Merge pull request #154 from nicholasSUSE/slsa-charts-bypass

Slsa charts bypass
rancher · Dec 9, 2024 · 5066d7b · 5066d7b
2 parents cafb872 + 898d638
commit 5066d7b
Show file tree

Hide file tree

Showing 17 changed files with 2,102 additions and 1,267 deletions.
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
@@ -11,7 +11,7 @@ jobs:
 
       - uses: actions/setup-go@v4
         with:
-          go-version: '1.22'
+          go-version: '1.23'
 
       - name: Run unit tests
         run: go test ./...
@@ -20,16 +20,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-
       - uses: actions/setup-go@v5
         with:
           go-version: '1.23'
-
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
-        with:
-          version: v1.60
-          args: --timeout 5m
+      - name: Install golint
+        run: go install golang.org/x/lint/golint@latest
+      - name: Run golint
+        run: golint ./...
 
   build:
     runs-on: ubuntu-latest

diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum
diff --git a/main.go b/main.go
@@ -152,7 +152,7 @@ func main() {
 			BRANCH_VERSION="x.y" make <command>
 
 		The branch version line to compare against.
-		Available inputs: (2.5; 2.6; 2.7; 2.8; 2.9).
+		Available inputs: (2.5; 2.6; 2.7; 2.8; 2.9; 2.10; 2.11; 2.12).
 		Default Environment Variable:
 		`,
 		Required: true,
@@ -267,6 +267,7 @@ func main() {
 			Name:   "regsync",
 			Usage:  "Create a regsync config file containing all images used for the particular Rancher version",
 			Action: generateRegSyncConfigFile,
+			Flags:  []cli.Flag{},
 		},
 		{
 			Name:   "index",

diff --git a/pkg/charts/chart.go b/pkg/charts/chart.go
@@ -30,6 +30,7 @@ type Chart struct {
 	UpstreamChartVersion *string
 }
 
+// GetUpstreamVersion returns the upstream version of the chart
 func (c *Chart) GetUpstreamVersion() string {
 	if c.UpstreamChartVersion == nil {
 		return ""

diff --git a/pkg/charts/parse.go b/pkg/charts/parse.go
@@ -42,6 +42,7 @@ func GetPackages(repoRoot, specificPackage string) ([]*Package, error) {
 	return packages, nil
 }
 
+// ListPackages returns a list of packages found within the repository. If there is a specific package provided, it will return just that Package in the list
 func ListPackages(repoRoot string, specificPackage string) ([]string, error) {
 	var packageList []string
 	rootFs := filesystem.GetFilesystem(repoRoot)

diff --git a/pkg/helm/export.go b/pkg/helm/export.go
@@ -16,13 +16,14 @@ import (
 	helmLoader "helm.sh/helm/v3/pkg/chart/loader"
 )
 
+// TODO remove this if it is unused
 const (
-	NumPatchDigits = 2
+	numPatchDigits = 2
 )
 
 var (
-	PatchNumMultiplier = uint64(math.Pow10(2))
-	MaxPatchNum        = PatchNumMultiplier - 1
+	patchNumMultiplier = uint64(math.Pow10(2))
+	maxPatchNum        = patchNumMultiplier - 1
 )
 
 // ExportHelmChart creates a Helm chart archive and an unarchived Helm chart at RepositoryAssetDirpath and RepositoryChartDirPath
@@ -95,13 +96,13 @@ func parseChartVersion(packageVersion *int, version *semver.Version, upstreamCha
 
 	// Add packageVersion as string, preventing errors due to leading 0s
 	if packageVersion != nil {
-		if uint64(*packageVersion) >= MaxPatchNum {
-			return "", fmt.Errorf("maximum number for packageVersion is %d, found %d", MaxPatchNum, packageVersion)
+		if uint64(*packageVersion) >= maxPatchNum {
+			return "", fmt.Errorf("maximum number for packageVersion is %d, found %d", maxPatchNum, packageVersion)
 		}
 		if uint64(*packageVersion) < 1 {
 			return "", fmt.Errorf("minimum number for packageVersion is 1, found %d", packageVersion)
 		}
-		metadataSemver.Patch = PatchNumMultiplier*metadataSemver.Patch + uint64(*packageVersion)
+		metadataSemver.Patch = patchNumMultiplier*metadataSemver.Patch + uint64(*packageVersion)
 	}
 
 	// Add buildMetadataFlag for forked charts

diff --git a/pkg/options/validate.go b/pkg/options/validate.go
@@ -94,18 +94,23 @@ func (r ReleaseOptions) SortBySemver() {
 }
 
 // CompareVersions compares two semantic versions and determines ascending ordering
-func CompareVersions(a string, b string) bool {
+func CompareVersions(a string, b string) int {
 	v1, err := version.NewVersion(a)
 	if err != nil {
-		return false
+		return 0
 	}
 
 	v2, err := version.NewVersion(b)
 	if err != nil {
-		return false
+		return 0
 	}
 
-	return v1.LessThanOrEqual(v2)
+	if v1.LessThan(v2) {
+		return -1
+	} else if v1.GreaterThan(v2) {
+		return 1
+	}
+	return 0
 }
 
 // WriteToFile marshals the struct to yaml and writes it into the path specified

diff --git a/pkg/path/path.go b/pkg/path/path.go
@@ -72,6 +72,9 @@ const (
 	// VersionRulesFile is the file that contains the version rules for the current branch on charts-build-scripts
 	VersionRulesFile = "version_rules.json"
 
-	// SlsaYamlFile is the file that contains the list of images already synced and signed for SLSA.
-	SlsaYamlFile = "slsa.yaml"
+	// RegsyncYamlFile file is the file that contains the regsync configuration
+	RegsyncYamlFile = "regsync.yaml"
+
+	// SignedImagesFile is the file that contains the signed images that were bypassed in the last release
+	SignedImagesFile = "signed-images.txt"
 )
diff --git a/pkg/puller/cache.go b/pkg/puller/cache.go
@@ -9,6 +9,7 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
+// RootCache is the cache at the root of the repository
 var RootCache cacher = &noopCache{}
 
 // InitRootCache initializes a cache at the repository's root to be used, if it does not currently exist

diff --git a/pkg/puller/gitrepository.go b/pkg/puller/gitrepository.go
@@ -53,13 +53,15 @@ type GithubRepository struct {
 	branch *string `yaml:"branch"`
 }
 
+// CacheKey returns the key to use for caching
 func (r GithubRepository) CacheKey() string {
 	if !r.IsCacheable() {
 		return ""
 	}
 	return filepath.Join(".gitrepos", r.String())
 }
 
+// IsCacheable returns whether this repository can be cached
 func (r GithubRepository) IsCacheable() bool {
 	return r.Commit != nil
 }

diff --git a/pkg/puller/oci.go b/pkg/puller/oci.go
@@ -10,11 +10,12 @@ import (
 	"helm.sh/helm/v3/pkg/getter"
 )
 
+// Registry holds the URL that represents the link to the chart registry including the chart version
 type Registry struct {
-	// URL represents the link to the chart registry including the chart version
 	URL string `yaml:"url"`
 }
 
+// Pull pulls the chart from the registry into the filesystem
 func (r Registry) Pull(rootFs, fs billy.Filesystem, path string) error {
 	logrus.Infof("Pulling %s from upstream into %s", r.URL, path)
 
@@ -50,12 +51,15 @@ func (r Registry) Pull(rootFs, fs billy.Filesystem, path string) error {
 	return nil
 }
 
+// GetOptions returns the options for the upstream
 func (r Registry) GetOptions() options.UpstreamOptions {
 	return options.UpstreamOptions{
 		URL: r.URL,
 	}
 }
 
+// IsWithinPackage returns whether the upstream is within the package
 func (r Registry) IsWithinPackage() bool {
+	// TODO check if this is needed
 	return false
 }