fix: initialize GitHub domain variable (#5216)
- Initialize GITHUB_DOMAIN as documented in the README - Configure other URLs according to GITHUB_DOMAIN - Automatically fetch SSH key fingerprints for GITHUB_DOMAIN
This commit is contained in:
parent
83eca1df43
commit
6fd6830fb4
7 changed files with 125 additions and 26 deletions
2
.github/workflows/cd.yml
vendored
2
.github/workflows/cd.yml
vendored
|
@ -94,6 +94,8 @@ jobs:
|
||||||
|
|
||||||
- name: Run Test Suite
|
- name: Run Test Suite
|
||||||
run: make test
|
run: make test
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
- name: Login to GHCR
|
- name: Login to GHCR
|
||||||
uses: docker/login-action@v3.0.0
|
uses: docker/login-action@v3.0.0
|
||||||
|
|
2
.github/workflows/ci.yml
vendored
2
.github/workflows/ci.yml
vendored
|
@ -130,6 +130,8 @@ jobs:
|
||||||
|
|
||||||
- name: Run Test Suite
|
- name: Run Test Suite
|
||||||
run: make test
|
run: make test
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
preview-release-notes:
|
preview-release-notes:
|
||||||
if: github.event_name == 'pull_request'
|
if: github.event_name == 'pull_request'
|
||||||
|
|
17
Makefile
17
Makefile
|
@ -73,6 +73,10 @@ endif
|
||||||
|
|
||||||
GITHUB_TOKEN_PATH := "$(CURDIR)/.github-personal-access-token"
|
GITHUB_TOKEN_PATH := "$(CURDIR)/.github-personal-access-token"
|
||||||
|
|
||||||
|
ifeq ($(GITHUB_TOKEN),)
|
||||||
|
GITHUB_TOKEN="$(shell cat "${GITHUB_TOKEN_PATH}")"
|
||||||
|
endif
|
||||||
|
|
||||||
DEV_CONTAINER_URL := "super-linter/dev-container:latest"
|
DEV_CONTAINER_URL := "super-linter/dev-container:latest"
|
||||||
|
|
||||||
|
|
||||||
|
@ -224,7 +228,7 @@ lint-subset-files-enable-expensive-io-checks: ## Lint a small subset of files in
|
||||||
$(SUPER_LINTER_TEST_CONTAINER_URL)
|
$(SUPER_LINTER_TEST_CONTAINER_URL)
|
||||||
|
|
||||||
.phony: test-lib
|
.phony: test-lib
|
||||||
test-lib: test-build-file-list test-github-event test-validation ## Test super-linter
|
test-lib: test-build-file-list test-github-event test-setup-ssh test-validation ## Test super-linter
|
||||||
|
|
||||||
.phony: test-build-file-list
|
.phony: test-build-file-list
|
||||||
test-build-file-list: ## Test buildFileList
|
test-build-file-list: ## Test buildFileList
|
||||||
|
@ -242,6 +246,15 @@ test-github-event: ## Test githubEvent
|
||||||
--entrypoint /tmp/lint/test/lib/githubEventTest.sh \
|
--entrypoint /tmp/lint/test/lib/githubEventTest.sh \
|
||||||
$(SUPER_LINTER_TEST_CONTAINER_URL)
|
$(SUPER_LINTER_TEST_CONTAINER_URL)
|
||||||
|
|
||||||
|
.phony: test-setup-ssh
|
||||||
|
test-setup-ssh: ## Test setupSSH
|
||||||
|
@docker run \
|
||||||
|
-e GITHUB_TOKEN=${GITHUB_TOKEN} \
|
||||||
|
-v "$(CURDIR):/tmp/lint" \
|
||||||
|
-w /tmp/lint \
|
||||||
|
--entrypoint /tmp/lint/test/lib/setupSSHTest.sh \
|
||||||
|
$(SUPER_LINTER_TEST_CONTAINER_URL)
|
||||||
|
|
||||||
.phony: test-validation
|
.phony: test-validation
|
||||||
test-validation: ## Test validation
|
test-validation: ## Test validation
|
||||||
docker run \
|
docker run \
|
||||||
|
@ -329,5 +342,5 @@ release-please-dry-run: build-dev-container-image check-github-token ## Run rele
|
||||||
--manifest-file .github/release-please/.release-please-manifest.json \
|
--manifest-file .github/release-please/.release-please-manifest.json \
|
||||||
--repo-url super-linter/super-linter \
|
--repo-url super-linter/super-linter \
|
||||||
--target-branch ${RELEASE_PLEASE_TARGET_BRANCH} \
|
--target-branch ${RELEASE_PLEASE_TARGET_BRANCH} \
|
||||||
--token "$(shell cat "${GITHUB_TOKEN_PATH}")" \
|
--token "${GITHUB_TOKEN}" \
|
||||||
--trace
|
--trace
|
||||||
|
|
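Review bot: `-e GITHUB_TOKEN=${GITHUB_TOKEN}` in the new test-setup-ssh recipe places the token value on the `docker run` command line, where any process listing on the build host can read it, and it relies on the leading `@` alone to keep it out of the make log. Docker reads `-e GITHUB_TOKEN` (no `=value`) from the recipe's environment, so `export GITHUB_TOKEN` after the `ifeq` block plus `-e GITHUB_TOKEN \` keeps the value off the command line; that also requires dropping the surrounding quotes from `GITHUB_TOKEN="$(shell cat "${GITHUB_TOKEN_PATH}")"`, because make stores them as part of the value and today only the shell's later re-parsing of the recipe removes them (`GITHUB_TOKEN_PATH` is already quoted, so `GITHUB_TOKEN = $(shell cat $(GITHUB_TOKEN_PATH))` suffices). The same exposure applies to the unchanged `docker run` in test-validation if it also forwards the token, which this hunk does not show. `.phony: test-setup-ssh` matches the file's existing spelling, but GNU make only treats `.PHONY` as special, so none of these declarations take effect.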
|
@ -176,7 +176,7 @@ You can configure super-linter using the following environment variables:
|
||||||
| **FILTER_REGEX_INCLUDE** | `all` | Regular expression defining which files will be processed by linters (ex: `.*src/.*`) |
|
| **FILTER_REGEX_INCLUDE** | `all` | Regular expression defining which files will be processed by linters (ex: `.*src/.*`) |
|
||||||
| **GITHUB_ACTIONS_CONFIG_FILE** | `actionlint.yml` | Filename for [Actionlint configuration](https://github.com/rhysd/actionlint/blob/main/docs/config.md) (ex: `actionlint.yml`) |
|
| **GITHUB_ACTIONS_CONFIG_FILE** | `actionlint.yml` | Filename for [Actionlint configuration](https://github.com/rhysd/actionlint/blob/main/docs/config.md) (ex: `actionlint.yml`) |
|
||||||
| **GITHUB_ACTIONS_COMMAND_ARGS** | `null` | Additional arguments passed to `actionlint` command. Useful to [ignore some errors](https://github.com/rhysd/actionlint/blob/main/docs/usage.md#ignore-some-errors) |
|
| **GITHUB_ACTIONS_COMMAND_ARGS** | `null` | Additional arguments passed to `actionlint` command. Useful to [ignore some errors](https://github.com/rhysd/actionlint/blob/main/docs/usage.md#ignore-some-errors) |
|
||||||
| **GITHUB_CUSTOM_API_URL** | `https://api.github.com` | Specify a custom GitHub API URL in case GitHub Enterprise is used: e.g. `https://github.myenterprise.com/api/v3` |
|
| **GITHUB_CUSTOM_API_URL** | `https://api.${GITHUB_DOMAIN}` | Specify a custom GitHub API URL in case GitHub Enterprise is used: e.g. `https://github.myenterprise.com/api/v3` |
|
||||||
| **GITHUB_DOMAIN** | `github.com` | Specify a custom GitHub domain in case GitHub Enterprise is used: e.g. `github.myenterprise.com` |
|
| **GITHUB_DOMAIN** | `github.com` | Specify a custom GitHub domain in case GitHub Enterprise is used: e.g. `github.myenterprise.com` |
|
||||||
| **GITLEAKS_CONFIG_FILE** | `.gitleaks.toml` | Filename for [GitLeaks configuration](https://github.com/zricethezav/gitleaks#configuration) (ex: `.gitleaks.toml`) |
|
| **GITLEAKS_CONFIG_FILE** | `.gitleaks.toml` | Filename for [GitLeaks configuration](https://github.com/zricethezav/gitleaks#configuration) (ex: `.gitleaks.toml`) |
|
||||||
| **IGNORE_GENERATED_FILES** | `false` | If set to `true`, super-linter will ignore all the files with `@generated` marker but without `@not-generated` marker. |
|
| **IGNORE_GENERATED_FILES** | `false` | If set to `true`, super-linter will ignore all the files with `@generated` marker but without `@not-generated` marker. |
|
||||||
|
|
|
@ -11,23 +11,42 @@ function SetupSshAgent() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function GetGitHubSshRsaKeyFingerprint() {
|
||||||
|
local GET_SSH_RSA_KEY_FINGERPRINT_CMD
|
||||||
|
if ! GET_SSH_RSA_KEY_FINGERPRINT_CMD=$(
|
||||||
|
curl -f -s --show-error -X GET \
|
||||||
|
--url "${GITHUB_META_URL}" \
|
||||||
|
-H 'Accept: application/vnd.github.v3+json' \
|
||||||
|
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
|
||||||
|
-H "X-GitHub-Api-Version: 2022-11-28" 2>&1
|
||||||
|
); then
|
||||||
|
fatal "Failed to get GitHub RSA key fingerprint from ${GITHUB_META_URL}: ${GET_SSH_RSA_KEY_FINGERPRINT_CMD}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
local SSH_RSA_KEY_FINGERPRINT
|
||||||
|
SSH_RSA_KEY_FINGERPRINT="SHA256:$(jq -r '.ssh_key_fingerprints.SHA256_RSA' <<<"${GET_SSH_RSA_KEY_FINGERPRINT_CMD}")"
|
||||||
|
echo "${SSH_RSA_KEY_FINGERPRINT}"
|
||||||
|
}
|
||||||
|
export -f GetGitHubSshRsaKeyFingerprint
|
||||||
|
|
||||||
function SetupGithubComSshKeys() {
|
function SetupGithubComSshKeys() {
|
||||||
if [[ -n "${SSH_KEY}" || "${SSH_SETUP_GITHUB}" == "true" ]]; then
|
if [[ -n "${SSH_KEY}" || "${SSH_SETUP_GITHUB}" == "true" ]]; then
|
||||||
info "Adding github.com SSH keys"
|
info "Adding ${GITHUB_DOMAIN} SSH keys"
|
||||||
# Fetched out of band from
|
# Fetched out of band from
|
||||||
# https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
|
# https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
|
||||||
GITHUB_RSA_FINGERPRINT="SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s"
|
GITHUB_RSA_FINGERPRINT="$(GetGitHubSshRsaKeyFingerprint)"
|
||||||
ssh-keyscan -t rsa github.com >/tmp/github.pub 2>/dev/null
|
debug "${GITHUB_DOMAIN} key RSA key fingerprint: ${GITHUB_RSA_FINGERPRINT}"
|
||||||
|
ssh-keyscan -t rsa "${GITHUB_DOMAIN}" >/tmp/github.pub 2>/dev/null
|
||||||
if [[ "${SSH_INSECURE_NO_VERIFY_GITHUB_KEY}" == "true" ]]; then
|
if [[ "${SSH_INSECURE_NO_VERIFY_GITHUB_KEY}" == "true" ]]; then
|
||||||
warn "Skipping github.com key verification and adding without checking fingerprint"
|
warn "Skipping ${GITHUB_DOMAIN} key verification and adding without checking fingerprint"
|
||||||
mkdir -p ~/.ssh
|
mkdir -p ~/.ssh
|
||||||
cat /tmp/github.pub >>~/.ssh/known_hosts
|
cat /tmp/github.pub >>~/.ssh/known_hosts
|
||||||
elif [[ "$(ssh-keygen -lf /tmp/github.pub)" == "2048 ${GITHUB_RSA_FINGERPRINT} github.com (RSA)" ]]; then
|
elif [[ "$(ssh-keygen -lf /tmp/github.pub)" == "3072 ${GITHUB_RSA_FINGERPRINT} ${GITHUB_DOMAIN} (RSA)" ]]; then
|
||||||
info "Successfully verified github.com key"
|
info "Successfully verified ${GITHUB_DOMAIN} key"
|
||||||
mkdir -p ~/.ssh
|
mkdir -p ~/.ssh
|
||||||
cat /tmp/github.pub >>~/.ssh/known_hosts
|
cat /tmp/github.pub >>~/.ssh/known_hosts
|
||||||
else
|
else
|
||||||
error "Could not verify github.com key. SSH requests to github.com will likely fail."
|
error "Could not verify ${GITHUB_DOMAIN} key. SSH requests to ${GITHUB_DOMAIN} will likely fail."
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
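Review bot: The `elif` comparison on the new side still hard-codes the RSA key length (`3072`) next to the fetched fingerprint, so on a GitHub Enterprise host whose RSA host key has a different size the verified branch can never match and the function falls through to `error` even when the fingerprint is correct; comparing only the fingerprint field, `elif [[ "$(ssh-keygen -lf /tmp/github.pub | cut -d ' ' -f2)" == "${GITHUB_RSA_FINGERPRINT}" ]]; then`, keeps the check and drops the incidental length (an empty or `SHA256:null` fingerprint still fails to match, so the failure mode stays closed). The comment `# Fetched out of band from https://docs.github.com/...` above `GITHUB_RSA_FINGERPRINT="$(GetGitHubSshRsaKeyFingerprint)"` is now stale: the fingerprint comes from `${GITHUB_META_URL}` at runtime, so the trust anchor for the SSH host key is the TLS connection to the API, and the comment should say so, e.g. `# Fetched from the /meta API over HTTPS; host-key trust therefore rests on the TLS certificate of ${GITHUB_META_URL}`. If `fatal` exits as its name suggests, inside `GetGitHubSshRsaKeyFingerprint` it runs in the `$(...)` subshell, so unless the caller runs with errexit it only empties the result rather than stopping the script — presumably acceptable given the closed failure above, but worth a comment.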
|
@ -140,13 +140,14 @@ DEFAULT_SUPER_LINTER_WORKSPACE="/tmp/lint" # Fa
|
||||||
DEFAULT_WORKSPACE="${DEFAULT_WORKSPACE:-${DEFAULT_SUPER_LINTER_WORKSPACE}}" # Default workspace if running locally
|
DEFAULT_WORKSPACE="${DEFAULT_WORKSPACE:-${DEFAULT_SUPER_LINTER_WORKSPACE}}" # Default workspace if running locally
|
||||||
FILTER_REGEX_INCLUDE="${FILTER_REGEX_INCLUDE:-""}"
|
FILTER_REGEX_INCLUDE="${FILTER_REGEX_INCLUDE:-""}"
|
||||||
FILTER_REGEX_EXCLUDE="${FILTER_REGEX_EXCLUDE:-""}"
|
FILTER_REGEX_EXCLUDE="${FILTER_REGEX_EXCLUDE:-""}"
|
||||||
|
GITHUB_DOMAIN="${GITHUB_DOMAIN:-"github.com"}"
|
||||||
|
GITHUB_DOMAIN="${GITHUB_DOMAIN%/}" # Remove trailing slash if present
|
||||||
# GitHub API root url
|
# GitHub API root url
|
||||||
GITHUB_API_URL="${GITHUB_CUSTOM_API_URL:-"https://api.github.com"}"
|
GITHUB_API_URL="${GITHUB_CUSTOM_API_URL:-"https://api.${GITHUB_DOMAIN}"}"
|
||||||
# Remove trailing slash if present
|
GITHUB_API_URL="${GITHUB_API_URL%/}" # Remove trailing slash if present
|
||||||
GITHUB_API_URL="${GITHUB_API_URL%/}"
|
GITHUB_SERVER_URL="https://${GITHUB_DOMAIN}"
|
||||||
GITHUB_SERVER_URL="${GITHUB_DOMAIN:-"https://github.com"}"
|
# shellcheck disable=SC2034 # Variable is referenced indirectly
|
||||||
# Extract domain name from URL
|
GITHUB_META_URL="${GITHUB_API_URL}/meta"
|
||||||
GITHUB_SERVER_URL=$(echo "$GITHUB_SERVER_URL" | cut -d '/' -f 3)
|
|
||||||
LINTER_RULES_PATH="${LINTER_RULES_PATH:-.github/linters}" # Linter rules directory
|
LINTER_RULES_PATH="${LINTER_RULES_PATH:-.github/linters}" # Linter rules directory
|
||||||
# shellcheck disable=SC2034 # Variable is referenced in other scripts
|
# shellcheck disable=SC2034 # Variable is referenced in other scripts
|
||||||
RAW_FILE_ARRAY=() # Array of all files that were changed
|
RAW_FILE_ARRAY=() # Array of all files that were changed
|
||||||
|
@ -532,6 +533,12 @@ GetGitHubVars() {
|
||||||
else
|
else
|
||||||
info "Successfully found GITHUB_RUN_ID ${GITHUB_RUN_ID}"
|
info "Successfully found GITHUB_RUN_ID ${GITHUB_RUN_ID}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
GITHUB_STATUS_URL="${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/statuses/${GITHUB_SHA}"
|
||||||
|
debug "GitHub Status URL: ${GITHUB_STATUS_URL}"
|
||||||
|
|
||||||
|
GITHUB_STATUS_TARGET_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
|
||||||
|
debug "GitHub Status target URL: ${GITHUB_STATUS_TARGET_URL}"
|
||||||
else
|
else
|
||||||
debug "Skip GITHUB_TOKEN, GITHUB_REPOSITORY, and GITHUB_RUN_ID validation because we don't need these variables for GitHub Actions status reports. MULTI_STATUS: ${MULTI_STATUS}"
|
debug "Skip GITHUB_TOKEN, GITHUB_REPOSITORY, and GITHUB_RUN_ID validation because we don't need these variables for GitHub Actions status reports. MULTI_STATUS: ${MULTI_STATUS}"
|
||||||
fi
|
fi
|
||||||
|
@ -574,19 +581,17 @@ CallStatusAPI() {
|
||||||
STATUS="success"
|
STATUS="success"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
debug "Status URL: ${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/statuses/${GITHUB_SHA}"
|
|
||||||
|
|
||||||
##############################################
|
##############################################
|
||||||
# Call the status API to create status check #
|
# Call the status API to create status check #
|
||||||
##############################################
|
##############################################
|
||||||
if ! SEND_STATUS_CMD=$(
|
if ! SEND_STATUS_CMD=$(
|
||||||
curl -f -s --show-error -X POST \
|
curl -f -s --show-error -X POST \
|
||||||
--url "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/statuses/${GITHUB_SHA}" \
|
--url "${GITHUB_STATUS_URL}" \
|
||||||
-H 'accept: application/vnd.github.v3+json' \
|
-H 'accept: application/vnd.github.v3+json' \
|
||||||
-H "authorization: Bearer ${GITHUB_TOKEN}" \
|
-H "authorization: Bearer ${GITHUB_TOKEN}" \
|
||||||
-H 'content-type: application/json' \
|
-H 'content-type: application/json' \
|
||||||
-d "{ \"state\": \"${STATUS}\",
|
-d "{ \"state\": \"${STATUS}\",
|
||||||
\"target_url\": \"https://${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}\",
|
\"target_url\": \"${GITHUB_STATUS_TARGET_URL}\",
|
||||||
\"description\": \"${MESSAGE}\", \"context\": \"--> Linted: ${LANGUAGE}\"
|
\"description\": \"${MESSAGE}\", \"context\": \"--> Linted: ${LANGUAGE}\"
|
||||||
}" 2>&1
|
}" 2>&1
|
||||||
); then
|
); then
|
||||||
|
@ -718,12 +723,6 @@ trap 'cleanup' 0 1 2 3 6 14 15
|
||||||
##########
|
##########
|
||||||
Header
|
Header
|
||||||
|
|
||||||
############################################
|
|
||||||
# Create SSH agent and add key if provided #
|
|
||||||
############################################
|
|
||||||
SetupSshAgent
|
|
||||||
SetupGithubComSshKeys
|
|
||||||
|
|
||||||
################################################
|
################################################
|
||||||
# Need to update the loops for the image style #
|
# Need to update the loops for the image style #
|
||||||
################################################
|
################################################
|
||||||
|
@ -744,6 +743,12 @@ GetGitHubVars
|
||||||
# all cases when initializing variables
|
# all cases when initializing variables
|
||||||
ConfigureGitSafeDirectories
|
ConfigureGitSafeDirectories
|
||||||
|
|
||||||
|
############################################
|
||||||
|
# Create SSH agent and add key if provided #
|
||||||
|
############################################
|
||||||
|
SetupSshAgent
|
||||||
|
SetupGithubComSshKeys
|
||||||
|
|
||||||
########################################################
|
########################################################
|
||||||
# Initialize variables that depend on GitHub variables #
|
# Initialize variables that depend on GitHub variables #
|
||||||
########################################################
|
########################################################
|
||||||
|
|
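Review bot: `GITHUB_SERVER_URL="https://${GITHUB_DOMAIN}"` on the new side assumes GITHUB_DOMAIN is a bare host name, while the removed lines derived the domain from a URL with `cut -d '/' -f 3`, so an existing configuration that set `GITHUB_DOMAIN=https://github.myenterprise.com` now produces `https://https://...` and `https://api.https://...`. Stripping a scheme next to the existing trailing-slash strip, `GITHUB_DOMAIN="${GITHUB_DOMAIN#*://}" # Accept a URL for compatibility with the previous parsing`, keeps that input working and still matches the README's documented bare-domain default. The runner's own `GITHUB_SERVER_URL` is overwritten unconditionally here, so on an Enterprise runner the status target URL points at github.com unless GITHUB_DOMAIN is also set; that appears to be pre-existing behaviour and is only noted. The other hunks in this section follow from this one and need no separate comment.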
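--- /dev/null
+++ b/test/lib/setupSSHTest.sh
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# shellcheck disable=SC2034
+LOG_TRACE="true"
+# shellcheck disable=SC2034
+LOG_DEBUG="true"
+# shellcheck disable=SC2034
+LOG_VERBOSE="true"
+# shellcheck disable=SC2034
+LOG_NOTICE="true"
+# shellcheck disable=SC2034
+LOG_WARN="true"
+# shellcheck disable=SC2034
+LOG_ERROR="true"
+
+# shellcheck source=/dev/null
+source "lib/functions/log.sh"
+
+# shellcheck disable=SC2034
+CREATE_LOG_FILE=false
+
+GITHUB_DOMAIN="github.com"
+# shellcheck disable=SC2034
+GITHUB_META_URL="https://api.${GITHUB_DOMAIN}/meta"
+
+# shellcheck source=/dev/null
+source "lib/functions/setupSSH.sh"
+
+function GetGitHubSshRsaKeyFingerprintTest() {
+local SSH_RSA_KEY_FINGERPRINT
+SSH_RSA_KEY_FINGERPRINT=$(GetGitHubSshRsaKeyFingerprint)
+
+debug "SSH_RSA_KEY_FINGERPRINT: ${SSH_RSA_KEY_FINGERPRINT}"
+local EXPECTED_GITHUB_RSA_KEY_FINGERPRINT
+EXPECTED_GITHUB_RSA_KEY_FINGERPRINT="$(ssh-keygen -lf /dev/stdin <<<"$(ssh-keyscan -t rsa github.com)" | cut -d ' ' -f2)"
+debug "Expected output: ${EXPECTED_GITHUB_RSA_KEY_FINGERPRINT}"
+
+if [ "${SSH_RSA_KEY_FINGERPRINT}" != "${EXPECTED_GITHUB_RSA_KEY_FINGERPRINT}" ]; then
+fatal "SSH_RSA_KEY_FINGERPRINT is not equal to ${EXPECTED_GITHUB_RSA_KEY_FINGERPRINT}: ${SSH_RSA_KEY_FINGERPRINT}"
+fi
+
+FUNCTION_NAME="${FUNCNAME[0]}"
+notice "${FUNCTION_NAME} PASS"
+}
+
+function SetupGithubComSshKeysTest() {
+SSH_KEY="test_ssh_key" SSH_INSECURE_NO_VERIFY_GITHUB_KEY="false" SetupGithubComSshKeys
+
+FUNCTION_NAME="${FUNCNAME[0]}"
+notice "${FUNCTION_NAME} PASS"
+}
+
+GetGitHubSshRsaKeyFingerprintTest
+SetupGithubComSshKeysTest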
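Review bot: `SetupGithubComSshKeysTest` passes regardless of the outcome, because `SetupGithubComSshKeys` logs a fingerprint mismatch with `error` and, as far as the hunk shows, returns normally, so the only observable result is the `~/.ssh/known_hosts` entry written on the verified path; asserting it, `if ! ssh-keygen -F "${GITHUB_DOMAIN}" -f ~/.ssh/known_hosts >/dev/null; then fatal "${GITHUB_DOMAIN} host key was not added to known_hosts"; fi`, turns the test into a check of the verification rather than of the function returning. `GetGitHubSshRsaKeyFingerprintTest` computes its expected value with `ssh-keyscan -t rsa github.com` while the file defines `GITHUB_DOMAIN="github.com"` a few lines earlier; using `"${GITHUB_DOMAIN}"` there keeps the two in step. Both expected values come from the network (the API response and a live `ssh-keyscan`), so the test proves the two sources agree rather than pinning a known value — worth stating in a comment at the top of the file.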