/docker-credential-helpers v0.8.2 // indirect + github.com/docker/docker-credential-helpers v0.9.3 // indirect github.com/dustin/go-humanize v1.0.1 // indirect github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect github.com/fatih/color v1.16.0 // indirect @@ -100,7 +100,7 @@ require ( github.com/gdamore/encoding v1.0.0 // indirect github.com/go-chi/chi v4.1.2+incompatible // indirect github.com/go-jose/go-jose/v4 v4.0.5 // indirect - github.com/go-logr/logr v1.4.2 // indirect + github.com/go-logr/logr v1.4.3 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-openapi/analysis v0.23.0 // indirect github.com/go-openapi/errors v0.22.1 // indirect @@ -126,7 +126,7 @@ require ( github.com/itchyny/timefmt-go v0.1.5 // indirect github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect github.com/josharian/intern v1.0.0 // indirect - github.com/klauspost/compress v1.17.11 // indirect + github.com/klauspost/compress v1.18.0 // indirect github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect github.com/lucasb-eyer/go-colorful v1.2.0 // indirect github.com/mailru/easyjson v0.9.0 // indirect @@ -144,7 +144,7 @@ require ( github.com/muesli/termenv v0.16.0 // indirect github.com/oklog/ulid v1.3.1 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.0 // indirect + github.com/opencontainers/image-spec v1.1.1 // indirect github.com/pelletier/go-toml/v2 v2.2.3 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect @@ -171,21 +171,21 @@ require ( github.com/thlib/go-timezone-local v0.0.0-20210907160436-ef149e42d28e // indirect github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/transparency-dev/merkle v0.0.2 // indirect - github.com/vbatts/tar-split v0.11.6 // indirect + github.com/vbatts/tar-split v0.12.1 // indirect github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect github.com/yuin/goldmark-emoji v1.0.5 // indirect go.mongodb.org/mongo-driver v1.14.0 // indirect go.opentelemetry.io/auto/sdk v1.1.0 // indirect - go.opentelemetry.io/otel v1.35.0 // indirect - go.opentelemetry.io/otel/metric v1.35.0 // indirect - go.opentelemetry.io/otel/trace v1.35.0 // indirect + go.opentelemetry.io/otel v1.36.0 // indirect + go.opentelemetry.io/otel/metric v1.36.0 // indirect + go.opentelemetry.io/otel/trace v1.36.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect golang.org/x/exp v0.0.0-20240531132922-fd00a4e0eefc // indirect - golang.org/x/mod v0.24.0 // indirect - golang.org/x/net v0.40.0 // indirect + golang.org/x/mod v0.25.0 // indirect + golang.org/x/net v0.41.0 // indirect golang.org/x/sys v0.33.0 // indirect - golang.org/x/tools v0.29.0 // indirect + golang.org/x/tools v0.34.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250414145226-207652e42e2e // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e // indirect k8s.io/klog/v2 v2.130.1 // indirect diff --git a/go.sum b/go.sum index 95f7ed75d..f0f2bb5ed 100644 --- a/go.sum +++ b/go.sum @@ -4,8 +4,8 @@ cloud.google.com/go/auth v0.16.0 h1:Pd8P1s9WkcrBE2n/PhAwKsdrR35V3Sg2II9B+ndM3CU= cloud.google.com/go/auth v0.16.0/go.mod h1:1howDHJ5IETh/LwYs3ZxvlkXF48aSqqJUM+5o02dNOI= cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc= cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c= -cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4j01OwKxG9I= -cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg= +cloud.google.com/go/compute/metadata v0.7.0 h1:PBWF+iiAerVNe8UCHxdOt6eHLVc3ydFeOCw78U8ytSU= +cloud.google.com/go/compute/metadata v0.7.0/go.mod h1:j5MvL9PprKL39t166CoB1uVHfQMs4tFQZZcKwksXUjo= cloud.google.com/go/iam v1.5.0 h1:QlLcVMhbLGOjRcGe6VTGGTyQib8dRLK2B/kYNV0+2xs= cloud.google.com/go/iam v1.5.0/go.mod h1:U+DOtKQltF/LxPEtcDLoobcsZMilSRwR7mgNL7knOpo= cloud.google.com/go/kms v1.21.2 h1:c/PRUSMNQ8zXrc1sdAUnsenWWaNXN+PzTXfXOcSFdoE= @@ -160,8 +160,8 @@ github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s= github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE= github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 h1:vU+EP9ZuFUCYE0NYLwTSob+3LNEJATzNfP/DC7SWGWI= github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= -github.com/danieljoos/wincred v1.2.1 h1:dl9cBrupW8+r5250DYkYxocLeZ1Y4vB1kxgtjxw8GQs= -github.com/danieljoos/wincred v1.2.1/go.mod h1:uGaFL9fDn3OLTvzCGulzE+SzjEe5NGlh5FdCcyfPwps= +github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0= +github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= @@ -175,12 +175,12 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI= github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8= -github.com/docker/cli v27.5.0+incompatible h1:aMphQkcGtpHixwwhAXJT1rrK/detk2JIvDaFkLctbGM= -github.com/docker/cli v27.5.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v28.2.2+incompatible h1:qzx5BNUDFqlvyq4AHzdNB7gSyVTmU4cgsyN9SdInc1A= +github.com/docker/cli v28.2.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= -github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= +github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8= +github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4= @@ -205,8 +205,8 @@ github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxm github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE= github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= -github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= +github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC03zFCU= @@ -247,8 +247,8 @@ github.com/google/certificate-transparency-go v1.3.1 h1:akbcTfQg0iZlANZLn0L9xOeW github.com/google/certificate-transparency-go v1.3.1/go.mod h1:gg+UQlx6caKEDQ9EElFOujyxEQEfOiQzAt6782Bvi8k= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= -github.com/google/go-containerregistry v0.20.3 h1:oNx7IdTI936V8CQRveCjaxOiegWwvM7kqkbXTpyiovI= -github.com/google/go-containerregistry v0.20.3/go.mod h1:w00pIgBRDVUDFM6bq+Qx8lwNWK+cxgCuX1vd3PIBDNI= +github.com/google/go-containerregistry v0.20.6 h1:cvWX87UxxLgaH76b4hIvya6Dzz9qHB31qAwjAohdSTU= +github.com/google/go-containerregistry v0.20.6/go.mod h1:T0x8MuoAoKX/873bkeSfLD2FAkwCDf9/HZgsFJ02E2Y= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0= @@ -304,8 +304,8 @@ github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef h1:A9HsByNhogrvm9cWb github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs= github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= -github.com/in-toto/attestation v1.1.1 h1:QD3d+oATQ0dFsWoNh5oT0udQ3tUrOsZZ0Fc3tSgWbzI= -github.com/in-toto/attestation v1.1.1/go.mod h1:Dcq1zVwA2V7Qin8I7rgOi+i837wEf/mOZwRm047Sjys= +github.com/in-toto/attestation v1.1.2 h1:MBFn6lsMq6dptQZJBhalXTcWMb/aJy3V+GX3VYj/V1E= +github.com/in-toto/attestation v1.1.2/go.mod h1:gYFddHMZj3DiQ0b62ltNi1Vj5rC879bTmBbrv9CRHpM= github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU= github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= @@ -338,8 +338,8 @@ github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8Hm github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs= github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8= -github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc= -github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= +github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= +github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= @@ -402,8 +402,8 @@ github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= -github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= +github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= +github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs= github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M= @@ -515,8 +515,8 @@ github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A= -github.com/vbatts/tar-split v0.11.6 h1:4SjTW5+PU11n6fZenf2IPoV8/tz3AaYHMWjf23envGs= -github.com/vbatts/tar-split v0.11.6/go.mod h1:dqKNtesIOr2j2Qv3W/cHjnvk9I8+G7oAkFDFN6TCBEI= +github.com/vbatts/tar-split v0.12.1 h1:CqKoORW7BUWBe7UL/iqTVvkTBOF8UvOMKOIZykxnnbo= +github.com/vbatts/tar-split v0.12.1/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA= github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no= github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= @@ -533,18 +533,18 @@ go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJyS go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 h1:sbiXRNDSWJOTobXh5HyQKjq6wUC5tNybqjIqDpAY4CU= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0/go.mod h1:69uWxva0WgAA/4bu2Yy70SLDBwZXuQ6PbBpbsa5iZrQ= -go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ= -go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y= -go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M= -go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q= +go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg= +go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E= +go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE= +go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs= go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A= go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU= go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk= go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w= -go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs= -go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc= +go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w= +go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA= go.step.sm/crypto v0.63.0 h1:U1QGELQqJ85oDfeNFE2V52cow1rvy0m3MekG3wFmyXY= go.step.sm/crypto v0.63.0/go.mod h1:aj3LETmCZeSil1DMq3BlbhDBcN86+mmKrHZtXWyc0L4= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= @@ -555,24 +555,24 @@ go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8= -golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw= +golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM= +golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U= golang.org/x/exp v0.0.0-20240531132922-fd00a4e0eefc h1:O9NuF4s+E/PvMIy+9IUZB9znFwUIXEWSstNjek6VpVg= golang.org/x/exp v0.0.0-20240531132922-fd00a4e0eefc/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU= -golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= +golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w= +golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY= -golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds= -golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98= -golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8= +golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw= +golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA= +golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= +golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ= -golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8= +golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -594,15 +594,15 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4= -golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA= +golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M= +golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA= golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0= golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.29.0 h1:Xx0h3TtM9rzQpQuR4dKLrdglAmCEN5Oi+P74JdhdzXE= -golang.org/x/tools v0.29.0/go.mod h1:KMQVMRsVxU6nHCFXrBPhDB8XncLNLM0lIy/F14RP588= +golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo= +golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/api v0.230.0 h1:2u1hni3E+UXAXrONrrkfWpi/V6cyKVAbfGVeGtC3OxM= google.golang.org/api v0.230.0/go.mod h1:aqvtoMk7YkiXx+6U12arQFExiRV9D/ekvMCwCd/TksQ= diff --git a/pkg/cmd/attestation/api/mock_client.go b/pkg/cmd/attestation/api/mock_client.go index b6062b39f..4b4f06eff 100644 --- a/pkg/cmd/attestation/api/mock_client.go +++ b/pkg/cmd/attestation/api/mock_client.go @@ -6,6 +6,13 @@ import ( "github.com/cli/cli/v2/pkg/cmd/attestation/test/data" ) +func makeTestReleaseAttestation() Attestation { + return Attestation{ + Bundle: data.GitHubReleaseBundle(nil), + BundleURL: "https://example.com", + } +} + func makeTestAttestation() Attestation { return Attestation{Bundle: data.SigstoreBundle(nil), BundleURL: "https://example.com"} } @@ -26,8 +33,12 @@ func (m MockClient) GetTrustDomain() (string, error) { func OnGetByDigestSuccess(params FetchParams) ([]*Attestation, error) { att1 := makeTestAttestation() att2 := makeTestAttestation() + att3 := makeTestReleaseAttestation() attestations := []*Attestation{&att1, &att2} if params.PredicateType != "" { + if params.PredicateType == "https://in-toto.io/attestation/release/v0.1" { + attestations = append(attestations, &att3) + } return FilterAttestations(params.PredicateType, attestations) } diff --git a/pkg/cmd/attestation/artifact/artifact.go b/pkg/cmd/attestation/artifact/artifact.go index 131785166..9d8125450 100644 --- a/pkg/cmd/attestation/artifact/artifact.go +++ b/pkg/cmd/attestation/artifact/artifact.go @@ -54,6 +54,13 @@ func normalizeReference(reference string, pathSeparator rune) (normalized string return filepath.Clean(reference), fileArtifactType, nil } +func NewDigestedArtifactForRelease(digest string, digestAlg string) (artifact *DigestedArtifact) { + return &DigestedArtifact{ + digest: digest, + digestAlg: digestAlg, + } +} + func NewDigestedArtifact(client oci.Client, reference, digestAlg string) (artifact *DigestedArtifact, err error) { normalized, artifactType, err := normalizeReference(reference, os.PathSeparator) if err != nil { diff --git a/pkg/cmd/attestation/artifact/file.go b/pkg/cmd/attestation/artifact/file.go index 789a92a5d..237a9bbf7 100644 --- a/pkg/cmd/attestation/artifact/file.go +++ b/pkg/cmd/attestation/artifact/file.go @@ -10,7 +10,7 @@ import ( func digestLocalFileArtifact(filename, digestAlg string) (*DigestedArtifact, error) { data, err := os.Open(filename) if err != nil { - return nil, fmt.Errorf("failed to get open local artifact: %v", err) + return nil, fmt.Errorf("failed to open local artifact: %v", err) } defer data.Close() digest, err := digest.CalculateDigestWithAlgorithm(data, digestAlg) diff --git a/pkg/cmd/attestation/artifact/file_test.go b/pkg/cmd/attestation/artifact/file_test.go new file mode 100644 index 000000000..54768e93e --- /dev/null +++ b/pkg/cmd/attestation/artifact/file_test.go @@ -0,0 +1,23 @@ +package artifact + +import ( + "testing" + + "github.com/cli/cli/v2/pkg/cmd/attestation/test" + "github.com/stretchr/testify/require" +) + +func Test_digestLocalFileArtifact_withRealZip(t *testing.T) { + // Path to the test artifact + artifactPath := test.NormalizeRelativePath("../../attestation/test/data/github_release_artifact.zip") + + // Calculate expected digest using the same algorithm as the function under test + expectedDigest := "e15b593c6ab8d7725a3cc82226ef816cac6bf9c70eed383bd459295cc65f5ec3" + + // Call the function under test + artifact, err := digestLocalFileArtifact(artifactPath, "sha256") + require.NoError(t, err) + require.Equal(t, "file://"+artifactPath, artifact.URL) + require.Equal(t, expectedDigest, artifact.digest) + require.Equal(t, "sha256", artifact.digestAlg) +} diff --git a/pkg/cmd/attestation/test/data/data.go b/pkg/cmd/attestation/test/data/data.go index ef3c35c20..223d6f22e 100644 --- a/pkg/cmd/attestation/test/data/data.go +++ b/pkg/cmd/attestation/test/data/data.go @@ -10,6 +10,9 @@ import ( //go:embed sigstore-js-2.1.0-bundle.json var SigstoreBundleRaw []byte +//go:embed github_release_bundle.json +var GitHubReleaseBundleRaw []byte + // SigstoreBundle returns a test sigstore-go bundle.Bundle func SigstoreBundle(t *testing.T) *bundle.Bundle { b := &bundle.Bundle{} @@ -19,3 +22,12 @@ func SigstoreBundle(t *testing.T) *bundle.Bundle { } return b } + +func GitHubReleaseBundle(t *testing.T) *bundle.Bundle { + b := &bundle.Bundle{} + err := b.UnmarshalJSON(GitHubReleaseBundleRaw) + if err != nil { + t.Fatalf("failed to unmarshal GitHub release bundle: %v", err) + } + return b +} diff --git a/pkg/cmd/attestation/test/data/github_release_artifact.zip b/pkg/cmd/attestation/test/data/github_release_artifact.zip new file mode 100644 index 000000000..a4d222eb9 Binary files /dev/null and b/pkg/cmd/attestation/test/data/github_release_artifact.zip differ diff --git a/pkg/cmd/attestation/test/data/github_release_artifact_invalid.zip b/pkg/cmd/attestation/test/data/github_release_artifact_invalid.zip new file mode 100644 index 000000000..fcdda88fe Binary files /dev/null and b/pkg/cmd/attestation/test/data/github_release_artifact_invalid.zip differ diff --git a/pkg/cmd/attestation/test/data/github_release_bundle.json b/pkg/cmd/attestation/test/data/github_release_bundle.json new file mode 100644 index 000000000..8ca506dcb --- /dev/null +++ b/pkg/cmd/attestation/test/data/github_release_bundle.json @@ -0,0 +1,24 @@ +{ + "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json", + "verificationMaterial": { + "timestampVerificationData": { + "rfc3161Timestamps": [ + { + "signedTimestamp": "MIIC0DADAgEAMIICxwYJKoZIhvcNAQcCoIICuDCCArQCAQMxDTALBglghkgBZQMEAgIwgbwGCyqGSIb3DQEJEAEEoIGsBIGpMIGmAgEBBgkrBgEEAYO/MAIwMTANBglghkgBZQMEAgEFAAQg1c3kQQpo4Adf2E+nx78lNg8EjRSLpIRERpPF0HIavogCFQCOfZuxr0DOc1LsM+y+sjQCMFrtbxgPMjAyNTA1MzAyMDEzMzlaMAMCAQGgNqQ0MDIxFTATBgNVBAoTDEdpdEh1YiwgSW5jLjEZMBcGA1UEAxMQVFNBIFRpbWVzdGFtcGluZ6AAMYIB3TCCAdkCAQEwSjAyMRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xGTAXBgNVBAMTEFRTQSBpbnRlcm1lZGlhdGUCFB+7MIjE5/rL4XA4fNDnmXHA04+wMAsGCWCGSAFlAwQCAqCCAQUwGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMBwGCSqGSIb3DQEJBTEPFw0yNTA1MzAyMDEzMzlaMD8GCSqGSIb3DQEJBDEyBDDkw1fXMZ6l/uWne+PcdzhLl2ckTZftcUuHcnYCwjhyYMeGOcgbpNNMDem46JCxItwwgYcGCyqGSIb3DQEJEAIvMXgwdjB0MHIEIHuISsKSyiJtlhGjT+RyS+tYQ7iwCMsMCTGmz2NK3D7DME4wNqQ0MDIxFTATBgNVBAoTDEdpdEh1YiwgSW5jLjEZMBcGA1UEAxMQVFNBIGludGVybWVkaWF0ZQIUH7swiMTn+svhcDh80OeZccDTj7AwCgYIKoZIzj0EAwMEZjBkAjBhE76zis18/xOtQdx6rJUuaRoZCflXHCjH6BqEk1B29r9C8STztZhAKalXL+Wy4rsCMFFaGPKF1uOl5JADiKMg5/7chJbWrfwyO9oa0tbmvcGrtBCdFeJ1Ic0tIi1sOVvq5Q==" + } + ] + }, + "certificate": { + "rawBytes": "MIICKjCCAbCgAwIBAgIUaa62dj98DUB+TpyvKtVaR4vGSM0wCgYIKoZIzj0EAwMwODEVMBMGA1UEChMMR2l0SHViLCBJbmMuMR8wHQYDVQQDExZGdWxjaW8gSW50ZXJtZWRpYXRlIGwxMB4XDTI1MDMxMDE1MDMwMloXDTI2MDMxMDE1MDMwMlowKjEVMBMGA1UEChMMR2l0SHViLCBJbmMuMREwDwYDVQQDEwhBdHRlc3RlcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIMB7plPnZvBRlC2lvAocKTAqAPMJqstEqYk26e9vDJDC1yqoiHxZfPV4W/1RqUMZD1dFKm9t4RiSmm73/QnQKajgaUwgaIwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFOqaGpr5SbdYk5CQXsmmDZCBHR+XMB8GA1UdIwQYMBaAFMDhuFKkS08+3no4EQbPSY6hRZszMC0GA1UdEQQmMCSGImh0dHBzOi8vZG90Y29tLnJlbGVhc2VzLmdpdGh1Yi5jb20wCgYIKoZIzj0EAwMDaAAwZQIwWFdF6xcXazHVPHEAtd1SeaizLdY1erRl5hK+XlwhfpnasQHHZ9bdu4Zj8ARhW/AhAjEArujhmJGo7Fi4/Ek1RN8bufs6UhIQneQd/pxE8QdorwZkj2C8nf2EzrUYzlxKfktC" + } + }, + "dsseEnvelope": { + "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCAic3ViamVjdCI6W3sidXJpIjoicGtnOmdpdGh1Yi9iZGVoYW1lci9kZWxtZUB2NiIsICJkaWdlc3QiOnsic2hhMSI6ImM1ZTE3YTYyZTA2YTFkMjAxNTcwMjQ5YzYxZmFlNTMxZTkyNDRlMWIifX0sIHsibmFtZSI6ImFydGlmYWN0LnppcCIsICJkaWdlc3QiOnsic2hhMjU2IjoiZTE1YjU5M2M2YWI4ZDc3MjVhM2NjODIyMjZlZjgxNmNhYzZiZjljNzBlZWQzODNiZDQ1OTI5NWNjNjVmNWVjMyJ9fV0sICJwcmVkaWNhdGVUeXBlIjoiaHR0cHM6Ly9pbi10b3RvLmlvL2F0dGVzdGF0aW9uL3JlbGVhc2UvdjAuMSIsICJwcmVkaWNhdGUiOnsib3duZXJJZCI6IjM5ODAyNyIsICJwdXJsIjoicGtnOmdpdGh1Yi9iZGVoYW1lci9kZWxtZUB2NiIsICJyZWxlYXNlSWQiOiIyMjIxNTg2NzEiLCAicmVwb3NpdG9yeSI6ImJkZWhhbWVyL2RlbG1lIiwgInJlcG9zaXRvcnlJZCI6IjkwNTk4ODA0NCIsICJ0YWciOiJ2NiJ9fQ==", + "payloadType": "application/vnd.in-toto+json", + "signatures": [ + { + "sig": "MEUCIGq+T2g2gV2+lcmgyCaVPrjO1tj86RxitwiEOjU5dH/GAiEAvKaT/7H0sIVdAY7EzLq1IFaF8LmlW6eV68eZQvtuA0c=" + } + ] + } +} \ No newline at end of file diff --git a/pkg/cmd/extension/command_test.go b/pkg/cmd/extension/command_test.go index 76741714a..7001c8f1a 100644 --- a/pkg/cmd/extension/command_test.go +++ b/pkg/cmd/extension/command_test.go @@ -23,15 +23,14 @@ import ( "github.com/cli/cli/v2/pkg/iostreams" "github.com/spf13/cobra" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" ) func TestNewCmdExtension(t *testing.T) { tempDir := t.TempDir() - oldWd, _ := os.Getwd() localExtensionTempDir := filepath.Join(tempDir, "gh-hello") - assert.NoError(t, os.MkdirAll(localExtensionTempDir, 0755)) - assert.NoError(t, os.Chdir(localExtensionTempDir)) - t.Cleanup(func() { _ = os.Chdir(oldWd) }) + require.NoError(t, os.MkdirAll(localExtensionTempDir, 0755)) + t.Chdir(localExtensionTempDir) tests := []struct { name string diff --git a/pkg/cmd/extension/manager_test.go b/pkg/cmd/extension/manager_test.go index 167af3439..e933f0bdf 100644 --- a/pkg/cmd/extension/manager_test.go +++ b/pkg/cmd/extension/manager_test.go @@ -1251,9 +1251,10 @@ func TestManager_repo_not_found(t *testing.T) { } func TestManager_Create(t *testing.T) { - chdirTemp(t) + tempDir := t.TempDir() + t.Chdir(tempDir) err := os.MkdirAll("gh-test", 0755) - assert.NoError(t, err) + require.NoError(t, err) ios, _, stdout, stderr := iostreams.Test() @@ -1279,9 +1280,10 @@ func TestManager_Create(t *testing.T) { } func TestManager_Create_go_binary(t *testing.T) { - chdirTemp(t) + tempDir := t.TempDir() + t.Chdir(tempDir) err := os.MkdirAll("gh-test", 0755) - assert.NoError(t, err) + require.NoError(t, err) reg := httpmock.Registry{} defer reg.Verify(t) @@ -1329,9 +1331,10 @@ func TestManager_Create_go_binary(t *testing.T) { } func TestManager_Create_other_binary(t *testing.T) { - chdirTemp(t) + tempDir := t.TempDir() + t.Chdir(tempDir) err := os.MkdirAll("gh-test", 0755) - assert.NoError(t, err) + require.NoError(t, err) ios, _, stdout, stderr := iostreams.Test() @@ -1392,18 +1395,6 @@ func Test_ensurePrefixed(t *testing.T) { } } -// chdirTemp changes the current working directory to a temporary directory for the duration of the test. -func chdirTemp(t *testing.T) { - oldWd, _ := os.Getwd() - tempDir := t.TempDir() - if err := os.Chdir(tempDir); err != nil { - t.Fatal(err) - } - t.Cleanup(func() { - _ = os.Chdir(oldWd) - }) -} - func fileNames(files []os.DirEntry) []string { names := make([]string, len(files)) for i, f := range files { diff --git a/pkg/cmd/pr/shared/find_refs_resolution.go b/pkg/cmd/pr/shared/find_refs_resolution.go index e4e51bab8..4b977c716 100644 --- a/pkg/cmd/pr/shared/find_refs_resolution.go +++ b/pkg/cmd/pr/shared/find_refs_resolution.go @@ -129,7 +129,7 @@ func NewPullRequestFindRefsResolver(gitConfigClient GitConfigClient, remotesFn f } } -// ResolvePullRequests takes a base repository, a base branch name and a local branch name and uses the git configuration to +// ResolvePullRequestRefs takes a base repository, a base branch name and a local branch name and uses the git configuration to // determine the head repository and remote branch name. If we were unable to determine this from git, we default the head // repository to the base repository. func (r *PullRequestFindRefsResolver) ResolvePullRequestRefs(baseRepo ghrepo.Interface, baseBranchName, localBranchName string) (PRFindRefs, error) { diff --git a/pkg/cmd/release/download/download_test.go b/pkg/cmd/release/download/download_test.go index 9337c9b65..37c0e3c02 100644 --- a/pkg/cmd/release/download/download_test.go +++ b/pkg/cmd/release/download/download_test.go @@ -174,11 +174,6 @@ func Test_NewCmdDownload(t *testing.T) { } func Test_downloadRun(t *testing.T) { - oldwd, err := os.Getwd() - if err != nil { - t.Fatalf("could not determine working directory: %v", err) - } - tests := []struct { name string isTTY bool @@ -526,11 +521,7 @@ func Test_downloadRun(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { tempDir := t.TempDir() - if err := os.Chdir(tempDir); err == nil { - t.Cleanup(func() { _ = os.Chdir(oldwd) }) - } else { - t.Fatal(err) - } + t.Chdir(tempDir) ios, _, stdout, stderr := iostreams.Test() ios.SetStdoutTTY(tt.isTTY) diff --git a/pkg/cmd/release/release.go b/pkg/cmd/release/release.go index 6805b09eb..f56042c81 100644 --- a/pkg/cmd/release/release.go +++ b/pkg/cmd/release/release.go @@ -8,6 +8,8 @@ import ( cmdUpdate "github.com/cli/cli/v2/pkg/cmd/release/edit" cmdList "github.com/cli/cli/v2/pkg/cmd/release/list" cmdUpload "github.com/cli/cli/v2/pkg/cmd/release/upload" + cmdVerify "github.com/cli/cli/v2/pkg/cmd/release/verify" + cmdVerifyAsset "github.com/cli/cli/v2/pkg/cmd/release/verify-asset" cmdView "github.com/cli/cli/v2/pkg/cmd/release/view" "github.com/cli/cli/v2/pkg/cmdutil" "github.com/spf13/cobra" @@ -34,6 +36,8 @@ func NewCmdRelease(f *cmdutil.Factory) *cobra.Command { cmdDownload.NewCmdDownload(f, nil), cmdDelete.NewCmdDelete(f, nil), cmdDeleteAsset.NewCmdDeleteAsset(f, nil), + cmdVerify.NewCmdVerify(f, nil), + cmdVerifyAsset.NewCmdVerifyAsset(f, nil), ) return cmd diff --git a/pkg/cmd/release/shared/attestation.go b/pkg/cmd/release/shared/attestation.go new file mode 100644 index 000000000..4e0377fed --- /dev/null +++ b/pkg/cmd/release/shared/attestation.go @@ -0,0 +1,128 @@ +package shared + +import ( + "fmt" + "net/http" + + "github.com/cli/cli/v2/pkg/cmd/attestation/api" + "github.com/cli/cli/v2/pkg/cmd/attestation/artifact" + att_io "github.com/cli/cli/v2/pkg/cmd/attestation/io" + "github.com/cli/cli/v2/pkg/cmd/attestation/test/data" + "github.com/cli/cli/v2/pkg/cmd/attestation/verification" + "github.com/cli/cli/v2/pkg/iostreams" + "github.com/sigstore/sigstore-go/pkg/fulcio/certificate" + "github.com/sigstore/sigstore-go/pkg/verify" + + v1 "github.com/in-toto/attestation/go/v1" + "google.golang.org/protobuf/encoding/protojson" +) + +const ReleasePredicateType = "https://in-toto.io/attestation/release/v0.1" + +type Verifier interface { + // VerifyAttestation verifies the attestation for a given artifact + VerifyAttestation(art *artifact.DigestedArtifact, att *api.Attestation) (*verification.AttestationProcessingResult, error) +} + +type AttestationVerifier struct { + AttClient api.Client + HttpClient *http.Client + IO *iostreams.IOStreams +} + +func (v *AttestationVerifier) VerifyAttestation(art *artifact.DigestedArtifact, att *api.Attestation) (*verification.AttestationProcessingResult, error) { + td, err := v.AttClient.GetTrustDomain() + if err != nil { + return nil, err + } + + verifier, err := verification.NewLiveSigstoreVerifier(verification.SigstoreConfig{ + HttpClient: v.HttpClient, + Logger: att_io.NewHandler(v.IO), + NoPublicGood: true, + TrustDomain: td, + }) + if err != nil { + return nil, err + } + + policy := buildVerificationPolicy(*art) + sigstoreVerified, err := verifier.Verify([]*api.Attestation{att}, policy) + if err != nil { + return nil, err + } + + return sigstoreVerified[0], nil +} + +func FilterAttestationsByTag(attestations []*api.Attestation, tagName string) ([]*api.Attestation, error) { + var filtered []*api.Attestation + for _, att := range attestations { + statement := att.Bundle.Bundle.GetDsseEnvelope().Payload + var statementData v1.Statement + err := protojson.Unmarshal([]byte(statement), &statementData) + if err != nil { + return nil, fmt.Errorf("failed to unmarshal statement: %w", err) + } + tagValue := statementData.Predicate.GetFields()["tag"].GetStringValue() + + if tagValue == tagName { + filtered = append(filtered, att) + } + } + return filtered, nil +} + +func FilterAttestationsByFileDigest(attestations []*api.Attestation, fileDigest string) ([]*api.Attestation, error) { + var filtered []*api.Attestation + for _, att := range attestations { + statement := att.Bundle.Bundle.GetDsseEnvelope().Payload + var statementData v1.Statement + err := protojson.Unmarshal([]byte(statement), &statementData) + + if err != nil { + return nil, fmt.Errorf("failed to unmarshal statement: %w", err) + } + subjects := statementData.Subject + for _, subject := range subjects { + digestMap := subject.GetDigest() + alg := "sha256" + + digest := digestMap[alg] + if digest == fileDigest { + filtered = append(filtered, att) + } + } + + } + return filtered, nil +} + +// buildVerificationPolicy constructs a verification policy for GitHub releases +func buildVerificationPolicy(a artifact.DigestedArtifact) verify.PolicyBuilder { + // SAN must match the GitHub releases domain. No issuer extension (match anything) + sanMatcher, _ := verify.NewSANMatcher("", "^https://.*\\.releases\\.github\\.com$") + issuerMatcher, _ := verify.NewIssuerMatcher("", ".*") + certId, _ := verify.NewCertificateIdentity(sanMatcher, issuerMatcher, certificate.Extensions{}) + + artifactDigestPolicyOption, _ := verification.BuildDigestPolicyOption(a) + return verify.NewPolicy(artifactDigestPolicyOption, verify.WithCertificateIdentity(certId)) +} + +type MockVerifier struct { + mockResult *verification.AttestationProcessingResult +} + +func NewMockVerifier(mockResult *verification.AttestationProcessingResult) *MockVerifier { + return &MockVerifier{mockResult: mockResult} +} + +func (v *MockVerifier) VerifyAttestation(art *artifact.DigestedArtifact, att *api.Attestation) (*verification.AttestationProcessingResult, error) { + return &verification.AttestationProcessingResult{ + Attestation: &api.Attestation{ + Bundle: data.GitHubReleaseBundle(nil), + BundleURL: "https://example.com", + }, + VerificationResult: nil, + }, nil +} diff --git a/pkg/cmd/release/shared/fetch.go b/pkg/cmd/release/shared/fetch.go index 4c0a014b9..322f33c17 100644 --- a/pkg/cmd/release/shared/fetch.go +++ b/pkg/cmd/release/shared/fetch.go @@ -133,6 +133,41 @@ type fetchResult struct { error error } +func FetchRefSHA(ctx context.Context, httpClient *http.Client, repo ghrepo.Interface, tagName string) (string, error) { + path := fmt.Sprintf("repos/%s/%s/git/refs/tags/%s", repo.RepoOwner(), repo.RepoName(), tagName) + req, err := http.NewRequestWithContext(ctx, "GET", ghinstance.RESTPrefix(repo.RepoHost())+path, nil) + if err != nil { + return "", err + } + + resp, err := httpClient.Do(req) + if err != nil { + return "", err + } + defer resp.Body.Close() + + if resp.StatusCode == http.StatusNotFound { + _, _ = io.Copy(io.Discard, resp.Body) + // ErrRefNotFound + return "", ErrReleaseNotFound + } + + if resp.StatusCode > 299 { + return "", api.HandleHTTPError(resp) + } + + var ref struct { + Object struct { + SHA string `json:"sha"` + } `json:"object"` + } + if err := json.NewDecoder(resp.Body).Decode(&ref); err != nil { + return "", err + } + + return ref.Object.SHA, nil +} + // FetchRelease finds a published repository release by its tagName, or a draft release by its pending tag name. func FetchRelease(ctx context.Context, httpClient *http.Client, repo ghrepo.Interface, tagName string) (*Release, error) { cc, cancel := context.WithCancel(ctx) @@ -213,7 +248,7 @@ func fetchReleasePath(ctx context.Context, httpClient *http.Client, host string, } defer resp.Body.Close() - if resp.StatusCode == 404 { + if resp.StatusCode == http.StatusNotFound { _, _ = io.Copy(io.Discard, resp.Body) return nil, ErrReleaseNotFound } else if resp.StatusCode > 299 { @@ -248,3 +283,11 @@ func StubFetchRelease(t *testing.T, reg *httpmock.Registry, owner, repoName, tag ) } } + +func StubFetchRefSHA(t *testing.T, reg *httpmock.Registry, owner, repoName, tagName, sha string) { + path := fmt.Sprintf("repos/%s/%s/git/refs/tags/%s", owner, repoName, tagName) + reg.Register( + httpmock.REST("GET", path), + httpmock.StringResponse(fmt.Sprintf(`{"object": {"sha": "%s"}}`, sha)), + ) +} diff --git a/pkg/cmd/release/verify-asset/verify_asset.go b/pkg/cmd/release/verify-asset/verify_asset.go new file mode 100644 index 000000000..2b66f3502 --- /dev/null +++ b/pkg/cmd/release/verify-asset/verify_asset.go @@ -0,0 +1,211 @@ +package verifyasset + +import ( + "context" + "fmt" + "net/http" + "path/filepath" + + "github.com/cli/cli/v2/pkg/iostreams" + + "github.com/cli/cli/v2/internal/ghrepo" + "github.com/cli/cli/v2/pkg/cmd/attestation/api" + "github.com/cli/cli/v2/pkg/cmd/attestation/artifact" + att_io "github.com/cli/cli/v2/pkg/cmd/attestation/io" + "github.com/cli/cli/v2/pkg/cmd/release/shared" + + "github.com/MakeNowJust/heredoc" + "github.com/cli/cli/v2/pkg/cmdutil" + "github.com/spf13/cobra" +) + +type VerifyAssetOptions struct { + TagName string + BaseRepo ghrepo.Interface + Exporter cmdutil.Exporter + AssetFilePath string +} + +type VerifyAssetConfig struct { + HttpClient *http.Client + IO *iostreams.IOStreams + Opts *VerifyAssetOptions + AttClient api.Client + AttVerifier shared.Verifier +} + +func NewCmdVerifyAsset(f *cmdutil.Factory, runF func(*VerifyAssetConfig) error) *cobra.Command { + opts := &VerifyAssetOptions{} + + cmd := &cobra.Command{ + Use: "verify-asset [] ", + Short: "Verify that a given asset originated from a specific GitHub Release.", + Long: heredoc.Doc(` + Verify that a given asset file originated from a specific GitHub Release using cryptographically signed attestations. + + ## Understanding Verification + + An attestation is a claim made by GitHub regarding a release and its assets. + + ## What This Command Does + + This command checks that the asset you provide matches an attestation produced by GitHub for a particular release. + It ensures the asset's integrity by validating: + * The asset's digest matches the subject in the attestation + * The attestation is associated with the specified release + `), + Hidden: true, + Args: cobra.MaximumNArgs(2), + Example: heredoc.Doc(` + # Verify an asset from the latest release + $ gh release verify-asset ./dist/my-asset.zip + + # Verify an asset from a specific release tag + $ gh release verify-asset v1.2.3 ./dist/my-asset.zip + + # Verify an asset from a specific release tag and output the attestation in JSON format + $ gh release verify-asset v1.2.3 ./dist/my-asset.zip --format json + `), + RunE: func(cmd *cobra.Command, args []string) error { + if len(args) == 2 { + opts.TagName = args[0] + opts.AssetFilePath = args[1] + } else if len(args) == 1 { + opts.AssetFilePath = args[0] + } else { + return cmdutil.FlagErrorf("you must specify an asset filepath") + } + + opts.AssetFilePath = filepath.Clean(opts.AssetFilePath) + + baseRepo, err := f.BaseRepo() + if err != nil { + return fmt.Errorf("failed to determine base repository: %w", err) + } + opts.BaseRepo = baseRepo + + httpClient, err := f.HttpClient() + if err != nil { + return err + } + + io := f.IOStreams + attClient := api.NewLiveClient(httpClient, baseRepo.RepoHost(), att_io.NewHandler(io)) + + attVerifier := &shared.AttestationVerifier{ + AttClient: attClient, + HttpClient: httpClient, + IO: io, + } + + config := &VerifyAssetConfig{ + Opts: opts, + HttpClient: httpClient, + AttClient: attClient, + AttVerifier: attVerifier, + IO: io, + } + + if runF != nil { + return runF(config) + } + + return verifyAssetRun(config) + }, + } + cmdutil.AddFormatFlags(cmd, &opts.Exporter) + + return cmd +} + +func verifyAssetRun(config *VerifyAssetConfig) error { + ctx := context.Background() + opts := config.Opts + baseRepo := opts.BaseRepo + tagName := opts.TagName + + if tagName == "" { + release, err := shared.FetchLatestRelease(ctx, config.HttpClient, baseRepo) + if err != nil { + return err + } + tagName = release.TagName + } + + fileName := getFileName(opts.AssetFilePath) + + // Calculate the digest of the file + fileDigest, err := artifact.NewDigestedArtifact(nil, opts.AssetFilePath, "sha256") + if err != nil { + return err + } + + ref, err := shared.FetchRefSHA(ctx, config.HttpClient, baseRepo, tagName) + if err != nil { + return err + } + + releaseRefDigest := artifact.NewDigestedArtifactForRelease(ref, "sha1") + + // Find attestations for the release tag SHA + attestations, err := config.AttClient.GetByDigest(api.FetchParams{ + Digest: releaseRefDigest.DigestWithAlg(), + PredicateType: shared.ReleasePredicateType, + Owner: baseRepo.RepoOwner(), + Repo: baseRepo.RepoOwner() + "/" + baseRepo.RepoName(), + // TODO: Allow this value to be set via a flag. + // The limit is set to 100 to ensure we fetch all attestations for a given SHA. + // While multiple attestations can exist for a single SHA, + // only one attestation is associated with each release tag. + Limit: 100, + }) + if err != nil { + return fmt.Errorf("no attestations found for tag %s (%s)", tagName, releaseRefDigest.DigestWithAlg()) + } + + // Filter attestations by tag name + filteredAttestations, err := shared.FilterAttestationsByTag(attestations, opts.TagName) + if err != nil { + return fmt.Errorf("error parsing attestations for tag %s: %w", tagName, err) + } + + if len(filteredAttestations) == 0 { + return fmt.Errorf("no attestations found for release %s in %s/%s", tagName, baseRepo.RepoOwner(), baseRepo.RepoName()) + } + + // Filter attestations by subject digest + filteredAttestations, err = shared.FilterAttestationsByFileDigest(filteredAttestations, fileDigest.Digest()) + if err != nil { + return fmt.Errorf("error parsing attestations for digest %s: %w", fileDigest.DigestWithAlg(), err) + } + + if len(filteredAttestations) == 0 { + return fmt.Errorf("attestation for %s does not contain subject %s", tagName, fileDigest.DigestWithAlg()) + } + + // Verify attestation + verified, err := config.AttVerifier.VerifyAttestation(releaseRefDigest, filteredAttestations[0]) + if err != nil { + return fmt.Errorf("failed to verify attestation for tag %s: %w", tagName, err) + } + + // If an exporter is provided with the --json flag, write the results to the terminal in JSON format + if opts.Exporter != nil { + return opts.Exporter.Write(config.IO, verified) + } + + io := config.IO + cs := io.ColorScheme() + fmt.Fprintf(io.Out, "Calculated digest for %s: %s\n", fileName, fileDigest.DigestWithAlg()) + fmt.Fprintf(io.Out, "Resolved tag %s to %s\n", opts.TagName, releaseRefDigest.DigestWithAlg()) + fmt.Fprint(io.Out, "Loaded attestation from GitHub API\n\n") + fmt.Fprintf(io.Out, cs.Green("%s Verification succeeded! %s is present in release %s\n"), cs.SuccessIcon(), fileName, opts.TagName) + + return nil +} + +func getFileName(filePath string) string { + // Get the file name from the file path + _, fileName := filepath.Split(filePath) + return fileName +} diff --git a/pkg/cmd/release/verify-asset/verify_asset_test.go b/pkg/cmd/release/verify-asset/verify_asset_test.go new file mode 100644 index 000000000..732de9fd2 --- /dev/null +++ b/pkg/cmd/release/verify-asset/verify_asset_test.go @@ -0,0 +1,267 @@ +package verifyasset + +import ( + "bytes" + "net/http" + "testing" + + "github.com/cli/cli/v2/pkg/cmd/attestation/api" + "github.com/cli/cli/v2/pkg/cmd/attestation/test" + "github.com/cli/cli/v2/pkg/cmd/attestation/test/data" + "github.com/cli/cli/v2/pkg/cmd/attestation/verification" + "github.com/cli/cli/v2/pkg/cmd/release/shared" + "github.com/cli/cli/v2/pkg/cmdutil" + "github.com/cli/cli/v2/pkg/httpmock" + "github.com/cli/cli/v2/pkg/iostreams" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/cli/cli/v2/internal/ghrepo" +) + +func TestNewCmdVerifyAsset_Args(t *testing.T) { + tests := []struct { + name string + args []string + wantTag string + wantFile string + wantErr string + }{ + { + name: "valid args", + args: []string{"v1.2.3", "../../attestation/test/data/github_release_artifact.zip"}, + wantTag: "v1.2.3", + wantFile: test.NormalizeRelativePath("../../attestation/test/data/github_release_artifact.zip"), + }, + { + name: "valid flag with no tag", + + args: []string{"../../attestation/test/data/github_release_artifact.zip"}, + wantFile: test.NormalizeRelativePath("../../attestation/test/data/github_release_artifact.zip"), + }, + { + name: "no args", + args: []string{}, + wantErr: "you must specify an asset filepath", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + testIO, _, _, _ := iostreams.Test() + + f := &cmdutil.Factory{ + IOStreams: testIO, + HttpClient: func() (*http.Client, error) { + return nil, nil + }, + BaseRepo: func() (ghrepo.Interface, error) { + return ghrepo.FromFullName("owner/repo") + }, + } + + var cfg *VerifyAssetConfig + cmd := NewCmdVerifyAsset(f, func(c *VerifyAssetConfig) error { + cfg = c + return nil + }) + cmd.SetArgs(tt.args) + cmd.SetIn(&bytes.Buffer{}) + cmd.SetOut(&bytes.Buffer{}) + cmd.SetErr(&bytes.Buffer{}) + + _, err := cmd.ExecuteC() + + if tt.wantErr != "" { + require.Error(t, err) + assert.Contains(t, err.Error(), tt.wantErr) + } else { + require.NoError(t, err) + assert.Equal(t, tt.wantTag, cfg.Opts.TagName) + assert.Equal(t, tt.wantFile, cfg.Opts.AssetFilePath) + } + }) + } +} + +func Test_verifyAssetRun_Success(t *testing.T) { + ios, _, _, _ := iostreams.Test() + tagName := "v6" + + fakeHTTP := &httpmock.Registry{} + defer fakeHTTP.Verify(t) + + fakeSHA := "1234567890abcdef1234567890abcdef12345678" + shared.StubFetchRefSHA(t, fakeHTTP, "owner", "repo", tagName, fakeSHA) + + baseRepo, err := ghrepo.FromFullName("owner/repo") + require.NoError(t, err) + + result := &verification.AttestationProcessingResult{ + Attestation: &api.Attestation{ + Bundle: data.GitHubReleaseBundle(t), + BundleURL: "https://example.com", + }, + VerificationResult: nil, + } + + releaseAssetPath := test.NormalizeRelativePath("../../attestation/test/data/github_release_artifact.zip") + + cfg := &VerifyAssetConfig{ + Opts: &VerifyAssetOptions{ + AssetFilePath: releaseAssetPath, + TagName: tagName, + BaseRepo: baseRepo, + Exporter: nil, + }, + IO: ios, + HttpClient: &http.Client{Transport: fakeHTTP}, + AttClient: api.NewTestClient(), + AttVerifier: shared.NewMockVerifier(result), + } + + err = verifyAssetRun(cfg) + require.NoError(t, err) +} + +func Test_verifyAssetRun_FailedNoAttestations(t *testing.T) { + ios, _, _, _ := iostreams.Test() + tagName := "v1" + + fakeHTTP := &httpmock.Registry{} + defer fakeHTTP.Verify(t) + fakeSHA := "1234567890abcdef1234567890abcdef12345678" + shared.StubFetchRefSHA(t, fakeHTTP, "owner", "repo", tagName, fakeSHA) + + baseRepo, err := ghrepo.FromFullName("owner/repo") + require.NoError(t, err) + + releaseAssetPath := test.NormalizeRelativePath("../../attestation/test/data/github_release_artifact.zip") + + cfg := &VerifyAssetConfig{ + Opts: &VerifyAssetOptions{ + AssetFilePath: releaseAssetPath, + TagName: tagName, + BaseRepo: baseRepo, + Exporter: nil, + }, + IO: ios, + HttpClient: &http.Client{Transport: fakeHTTP}, + AttClient: api.NewFailTestClient(), + AttVerifier: nil, + } + + err = verifyAssetRun(cfg) + require.ErrorContains(t, err, "no attestations found for tag v1") +} + +func Test_verifyAssetRun_FailedTagNotInAttestation(t *testing.T) { + ios, _, _, _ := iostreams.Test() + + // Tag name does not match the one present in the attestation which + // will be returned by the mock client. Simulates a scenario where + // multiple releases may point to the same commit SHA, but not all + // of them are attested. + tagName := "v1.2.3" + + fakeHTTP := &httpmock.Registry{} + defer fakeHTTP.Verify(t) + fakeSHA := "1234567890abcdef1234567890abcdef12345678" + shared.StubFetchRefSHA(t, fakeHTTP, "owner", "repo", tagName, fakeSHA) + + baseRepo, err := ghrepo.FromFullName("owner/repo") + require.NoError(t, err) + + releaseAssetPath := test.NormalizeRelativePath("../../attestation/test/data/github_release_artifact.zip") + + cfg := &VerifyAssetConfig{ + Opts: &VerifyAssetOptions{ + AssetFilePath: releaseAssetPath, + TagName: tagName, + BaseRepo: baseRepo, + Exporter: nil, + }, + IO: ios, + HttpClient: &http.Client{Transport: fakeHTTP}, + AttClient: api.NewTestClient(), + AttVerifier: nil, + } + + err = verifyAssetRun(cfg) + require.ErrorContains(t, err, "no attestations found for release v1.2.3") +} + +func Test_verifyAssetRun_FailedInvalidAsset(t *testing.T) { + ios, _, _, _ := iostreams.Test() + tagName := "v6" + + fakeHTTP := &httpmock.Registry{} + defer fakeHTTP.Verify(t) + fakeSHA := "1234567890abcdef1234567890abcdef12345678" + shared.StubFetchRefSHA(t, fakeHTTP, "owner", "repo", tagName, fakeSHA) + + baseRepo, err := ghrepo.FromFullName("owner/repo") + require.NoError(t, err) + + releaseAssetPath := test.NormalizeRelativePath("../../attestation/test/data/github_release_artifact_invalid.zip") + + cfg := &VerifyAssetConfig{ + Opts: &VerifyAssetOptions{ + AssetFilePath: releaseAssetPath, + TagName: tagName, + BaseRepo: baseRepo, + Exporter: nil, + }, + IO: ios, + HttpClient: &http.Client{Transport: fakeHTTP}, + AttClient: api.NewTestClient(), + AttVerifier: nil, + } + + err = verifyAssetRun(cfg) + require.ErrorContains(t, err, "attestation for v6 does not contain subject") +} + +func Test_verifyAssetRun_NoSuchAsset(t *testing.T) { + ios, _, _, _ := iostreams.Test() + tagName := "v6" + + fakeHTTP := &httpmock.Registry{} + fakeSHA := "1234567890abcdef1234567890abcdef12345678" + shared.StubFetchRefSHA(t, fakeHTTP, "owner", "repo", tagName, fakeSHA) + + baseRepo, err := ghrepo.FromFullName("owner/repo") + require.NoError(t, err) + + cfg := &VerifyAssetConfig{ + Opts: &VerifyAssetOptions{ + AssetFilePath: "artifact.zip", + TagName: tagName, + BaseRepo: baseRepo, + Exporter: nil, + }, + IO: ios, + HttpClient: &http.Client{Transport: fakeHTTP}, + AttClient: api.NewTestClient(), + AttVerifier: nil, + } + + err = verifyAssetRun(cfg) + require.ErrorContains(t, err, "failed to open local artifact") +} + +func Test_getFileName(t *testing.T) { + tests := []struct { + input string + want string + }{ + {"foo/bar/baz.txt", "baz.txt"}, + {"baz.txt", "baz.txt"}, + {"/tmp/foo.tar.gz", "foo.tar.gz"}, + } + for _, tt := range tests { + t.Run(tt.input, func(t *testing.T) { + got := getFileName(tt.input) + assert.Equal(t, tt.want, got) + }) + } +} diff --git a/pkg/cmd/release/verify/verify.go b/pkg/cmd/release/verify/verify.go new file mode 100644 index 000000000..8c04fe682 --- /dev/null +++ b/pkg/cmd/release/verify/verify.go @@ -0,0 +1,233 @@ +package verify + +import ( + "context" + "fmt" + "net/http" + + "github.com/MakeNowJust/heredoc" + v1 "github.com/in-toto/attestation/go/v1" + "google.golang.org/protobuf/encoding/protojson" + + "github.com/cli/cli/v2/internal/ghrepo" + "github.com/cli/cli/v2/internal/tableprinter" + "github.com/cli/cli/v2/pkg/cmd/attestation/api" + "github.com/cli/cli/v2/pkg/cmd/attestation/artifact" + att_io "github.com/cli/cli/v2/pkg/cmd/attestation/io" + "github.com/cli/cli/v2/pkg/cmd/attestation/verification" + "github.com/cli/cli/v2/pkg/cmd/release/shared" + "github.com/cli/cli/v2/pkg/iostreams" + + "github.com/cli/cli/v2/pkg/cmdutil" + "github.com/spf13/cobra" +) + +type VerifyOptions struct { + TagName string + BaseRepo ghrepo.Interface + Exporter cmdutil.Exporter +} + +type VerifyConfig struct { + HttpClient *http.Client + IO *iostreams.IOStreams + Opts *VerifyOptions + AttClient api.Client + AttVerifier shared.Verifier +} + +func NewCmdVerify(f *cmdutil.Factory, runF func(config *VerifyConfig) error) *cobra.Command { + opts := &VerifyOptions{} + + cmd := &cobra.Command{ + Use: "verify []", + Short: "Verify the attestation for a GitHub Release.", + Hidden: true, + Args: cobra.MaximumNArgs(1), + Long: heredoc.Doc(` + Verify that a GitHub Release is accompanied by a valid cryptographically signed attestation. + + ## Understanding Verification + + An attestation is a claim made by GitHub regarding a release and its assets. + + ## What This Command Does + + This command checks that the specified release (or the latest release, if no tag is given) has a valid attestation. + It fetches the attestation for the release and prints out metadata about all assets referenced in the attestation, including their digests. + `), + Example: heredoc.Doc(` + # Verify the latest release + gh release verify + + # Verify a specific release by tag + gh release verify v1.2.3 + + # Verify a specific release by tag and output the attestation in JSON format + gh release verify v1.2.3 --format json + `), + RunE: func(cmd *cobra.Command, args []string) error { + if len(args) > 0 { + opts.TagName = args[0] + } + + baseRepo, err := f.BaseRepo() + if err != nil { + return fmt.Errorf("failed to determine base repository: %w", err) + } + + opts.BaseRepo = baseRepo + + httpClient, err := f.HttpClient() + if err != nil { + return err + } + + io := f.IOStreams + attClient := api.NewLiveClient(httpClient, baseRepo.RepoHost(), att_io.NewHandler(io)) + + attVerifier := &shared.AttestationVerifier{ + AttClient: attClient, + HttpClient: httpClient, + IO: io, + } + + config := &VerifyConfig{ + Opts: opts, + HttpClient: httpClient, + AttClient: attClient, + AttVerifier: attVerifier, + IO: io, + } + + if runF != nil { + return runF(config) + } + return verifyRun(config) + }, + } + cmdutil.AddFormatFlags(cmd, &opts.Exporter) + + return cmd +} + +func verifyRun(config *VerifyConfig) error { + ctx := context.Background() + opts := config.Opts + baseRepo := opts.BaseRepo + tagName := opts.TagName + + if tagName == "" { + release, err := shared.FetchLatestRelease(ctx, config.HttpClient, baseRepo) + if err != nil { + return err + } + tagName = release.TagName + } + + // Retrieve the ref for the release tag + ref, err := shared.FetchRefSHA(ctx, config.HttpClient, baseRepo, tagName) + if err != nil { + return err + } + + releaseRefDigest := artifact.NewDigestedArtifactForRelease(ref, "sha1") + + // Find all the attestations for the release tag SHA + attestations, err := config.AttClient.GetByDigest(api.FetchParams{ + Digest: releaseRefDigest.DigestWithAlg(), + PredicateType: shared.ReleasePredicateType, + Owner: baseRepo.RepoOwner(), + Repo: baseRepo.RepoOwner() + "/" + baseRepo.RepoName(), + // TODO: Allow this value to be set via a flag. + // The limit is set to 100 to ensure we fetch all attestations for a given SHA. + // While multiple attestations can exist for a single SHA, + // only one attestation is associated with each release tag. + Limit: 100, + }) + if err != nil { + return fmt.Errorf("no attestations for tag %s (%s)", tagName, releaseRefDigest.DigestWithAlg()) + } + + // Filter attestations by tag name + filteredAttestations, err := shared.FilterAttestationsByTag(attestations, tagName) + if err != nil { + return fmt.Errorf("error parsing attestations for tag %s: %w", tagName, err) + } + + if len(filteredAttestations) == 0 { + return fmt.Errorf("no attestations found for release %s in %s", tagName, baseRepo.RepoName()) + } + + if len(filteredAttestations) > 1 { + return fmt.Errorf("duplicate attestations found for release %s in %s", tagName, baseRepo.RepoName()) + } + + // Verify attestation + verified, err := config.AttVerifier.VerifyAttestation(releaseRefDigest, filteredAttestations[0]) + if err != nil { + return fmt.Errorf("failed to verify attestations for tag %s: %w", tagName, err) + } + + // If an exporter is provided with the --json flag, write the results to the terminal in JSON format + if opts.Exporter != nil { + return opts.Exporter.Write(config.IO, verified) + } + + io := config.IO + cs := io.ColorScheme() + fmt.Fprintf(io.Out, "Resolved tag %s to %s\n", tagName, releaseRefDigest.DigestWithAlg()) + fmt.Fprint(io.Out, "Loaded attestation from GitHub API\n") + fmt.Fprintf(io.Out, cs.Green("%s Release %s verified!\n"), cs.SuccessIcon(), tagName) + fmt.Fprintln(io.Out) + + if err := printVerifiedSubjects(io, verified); err != nil { + return err + } + + return nil +} + +func printVerifiedSubjects(io *iostreams.IOStreams, att *verification.AttestationProcessingResult) error { + cs := io.ColorScheme() + w := io.Out + + statement := att.Attestation.Bundle.GetDsseEnvelope().Payload + var statementData v1.Statement + + err := protojson.Unmarshal([]byte(statement), &statementData) + if err != nil { + return err + } + + // If there aren't at least two subjects, there are no assets to display + if len(statementData.Subject) < 2 { + return nil + } + + fmt.Fprintln(w, cs.Bold("Assets")) + table := tableprinter.New(io, tableprinter.WithHeader("Name", "Digest")) + + for _, s := range statementData.Subject { + name := s.Name + digest := s.Digest + + if name != "" { + digestStr := "" + for key, value := range digest { + digestStr = key + ":" + value + } + + table.AddField(name) + table.AddField(digestStr) + table.EndRow() + } + } + err = table.Render() + if err != nil { + return err + } + fmt.Fprintln(w) + + return nil +} diff --git a/pkg/cmd/release/verify/verify_test.go b/pkg/cmd/release/verify/verify_test.go new file mode 100644 index 000000000..40009fc7d --- /dev/null +++ b/pkg/cmd/release/verify/verify_test.go @@ -0,0 +1,165 @@ +package verify + +import ( + "bytes" + "net/http" + "testing" + + "github.com/cli/cli/v2/internal/ghrepo" + "github.com/cli/cli/v2/pkg/cmd/attestation/api" + "github.com/cli/cli/v2/pkg/cmd/attestation/test/data" + "github.com/cli/cli/v2/pkg/cmd/attestation/verification" + "github.com/cli/cli/v2/pkg/cmd/release/shared" + "github.com/cli/cli/v2/pkg/cmdutil" + "github.com/cli/cli/v2/pkg/httpmock" + "github.com/cli/cli/v2/pkg/iostreams" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestNewCmdVerify_Args(t *testing.T) { + tests := []struct { + name string + args []string + wantTag string + wantErr string + }{ + { + name: "valid tag arg", + args: []string{"v1.2.3"}, + wantTag: "v1.2.3", + }, + { + name: "no tag arg", + args: []string{}, + wantTag: "", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + testIO, _, _, _ := iostreams.Test() + f := &cmdutil.Factory{ + IOStreams: testIO, + HttpClient: func() (*http.Client, error) { + return nil, nil + }, + BaseRepo: func() (ghrepo.Interface, error) { + return ghrepo.FromFullName("owner/repo") + }, + } + + var cfg *VerifyConfig + cmd := NewCmdVerify(f, func(c *VerifyConfig) error { + cfg = c + return nil + }) + cmd.SetArgs(tt.args) + cmd.SetIn(&bytes.Buffer{}) + cmd.SetOut(&bytes.Buffer{}) + cmd.SetErr(&bytes.Buffer{}) + + _, err := cmd.ExecuteC() + + require.NoError(t, err) + assert.Equal(t, tt.wantTag, cfg.Opts.TagName) + }) + } +} + +func Test_verifyRun_Success(t *testing.T) { + ios, _, _, _ := iostreams.Test() + tagName := "v6" + + fakeHTTP := &httpmock.Registry{} + defer fakeHTTP.Verify(t) + + fakeSHA := "1234567890abcdef1234567890abcdef12345678" + shared.StubFetchRefSHA(t, fakeHTTP, "owner", "repo", tagName, fakeSHA) + + baseRepo, err := ghrepo.FromFullName("owner/repo") + require.NoError(t, err) + + result := &verification.AttestationProcessingResult{ + Attestation: &api.Attestation{ + Bundle: data.GitHubReleaseBundle(t), + BundleURL: "https://example.com", + }, + VerificationResult: nil, + } + + cfg := &VerifyConfig{ + Opts: &VerifyOptions{ + TagName: tagName, + BaseRepo: baseRepo, + Exporter: nil, + }, + IO: ios, + HttpClient: &http.Client{Transport: fakeHTTP}, + AttClient: api.NewTestClient(), + AttVerifier: shared.NewMockVerifier(result), + } + + err = verifyRun(cfg) + require.NoError(t, err) +} + +func Test_verifyRun_FailedNoAttestations(t *testing.T) { + ios, _, _, _ := iostreams.Test() + tagName := "v1" + + fakeHTTP := &httpmock.Registry{} + defer fakeHTTP.Verify(t) + fakeSHA := "1234567890abcdef1234567890abcdef12345678" + shared.StubFetchRefSHA(t, fakeHTTP, "owner", "repo", tagName, fakeSHA) + + baseRepo, err := ghrepo.FromFullName("owner/repo") + require.NoError(t, err) + + cfg := &VerifyConfig{ + Opts: &VerifyOptions{ + TagName: tagName, + BaseRepo: baseRepo, + Exporter: nil, + }, + IO: ios, + HttpClient: &http.Client{Transport: fakeHTTP}, + AttClient: api.NewFailTestClient(), + AttVerifier: nil, + } + + err = verifyRun(cfg) + require.ErrorContains(t, err, "no attestations for tag v1") +} + +func Test_verifyRun_FailedTagNotInAttestation(t *testing.T) { + ios, _, _, _ := iostreams.Test() + + // Tag name does not match the one present in the attestation which + // will be returned by the mock client. Simulates a scenario where + // multiple releases may point to the same commit SHA, but not all + // of them are attested. + tagName := "v1.2.3" + + fakeHTTP := &httpmock.Registry{} + defer fakeHTTP.Verify(t) + fakeSHA := "1234567890abcdef1234567890abcdef12345678" + shared.StubFetchRefSHA(t, fakeHTTP, "owner", "repo", tagName, fakeSHA) + + baseRepo, err := ghrepo.FromFullName("owner/repo") + require.NoError(t, err) + + cfg := &VerifyConfig{ + Opts: &VerifyOptions{ + TagName: tagName, + BaseRepo: baseRepo, + Exporter: nil, + }, + IO: ios, + HttpClient: &http.Client{Transport: fakeHTTP}, + AttClient: api.NewTestClient(), + AttVerifier: nil, + } + + err = verifyRun(cfg) + require.ErrorContains(t, err, "no attestations found for release v1.2.3") +} diff --git a/pkg/cmd/workflow/run/run.go b/pkg/cmd/workflow/run/run.go index def3cf9e4..2acd1d4cc 100644 --- a/pkg/cmd/workflow/run/run.go +++ b/pkg/cmd/workflow/run/run.go @@ -330,7 +330,7 @@ func runRun(opts *RunOptions) error { fmt.Fprintln(out) fmt.Fprintf(out, "To see runs for this workflow, try: %s\n", - cs.Boldf("gh run list --workflow=%s", workflow.Base())) + cs.Boldf("gh run list --workflow=%q", workflow.Base())) } return nil diff --git a/pkg/cmd/workflow/run/run_test.go b/pkg/cmd/workflow/run/run_test.go index ee1bc5a1e..b121a573d 100644 --- a/pkg/cmd/workflow/run/run_test.go +++ b/pkg/cmd/workflow/run/run_test.go @@ -447,7 +447,7 @@ jobs: "ref": "trunk", }, httpStubs: stubs, - wantOut: "✓ Created workflow_dispatch event for workflow.yml at trunk\n\nTo see runs for this workflow, try: gh run list --workflow=workflow.yml\n", + wantOut: "✓ Created workflow_dispatch event for workflow.yml at trunk\n\nTo see runs for this workflow, try: gh run list --workflow=\"workflow.yml\"\n", }, { name: "nontty good JSON", @@ -494,7 +494,7 @@ jobs: "ref": "good-branch", }, httpStubs: stubs, - wantOut: "✓ Created workflow_dispatch event for workflow.yml at good-branch\n\nTo see runs for this workflow, try: gh run list --workflow=workflow.yml\n", + wantOut: "✓ Created workflow_dispatch event for workflow.yml at good-branch\n\nTo see runs for this workflow, try: gh run list --workflow=\"workflow.yml\"\n", }, { // TODO this test is somewhat silly; it's more of a placeholder in case I decide to handle the API error more elegantly @@ -634,7 +634,7 @@ jobs: "inputs": map[string]interface{}{}, "ref": "trunk", }, - wantOut: "✓ Created workflow_dispatch event for minimal.yml at trunk\n\nTo see runs for this workflow, try: gh run list --workflow=minimal.yml\n", + wantOut: "✓ Created workflow_dispatch event for minimal.yml at trunk\n\nTo see runs for this workflow, try: gh run list --workflow=\"minimal.yml\"\n", }, { name: "prompt", @@ -682,7 +682,7 @@ jobs: }, "ref": "trunk", }, - wantOut: "✓ Created workflow_dispatch event for workflow.yml at trunk\n\nTo see runs for this workflow, try: gh run list --workflow=workflow.yml\n", + wantOut: "✓ Created workflow_dispatch event for workflow.yml at trunk\n\nTo see runs for this workflow, try: gh run list --workflow=\"workflow.yml\"\n", }, { name: "prompt, workflow choice input", @@ -731,7 +731,7 @@ jobs: }, "ref": "trunk", }, - wantOut: "✓ Created workflow_dispatch event for workflow.yml at trunk\n\nTo see runs for this workflow, try: gh run list --workflow=workflow.yml\n", + wantOut: "✓ Created workflow_dispatch event for workflow.yml at trunk\n\nTo see runs for this workflow, try: gh run list --workflow=\"workflow.yml\"\n", }, { name: "prompt, workflow choice missing input", diff --git a/pkg/cmdutil/args_test.go b/pkg/cmdutil/args_test.go index 4e880dd27..58f0dc0b6 100644 --- a/pkg/cmdutil/args_test.go +++ b/pkg/cmdutil/args_test.go @@ -210,17 +210,10 @@ func createTestDir(t *testing.T) (cleanupFn func()) { rootDir := t.TempDir() // Move workspace to temporary directory - cwd, err := os.Getwd() - if err != nil { - t.Fatal(err) - } - err = os.Chdir(rootDir) - if err != nil { - t.Fatal(err) - } + t.Chdir(rootDir) // Make subdirectories - err = os.Mkdir(filepath.Join(rootDir, "subDir1"), 0755) + err := os.Mkdir(filepath.Join(rootDir, "subDir1"), 0755) if err != nil { t.Fatal(err) } @@ -253,10 +246,6 @@ func createTestDir(t *testing.T) (cleanupFn func()) { cleanupFn = func() { os.RemoveAll(rootDir) - err = os.Chdir(cwd) - if err != nil { - t.Fatal(err) - } } return cleanupFn }