-
-
Notifications
You must be signed in to change notification settings - Fork 1.9k
Use Tempfile for auto-attestation bundles to avoid file conflicts and cleanup issues #9327
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -121,7 +121,12 @@ def send_push_request_with_attestation(name, args) | |
| Gem.read_binary(attestation) | ||
| end | ||
| else | ||
| [Gem.read_binary(attest!(name))] | ||
| bundle_path = attest!(name) | ||
| begin | ||
| [Gem.read_binary(bundle_path)] | ||
| ensure | ||
| File.unlink(bundle_path) if bundle_path && File.exist?(bundle_path) | ||
| end | ||
| end | ||
| bundles = "[" + attestations.join(",") + "]" | ||
|
|
||
|
|
@@ -136,8 +141,14 @@ def send_push_request_with_attestation(name, args) | |
|
|
||
| def attest!(name) | ||
| require "open3" | ||
| require "tempfile" | ||
|
|
||
| # Create a temporary file for the bundle | ||
| basename = File.basename(name, ".*") | ||
| tempfile = Tempfile.new([basename, ".sigstore.json"]) | ||
| bundle = tempfile.path | ||
| tempfile.close(false) # Close but don't unlink - we need the file for sigstore-cli | ||
|
Comment on lines
+146
to
+150
|
||
|
|
||
| bundle = "#{name}.sigstore.json" | ||
| env = defined?(Bundler.unbundled_env) ? Bundler.unbundled_env : ENV.to_h | ||
| out, st = Open3.capture2e( | ||
| env, | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -123,7 +123,8 @@ def test_execute_attestation_auto | |
| @fetcher.data["#{Gem.host}/api/v1/gems"] = HTTPResponseFactory.create(body: @response, code: 200, msg: "OK") | ||
|
|
||
| attestation_path = "#{@path}.sigstore.json" | ||
| File.write(attestation_path, "auto-attestation") | ||
| attestation_content = "auto-attestation" | ||
| File.write(attestation_path, attestation_content) | ||
| @cmd.options[:args] = [@path] | ||
|
|
||
| @cmd.stub(:attest!, attestation_path) do | ||
|
|
@@ -133,7 +134,7 @@ def test_execute_attestation_auto | |
| assert_equal Gem::Net::HTTP::Post, @fetcher.last_request.class | ||
| content_length = @fetcher.last_request["Content-Length"].to_i | ||
| assert_equal content_length, @fetcher.last_request.body.length | ||
| assert_attestation_multipart Gem.read_binary(attestation_path) | ||
| assert_attestation_multipart attestation_content | ||
|
Comment on lines
130
to
+137
|
||
| end | ||
|
|
||
| def test_execute_attestation_fallback | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The
ensurecleanup usesFile.unlink(...)without rescuing errors. If unlink fails (Windows file locking, permissions, race betweenexist?and unlink), the push could error out even though the request was constructed successfully. Prefer a non-raising cleanup (FileUtils.rm_f) or rescueSystemCallErroraround the unlink so cleanup failure doesn’t break the command.