From 3ac73df25f49391b98ba5c984453ac308996e85c Mon Sep 17 00:00:00 2001 From: Ian Lewis Date: Fri, 7 Oct 2022 06:21:48 +0000 Subject: [PATCH 1/2] Update to Go 1.19 Signed-off-by: Ian Lewis --- .github/actions/detect-workflow/Dockerfile | 2 +- .github/actions/detect-workflow/go.mod | 2 +- .github/workflows/builder_go_slsa3.yml | 2 +- .github/workflows/builder_nodejs_slsa3.yml | 2 +- .../workflows/generator_container_slsa3.yml | 2 +- .github/workflows/generator_generic_slsa3.yml | 2 +- ...-submit.e2e.go.config-ldflags-main-dir.yml | 2 +- .github/workflows/pre-submit.lint.yml | 16 ++-- .github/workflows/pre-submit.units.yml | 2 +- .github/workflows/release.yml | 4 +- github/oidc_test.go | 76 +++++++++++++------ go.mod | 2 +- internal/builders/generic/attest_test.go | 45 +++++++++-- internal/builders/go/e2e-presubmits/go.mod | 2 +- internal/builders/go/main_test.go | 1 - internal/builders/go/pkg/testdata/go/go.mod | 2 +- 16 files changed, 112 insertions(+), 52 deletions(-) diff --git a/.github/actions/detect-workflow/Dockerfile b/.github/actions/detect-workflow/Dockerfile index a314e5846d..37f93a7473 100644 --- a/.github/actions/detect-workflow/Dockerfile +++ b/.github/actions/detect-workflow/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.18.5@sha256:5540a6a6b3b612c382accc545b3f6702de21e77b15d89ad947116c94b5f42993 as builder +FROM golang:1.19.4@sha256:547083b65790caddf19707ac4c350c82fb7a1f52c0e0c520ee7db09695dc5f86 as builder WORKDIR /app COPY . /app diff --git a/.github/actions/detect-workflow/go.mod b/.github/actions/detect-workflow/go.mod index 3788598d70..9a9f89be9e 100644 --- a/.github/actions/detect-workflow/go.mod +++ b/.github/actions/detect-workflow/go.mod @@ -1,6 +1,6 @@ module github.com/slsa-framework/slsa-github-generator/.github/actions/detect-workflow -go 1.18 +go 1.19 require github.com/slsa-framework/slsa-github-generator v1.4.0 
diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml index a88ae01cea..e7c3b68fa5 100644 --- a/.github/workflows/builder_go_slsa3.yml +++ b/.github/workflows/builder_go_slsa3.yml @@ -118,7 +118,7 @@ jobs: with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" - go-version: 1.18 + go-version: 1.19 # Note: This must be the non-randomized binary name, so that it can be downloaded from the release assets. binary: "${{ env.BUILDER_BINARY }}" compile-builder: "${{ inputs.compile-builder }}" diff --git a/.github/workflows/builder_nodejs_slsa3.yml b/.github/workflows/builder_nodejs_slsa3.yml index 244ab4061f..5f96a07d2a 100644 --- a/.github/workflows/builder_nodejs_slsa3.yml +++ b/.github/workflows/builder_nodejs_slsa3.yml @@ -167,7 +167,7 @@ jobs: with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" - go-version: 1.18 + go-version: 1.19 # Note: This must be the non-randomized binary name, so that it can be downloaded from the release assets. binary: "${{ env.BUILDER_BINARY }}" compile-builder: "${{ inputs.compile-builder }}" diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml index 20050783e7..fa1d2f3748 100644 --- a/.github/workflows/generator_container_slsa3.yml +++ b/.github/workflows/generator_container_slsa3.yml @@ -119,7 +119,7 @@ jobs: with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" - go-version: 1.18 + go-version: 1.19 binary: "${{ env.BUILDER_BINARY }}" compile-builder: "${{ inputs.compile-generator }}" # NOTE: We are using the generic generator. diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml index da6656aec7..7e7e309e16 100644 --- a/.github/workflows/generator_generic_slsa3.yml +++ b/.github/workflows/generator_generic_slsa3.yml 
@@ -147,7 +147,7 @@ jobs: with: repository: "${{ needs.detect-env.outputs.repository }}" ref: "${{ needs.detect-env.outputs.ref }}" - go-version: 1.18 + go-version: 1.19 binary: "${{ env.BUILDER_BINARY }}" compile-builder: "${{ inputs.compile-generator }}" directory: "${{ env.BUILDER_DIR }}" diff --git a/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml b/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml index 39ac443791..2e5a758f49 100644 --- a/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml +++ b/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml @@ -34,7 +34,7 @@ jobs: actions: read # For the entry point. uses: ./.github/workflows/builder_go_slsa3.yml with: - go-version: 1.18 + go-version: 1.19 config-file: .github/workflows/configs-go/config-ldflags-main-dir.yml evaluated-envs: "VERSION:${{needs.args.outputs.version}},COMMIT:${{needs.args.outputs.commit}},BRANCH:${{needs.args.outputs.branch}}" compile-builder: true diff --git a/.github/workflows/pre-submit.lint.yml b/.github/workflows/pre-submit.lint.yml index c7696e65be..939d4e3a51 100644 --- a/.github/workflows/pre-submit.lint.yml +++ b/.github/workflows/pre-submit.lint.yml @@ -13,10 +13,10 @@ jobs: - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0 - uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.4.0 with: - go-version: "1.18" + go-version: 1.19 - env: - GOLANGCI_LINT_VERSION: "1.46.2" - GOLANGCI_LINT_CHECKSUM: "242cd4f2d6ac0556e315192e8555784d13da5d1874e51304711570769c4f2b9b" + GOLANGCI_LINT_VERSION: "1.50.1" + GOLANGCI_LINT_CHECKSUM: "4ba1dc9dbdf05b7bdc6f0e04bdfe6f63aa70576f51817be1b2540bbce017b69a" run: | set -euo pipefail 
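Review bot: The `go-version` value loses its quotes on the `+ go-version: 1.19` line of the setup-go step in pre-submit.lint.yml, so YAML now reads it as a float rather than a string; `1.19` survives, but the next bump to `1.20` would be parsed as `1.2` and select a different toolchain than intended. The quoted form the file already had avoids that trap: `go-version: "1.19"`. The same unquoting is made in the pre-submit.units.yml hunk, and the reusable-workflow inputs in the builder and generator hunks already use the unquoted form, so the risk is pre-existing there.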
@@ -24,7 +24,7 @@ jobs: curl -sSLo golangci-lint.tar.gz "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" echo "golangci-lint checksum is $(sha256sum golangci-lint.tar.gz | awk '{ print $1 }')" echo "expected checksum is $GOLANGCI_LINT_CHECKSUM" - echo "$GOLANGCI_LINT_CHECKSUM golangci-lint.tar.gz" | sha256sum --strict --check --status || exit -2 + echo "$GOLANGCI_LINT_CHECKSUM golangci-lint.tar.gz" | sha256sum --strict --check --status || exit -2 tar xf golangci-lint.tar.gz mv golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64/golangci-lint /usr/local/bin @@ -37,11 +37,17 @@ jobs: - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0 - env: SHELLCHECK_VERSION: "0.8.0" + SHELLCHECK_CHECKSUM: "ab6ee1b178f014d1b86d1e24da20d1139656c8b0ed34d2867fbb834dad02bf0a" run: | set -euo pipefail # Install shellcheck - wget -qO- "https://github.com/koalaman/shellcheck/releases/download/v${SHELLCHECK_VERSION}/shellcheck-v${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" | tar -xJf - + curl -sSLo shellcheck.tar.gz "https://github.com/koalaman/shellcheck/releases/download/v${SHELLCHECK_VERSION}/shellcheck-v${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" + echo "shellcheck checksum is $(sha256sum shellcheck.tar.gz | awk '{ print $1 }')" + echo "expected checksum is $SHELLCHECK_CHECKSUM" + echo "$SHELLCHECK_CHECKSUM shellcheck.tar.gz" | sha256sum --strict --check --status || exit -2 + + tar xf shellcheck.tar.gz mv "shellcheck-v$SHELLCHECK_VERSION/shellcheck" /usr/local/bin # Run shellcheck and output github actions commands. diff --git a/.github/workflows/pre-submit.units.yml b/.github/workflows/pre-submit.units.yml index b8799e7eee..d494f7454f 100644 --- a/.github/workflows/pre-submit.units.yml +++ b/.github/workflows/pre-submit.units.yml 
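Review bot: The shellcheck archive is saved as `shellcheck.tar.gz` although the URL on the `+ curl -sSLo` line ends in `.tar.xz`; `tar xf` sniffs the compression so extraction still works, but the misnamed file will confuse anyone reading the step or its expected-checksum output. Naming it `shellcheck.tar.xz` on the `curl`, `sha256sum` and `tar xf` lines keeps the step honest. Pinning `SHELLCHECK_CHECKSUM` and verifying it before extraction is the right move and matches the golangci-lint step above; adding `-f` to the `curl` call would also make a non-2xx response fail fast instead of falling through to a checksum mismatch.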
@@ -24,7 +24,7 @@ jobs: - name: setup-go uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.4.0 with: - go-version: "1.18" + go-version: 1.19 - name: unit tests run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bee24731ac..a2ec793a82 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -61,7 +61,7 @@ jobs: actions: read # For the entrypoint. uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@main with: - go-version: 1.18 + go-version: 1.19 config-file: .github/workflows/configs-generic/config-release.yml compile-builder: true @@ -74,6 +74,6 @@ jobs: actions: read # For the entrypoint. uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@main with: - go-version: 1.18 + go-version: 1.19 config-file: .github/workflows/configs-go/config-release.yml compile-builder: true diff --git a/github/oidc_test.go b/github/oidc_test.go index 5bfa657371..99bc4fc7d6 100644 --- a/github/oidc_test.go +++ b/github/oidc_test.go 
@@ -68,13 +68,41 @@ func TestNewOIDCClient(t *testing.T) { func TestToken(t *testing.T) { now := time.Date(2022, 4, 14, 12, 24, 0, 0, time.UTC) + errClaimsFunc := func(got error) { + want := &errClaims{} + if !errors.As(got, &want) { + t.Fatalf("unexpected error: %v", cmp.Diff(got, want, cmpopts.EquateErrors())) + } + } + + errVerifyFunc := func(got error) { + want := &errVerify{} + if !errors.As(got, &want) { + t.Fatalf("unexpected error: %v", cmp.Diff(got, want, cmpopts.EquateErrors())) + } + } + + errTokenFunc := func(got error) { + want := &errToken{} + if !errors.As(got, &want) { + t.Fatalf("unexpected error: %v", cmp.Diff(got, want, cmpopts.EquateErrors())) + } + } + + errRequestErrorFunc := func(got error) { + want := &errRequestError{} + if !errors.As(got, &want) { + t.Fatalf("unexpected error: %v", cmp.Diff(got, want, cmpopts.EquateErrors())) + } + } + testCases := []struct { name string audience []string token *OIDCToken status int raw string - err error + err func(error) }{ { name: "basic token", @@ -98,7 +126,7 @@ func TestToken(t *testing.T) { RepositoryOwnerID: "4321", ActorID: "4567", }, - err: &errClaims{}, + err: errClaimsFunc, }, { name: "no workflow ref claim", @@ -110,7 +138,7 @@ func TestToken(t *testing.T) { RepositoryOwnerID: "4321", ActorID: "4567", }, - err: &errClaims{}, + err: errClaimsFunc, }, { name: "no owner id claim", @@ -122,7 +150,7 @@ func TestToken(t *testing.T) { RepositoryID: "1234", ActorID: "4567", }, - err: &errClaims{}, + err: errClaimsFunc, }, { name: "no actor id claim", @@ -134,7 +162,7 @@ func TestToken(t *testing.T) { RepositoryID: "1234", RepositoryOwnerID: "4321", }, - err: &errClaims{}, + err: errClaimsFunc, }, { name: "expired token", @@ -147,7 +175,7 @@ func TestToken(t *testing.T) { RepositoryOwnerID: "4321", ActorID: "4567", }, - err: &errVerify{}, + err: errVerifyFunc, }, { name: "bad audience", 
@@ -160,7 +188,7 @@ func TestToken(t *testing.T) { RepositoryOwnerID: "4321", ActorID: "4567", }, - err: &errVerify{}, + err: errVerifyFunc, }, { name: "bad issuer", @@ -174,49 +202,49 @@ func TestToken(t *testing.T) { RepositoryOwnerID: "4321", ActorID: "4567", }, - err: &errVerify{}, - }, - { - name: "invalid response", - audience: []string{"hoge"}, - raw: `not json`, - status: http.StatusOK, - err: &errToken{}, + err: errVerifyFunc, }, { name: "invalid parts", audience: []string{"hoge"}, raw: `{"value": "part1"}`, status: http.StatusOK, - err: &errToken{}, + err: errVerifyFunc, }, { name: "invalid base64", audience: []string{"hoge"}, raw: `{"value": "part1.part2.part3"}`, status: http.StatusOK, - err: &errToken{}, + err: errVerifyFunc, }, { - name: "invalid json", + name: "invalid json part", audience: []string{"hoge"}, raw: fmt.Sprintf(`{"value": "part1.%s.part3"}`, base64.RawURLEncoding.EncodeToString([]byte("not json"))), status: http.StatusOK, - err: &errToken{}, + err: errVerifyFunc, + }, + { + name: "invalid response", + audience: []string{"hoge"}, + raw: `not json`, + status: http.StatusOK, + err: errTokenFunc, }, { name: "error response", audience: []string{"hoge"}, raw: "", status: http.StatusServiceUnavailable, - err: &errRequestError{}, + err: errRequestErrorFunc, }, { name: "redirect response", audience: []string{"hoge"}, raw: "", status: http.StatusFound, - err: &errRequestError{}, + err: errRequestErrorFunc, }, } 
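Review bot: The "invalid parts", "invalid base64" and "invalid json part" cases now expect `errVerifyFunc` where they expected `&errToken{}`, yet nothing outside the tests changes in this patch, so the switch of expectation deserves a line of explanation. The likely reason is that the old check, `errors.As(err, &tc.err)` with `tc.err` declared as `error`, accepts any error and so never verified the type; the new per-type closures do, and these three cases appear to reflect what `Token` actually returns. A short comment on the group, e.g. `// Malformed token payloads surface as errVerify, not errToken.`, or a sentence in the commit message, would save the next reader from re-deriving that.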
@@ -234,15 +262,13 @@ func TestToken(t *testing.T) { token, err := c.Token(context.Background(), tc.audience) if err != nil { if tc.err != nil { - if !errors.As(err, &tc.err) { - t.Fatalf("unexpected error: %v", cmp.Diff(err, tc.err, cmpopts.EquateErrors())) - } + tc.err(err) } else { t.Fatalf("unexpected error: %v", cmp.Diff(err, tc.err, cmpopts.EquateErrors())) } } else { if tc.err != nil { - t.Fatalf("unexpected error: %v", cmp.Diff(err, tc.err, cmpopts.EquateErrors())) + tc.err(err) } else { // Successful response, as expected. Check token. if want, got := tc.token, token; !tokenEqual(s.URL, want, got) { diff --git a/go.mod b/go.mod index f294db20cb..1aca70065c 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/slsa-framework/slsa-github-generator -go 1.18 +go 1.19 require ( github.com/coreos/go-oidc/v3 v3.4.0 diff --git a/internal/builders/generic/attest_test.go b/internal/builders/generic/attest_test.go index b92b485b9d..c9622056e7 100644 --- a/internal/builders/generic/attest_test.go +++ b/internal/builders/generic/attest_test.go 
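Review bot: On the success path (`} else { if tc.err != nil { tc.err(err) }`), `err` is nil, so the new `tc.err(err)` call fails with an `unexpected error: …` message about a nil value, which says the opposite of what happened. The old `Fatalf` there was at least explicit that an error was expected; `t.Fatal("expected an error, got nil")` keeps that. The same replacement appears on the success path of the TestParseSubjects hunk in attest_test.go, where it also drops the `expected %#v but received %#v` message that showed the parsed subjects.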
@@ -20,11 +20,39 @@ import ( // TestParseSubjects tests the parseSubjects function. func TestParseSubjects(t *testing.T) { + errNoNameFunc := func(got error) { + want := &errNoName{} + if !errors.As(got, &want) { + t.Fatalf("unexpected error: %v", cmp.Diff(got, want, cmpopts.EquateErrors())) + } + } + + errShaFunc := func(got error) { + want := &errSha{} + if !errors.As(got, &want) { + t.Fatalf("unexpected error: %v", cmp.Diff(got, want, cmpopts.EquateErrors())) + } + } + + errDuplicateSubjectFunc := func(got error) { + want := &errDuplicateSubject{} + if !errors.As(got, &want) { + t.Fatalf("unexpected error: %v", cmp.Diff(got, want, cmpopts.EquateErrors())) + } + } + + errBase64Func := func(got error) { + want := &errBase64{} + if !errors.As(got, &want) { + t.Fatalf("unexpected error: %v", cmp.Diff(got, want, cmpopts.EquateErrors())) + } + } + testCases := []struct { name string str string expected []intoto.Subject - err error + err func(error) }{ { name: "single", 
@@ -113,36 +141,37 @@ func TestParseSubjects(t *testing.T) { name: "sha only", // echo "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2" | base64 -w0 str: "MmUwMzkwZWIwMjRhNTI5NjNkYjdiOTVlODRhOWMyYjEyYzAwNDA1NGE3YmFkOWE5N2VjMGM3Yzg5ZDQ2ODFkMgo=", - err: &errNoName{}, + // err: &errNoName{}, + err: errNoNameFunc, }, { name: "invalid hash", // echo "abcdef hoge" | base64 -w0 str: "YWJjZGVmIGhvZ2UK", - err: &errSha{}, + err: errShaFunc, }, { name: "duplicate name", // echo -e "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2 hoge\n2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2 hoge" | base64 -w0 str: "MmUwMzkwZWIwMjRhNTI5NjNkYjdiOTVlODRhOWMyYjEyYzAwNDA1NGE3YmFkOWE5N2VjMGM3Yzg5ZDQ2ODFkMiBob2dlCjJlMDM5MGViMDI0YTUyOTYzZGI3Yjk1ZTg0YTljMmIxMmMwMDQwNTRhN2JhZDlhOTdlYzBjN2M4OWQ0NjgxZDIgaG9nZQo=", - err: &errDuplicateSubject{}, + err: errDuplicateSubjectFunc, }, { name: "not base64", str: "this is not base64", - err: &errBase64{}, + err: errBase64Func, }, } for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { if s, err := parseSubjects(tc.str); err != nil { - if tc.err != nil && !errors.As(err, &tc.err) { - t.Fatalf("unexpected error: %v", cmp.Diff(err, tc.err, cmpopts.EquateErrors())) + if tc.err != nil { + tc.err(err) } } else { if tc.err != nil { - t.Fatalf("expected %#v but received %#v", tc.err, s) + tc.err(err) } if want, got := tc.expected, s; !cmp.Equal(want, got) { diff --git a/internal/builders/go/e2e-presubmits/go.mod b/internal/builders/go/e2e-presubmits/go.mod index 5b9af807e6..bef7394676 100644 --- a/internal/builders/go/e2e-presubmits/go.mod +++ b/internal/builders/go/e2e-presubmits/go.mod @@ -1,6 +1,6 @@ module slsa-framework/example-package -go 1.18 +go 1.19 require github.com/pborman/uuid v1.2.1 diff --git a/internal/builders/go/main_test.go b/internal/builders/go/main_test.go index 0d7f2d2dbe..7145f6fd4e 100644 --- a/internal/builders/go/main_test.go +++ b/internal/builders/go/main_test.go 
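Review bot: The commented-out line `// err: &errNoName{},` left in the "sha only" case is dead code that duplicates the `err: errNoNameFunc,` right below it and should be deleted. The other cases in the table were converted without leaving the old line behind, so this one reads as an oversight.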
@@ -273,7 +273,6 @@ func Test_runBuild(t *testing.T) { tt := tt // Re-initializing variable so it is not changed while executing the closure below t.Run(tt.name, func(t *testing.T) { // *** WARNING: do not enable t.Parallel(), because we're writing to ***. - file, err := os.CreateTemp("", "") if err != nil { t.Fatalf("unable to create a temp env file: %s", err) diff --git a/internal/builders/go/pkg/testdata/go/go.mod b/internal/builders/go/pkg/testdata/go/go.mod index f64b4f6f40..5e56a47970 100644 --- a/internal/builders/go/pkg/testdata/go/go.mod +++ b/internal/builders/go/pkg/testdata/go/go.mod @@ -1,3 +1,3 @@ module github.com/slsa-framework/slsa-github-generator/internal/builders/go/pkg/testdata/go -go 1.18 +go 1.19 From a1d88ba60749db450a30e4e796217746773bcf9a Mon Sep 17 00:00:00 2001 From: Ian Lewis Date: Thu, 22 Dec 2022 02:25:30 +0000 Subject: [PATCH 2/2] Ignore vendor and node_modules Signed-off-by: Ian Lewis --- .github/workflows/scripts/verify-base-images.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scripts/verify-base-images.sh b/.github/workflows/scripts/verify-base-images.sh index 762712c335..bef054b6f4 100755 --- a/.github/workflows/scripts/verify-base-images.sh +++ b/.github/workflows/scripts/verify-base-images.sh @@ -16,7 +16,7 @@ set -euo pipefail # NOTE: Use read to avoid whitespace issues. -find . -name Dockerfile -print0 | while IFS= read -r -d '' f; do +find . \( ! -name vendor -o -prune \) \( ! -name node_modules -o -prune \) -type f -name Dockerfile -print0 | while IFS= read -r -d '' f; do echo "Checking $f" grep "^FROM " "$f" | while IFS= read -r line; do image_full=$(echo "$line" | awk '{ print $2 }')
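Review bot: The rewritten `find` on the `+find . \( ! -name vendor -o -prune \) …` line relies on `-prune` returning true inside negated groups to skip the two directories, which works but takes a moment to read and also prunes plain files that happen to be named `vendor` or `node_modules`. The conventional spelling puts the prune branch first: `find . -type d \( -name vendor -o -name node_modules \) -prune -o -type f -name Dockerfile -print0 | while IFS= read -r -d '' f; do`. Either way, Dockerfiles under vendored or node_modules trees are no longer checked for their base images, which seems to be the intent here but is worth stating in the `# NOTE:` comment above the loop.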