
[0.57.x] Fixing CVE (#953) #84



Workflow file for this run

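# Release workflow: runs on every pushed "v*" tag, builds and publishes the
# release with GoReleaser, then checks that the assets attached to the draft
# release hash to the same values as a local rebuild before running the
# external test suite.
name: kapp-release
on:
  push:
    tags:
      - "v*"
jobs:
  kappreleaser:
    name: kapp release
    runs-on: ubuntu-latest
    # Set permissions of github token. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions
    # Only `contents: write` is granted to the job token; that is what creating
    # the release and uploading its assets needs.
    permissions:
      contents: write
    steps:
      - name: Checkout
        # NOTE(review): pinned by major tag; the GoReleaser step below pins the
        # action to a commit SHA, which is the stronger supply-chain control.
        uses: actions/checkout@v2
        with:
          # Full clone rather than a shallow one (presumably so tags/history are
          # visible to the release tooling — confirm).
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@v2
        with:
          # Quoted so the version string is never re-typed by YAML tooling.
          go-version: "1.22.3"
      - name: Retrieve version
        # Reads the ref from the runner-provided $GITHUB_REF environment variable
        # instead of expanding ${{ github.ref }} into the shell text, so the ref
        # value is data to the shell, not part of the command.
        run: |
          echo "TAG_NAME=$(echo "$GITHUB_REF" | grep -Eo 'v[0-9].*')" >> "$GITHUB_OUTPUT"
        id: version
      - name: Run GoReleaser
        # GoReleaser v4.2.0 (action pinned to a commit SHA)
        uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b
        if: startsWith(github.ref, 'refs/tags/')
        with:
          version: "1.16.2"
          # SKIP_PUBLISH is not defined anywhere in this file; the expression
          # expands to an empty string unless the environment provides it.
          args: release --rm-dist --debug ${{ env.SKIP_PUBLISH }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GORELEASER_CURRENT_TAG: ${{ steps.version.outputs.TAG_NAME }}
      - uses: actions/github-script@v4
        id: get-checksums-from-draft-release
        if: startsWith(github.ref, 'refs/tags/')
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          result-encoding: string
          # Downloads every asset of the draft release for the current tag,
          # hashes each one with SHA-256 and returns the hashes in the same
          # "<hash> ./<name>" layout that ./go-checksums uses, so the next step
          # can diff the two.
          script: |
            const crypto = require('crypto');
            const https = require('https');
            const { owner, repo } = context.repo;
            // https://docs.github.com/en/rest/reference/repos#list-releases
            // https://octokit.github.io/rest.js/v18#repos-list-releases
            const releases = await github.repos.listReleases({ owner, repo });
            const checksums = {};
            // Compared against the runner-provided env var rather than an
            // expression expanded into the script source.
            const currentRef = process.env.GITHUB_REF;
            for (const r of releases.data) {
              if (!r.draft || `refs/tags/${r.tag_name}` !== currentRef) {
                continue;
              }
              for (const asset of r.assets) {
                const releaseAsset = await github.repos.getReleaseAsset({
                  headers: { accept: 'application/octet-stream' },
                  accept: 'application/octet-stream',
                  owner,
                  repo,
                  asset_id: asset.id,
                });
                const hash = crypto.createHash('sha256');
                // Transport errors reject the promise so a failed download fails
                // the step instead of leaving it pending until the job times out.
                await new Promise((resolve, reject) => {
                  https.get(releaseAsset.url, (stream) => {
                    stream.on('data', (data) => hash.update(data));
                    stream.on('error', reject);
                    stream.on('end', () => {
                      checksums[asset.name] = hash.digest('hex');
                      resolve(asset.name);
                    });
                  }).on('error', reject);
                });
              }
            }
            console.log(checksums);
            return `${checksums['kapp-darwin-amd64']} ./kapp-darwin-amd64
            ${checksums['kapp-darwin-arm64']} ./kapp-darwin-arm64
            ${checksums['kapp-linux-amd64']} ./kapp-linux-amd64
            ${checksums['kapp-linux-arm64']} ./kapp-linux-arm64
            ${checksums['kapp-windows-amd64.exe']} ./kapp-windows-amd64.exe`
      - name: verify uploaded artifacts
        if: startsWith(github.ref, 'refs/tags/')
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          CURRENT_TAG: ${{ steps.version.outputs.TAG_NAME }}
          # Handed over through the environment so the previous step's output is
          # never spliced into the shell script text.
          EXPECTED_CHECKSUMS: ${{ steps.get-checksums-from-draft-release.outputs.result }}
        run: |
          set -e -x
          VERSION=$(echo "$CURRENT_TAG" | grep -Eo '[0-9].*')
          ./hack/build-binaries.sh "$VERSION" > ./go-checksums
          cat ./go-checksums
          # diff exits non-zero, failing the job, if the locally rebuilt
          # binaries do not hash to the same values as the draft-release assets.
          diff ./go-checksums <(printf '%s\n' "$EXPECTED_CHECKSUMS")
      - name: Run Test cases
        run: |
          # Fail fast and trace from the first command, not only from the build
          # onwards.
          set -e -x
          # Setup minikube
          # NOTE(review): the installer is fetched over HTTPS but its checksum
          # is not verified before it is installed.
          curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
          install minikube-linux-amd64 /usr/local/bin/minikube
          minikube start --driver=docker --memory 4096
          eval $(minikube docker-env --shell=bash)
          # Ensure that there is no existing kapp installed
          rm -f /tmp/bin/kapp
          # Build kapp binary
          VERSION=$(echo "$GITHUB_REF" | grep -Eo '[0-9].*')
          ./hack/build.sh
          # Add binary to the path
          mkdir bin
          mv kapp bin
          PATH=$PATH:$PWD/bin
          echo $PATH
          # Run test cases
          ./hack/test-external.sh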