actions/codecov-action
1
0
Fork 0
mirror of https://github.com/codecov/codecov-action.git synced 2025-12-23 20:27:02 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: remove openpgp dep due to licensing and use gpg (#1218)

Browse Source
This commit is contained in:
Tom Hu
2024-01-19 09:23:04 -08:00
committed by GitHub
parent 22b99ac1d7
commit 240e6ae968
6 changed files with 561 additions and 5682 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6043
dist/index.js vendored
View File

File diff suppressed because one or more lines are too long

2
dist/index.js.map vendored
View File

File diff suppressed because one or more lines are too long

92
package-lock.json generated
View File

@@ -12,7 +12,7 @@
"@actions/core": "^1.10.1", "@actions/core": "^1.10.1",
"@actions/exec": "^1.1.1", "@actions/exec": "^1.1.1",
"@actions/github": "^6.0.0", "@actions/github": "^6.0.0",
"openpgp": "5.11", "gpg": "^0.6.0",
"undici": "5.28.2" "undici": "5.28.2"
}, },
"devDependencies": { "devDependencies": {
@@ -1928,17 +1928,6 @@
"node": ">=8" "node": ">=8"
} }
}, },
"node_modules/asn1.js": {
"version": "5.4.1",
"resolved": "https://registry.npmjs.org/asn1.js/-/asn1.js-5.4.1.tgz",
"integrity": "sha512-+I//4cYPccV8LdmBLiX8CYvf9Sp3vQsrqu2QNXRcrbiWvcx/UdlFiqUJJzxRQxgsZmvhXhn4cSKeSmoFjVdupA==",
"dependencies": {
"bn.js": "^4.0.0",
"inherits": "^2.0.1",
"minimalistic-assert": "^1.0.0",
"safer-buffer": "^2.1.0"
}
},
"node_modules/babel-jest": { "node_modules/babel-jest": {
"version": "29.7.0", "version": "29.7.0",
"resolved": "https://registry.npmjs.org/babel-jest/-/babel-jest-29.7.0.tgz", "resolved": "https://registry.npmjs.org/babel-jest/-/babel-jest-29.7.0.tgz",
@@ -2066,11 +2055,6 @@
"resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz", "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz",
"integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ==" "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ=="
}, },
"node_modules/bn.js": {
"version": "4.12.0",
"resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.12.0.tgz",
"integrity": "sha512-c98Bf3tPniI+scsdk237ku1Dc3ujXQTSgyiPUDEOe7tRkhrqridvh8klBv0HCEso1OLOYcHuCv/cS6DNxKH+ZA=="
},
"node_modules/brace-expansion": { "node_modules/brace-expansion": {
"version": "1.1.11", "version": "1.1.11",
"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
@@ -2948,6 +2932,14 @@
"url": "https://github.com/sponsors/sindresorhus" "url": "https://github.com/sponsors/sindresorhus"
} }
}, },
"node_modules/gpg": {
"version": "0.6.0",
"resolved": "https://registry.npmjs.org/gpg/-/gpg-0.6.0.tgz",
"integrity": "sha512-u0BpbalUehzMbaMxtzRAFn/gMmtnaVo2Y0yCp7X6csPnumyaDrXF4uvEWPhj3b1sqrblvKvNEXFSfOQrvGEiQw==",
"engines": {
"node": ">= 0.10.0"
}
},
"node_modules/graceful-fs": { "node_modules/graceful-fs": {
"version": "4.2.11", "version": "4.2.11",
"resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz", "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz",
@@ -3062,7 +3054,8 @@
"node_modules/inherits": { "node_modules/inherits": {
"version": "2.0.4", "version": "2.0.4",
"resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
"integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
"dev": true
}, },
"node_modules/is-arrayish": { "node_modules/is-arrayish": {
"version": "0.2.1", "version": "0.2.1",
@@ -4001,11 +3994,6 @@
"node": ">=6" "node": ">=6"
} }
}, },
"node_modules/minimalistic-assert": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz",
"integrity": "sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A=="
},
"node_modules/minimatch": { "node_modules/minimatch": {
"version": "3.1.2", "version": "3.1.2",
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
@@ -4098,17 +4086,6 @@
"url": "https://github.com/sponsors/sindresorhus" "url": "https://github.com/sponsors/sindresorhus"
} }
}, },
"node_modules/openpgp": {
"version": "5.11.0",
"resolved": "https://registry.npmjs.org/openpgp/-/openpgp-5.11.0.tgz",
"integrity": "sha512-hytHsxIPtRhuh6uAmoBUThHSwHSX3imLu7x4453T+xkVqIw49rl22MRD4KQIAQdCDoVdouejzYgcuLmMA/2OAA==",
"dependencies": {
"asn1.js": "^5.0.0"
},
"engines": {
"node": ">= 8.0.0"
}
},
"node_modules/optionator": { "node_modules/optionator": {
"version": "0.9.3", "version": "0.9.3",
"resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.3.tgz", "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.3.tgz",
@@ -4540,11 +4517,6 @@
"queue-microtask": "^1.2.2" "queue-microtask": "^1.2.2"
} }
}, },
"node_modules/safer-buffer": {
"version": "2.1.2",
"resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
"integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
},
"node_modules/semver": { "node_modules/semver": {
"version": "7.5.4", "version": "7.5.4",
"resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz", "resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz",
@@ -6568,17 +6540,6 @@
"integrity": "sha512-HGyxoOTYUyCM6stUe6EJgnd4EoewAI7zMdfqO+kGjnlZmBDz/cR5pf8r/cR4Wq60sL/p0IkcjUEEPwS3GFrIyw==", "integrity": "sha512-HGyxoOTYUyCM6stUe6EJgnd4EoewAI7zMdfqO+kGjnlZmBDz/cR5pf8r/cR4Wq60sL/p0IkcjUEEPwS3GFrIyw==",
"dev": true "dev": true
}, },
"asn1.js": {
"version": "5.4.1",
"resolved": "https://registry.npmjs.org/asn1.js/-/asn1.js-5.4.1.tgz",
"integrity": "sha512-+I//4cYPccV8LdmBLiX8CYvf9Sp3vQsrqu2QNXRcrbiWvcx/UdlFiqUJJzxRQxgsZmvhXhn4cSKeSmoFjVdupA==",
"requires": {
"bn.js": "^4.0.0",
"inherits": "^2.0.1",
"minimalistic-assert": "^1.0.0",
"safer-buffer": "^2.1.0"
}
},
"babel-jest": { "babel-jest": {
"version": "29.7.0", "version": "29.7.0",
"resolved": "https://registry.npmjs.org/babel-jest/-/babel-jest-29.7.0.tgz", "resolved": "https://registry.npmjs.org/babel-jest/-/babel-jest-29.7.0.tgz",
@@ -6681,11 +6642,6 @@
"resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz", "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz",
"integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ==" "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ=="
}, },
"bn.js": {
"version": "4.12.0",
"resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.12.0.tgz",
"integrity": "sha512-c98Bf3tPniI+scsdk237ku1Dc3ujXQTSgyiPUDEOe7tRkhrqridvh8klBv0HCEso1OLOYcHuCv/cS6DNxKH+ZA=="
},
"brace-expansion": { "brace-expansion": {
"version": "1.1.11", "version": "1.1.11",
"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
@@ -7310,6 +7266,11 @@
"slash": "^3.0.0" "slash": "^3.0.0"
} }
}, },
"gpg": {
"version": "0.6.0",
"resolved": "https://registry.npmjs.org/gpg/-/gpg-0.6.0.tgz",
"integrity": "sha512-u0BpbalUehzMbaMxtzRAFn/gMmtnaVo2Y0yCp7X6csPnumyaDrXF4uvEWPhj3b1sqrblvKvNEXFSfOQrvGEiQw=="
},
"graceful-fs": { "graceful-fs": {
"version": "4.2.11", "version": "4.2.11",
"resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz", "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz",
@@ -7394,7 +7355,8 @@
"inherits": { "inherits": {
"version": "2.0.4", "version": "2.0.4",
"resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
"integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
"dev": true
}, },
"is-arrayish": { "is-arrayish": {
"version": "0.2.1", "version": "0.2.1",
@@ -8111,11 +8073,6 @@
"integrity": "sha512-OqbOk5oEQeAZ8WXWydlu9HJjz9WVdEIvamMCcXmuqUYjTknH/sqsWvhQ3vgwKFRR1HpjvNBKQ37nbJgYzGqGcg==", "integrity": "sha512-OqbOk5oEQeAZ8WXWydlu9HJjz9WVdEIvamMCcXmuqUYjTknH/sqsWvhQ3vgwKFRR1HpjvNBKQ37nbJgYzGqGcg==",
"dev": true "dev": true
}, },
"minimalistic-assert": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz",
"integrity": "sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A=="
},
"minimatch": { "minimatch": {
"version": "3.1.2", "version": "3.1.2",
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
@@ -8187,14 +8144,6 @@
"mimic-fn": "^2.1.0" "mimic-fn": "^2.1.0"
} }
}, },
"openpgp": {
"version": "5.11.0",
"resolved": "https://registry.npmjs.org/openpgp/-/openpgp-5.11.0.tgz",
"integrity": "sha512-hytHsxIPtRhuh6uAmoBUThHSwHSX3imLu7x4453T+xkVqIw49rl22MRD4KQIAQdCDoVdouejzYgcuLmMA/2OAA==",
"requires": {
"asn1.js": "^5.0.0"
}
},
"optionator": { "optionator": {
"version": "0.9.3", "version": "0.9.3",
"resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.3.tgz", "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.9.3.tgz",
@@ -8479,11 +8428,6 @@
"queue-microtask": "^1.2.2" "queue-microtask": "^1.2.2"
} }
}, },
"safer-buffer": {
"version": "2.1.2",
"resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
"integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
},
"semver": { "semver": {
"version": "7.5.4", "version": "7.5.4",
"resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz", "resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz",

2
package.json
View File

@@ -26,7 +26,7 @@
"@actions/core": "^1.10.1", "@actions/core": "^1.10.1",
"@actions/exec": "^1.1.1", "@actions/exec": "^1.1.1",
"@actions/github": "^6.0.0", "@actions/github": "^6.0.0",
"openpgp": "5.11", "gpg": "^0.6.0",
"undici": "5.28.2" "undici": "5.28.2"
}, },
"devDependencies": { "devDependencies": {

102
src/validate.ts
View File

@@ -1,9 +1,9 @@
import * as crypto from 'crypto'; import * as crypto from 'crypto';
import * as fs from 'fs'; import * as fs from 'fs';
import * as gpg from 'gpg';
import * as path from 'path'; import * as path from 'path';
import * as core from '@actions/core'; import * as core from '@actions/core';
import * as openpgp from 'openpgp';
import {request} from 'undici'; import {request} from 'undici';
import { import {
@@ -22,12 +22,6 @@ const verify = async (
try { try {
const uploaderName = getUploaderName(platform); const uploaderName = getUploaderName(platform);
// Read in public key
const publicKeyArmored = await fs.readFileSync(
path.join(__dirname, 'pgp_keys.asc'),
'utf-8',
);
// Get SHASUM and SHASUM signature files // Get SHASUM and SHASUM signature files
console.log(`${getBaseUrl(platform, version)}.SHA256SUM`); console.log(`${getBaseUrl(platform, version)}.SHA256SUM`);
const shasumRes = await request( const shasumRes = await request(
@@ -37,6 +31,10 @@ const verify = async (
if (verbose) { if (verbose) {
console.log(`Received SHA256SUM ${shasum}`); console.log(`Received SHA256SUM ${shasum}`);
} }
await fs.writeFileSync(
path.join(__dirname, `${uploaderName}.SHA256SUM`),
shasum,
);
const shaSigRes = await request( const shaSigRes = await request(
`${getBaseUrl(platform, version)}.SHA256SUM.sig`, `${getBaseUrl(platform, version)}.SHA256SUM.sig`,
@@ -45,45 +43,69 @@ const verify = async (
if (verbose) { if (verbose) {
console.log(`Received SHA256SUM signature ${shaSig}`); console.log(`Received SHA256SUM signature ${shaSig}`);
} }
await fs.writeFileSync(
path.join(__dirname, `${uploaderName}.SHA256SUM.sig`),
shaSig,
);
// Verify shasum const validateSha = async () => {
const verified = await openpgp.verify({ const calculateHash = async (filename: string) => {
message: await openpgp.createMessage({text: shasum}), const stream = fs.createReadStream(filename);
signature: await openpgp.readSignature({armoredSignature: shaSig}), const uploaderSha = crypto.createHash(`sha256`);
verificationKeys: await openpgp.readKeys({armoredKeys: publicKeyArmored}), stream.pipe(uploaderSha);
});
const valid = await verified.signatures[0].verified; return new Promise((resolve, reject) => {
if (valid) { stream.on('end', () => resolve(
core.info('==> SHASUM file signed by key id ' + `${uploaderSha.digest('hex')} ${uploaderName}`,
verified.signatures[0].keyID.toHex(), ));
stream.on('error', reject);
});
};
const hash = await calculateHash(
path.join(__dirname, `${uploaderName}`),
); );
} else { if (hash === shasum) {
setFailure('Codecov: Error validating SHASUM signature', failCi); core.info(`==> Uploader SHASUM verified (${hash})`);
} } else {
setFailure(
'Codecov: Uploader shasum does not match -- ' +
`uploader hash: ${hash}, public hash: ${shasum}`,
failCi,
);
}
};
const calculateHash = async (filename: string) => { const verifySignature = () => {
const stream = fs.createReadStream(filename); gpg.call('', [
const uploaderSha = crypto.createHash(`sha256`); '--logger-fd',
stream.pipe(uploaderSha); '1',
'--verify',
return new Promise((resolve, reject) => { path.join(__dirname, `${uploaderName}.SHA256SUM.sig`),
stream.on('end', () => resolve( path.join(__dirname, `${uploaderName}.SHA256SUM`),
`${uploaderSha.digest('hex')} ${uploaderName}`, ], async (err, verifyResult) => {
)); if (err) {
stream.on('error', reject); setFailure('Codecov: Error importing pgp key', failCi);
}
core.info(verifyResult);
await validateSha();
}); });
}; };
const hash = await calculateHash(filename); // Import gpg key
if (hash === shasum) { gpg.call('', [
core.info(`==> Uploader SHASUM verified (${hash})`); '--logger-fd',
} else { '1',
setFailure( '--no-default-keyring',
'Codecov: Uploader shasum does not match -- ' + '--import',
`uploader hash: ${hash}, public hash: ${shasum}`, path.join(__dirname, 'pgp_keys.asc'),
failCi, ], async (err, importResult) => {
); if (err) {
} setFailure('Codecov: Error importing pgp key', failCi);
}
core.info(importResult);
verifySignature();
});
} catch (err) { } catch (err) {
setFailure(`Codecov: Error validating uploader: ${err.message}`, failCi); setFailure(`Codecov: Error validating uploader: ${err.message}`, failCi);
} }

2
src/version.ts
View File

@@ -10,7 +10,7 @@ const versionInfo = async (
} }
try { try {
const metadataRes = await request(`https://uploader.codecov.io/${platform}/latest`, { const metadataRes = await request(`https://cli.codecov.io/${platform}/latest`, {
headers: {'Accept': 'application/json'}, headers: {'Accept': 'application/json'},
}); });
const metadata = await metadataRes.body.json(); const metadata = await metadataRes.body.json();