From 9294602a528a762d643c76c62e57df17948a9358 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Pereira?= Date: Mon, 5 May 2025 16:23:43 -0500 Subject: [PATCH 1/6] Allow usage of sha1sum for OS's that do not have sha256sum MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: João Pereira --- scripts/install_sh/install.sh.txt | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/scripts/install_sh/install.sh.txt b/scripts/install_sh/install.sh.txt index f3415ad..233610f 100644 --- a/scripts/install_sh/install.sh.txt +++ b/scripts/install_sh/install.sh.txt @@ -9,6 +9,20 @@ if test -z "$BASH_VERSION"; then exit 1 fi +# Function to check for required commands +check_command() { + command -v "$1" >/dev/null 2>&1 || { echo >&2 "Error: $1 is required but not installed."; exit 1; } +} + +# Check for required commands +check_command sha256sum || check_command sha1sum + +# Set checksum command based on availability +CHECKSUM_CMD=sha256sum +if ! command -v $CHECKSUM_CMD >/dev/null 2>&1; then + CHECKSUM_CMD=sha1sum +fi + install() { set -euo pipefail @@ -17,10 +31,11 @@ install() { if [ -x "$(command -v wget)" ]; then dl_bin="wget -nv -O-" else + check_command curl dl_bin="curl -s -L" fi - shasum -v 1>/dev/null 2>&1 || (echo "Missing shasum binary" && exit 1) + $CHECKSUM_CMD -v 1>/dev/null 2>&1 || (echo "Missing shasum binary" && exit 1) if [[ `uname` == Darwin ]]; then binary_type=darwin-amd64 
@@ -37,7 +52,7 @@ install() { (@ for val in data.values.products: @) echo "Installing (@= val.product @)..." $dl_bin (@= addProtocol(val.github.url) @)/releases/download/(@= val.version @)/(@= val.product @)-${binary_type} > /tmp/(@= val.product @) - echo "${(@= val.product @)_checksum} /tmp/(@= val.product @)" | shasum -c - + echo "${(@= val.product @)_checksum} /tmp/(@= val.product @)" | $CHECKSUM_CMD -c - mv /tmp/(@= val.product @) ${dst_dir}/(@= val.product @) chmod +x ${dst_dir}/(@= val.product @) echo "Installed ${dst_dir}/(@= val.product @) (@= val.version @)" From 852936bd500eb5cbeaa899c63d951041b89e4678 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Pereira?= Date: Mon, 5 May 2025 17:24:47 -0500 Subject: [PATCH 2/6] Automated documentation release for new minor MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: João Pereira --- .github/workflows/published_release.yml | 43 +++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/.github/workflows/published_release.yml b/.github/workflows/published_release.yml index e3119a7..cc678a2 100644 --- a/.github/workflows/published_release.yml +++ b/.github/workflows/published_release.yml 
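Review bot: The new checksum line verifies `/tmp/(@= val.product @)`, a fixed, predictable path in a directory shared with every local user, so between the download, the `-c` check and the `mv` another account on the host can pre-create or swap that file. Downloading into a private directory closes that window: `tmp_dir=$(mktemp -d)` and `trap 'rm -rf -- "${tmp_dir}"' EXIT` near the top of `install()`, then `"${tmp_dir}/(@= val.product @)"` in place of `/tmp/(@= val.product @)` on the download, checksum and `mv` lines. `install()` starts and ends outside this hunk.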
@@ -172,7 +172,50 @@ jobs: artifactName: homebrew-formula artifactPath: . + prepare-documentation-update: + runs-on: ubuntu-latest + needs: [process-release-information,update-releases-yaml] + if: endsWith(github.event.client_payload.tagName, '.0') + steps: + - name: Install ytt + uses: carvel-dev/setup-action@v1 + with: + only: ytt + token: ${{ secrets.GITHUB_TOKEN }} + - name: Checkout website + uses: actions/checkout@v4 + with: + fetch-depth: 0 + repository: 'github.com/carvel-dev/carvel' + path: website + - name: Run documentation update + run: | + pushd website/site + docVersion=`echo ${{ github.event.client_payload.tagName }} | awk -F. '{print $1"."$2".x"}'` + ./hack/release-doc.sh ${{ github.event.client_payload.toolName }} ${docVersion} + timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ") + + AUTHOR_EMAIL='carvel-bot@users.noreply.github.com' + AUTHOR_NAME='carvel-bot' + MESSAGE="chore: auto-update documentation for ${{ github.event.client_payload.toolName }} ${docVersion} ${timestamp}" + + remote_repo="git@github.com:${REPOSITORY}" + + tempkey=`basename $0` + TMP_DEPLOY_PRIV_KEY=`mktemp /tmp/${tempkey}.XXXXXX` || exit 1 + echo "${{ secrets.INSTALL_SH_DEPLOY_PRIVATE_KEY }}" > $TMP_DEPLOY_PRIV_KEY + eval $(ssh-agent -s) + ssh-add ${TMP_DEPLOY_PRIV_KEY} + + git config http.sslVerify true + git config --local user.email "${AUTHOR_EMAIL}" + git config --local user.name "${AUTHOR_NAME}" + + git add -A + + git commit -m "${MESSAGE}" $_EMPTY || exit 0 + git push "${remote_repo}" HEAD:develop --follow-tags; prepare-releases-file-for-install-sh: runs-on: ubuntu-latest needs: process-release-information From 7372b53a0dea81e1a7677d684ea4f842f1fcaa2d Mon Sep 17 00:00:00 2001 From: Joao Pereira Date: Wed, 3 Jun 2026 18:58:04 +0100 Subject: [PATCH 3/6] Fix issues found - Ensure the shasum logic is correct - Update all the version of the actions being used to the latest 
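Review bot: `git commit -m "${MESSAGE}" $_EMPTY || exit 0` turns every commit failure into a green job, not only the expected "nothing to commit" case, so a broken identity configuration or a rejected commit would go unnoticed while the push is silently skipped; the same `|| exit 0` survives in the last hunk of patch 6/6. Test the staged tree explicitly before committing, `git diff --cached --quiet && { echo "no documentation changes" >&2; exit 0; }`, and let `git commit` itself fail loudly under `set -e`. The push uses `git@github.com:` over SSH, so `git config http.sslVerify true` has no effect on this transport and can be dropped; the github.com host key is presumably already in the runner's known_hosts, otherwise a `ssh-keyscan` step would be needed before the push.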
Signed-off-by: Joao Pereira --- .github/workflows/published_release.yml | 38 ++++++++++++++----------- scripts/install_sh/install.sh.txt | 18 ++++++------ 2 files changed, 30 insertions(+), 26 deletions(-) diff --git a/.github/workflows/published_release.yml b/.github/workflows/published_release.yml index cc678a2..b61b1ce 100644 --- a/.github/workflows/published_release.yml +++ b/.github/workflows/published_release.yml @@ -17,7 +17,7 @@ jobs: outputs: yttValuesFile: ${{ steps.get-checksums-from-release.outputs.result }} steps: - - uses: actions/github-script@v5 + - uses: actions/github-script@v9 id: check-if-latest-release with: result-encoding: string @@ -46,7 +46,7 @@ jobs: } return 0 - - uses: actions/github-script@v5 + - uses: actions/github-script@v9 id: get-checksums-from-release if: startsWith(github.ref, 'refs/tags/') && ${{ !env.ACT }} with: @@ -127,7 +127,7 @@ jobs: ${{ steps.get-checksums-from-release.outputs.result }} EOF - name: Upload Release information file - uses: actions/upload-artifact@v4.4.3 + uses: actions/upload-artifact@v7 with: name: ytt-data-values-for-release path: ./release.yml @@ -136,16 +136,16 @@ jobs: needs: process-release-information steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 - name: Download ytt data values file with release information - uses: actions/download-artifact@v4.1.7 + uses: actions/download-artifact@v8 with: name: ytt-data-values-for-release path: ./tmp/release.yml - name: Install ytt - uses: carvel-dev/setup-action@v1 + uses: carvel-dev/setup-action@v2 with: only: ytt - name: Generate Homebrew File @@ -157,7 +157,7 @@ jobs: cat $filename - name: Upload Homebrew File - uses: actions/upload-artifact@v4.4.3 + uses: actions/upload-artifact@v7 with: name: homebrew-formula path: ./${{ github.event.client_payload.toolName }}.rb 
@@ -178,18 +178,20 @@ jobs: if: endsWith(github.event.client_payload.tagName, '.0') steps: - name: Install ytt - uses: carvel-dev/setup-action@v1 + uses: carvel-dev/setup-action@v2 with: only: ytt token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout website - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 - repository: 'github.com/carvel-dev/carvel' + repository: 'carvel-dev/carvel' + ref: develop path: website - name: Run documentation update run: | + set -e -x pushd website/site docVersion=`echo ${{ github.event.client_payload.tagName }} | awk -F. '{print $1"."$2".x"}'` ./hack/release-doc.sh ${{ github.event.client_payload.toolName }} ${docVersion} @@ -199,13 +201,15 @@ jobs: AUTHOR_NAME='carvel-bot' MESSAGE="chore: auto-update documentation for ${{ github.event.client_payload.toolName }} ${docVersion} ${timestamp}" - remote_repo="git@github.com:${REPOSITORY}" + remote_repo="git@github.com:carvel-dev/carvel" tempkey=`basename $0` TMP_DEPLOY_PRIV_KEY=`mktemp /tmp/${tempkey}.XXXXXX` || exit 1 - echo "${{ secrets.INSTALL_SH_DEPLOY_PRIVATE_KEY }}" > $TMP_DEPLOY_PRIV_KEY + trap "rm -f ${TMP_DEPLOY_PRIV_KEY}" EXIT + echo "${{ secrets.INSTALL_SH_DEPLOY_PRIVATE_KEY }}" > "${TMP_DEPLOY_PRIV_KEY}" + chmod 600 "${TMP_DEPLOY_PRIV_KEY}" eval $(ssh-agent -s) - ssh-add ${TMP_DEPLOY_PRIV_KEY} + ssh-add "${TMP_DEPLOY_PRIV_KEY}" git config http.sslVerify true git config --local user.email "${AUTHOR_EMAIL}" @@ -221,16 +225,16 @@ jobs: needs: process-release-information steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 - name: Download ytt data values file with release information - uses: actions/download-artifact@v4.1.7 + uses: actions/download-artifact@v8 with: name: ytt-data-values-for-release path: ./tmp/release.yml - name: Install ytt - uses: carvel-dev/setup-action@v1 + uses: carvel-dev/setup-action@v2 with: only: ytt token: ${{ secrets.GITHUB_TOKEN }} 
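Review bot: The `uses:` lines bumped here (`carvel-dev/setup-action@v2`, `actions/checkout@v6`) and the other bumps in this patch (`actions/github-script@v9`, `actions/upload-artifact@v7`, `actions/download-artifact@v8`) still reference mutable major tags, so whoever can move a tag changes the code that handles the deploy key and the release artifacts. Pinning each action to its full commit SHA with the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v6`, removes that trust in the tag while a dependency bot can still track updates. The job header `prepare-documentation-update:` and the rest of the `run:` block lie outside this hunk.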
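Review bot: `eval $(ssh-agent -s)` followed by `ssh-add "${TMP_DEPLOY_PRIV_KEY}"` loads the deploy key into an agent that the new `trap "rm -f ${TMP_DEPLOY_PRIV_KEY}" EXIT` never stops, so the key remains usable by any later process in the job after the file is gone; on an ephemeral GitHub-hosted runner that ends with the job, on a self-hosted runner it would not. A single `git push` needs no agent: replace those two lines with `export GIT_SSH_COMMAND="ssh -i ${TMP_DEPLOY_PRIV_KEY} -o IdentitiesOnly=yes"`, which also removes the `eval`. If the agent is kept, append `ssh-agent -k >/dev/null` to the trap. The same two lines reappear unchanged in the hunks of patches 5/6 and 6/6.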
@@ -240,7 +244,7 @@ jobs: ./scripts/generate_releases_yaml.sh ./tmp/release.yml > ./tmp/releases.yaml mv ./tmp/releases.yaml ./releases.yaml - name: Upload releases.yaml File - uses: actions/upload-artifact@v4.4.3 + uses: actions/upload-artifact@v7 with: name: releases-yaml path: releases.yaml diff --git a/scripts/install_sh/install.sh.txt b/scripts/install_sh/install.sh.txt index 233610f..14dc561 100644 --- a/scripts/install_sh/install.sh.txt +++ b/scripts/install_sh/install.sh.txt @@ -14,13 +14,15 @@ check_command() { command -v "$1" >/dev/null 2>&1 || { echo >&2 "Error: $1 is required but not installed."; exit 1; } } -# Check for required commands -check_command sha256sum || check_command sha1sum - -# Set checksum command based on availability -CHECKSUM_CMD=sha256sum -if ! command -v $CHECKSUM_CMD >/dev/null 2>&1; then - CHECKSUM_CMD=sha1sum +# Determine SHA-256 checksum command based on platform availability. +# shasum -a 256 is the macOS/BSD equivalent of sha256sum. +if command -v sha256sum >/dev/null 2>&1; then + CHECKSUM_CMD="sha256sum" +elif command -v shasum >/dev/null 2>&1; then + CHECKSUM_CMD="shasum -a 256" +else + echo >&2 "Error: no SHA-256 checksum tool found; install sha256sum (Linux) or shasum (macOS/BSD)" + exit 1 fi install() { @@ -35,8 +37,6 @@ install() { dl_bin="curl -s -L" fi - $CHECKSUM_CMD -v 1>/dev/null 2>&1 || (echo "Missing shasum binary" && exit 1) - if [[ `uname` == Darwin ]]; then binary_type=darwin-amd64 (@ for val in data.values.products: @)(@ for asset in val.assets: @)(@ if asset.os == "darwin" and asset.arch=="amd64": @) From 6cbc57a732f3141becd791d746fe631f32e4d959 Mon Sep 17 00:00:00 2001 From: Joao Pereira Date: Fri, 5 Jun 2026 12:44:59 +0100 Subject: [PATCH 4/6] Cache trivy db inside our org 
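Review bot: `CHECKSUM_CMD="shasum -a 256"` stores a command and its arguments in one string, so the later `$CHECKSUM_CMD -c -` only works because the expansion is left unquoted and word-split; the next person to quote it (as ShellCheck SC2086 will suggest) silently breaks the macOS path with "command not found". The script already requires bash (it checks `$BASH_VERSION` at the top), so an array is the direct fix: `CHECKSUM_CMD=(sha256sum)` and `CHECKSUM_CMD=(shasum -a 256)` in the two branches, and `"${CHECKSUM_CMD[@]}" -c -` at the call site. `install()` starts outside this hunk.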
Signed-off-by: Joao Pereira --- .github/workflows/cache-trivy-db.yml | 22 ++++++++++++++++++++++ .github/workflows/trivy-scan.yml | 7 +------ 2 files changed, 23 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/cache-trivy-db.yml diff --git a/.github/workflows/cache-trivy-db.yml b/.github/workflows/cache-trivy-db.yml new file mode 100644 index 0000000..c00f160 --- /dev/null +++ b/.github/workflows/cache-trivy-db.yml @@ -0,0 +1,22 @@ +name: Mirror Trivy DB + +on: + schedule: + - cron: '0 0 * * *' # daily + workflow_dispatch: + +jobs: + mirror: + runs-on: ubuntu-latest + permissions: + packages: write + steps: + - name: Install crane + uses: imjasonh/setup-crane@v0.4 + + - name: Log in to GHCR + run: crane auth login ghcr.io -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }} + + - name: Mirror Trivy DB + run: | + crane copy ghcr.io/aquasecurity/trivy-db:2 ghcr.io/carvel-dev/release-scripts/trivy-db:2 diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml index 41e9d31..dba79cf 100644 --- a/.github/workflows/trivy-scan.yml +++ b/.github/workflows/trivy-scan.yml @@ -64,11 +64,6 @@ jobs: # Build Binary File ./hack/build.sh - - name: Trivy Cache - uses: yogeshlonkar/trivy-cache-action@v0 - with: - gh-token: ${{ secrets.githubToken }} - - name: Read dismissed CVEs from Github run: | set -o pipefail @@ -92,7 +87,7 @@ jobs: output: 'trivy-results.sarif' exit-code: 1 ignore-unfixed: true - cache-dir: .trivy + db-repository: ghcr.io/carvel-dev/release-scripts/trivy-db:2 - name: Upload Trivy scan results to GitHub Security tab if: always() From 6e94af5f1b974ccb803c91d278d43171a8277210 Mon Sep 17 00:00:00 2001 From: Joao Pereira Date: Fri, 5 Jun 2026 12:49:37 +0100 Subject: [PATCH 5/6] Fix issue related to ssh keys Signed-off-by: Joao Pereira --- .github/workflows/published_release.yml | 2 ++ 1 file changed, 2 insertions(+) 
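Review bot: `crane auth login ghcr.io -u ${{ github.actor }} -p ${{ secrets.GITHUB_TOKEN }}` places the token on the command line, where it is visible in the process table to anything else running on the runner and is interpolated into the script text; GitHub's log masking changes neither. Pass it through `env:` and stdin instead: add `GHCR_USER: ${{ github.actor }}` and `GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}` under the step's `env:`, then `run: printf '%s' "${GHCR_TOKEN}" | crane auth login ghcr.io -u "${GHCR_USER}" --password-stdin`. `imjasonh/setup-crane@v0.4` is a mutable tag; a full commit SHA pin is worth it for a job whose token carries `packages: write`.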
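Review bot: `db-repository: ghcr.io/carvel-dev/release-scripts/trivy-db:2` makes every scan depend on a package that the new mirror workflow publishes with `GITHUB_TOKEN`; packages created that way are private unless their visibility is changed, and this step shows no registry credentials, so the pull would presumably fail with an authorization error while the package stays private. Either make the package public after the first mirror run or supply `TRIVY_USERNAME`/`TRIVY_PASSWORD` in the step's `env:`. A stalled mirror job would also leave scans running against an aging database without any visible signal; a comment such as `# DB mirrored daily by cache-trivy-db.yml; check that workflow if scans fail to pull or look stale` next to the new line would point the next person at the right place. The enclosing step definition begins outside the hunk.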
diff --git a/.github/workflows/published_release.yml b/.github/workflows/published_release.yml index b61b1ce..23e48ef 100644 --- a/.github/workflows/published_release.yml +++ b/.github/workflows/published_release.yml @@ -206,10 +206,12 @@ jobs: tempkey=`basename $0` TMP_DEPLOY_PRIV_KEY=`mktemp /tmp/${tempkey}.XXXXXX` || exit 1 trap "rm -f ${TMP_DEPLOY_PRIV_KEY}" EXIT + set +x echo "${{ secrets.INSTALL_SH_DEPLOY_PRIVATE_KEY }}" > "${TMP_DEPLOY_PRIV_KEY}" chmod 600 "${TMP_DEPLOY_PRIV_KEY}" eval $(ssh-agent -s) ssh-add "${TMP_DEPLOY_PRIV_KEY}" + set -x git config http.sslVerify true git config --local user.email "${AUTHOR_EMAIL}" From 16332acea3f822d6d65334db70b069f7cfa80990 Mon Sep 17 00:00:00 2001 From: Joao Pereira Date: Fri, 5 Jun 2026 12:57:56 +0100 Subject: [PATCH 6/6] Fix issues: - shell injection protection - missing popd - Variable not set Signed-off-by: Joao Pereira --- .github/workflows/published_release.yml | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/.github/workflows/published_release.yml b/.github/workflows/published_release.yml index 23e48ef..fb2f444 100644 --- a/.github/workflows/published_release.yml +++ b/.github/workflows/published_release.yml 
@@ -190,24 +190,27 @@ jobs: ref: develop path: website - name: Run documentation update + env: + TAG_NAME: ${{ github.event.client_payload.tagName }} + TOOL_NAME: ${{ github.event.client_payload.toolName }} + DEPLOY_PRIVATE_KEY: ${{ secrets.INSTALL_SH_DEPLOY_PRIVATE_KEY }} run: | set -e -x pushd website/site - docVersion=`echo ${{ github.event.client_payload.tagName }} | awk -F. '{print $1"."$2".x"}'` - ./hack/release-doc.sh ${{ github.event.client_payload.toolName }} ${docVersion} + docVersion=$(echo "${TAG_NAME}" | awk -F. '{print $1"."$2".x"}') + ./hack/release-doc.sh "${TOOL_NAME}" "${docVersion}" timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ") AUTHOR_EMAIL='carvel-bot@users.noreply.github.com' AUTHOR_NAME='carvel-bot' - MESSAGE="chore: auto-update documentation for ${{ github.event.client_payload.toolName }} ${docVersion} ${timestamp}" + MESSAGE="chore: auto-update documentation for ${TOOL_NAME} ${docVersion} ${timestamp}" remote_repo="git@github.com:carvel-dev/carvel" - tempkey=`basename $0` - TMP_DEPLOY_PRIV_KEY=`mktemp /tmp/${tempkey}.XXXXXX` || exit 1 + TMP_DEPLOY_PRIV_KEY=$(mktemp /tmp/deploy-key.XXXXXX) || exit 1 trap "rm -f ${TMP_DEPLOY_PRIV_KEY}" EXIT set +x - echo "${{ secrets.INSTALL_SH_DEPLOY_PRIVATE_KEY }}" > "${TMP_DEPLOY_PRIV_KEY}" + echo "${DEPLOY_PRIVATE_KEY}" > "${TMP_DEPLOY_PRIV_KEY}" chmod 600 "${TMP_DEPLOY_PRIV_KEY}" eval $(ssh-agent -s) ssh-add "${TMP_DEPLOY_PRIV_KEY}" @@ -217,11 +220,12 @@ jobs: git config --local user.email "${AUTHOR_EMAIL}" git config --local user.name "${AUTHOR_NAME}" - git add -A + git add . - git commit -m "${MESSAGE}" $_EMPTY || exit 0 + git commit -m "${MESSAGE}" || exit 0 - git push "${remote_repo}" HEAD:develop --follow-tags; + git push "${remote_repo}" HEAD:develop --follow-tags + popd prepare-releases-file-for-install-sh: runs-on: ubuntu-latest needs: process-release-information
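Review bot: `TAG_NAME` and `TOOL_NAME` come from the `repository_dispatch` payload and are now passed safely through `env:`, but they are still used unchecked to derive `docVersion`, as arguments to `./hack/release-doc.sh` and in the commit message, so a malformed value reaches the release script untouched. Validate the shape before use, e.g. `[[ "${TAG_NAME}" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unexpected tagName: ${TAG_NAME}" >&2; exit 1; }` and `[[ "${TOOL_NAME}" =~ ^[a-z0-9-]+$ ]] || { echo "unexpected toolName: ${TOOL_NAME}" >&2; exit 1; }`, placed right after `pushd website/site`. The job's `if:` guard only checks that the tag ends in `.0`, which these checks complement rather than replace. The job definition starts outside this hunk.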