Certs (#1470)

* adding cert * update readme * typo * make exec * spaces * adding better way * adding example * make shell happy * fix space * adding notes * bad var * duh
2024-11-06 01:05:54 -05:00 · 2021-04-26 09:00:42 -05:00 · 2021-04-26 09:00:42 -05:00 · e0e4a67f3a
commit e0e4a67f3a
parent b94bec19c9
4 changed files with 113 additions and 9 deletions
--- a/1
+++ b/1
@ -337,6 +337,7 @@ RUN wget --tries=5 -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sger
    && wget --tries=5 -q https://github.com/sgerrand/alpine-pkg-glibc/releases/download/${GLIBC_VERSION}/glibc-${GLIBC_VERSION}.apk \
    && apk add --no-cache \
    bash \
+    ca-certificates \
    glibc-${GLIBC_VERSION}.apk \
    gnupg \
    php7 php7-phar php7-json php7-mbstring php-xmlwriter \
--- a/README.md
+++ b/README.md
@ -245,6 +245,7 @@ But if you wish to select or exclude specific linters, we give you full control
 | **RUBY_CONFIG_FILE**               | `.ruby-lint.yml`                | Filename for [rubocop configuration](https://docs.rubocop.org/rubocop/configuration.html) (ex: `.ruby-lint.yml`, `.rubocop.yml`)                                                                                     |
 | **SUPPRESS_POSSUM**                | `false`                         | If set to `true`, will hide the ASCII possum at top of log output. Default is `false`                                                                                                                                |
 | **SNAKEMAKE_SNAKEFMT_CONFIG_FILE** | `.snakefmt.toml`                | Filename for [Snakemake configuration](https://github.com/snakemake/snakefmt#configuration) (ex: `pyproject.toml`, `.snakefmt.toml`)                                                                                 |
+| **SSL_CERT_SECRET**                | `none`                          | SSL cert to add to the **Super-Linter** trust store. This is needed for users on `self-hosted` runners or need to inject the cert for security standards (ex. ${{ secrets.SSL_CERT }})                               |
 | **SQL_CONFIG_FILE**                | `.sql-config.json`              | Filename for [SQL-Lint configuration](https://sql-lint.readthedocs.io/en/latest/files/configuration.html) (ex: `sql-config.json` , `.config.json`)                                                                   |
 | **TYPESCRIPT_ES_CONFIG_FILE**      | `.eslintrc.yml`                 | Filename for [eslint configuration](https://eslint.org/docs/user-guide/configuring#configuration-file-formats) (ex: `.eslintrc.yml`, `.eslintrc.json`)                                                               |
 | **VALIDATE_ALL_CODEBASE**          | `true`                          | Will parse the entire repository and find all files to validate across all types. **NOTE:** When set to `false`, only **new** or **edited** files will be parsed for validation.                                     |
@ -367,6 +368,20 @@ You can checkout this repository using [Container Remote Development](https://co

 We will also support [GitHub Codespaces](https://github.com/features/codespaces/) once it becomes available

+### SSL Certs
+
+If you need to inject a SSL cert into the trust store, you will need to first copy the cert to **GitHub Secrets**
+Once you have copied the plain text certificate into **GitHub Secrets**, you can use the variable `SSL_CERT_SECRET` to point the **Super-Linter** to the files contents.
+Once found, it will load the certificate contents to a file, and to the trust store.
+- Example workflow:
+```yml
+- name: Lint Code Base
+  uses: github/super-linter@v3
+  env:
+    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    SSL_CERT_SECRET: ${{ secrets.ROOT_CA }}
+```
+
 ## Limitations

 Below are a list of the known limitations for the **GitHub Super-Linter**:
--- a/lib/functions/updateSSL.sh
+++ b/lib/functions/updateSSL.sh
@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+
+################################################################################
+################################################################################
+########### Super-Linter linting Functions @admiralawkbar ######################
+################################################################################
+################################################################################
+########################## FUNCTION CALLS BELOW ################################
+################################################################################
+################################################################################
+#### Function CheckSSLCert #####################################################
+function CheckSSLCert() {
+  if [ -z "${SSL_CERT_SECRET}" ]; then
+    # No cert was passed
+    debug "User did not provide a SSL secret, moving on..."
+  else
+    # User has provided a cert file to upload
+    debug "User passed SSL secret:[${SSL_CERT_SECRET}]"
+    InstallSSLCert
+  fi
+}
+################################################################################
+#### Function InstallSSLCert ###################################################
+function InstallSSLCert() {
+  #############
+  # Base Vars #
+  #############
+  CERT_FILE='/tmp/cert.crt'
+  CERT_ROOT='/usr/local/share/ca-certificates'
+  FILE_NAME=$(basename "${CERT_FILE}" 2>&1)
+
+  #########################
+  # Echo secret into file #
+  #########################
+  echo "${SSL_CERT_SECRET}" >>"${CERT_FILE}"
+
+  ########################################
+  # Put the cert in the correct location #
+  ########################################
+  COPY_CMD=$(mv "${CERT_FILE}" "${CERT_ROOT}/${FILE_NAME}" 2>&1)
+
+  #######################
+  # Load the error code #
+  #######################
+  ERROR_CODE=$?
+
+  ##############################
+  # Check the shell for errors #
+  ##############################
+  if [ "${ERROR_CODE}" -ne 0 ]; then
+    error "ERROR! Failed to move cert into location!"
+    fatal "ERROR:[${COPY_CMD}]"
+  else
+    info "Moved cert into location, adding to trust store..."
+  fi
+
+  ##############################################
+  # Update ca-certificates to pull in the cert #
+  ##############################################
+  UPDATE_CMD=$(update-ca-certificates 2>&1)
+
+  #######################
+  # Load the error code #
+  #######################
+  ERROR_CODE=$?
+
+  ##############################
+  # Check the shell for errors #
+  ##############################
+  if [ "${ERROR_CODE}" -ne 0 ]; then
+    # ERROR
+    error "ERROR! Failed to add cert to trust store!"
+    fatal "ERROR:[${UPDATE_CMD}]"
+  else
+    # Success
+    info "Successfully added cert to trust store"
+  fi
+}
+################################################################################
--- a/lib/linter.sh
+++ b/lib/linter.sh
@ -44,21 +44,23 @@ export LOG_ERROR
 # Source Function Files #
 #########################
 # shellcheck source=/dev/null
+source /action/lib/functions/buildFileList.sh # Source the function script(s)
+# shellcheck source=/dev/null
+source /action/lib/functions/detectFiles.sh # Source the function script(s)
+# shellcheck source=/dev/null
+source /action/lib/functions/linterRules.sh # Source the function script(s)
+# shellcheck source=/dev/null
+source /action/lib/functions/linterVersions.sh # Source the function script(s)
+# shellcheck source=/dev/null
 source /action/lib/functions/log.sh # Source the function script(s)
 # shellcheck source=/dev/null
-source /action/lib/functions/buildFileList.sh # Source the function script(s)
+source /action/lib/functions/tapLibrary.sh # Source the function script(s)
+# shellcheck source=/dev/null
+source /action/lib/functions/updateSSL.sh # Source the function script(s)
 # shellcheck source=/dev/null
 source /action/lib/functions/validation.sh # Source the function script(s)
 # shellcheck source=/dev/null
 source /action/lib/functions/worker.sh # Source the function script(s)
-# shellcheck source=/dev/null
-source /action/lib/functions/tapLibrary.sh # Source the function script(s)
-# shellcheck source=/dev/null
-source /action/lib/functions/linterRules.sh # Source the function script(s)
-# shellcheck source=/dev/null
-source /action/lib/functions/detectFiles.sh # Source the function script(s)
-# shellcheck source=/dev/null
-source /action/lib/functions/linterVersions.sh # Source the function script(s)

 ###########
 # GLOBALS #
@ -149,6 +151,8 @@ SNAKEMAKE_SNAKEFMT_FILE_NAME="${SNAKEMAKE_SNAKEFMT_CONFIG_FILE:-.snakefmt.toml}"
 # shellcheck disable=SC2034  # Variable is referenced indirectly
 SUPPRESS_POSSUM="${SUPPRESS_POSSUM:-false}"
 # shellcheck disable=SC2034  # Variable is referenced indirectly
+SSL_CERT_SECRET="${SSL_CERT_SECRET}"
+# shellcheck disable=SC2034  # Variable is referenced indirectly
 SQL_FILE_NAME="${SQL_CONFIG_FILE:-.sql-config.json}"
 # shellcheck disable=SC2034  # Variable is referenced indirectly
 TERRAFORM_FILE_NAME=".tflint.hcl"
@ -859,6 +863,11 @@ for i in "${!LINTER_COMMANDS_ARRAY[@]}"; do
 done
 debug "---------------------------------------------"

+#################################
+# Check for SSL cert and update #
+#################################
+CheckSSLCert
+
 ###########################################
 # Build the list of files for each linter #
 ###########################################