mirror of
https://github.com/goreleaser/goreleaser.git
synced 2025-01-08 03:31:59 +02:00
312e52a760
* feat: sign with env and output certificate * fix: test * fix: prop name * test: blob upload * test: http upload * test: exec * test: sign
200 lines
5.0 KiB
Go
200 lines
5.0 KiB
Go
package sign
|
|
|
|
import (
|
|
"os"
|
|
"testing"
|
|
|
|
"github.com/goreleaser/goreleaser/internal/artifact"
|
|
"github.com/goreleaser/goreleaser/internal/testlib"
|
|
"github.com/goreleaser/goreleaser/pkg/config"
|
|
"github.com/goreleaser/goreleaser/pkg/context"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestDockerSignDescription(t *testing.T) {
|
|
require.NotEmpty(t, DockerPipe{}.String())
|
|
}
|
|
|
|
func TestDockerSignDefault(t *testing.T) {
|
|
ctx := &context.Context{
|
|
Config: config.Project{
|
|
DockerSigns: []config.Sign{{}},
|
|
},
|
|
}
|
|
err := DockerPipe{}.Default(ctx)
|
|
require.NoError(t, err)
|
|
require.Equal(t, ctx.Config.DockerSigns[0].Cmd, "cosign")
|
|
require.Equal(t, ctx.Config.DockerSigns[0].Signature, "")
|
|
require.Equal(t, ctx.Config.DockerSigns[0].Args, []string{"sign", "-key=cosign.key", "$artifact"})
|
|
require.Equal(t, ctx.Config.DockerSigns[0].Artifacts, "none")
|
|
}
|
|
|
|
func TestDockerSignDisabled(t *testing.T) {
|
|
ctx := context.New(config.Project{})
|
|
ctx.Config.DockerSigns = []config.Sign{
|
|
{Artifacts: "none"},
|
|
}
|
|
err := DockerPipe{}.Publish(ctx)
|
|
require.EqualError(t, err, "artifact signing is disabled")
|
|
}
|
|
|
|
func TestDockerSignInvalidArtifacts(t *testing.T) {
|
|
ctx := context.New(config.Project{})
|
|
ctx.Config.DockerSigns = []config.Sign{
|
|
{Artifacts: "foo"},
|
|
}
|
|
err := DockerPipe{}.Publish(ctx)
|
|
require.EqualError(t, err, "invalid list of artifacts to sign: foo")
|
|
}
|
|
|
|
func TestDockerSignArtifacts(t *testing.T) {
|
|
testlib.CheckPath(t, "cosign")
|
|
key := "testdata/cosign/cosign.key"
|
|
cmd := "sh"
|
|
args := []string{"-c", "echo ${artifact} > ${signature} && cosign sign -key=" + key + " -upload=false ${artifact} > ${signature}"}
|
|
password := "password"
|
|
|
|
img1 := "ghcr.io/caarlos0/goreleaser-docker-manifest-actions-example:1.2.1-amd64"
|
|
img2 := "ghcr.io/caarlos0/goreleaser-docker-manifest-actions-example:1.2.1-arm64v8"
|
|
man1 := "ghcr.io/caarlos0/goreleaser-docker-manifest-actions-example:1.2.1"
|
|
|
|
for name, cfg := range map[string]struct {
|
|
Signs []config.Sign
|
|
Expected []string
|
|
}{
|
|
"no signature file": {
|
|
Expected: nil, // no sigs
|
|
Signs: []config.Sign{
|
|
{
|
|
Artifacts: "all",
|
|
Stdin: &password,
|
|
Cmd: "cosign",
|
|
Args: []string{"sign", "-key=" + key, "-upload=false", "${artifact}"},
|
|
},
|
|
},
|
|
},
|
|
"sign all": {
|
|
Expected: []string{
|
|
"testdata/cosign/all_img1.sig",
|
|
"testdata/cosign/all_img2.sig",
|
|
"testdata/cosign/all_man1.sig",
|
|
},
|
|
Signs: []config.Sign{
|
|
{
|
|
Artifacts: "all",
|
|
Stdin: &password,
|
|
Signature: `testdata/cosign/all_${artifactID}.sig`,
|
|
Cmd: cmd,
|
|
Args: args,
|
|
},
|
|
},
|
|
},
|
|
"sign all filtering id": {
|
|
Expected: []string{"testdata/cosign/all_filter_by_id_img2.sig"},
|
|
Signs: []config.Sign{
|
|
{
|
|
Artifacts: "all",
|
|
IDs: []string{"img2"},
|
|
Stdin: &password,
|
|
Signature: "testdata/cosign/all_filter_by_id_${artifactID}.sig",
|
|
Cmd: cmd,
|
|
Args: args,
|
|
},
|
|
},
|
|
},
|
|
"sign images only": {
|
|
Expected: []string{
|
|
"testdata/cosign/images_img1.sig",
|
|
"testdata/cosign/images_img2.sig",
|
|
},
|
|
Signs: []config.Sign{
|
|
{
|
|
Artifacts: "images",
|
|
Stdin: &password,
|
|
Signature: "testdata/cosign/images_${artifactID}.sig",
|
|
Cmd: cmd,
|
|
Args: args,
|
|
},
|
|
},
|
|
},
|
|
"sign manifests only": {
|
|
Expected: []string{"testdata/cosign/manifests_man1.sig"},
|
|
Signs: []config.Sign{
|
|
{
|
|
Artifacts: "manifests",
|
|
Stdin: &password,
|
|
Signature: "testdata/cosign/manifests_${artifactID}.sig",
|
|
Cmd: cmd,
|
|
Args: args,
|
|
},
|
|
},
|
|
},
|
|
// TODO: keyless test?
|
|
} {
|
|
t.Run(name, func(t *testing.T) {
|
|
ctx := context.New(config.Project{})
|
|
ctx.Config.DockerSigns = cfg.Signs
|
|
|
|
t.Cleanup(func() {
|
|
for _, f := range cfg.Expected {
|
|
require.NoError(t, os.Remove(f))
|
|
}
|
|
})
|
|
|
|
ctx.Artifacts.Add(&artifact.Artifact{
|
|
Name: img1,
|
|
Path: img1,
|
|
Type: artifact.DockerImage,
|
|
Extra: map[string]interface{}{
|
|
artifact.ExtraID: "img1",
|
|
},
|
|
})
|
|
ctx.Artifacts.Add(&artifact.Artifact{
|
|
Name: img2,
|
|
Path: img2,
|
|
Type: artifact.DockerImage,
|
|
Extra: map[string]interface{}{
|
|
artifact.ExtraID: "img2",
|
|
},
|
|
})
|
|
ctx.Artifacts.Add(&artifact.Artifact{
|
|
Name: man1,
|
|
Path: man1,
|
|
Type: artifact.DockerManifest,
|
|
Extra: map[string]interface{}{
|
|
artifact.ExtraID: "man1",
|
|
},
|
|
})
|
|
|
|
require.NoError(t, DockerPipe{}.Default(ctx))
|
|
require.NoError(t, DockerPipe{}.Publish(ctx))
|
|
var sigs []string
|
|
for _, sig := range ctx.Artifacts.Filter(artifact.ByType(artifact.Signature)).List() {
|
|
sigs = append(sigs, sig.Name)
|
|
}
|
|
require.Equal(t, cfg.Expected, sigs)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestDockerSkip(t *testing.T) {
|
|
t.Run("skip", func(t *testing.T) {
|
|
require.True(t, DockerPipe{}.Skip(context.New(config.Project{})))
|
|
})
|
|
|
|
t.Run("skip sign", func(t *testing.T) {
|
|
ctx := context.New(config.Project{})
|
|
ctx.SkipSign = true
|
|
require.True(t, DockerPipe{}.Skip(ctx))
|
|
})
|
|
|
|
t.Run("dont skip", func(t *testing.T) {
|
|
ctx := context.New(config.Project{
|
|
DockerSigns: []config.Sign{
|
|
{},
|
|
},
|
|
})
|
|
require.False(t, DockerPipe{}.Skip(ctx))
|
|
})
|
|
}
|