
Refactor some pipelines to more safely use pipeline expansions #554

Merged: 3 commits from fix/pipeline-expansions into main, Jul 17, 2023

Conversation

kaniini

@kaniini kaniini commented Jul 17, 2023

No description provided.

Previously, it was possible to do something like:

  pipeline:
    - uses: fetch
      with:
        uri: http://example.com/release.tgz; exit 0
        expected-sha256: ...

Which would allow the checksum validation to be skipped.

Found by Cure53.

Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>

The patches variable is ultimately just an inline list of patches to apply.
Convert it to a series file and unify the patching pipeline.

Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>

Previously, it was possible to have a block such as

pipeline:
  - uses: git-checkout
    with:
      repository: https://example.com/foo.git; exit 1

Or

pipeline:
  - uses: git-checkout
    with:
      repository: https://example.com/foo.git
      depth: "; exit 1"

Harden the variable expansions to prevent this.
Found by Cure53.

Signed-off-by: Ariadne Conill <ariadne@dereferenced.org>
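The three commit messages above describe the same root cause: values from a step's `with:` block were pasted verbatim into the shell script that runs the pipeline, so a value ending in `; exit 0` terminated the fetch command and the checksum never ran. The following Go program is an added illustration written for this page; it is not code from this pull request or from the project. It assumes a `${{inputs.NAME}}` placeholder syntax and a constructed fetch and git-checkout template, and contrasts the verbatim substitution with two defensive measures: single-quote shell-quoting of every substituted value, and rejecting inputs whose shape is known in advance (a 64-hex-digit checksum, a numeric depth) before they reach the shell.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Placeholder syntax assumed for this example: ${{inputs.NAME}} inside a shell
// template. The values come from the step's user-controlled "with:" block.
var placeholderRe = regexp.MustCompile(`\$\{\{inputs\.([A-Za-z0-9_-]+)\}\}`)

// Per-input shape checks (constructed for this example). An input with a known
// narrow format is rejected outright if it does not match, so a depth of
// `; exit 1` never reaches the shell in any form.
var inputShapes = map[string]*regexp.Regexp{
	"expected-sha256": regexp.MustCompile(`^[0-9a-f]{64}$`),
	"depth":           regexp.MustCompile(`^[0-9]+$`),
}

// expandUnsafe pastes each value verbatim into the template. This mirrors the
// behaviour the commit messages describe: a URI ending in `; exit 0` ends the
// wget command, the shell exits successfully, and the checksum test never runs.
func expandUnsafe(tmpl string, inputs map[string]string) string {
	return placeholderRe.ReplaceAllStringFunc(tmpl, func(m string) string {
		return inputs[placeholderRe.FindStringSubmatch(m)[1]]
	})
}

// shellQuote wraps v in single quotes; an embedded single quote becomes '\''
// (close quote, escaped quote, reopen quote). POSIX sh then treats the whole
// value as one literal word, so `;`, `&&`, `$(...)` and whitespace are inert.
func shellQuote(v string) string {
	return "'" + strings.ReplaceAll(v, "'", `'\''`) + "'"
}

// expandSafe validates every input that has a declared shape and shell-quotes
// every substituted value. Templates must reference placeholders bare (not
// inside their own quotes), otherwise the added quotes would nest incorrectly.
func expandSafe(tmpl string, inputs map[string]string) (string, error) {
	for name, re := range inputShapes {
		if v, ok := inputs[name]; ok && !re.MatchString(v) {
			return "", fmt.Errorf("input %q has unexpected shape: %q", name, v)
		}
	}
	var missing []string
	out := placeholderRe.ReplaceAllStringFunc(tmpl, func(m string) string {
		name := placeholderRe.FindStringSubmatch(m)[1]
		v, ok := inputs[name]
		if !ok {
			missing = append(missing, name)
		}
		return shellQuote(v)
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("unset inputs: %s", strings.Join(missing, ", "))
	}
	return out, nil
}

func main() {
	// Constructed fetch template: download, then compare the digest.
	fetch := "wget -q -O release.tgz ${{inputs.uri}} && " +
		"test \"$(sha256sum < release.tgz | cut -d' ' -f1)\" = ${{inputs.expected-sha256}}"
	// Constructed inputs shaped like the first commit message's example step.
	inputs := map[string]string{
		"uri":             "http://example.com/release.tgz; exit 0",
		"expected-sha256": strings.Repeat("ab", 32),
	}
	fmt.Println("unsafe:", expandUnsafe(fetch, inputs))
	safe, err := expandSafe(fetch, inputs)
	fmt.Println("safe:  ", safe, err)

	// Constructed git-checkout template with the second commit's depth payload.
	checkout := "git clone --depth ${{inputs.depth}} ${{inputs.repository}} src"
	_, err = expandSafe(checkout, map[string]string{
		"repository": "https://example.com/foo.git",
		"depth":      "; exit 1",
	})
	fmt.Println("depth check:", err)
}
```

Quoting turns the injected `; exit 0` into part of the URL argument, so wget fails on the bogus URL and the `&&` chain stops before the checksum test, which is the intended failure. The shape check is the stronger control where it applies, because it rejects the value before any rendering happens and does not depend on template authors never quoting a placeholder themselves.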
@kaniini kaniini requested a review from a team as a code owner July 17, 2023 15:52
@kaniini kaniini requested review from luhring and removed request for a team July 17, 2023 15:52
@kaniini kaniini merged commit f0aae91 into main Jul 17, 2023
@kaniini kaniini deleted the fix/pipeline-expansions branch July 17, 2023 16:22
@luhring

luhring commented Jul 17, 2023

Maybe we should have some sort of checker (e.g. shellcheck) that validates our pipeline shell scripts continuously in CI?
