fix: initialize GitHub domain variable (#5216)

- Initialize GITHUB_DOMAIN as documented in the README
- Configure other URLs according to GITHUB_DOMAIN
- Automatically fetch SSH key fingerprints for GITHUB_DOMAIN
This commit is contained in:
Marco Ferrari 2024-02-09 19:45:44 +01:00 committed by GitHub
parent 83eca1df43
commit 6fd6830fb4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 125 additions and 26 deletions


@ -94,6 +94,8 @@ jobs:
- name: Run Test Suite - name: Run Test Suite
run: make test run: make test
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Login to GHCR - name: Login to GHCR
uses: docker/login-action@v3.0.0 uses: docker/login-action@v3.0.0


@ -130,6 +130,8 @@ jobs:
- name: Run Test Suite - name: Run Test Suite
run: make test run: make test
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
preview-release-notes: preview-release-notes:
if: github.event_name == 'pull_request' if: github.event_name == 'pull_request'
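Review bot: The `GITHUB_TOKEN` now handed to the `Run Test Suite` step is consumed only by `GetGitHubSshRsaKeyFingerprint`'s request to the `/meta` endpoint, which GitHub serves without authentication, so the test container receives whatever scope the job's `permissions:` block (outside this hunk) grants even though it needs none of it. If that block is absent or broader than `contents: read`, pinning the job to `permissions: contents: read` keeps the forwarded token to the minimum, because the Makefile passes it straight into `docker run` where every test script in the image can read it. On `pull_request` runs from forks the token is read-only regardless, which limits the blast radius but is not a substitute for scoping it explicitly.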


@ -73,6 +73,10 @@ endif
GITHUB_TOKEN_PATH := "$(CURDIR)/.github-personal-access-token" GITHUB_TOKEN_PATH := "$(CURDIR)/.github-personal-access-token"
ifeq ($(GITHUB_TOKEN),)
GITHUB_TOKEN="$(shell cat "${GITHUB_TOKEN_PATH}")"
endif
DEV_CONTAINER_URL := "super-linter/dev-container:latest" DEV_CONTAINER_URL := "super-linter/dev-container:latest"
@ -224,7 +228,7 @@ lint-subset-files-enable-expensive-io-checks: ## Lint a small subset of files in
$(SUPER_LINTER_TEST_CONTAINER_URL) $(SUPER_LINTER_TEST_CONTAINER_URL)
.phony: test-lib .phony: test-lib
test-lib: test-build-file-list test-github-event test-validation ## Test super-linter test-lib: test-build-file-list test-github-event test-setup-ssh test-validation ## Test super-linter
.phony: test-build-file-list .phony: test-build-file-list
test-build-file-list: ## Test buildFileList test-build-file-list: ## Test buildFileList
@ -242,6 +246,15 @@ test-github-event: ## Test githubEvent
--entrypoint /tmp/lint/test/lib/githubEventTest.sh \ --entrypoint /tmp/lint/test/lib/githubEventTest.sh \
$(SUPER_LINTER_TEST_CONTAINER_URL) $(SUPER_LINTER_TEST_CONTAINER_URL)
.phony: test-setup-ssh
test-setup-ssh: ## Test setupSSH
@docker run \
-e GITHUB_TOKEN=${GITHUB_TOKEN} \
-v "$(CURDIR):/tmp/lint" \
-w /tmp/lint \
--entrypoint /tmp/lint/test/lib/setupSSHTest.sh \
$(SUPER_LINTER_TEST_CONTAINER_URL)
.phony: test-validation .phony: test-validation
test-validation: ## Test validation test-validation: ## Test validation
docker run \ docker run \
@ -329,5 +342,5 @@ release-please-dry-run: build-dev-container-image check-github-token ## Run rele
--manifest-file .github/release-please/.release-please-manifest.json \ --manifest-file .github/release-please/.release-please-manifest.json \
--repo-url super-linter/super-linter \ --repo-url super-linter/super-linter \
--target-branch ${RELEASE_PLEASE_TARGET_BRANCH} \ --target-branch ${RELEASE_PLEASE_TARGET_BRANCH} \
--token "$(shell cat "${GITHUB_TOKEN_PATH}")" \ --token "${GITHUB_TOKEN}" \
--trace --trace
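Review bot: `-e GITHUB_TOKEN=${GITHUB_TOKEN}` in the new `test-setup-ssh` recipe puts the token value into the `docker` argv, where it is visible to every local user via `ps` and to any shell tracing; passing only the name and letting the docker client read its own environment keeps it out of the process list: `@GITHUB_TOKEN="$(GITHUB_TOKEN)" docker run -e GITHUB_TOKEN \`. The fallback `GITHUB_TOKEN="$(shell cat "${GITHUB_TOKEN_PATH}")"` uses `=`, so the `cat` re-runs on every expansion; `:=` runs it once, and the surrounding quotes become part of the make variable's value (harmless today only because the shell re-joins `""tok""`). `release-please-dry-run` already gates on `check-github-token`, and if that target validates the token the same way it would be worth making `test-setup-ssh` depend on it too, so a missing local token fails with a clear message instead of a 401 deep inside the container.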


@ -176,7 +176,7 @@ You can configure super-linter using the following environment variables:
| **FILTER_REGEX_INCLUDE** | `all` | Regular expression defining which files will be processed by linters (ex: `.*src/.*`) | | **FILTER_REGEX_INCLUDE** | `all` | Regular expression defining which files will be processed by linters (ex: `.*src/.*`) |
| **GITHUB_ACTIONS_CONFIG_FILE** | `actionlint.yml` | Filename for [Actionlint configuration](https://github.com/rhysd/actionlint/blob/main/docs/config.md) (ex: `actionlint.yml`) | | **GITHUB_ACTIONS_CONFIG_FILE** | `actionlint.yml` | Filename for [Actionlint configuration](https://github.com/rhysd/actionlint/blob/main/docs/config.md) (ex: `actionlint.yml`) |
| **GITHUB_ACTIONS_COMMAND_ARGS** | `null` | Additional arguments passed to `actionlint` command. Useful to [ignore some errors](https://github.com/rhysd/actionlint/blob/main/docs/usage.md#ignore-some-errors) | | **GITHUB_ACTIONS_COMMAND_ARGS** | `null` | Additional arguments passed to `actionlint` command. Useful to [ignore some errors](https://github.com/rhysd/actionlint/blob/main/docs/usage.md#ignore-some-errors) |
| **GITHUB_CUSTOM_API_URL** | `https://api.github.com` | Specify a custom GitHub API URL in case GitHub Enterprise is used: e.g. `https://github.myenterprise.com/api/v3` | | **GITHUB_CUSTOM_API_URL** | `https://api.${GITHUB_DOMAIN}` | Specify a custom GitHub API URL in case GitHub Enterprise is used: e.g. `https://github.myenterprise.com/api/v3` |
| **GITHUB_DOMAIN** | `github.com` | Specify a custom GitHub domain in case GitHub Enterprise is used: e.g. `github.myenterprise.com` | | **GITHUB_DOMAIN** | `github.com` | Specify a custom GitHub domain in case GitHub Enterprise is used: e.g. `github.myenterprise.com` |
| **GITLEAKS_CONFIG_FILE** | `.gitleaks.toml` | Filename for [GitLeaks configuration](https://github.com/zricethezav/gitleaks#configuration) (ex: `.gitleaks.toml`) | | **GITLEAKS_CONFIG_FILE** | `.gitleaks.toml` | Filename for [GitLeaks configuration](https://github.com/zricethezav/gitleaks#configuration) (ex: `.gitleaks.toml`) |
| **IGNORE_GENERATED_FILES** | `false` | If set to `true`, super-linter will ignore all the files with `@generated` marker but without `@not-generated` marker. | | **IGNORE_GENERATED_FILES** | `false` | If set to `true`, super-linter will ignore all the files with `@generated` marker but without `@not-generated` marker. |


@ -11,23 +11,42 @@ function SetupSshAgent() {
fi fi
} }
function GetGitHubSshRsaKeyFingerprint() {
local GET_SSH_RSA_KEY_FINGERPRINT_CMD
if ! GET_SSH_RSA_KEY_FINGERPRINT_CMD=$(
curl -f -s --show-error -X GET \
--url "${GITHUB_META_URL}" \
-H 'Accept: application/vnd.github.v3+json' \
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
-H "X-GitHub-Api-Version: 2022-11-28" 2>&1
); then
fatal "Failed to get GitHub RSA key fingerprint from ${GITHUB_META_URL}: ${GET_SSH_RSA_KEY_FINGERPRINT_CMD}"
fi
local SSH_RSA_KEY_FINGERPRINT
SSH_RSA_KEY_FINGERPRINT="SHA256:$(jq -r '.ssh_key_fingerprints.SHA256_RSA' <<<"${GET_SSH_RSA_KEY_FINGERPRINT_CMD}")"
echo "${SSH_RSA_KEY_FINGERPRINT}"
}
export -f GetGitHubSshRsaKeyFingerprint
function SetupGithubComSshKeys() { function SetupGithubComSshKeys() {
if [[ -n "${SSH_KEY}" || "${SSH_SETUP_GITHUB}" == "true" ]]; then if [[ -n "${SSH_KEY}" || "${SSH_SETUP_GITHUB}" == "true" ]]; then
info "Adding github.com SSH keys" info "Adding ${GITHUB_DOMAIN} SSH keys"
# Fetched out of band from # Fetched out of band from
# https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints # https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
GITHUB_RSA_FINGERPRINT="SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s" GITHUB_RSA_FINGERPRINT="$(GetGitHubSshRsaKeyFingerprint)"
ssh-keyscan -t rsa github.com >/tmp/github.pub 2>/dev/null debug "${GITHUB_DOMAIN} key RSA key fingerprint: ${GITHUB_RSA_FINGERPRINT}"
ssh-keyscan -t rsa "${GITHUB_DOMAIN}" >/tmp/github.pub 2>/dev/null
if [[ "${SSH_INSECURE_NO_VERIFY_GITHUB_KEY}" == "true" ]]; then if [[ "${SSH_INSECURE_NO_VERIFY_GITHUB_KEY}" == "true" ]]; then
warn "Skipping github.com key verification and adding without checking fingerprint" warn "Skipping ${GITHUB_DOMAIN} key verification and adding without checking fingerprint"
mkdir -p ~/.ssh mkdir -p ~/.ssh
cat /tmp/github.pub >>~/.ssh/known_hosts cat /tmp/github.pub >>~/.ssh/known_hosts
elif [[ "$(ssh-keygen -lf /tmp/github.pub)" == "2048 ${GITHUB_RSA_FINGERPRINT} github.com (RSA)" ]]; then elif [[ "$(ssh-keygen -lf /tmp/github.pub)" == "3072 ${GITHUB_RSA_FINGERPRINT} ${GITHUB_DOMAIN} (RSA)" ]]; then
info "Successfully verified github.com key" info "Successfully verified ${GITHUB_DOMAIN} key"
mkdir -p ~/.ssh mkdir -p ~/.ssh
cat /tmp/github.pub >>~/.ssh/known_hosts cat /tmp/github.pub >>~/.ssh/known_hosts
else else
error "Could not verify github.com key. SSH requests to github.com will likely fail." error "Could not verify ${GITHUB_DOMAIN} key. SSH requests to ${GITHUB_DOMAIN} will likely fail."
fi fi
fi fi
} }


@ -140,13 +140,14 @@ DEFAULT_SUPER_LINTER_WORKSPACE="/tmp/lint" # Fa
DEFAULT_WORKSPACE="${DEFAULT_WORKSPACE:-${DEFAULT_SUPER_LINTER_WORKSPACE}}" # Default workspace if running locally DEFAULT_WORKSPACE="${DEFAULT_WORKSPACE:-${DEFAULT_SUPER_LINTER_WORKSPACE}}" # Default workspace if running locally
FILTER_REGEX_INCLUDE="${FILTER_REGEX_INCLUDE:-""}" FILTER_REGEX_INCLUDE="${FILTER_REGEX_INCLUDE:-""}"
FILTER_REGEX_EXCLUDE="${FILTER_REGEX_EXCLUDE:-""}" FILTER_REGEX_EXCLUDE="${FILTER_REGEX_EXCLUDE:-""}"
GITHUB_DOMAIN="${GITHUB_DOMAIN:-"github.com"}"
GITHUB_DOMAIN="${GITHUB_DOMAIN%/}" # Remove trailing slash if present
# GitHub API root url # GitHub API root url
GITHUB_API_URL="${GITHUB_CUSTOM_API_URL:-"https://api.github.com"}" GITHUB_API_URL="${GITHUB_CUSTOM_API_URL:-"https://api.${GITHUB_DOMAIN}"}"
# Remove trailing slash if present GITHUB_API_URL="${GITHUB_API_URL%/}" # Remove trailing slash if present
GITHUB_API_URL="${GITHUB_API_URL%/}" GITHUB_SERVER_URL="https://${GITHUB_DOMAIN}"
GITHUB_SERVER_URL="${GITHUB_DOMAIN:-"https://github.com"}" # shellcheck disable=SC2034 # Variable is referenced indirectly
# Extract domain name from URL GITHUB_META_URL="${GITHUB_API_URL}/meta"
GITHUB_SERVER_URL=$(echo "$GITHUB_SERVER_URL" | cut -d '/' -f 3)
LINTER_RULES_PATH="${LINTER_RULES_PATH:-.github/linters}" # Linter rules directory LINTER_RULES_PATH="${LINTER_RULES_PATH:-.github/linters}" # Linter rules directory
# shellcheck disable=SC2034 # Variable is referenced in other scripts # shellcheck disable=SC2034 # Variable is referenced in other scripts
RAW_FILE_ARRAY=() # Array of all files that were changed RAW_FILE_ARRAY=() # Array of all files that were changed
@ -532,6 +533,12 @@ GetGitHubVars() {
else else
info "Successfully found GITHUB_RUN_ID ${GITHUB_RUN_ID}" info "Successfully found GITHUB_RUN_ID ${GITHUB_RUN_ID}"
fi fi
GITHUB_STATUS_URL="${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/statuses/${GITHUB_SHA}"
debug "GitHub Status URL: ${GITHUB_STATUS_URL}"
GITHUB_STATUS_TARGET_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
debug "GitHub Status target URL: ${GITHUB_STATUS_TARGET_URL}"
else else
debug "Skip GITHUB_TOKEN, GITHUB_REPOSITORY, and GITHUB_RUN_ID validation because we don't need these variables for GitHub Actions status reports. MULTI_STATUS: ${MULTI_STATUS}" debug "Skip GITHUB_TOKEN, GITHUB_REPOSITORY, and GITHUB_RUN_ID validation because we don't need these variables for GitHub Actions status reports. MULTI_STATUS: ${MULTI_STATUS}"
fi fi
@ -574,19 +581,17 @@ CallStatusAPI() {
STATUS="success" STATUS="success"
fi fi
debug "Status URL: ${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/statuses/${GITHUB_SHA}"
############################################## ##############################################
# Call the status API to create status check # # Call the status API to create status check #
############################################## ##############################################
if ! SEND_STATUS_CMD=$( if ! SEND_STATUS_CMD=$(
curl -f -s --show-error -X POST \ curl -f -s --show-error -X POST \
--url "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/statuses/${GITHUB_SHA}" \ --url "${GITHUB_STATUS_URL}" \
-H 'accept: application/vnd.github.v3+json' \ -H 'accept: application/vnd.github.v3+json' \
-H "authorization: Bearer ${GITHUB_TOKEN}" \ -H "authorization: Bearer ${GITHUB_TOKEN}" \
-H 'content-type: application/json' \ -H 'content-type: application/json' \
-d "{ \"state\": \"${STATUS}\", -d "{ \"state\": \"${STATUS}\",
\"target_url\": \"https://${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}\", \"target_url\": \"${GITHUB_STATUS_TARGET_URL}\",
\"description\": \"${MESSAGE}\", \"context\": \"--> Linted: ${LANGUAGE}\" \"description\": \"${MESSAGE}\", \"context\": \"--> Linted: ${LANGUAGE}\"
}" 2>&1 }" 2>&1
); then ); then
@ -718,12 +723,6 @@ trap 'cleanup' 0 1 2 3 6 14 15
########## ##########
Header Header
############################################
# Create SSH agent and add key if provided #
############################################
SetupSshAgent
SetupGithubComSshKeys
################################################ ################################################
# Need to update the loops for the image style # # Need to update the loops for the image style #
################################################ ################################################
@ -744,6 +743,12 @@ GetGitHubVars
# all cases when initializing variables # all cases when initializing variables
ConfigureGitSafeDirectories ConfigureGitSafeDirectories
############################################
# Create SSH agent and add key if provided #
############################################
SetupSshAgent
SetupGithubComSshKeys
######################################################## ########################################################
# Initialize variables that depend on GitHub variables # # Initialize variables that depend on GitHub variables #
######################################################## ########################################################
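Review bot: The new `GITHUB_DOMAIN` normalisation only strips a trailing slash, but the removed lines show the previous code accepted a full URL (it ran `cut -d '/' -f 3` on the value), so an existing configuration such as `GITHUB_DOMAIN=https://github.myenterprise.com` now produces `https://https://…` for `GITHUB_SERVER_URL` and `https://api.https://…` for the derived API and meta URLs, and the SSH fingerprint fetch dies with a confusing curl error. Strip a scheme before the slash: `GITHUB_DOMAIN="${GITHUB_DOMAIN#http://}"`, `GITHUB_DOMAIN="${GITHUB_DOMAIN#https://}"`, then the existing `GITHUB_DOMAIN="${GITHUB_DOMAIN%/}"`. The derived default `https://api.${GITHUB_DOMAIN}` is only right for github.com; the README example in this same commit shows GHES serving the API at `https://<host>/api/v3`, so GHES users must still set `GITHUB_CUSTOM_API_URL`, and a `warn` when `GITHUB_DOMAIN` is not `github.com` and `GITHUB_CUSTOM_API_URL` is empty would save them a fatal in `SetupGithubComSshKeys`. Note also that `GetGitHubVars` validates `GITHUB_TOKEN` only when `MULTI_STATUS` is on, while the moved `SetupGithubComSshKeys` now sends it as a Bearer header unconditionally.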

58
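--- /dev/null
+++ b/test/lib/setupSSHTest.sh
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+set -o errexit
+set -o nounset
+set -o pipefail
+# shellcheck disable=SC2034
+LOG_TRACE="true"
+# shellcheck disable=SC2034
+LOG_DEBUG="true"
+# shellcheck disable=SC2034
+LOG_VERBOSE="true"
+# shellcheck disable=SC2034
+LOG_NOTICE="true"
+# shellcheck disable=SC2034
+LOG_WARN="true"
+# shellcheck disable=SC2034
+LOG_ERROR="true"
+# shellcheck source=/dev/null
+source "lib/functions/log.sh"
+# shellcheck disable=SC2034
+CREATE_LOG_FILE=false
+GITHUB_DOMAIN="github.com"
+# shellcheck disable=SC2034
+GITHUB_META_URL="https://api.${GITHUB_DOMAIN}/meta"
+# shellcheck source=/dev/null
+source "lib/functions/setupSSH.sh"
+function GetGitHubSshRsaKeyFingerprintTest() {
+local SSH_RSA_KEY_FINGERPRINT
+SSH_RSA_KEY_FINGERPRINT=$(GetGitHubSshRsaKeyFingerprint)
+debug "SSH_RSA_KEY_FINGERPRINT: ${SSH_RSA_KEY_FINGERPRINT}"
+local EXPECTED_GITHUB_RSA_KEY_FINGERPRINT
+EXPECTED_GITHUB_RSA_KEY_FINGERPRINT="$(ssh-keygen -lf /dev/stdin <<<"$(ssh-keyscan -t rsa github.com)" | cut -d ' ' -f2)"
+debug "Expected output: ${EXPECTED_GITHUB_RSA_KEY_FINGERPRINT}"
+if [ "${SSH_RSA_KEY_FINGERPRINT}" != "${EXPECTED_GITHUB_RSA_KEY_FINGERPRINT}" ]; then
+fatal "SSH_RSA_KEY_FINGERPRINT is not equal to ${EXPECTED_GITHUB_RSA_KEY_FINGERPRINT}: ${SSH_RSA_KEY_FINGERPRINT}"
+fi
+FUNCTION_NAME="${FUNCNAME[0]}"
+notice "${FUNCTION_NAME} PASS"
+}
+function SetupGithubComSshKeysTest() {
+SSH_KEY="test_ssh_key" SSH_INSECURE_NO_VERIFY_GITHUB_KEY="false" SetupGithubComSshKeys
+FUNCTION_NAME="${FUNCNAME[0]}"
+notice "${FUNCTION_NAME} PASS"
+}
+GetGitHubSshRsaKeyFingerprintTest
+SetupGithubComSshKeysTest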
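Review bot: `SetupGithubComSshKeysTest` never asserts an outcome: when fingerprint verification fails, `SetupGithubComSshKeys` reports through `error`, which — judging by the separate `fatal` helper used elsewhere in this file — only logs, so the test prints PASS whether or not the host key was accepted. Check the observable result instead, e.g. `grep -qF -- "$(awk '{print $3}' /tmp/github.pub)" ~/.ssh/known_hosts || fatal "${GITHUB_DOMAIN} host key was not added to known_hosts"` right after the call. Under `set -o nounset` the script also depends on `GITHUB_TOKEN` being injected by the Makefile's `docker run -e`; a `: "${GITHUB_TOKEN:?GITHUB_TOKEN is required}"` near the top turns a bare unbound-variable abort inside `GetGitHubSshRsaKeyFingerprint` into a clear message when the test is run by hand. Both network sources in `GetGitHubSshRsaKeyFingerprintTest` (the meta API and a live `ssh-keyscan`) are fetched at test time, which is fine for an integration check but means the test pins nothing; worth a one-line comment saying so.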