From 5813db3f92d9d024f39fc138a9703a1857201cfc Mon Sep 17 00:00:00 2001 From: Johnny Bieren Date: Wed, 18 Dec 2024 13:05:32 -0500 Subject: [PATCH] fix(RELEASE-1089): linting issues in sign-base64-blob Signed-off-by: Johnny Bieren --- .github/workflows/lint.yaml | 7 ++-- tasks/sign-base64-blob/README.md | 3 ++ tasks/sign-base64-blob/sign-base64-blob.yaml | 26 +++++++------- .../tests/test-sign-base64-blob.yaml | 35 ++++++++++--------- 4 files changed, 39 insertions(+), 32 deletions(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index d6617c47a..e60eb9aec 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -59,10 +59,13 @@ jobs: - name: Run Checkton id: checkton uses: chmeliik/checkton@v0.2.2 - # Migrating to the konflux-ci org with: fail-on-findings: true - find-copies-harder: true + find-copies-harder: false + # Set to false to disable the differential check + differential: false + # Add a regex to include only the files you want to check + include-regex: "tasks/sign-base64-blob/.*\\.yaml" check-jsonschema: name: Validate json schema file runs-on: ubuntu-latest diff --git a/tasks/sign-base64-blob/README.md b/tasks/sign-base64-blob/README.md index 0e233e7f6..f35d98c91 100644 --- a/tasks/sign-base64-blob/README.md +++ b/tasks/sign-base64-blob/README.md @@ -25,6 +25,9 @@ data: configMapName: ``` +## Changes in 2.4.1 +* Fix shellcheck/checkton linting issues in the task and tests + ## Changes in 2.4.0 * No longer examine `.data.sign.request` to obtain the Signing pipeline name. Use the default - blob-signing-pipeline diff --git a/tasks/sign-base64-blob/sign-base64-blob.yaml b/tasks/sign-base64-blob/sign-base64-blob.yaml index 660644efd..83dbbb136 100644 --- a/tasks/sign-base64-blob/sign-base64-blob.yaml +++ b/tasks/sign-base64-blob/sign-base64-blob.yaml @@ -4,7 +4,7 @@ kind: Task metadata: name: sign-base64-blob labels: - app.kubernetes.io/version: "2.4.0" + app.kubernetes.io/version: "2.4.1" annotations: tekton.dev/pipelines.minVersion: "0.12.1" tekton.dev/tags: release @@ -40,7 +40,7 @@ spec: image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f script: | - #!/usr/bin/env sh + #!/usr/bin/env bash set -ex set -o pipefail @@ -52,8 +52,8 @@ spec: default_pipeline_image="quay.io/redhat-isv/operator-pipelines-images:9ea90b42456fcdf66edf4b15c0c0487ba5fa3ee3" pipeline_image=$(jq -r --arg default_pipeline_image ${default_pipeline_image} \ - '.sign.pipelineImage // $default_pipeline_image' ${DATA_FILE}) - config_map_name=$(jq -r '.sign.configMapName // "signing-config-map"' ${DATA_FILE}) + '.sign.pipelineImage // $default_pipeline_image' "${DATA_FILE}") + config_map_name=$(jq -r '.sign.configMapName // "signing-config-map"' "${DATA_FILE}") pipelinerun_label="internal-services.appstudio.openshift.io/pipelinerun-uid" echo "Creating InternalRequest to sign blob:" @@ -61,16 +61,16 @@ spec: echo "- requester=$(params.requester)" internal-request -r "blob-signing-pipeline" \ - -p pipeline_image=${pipeline_image} \ - -p blob=$(params.blob) \ - -p requester=$(params.requester) \ - -p config_map_name=${config_map_name} \ - -t $(params.requestTimeout) \ - -l ${pipelinerun_label}=$(params.pipelineRunUid) \ - > $(workspaces.data.path)/ir-result.txt || \ - (grep "^\[" $(workspaces.data.path)/ir-result.txt | jq . && exit 1) + -p pipeline_image="${pipeline_image}" \ + -p blob="$(params.blob)" \ + -p requester="$(params.requester)" \ + -p config_map_name="${config_map_name}" \ + -t "$(params.requestTimeout)" \ + -l ${pipelinerun_label}="$(params.pipelineRunUid)" \ + > "$(workspaces.data.path)/ir-result.txt" || \ + (grep "^\[" "$(workspaces.data.path)/ir-result.txt" | jq . && exit 1) - internalRequest=$(awk 'NR==1{ print $2 }' $(workspaces.data.path)/ir-result.txt | xargs) + internalRequest=$(awk 'NR==1{ print $2 }' "$(workspaces.data.path)/ir-result.txt" | xargs) echo "done (${internalRequest})" payload=$(kubectl get internalrequest $internalRequest -o=jsonpath='{.status.results.signed_payload}') diff --git a/tasks/sign-base64-blob/tests/test-sign-base64-blob.yaml b/tasks/sign-base64-blob/tests/test-sign-base64-blob.yaml index fdf2524d1..d93fbbae2 100644 --- a/tasks/sign-base64-blob/tests/test-sign-base64-blob.yaml +++ b/tasks/sign-base64-blob/tests/test-sign-base64-blob.yaml @@ -19,10 +19,10 @@ spec: - name: setup-values image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f script: | - #!/usr/bin/env sh + #!/usr/bin/env bash set -eux - cat > $(workspaces.data.path)/data.json << EOF + cat > "$(workspaces.data.path)/data.json" << EOF { "sign": { "configMapName": "signing-config-map" @@ -30,8 +30,8 @@ spec: } EOF - mkdir -p $(workspaces.data.path)/binaries - touch $(workspaces.data.path)/binaries/foo_SHA256SUMS + mkdir -p "$(workspaces.data.path)/binaries" + touch "$(workspaces.data.path)/binaries/foo_SHA256SUMS" - name: run-task taskRef: name: sign-base64-blob @@ -60,46 +60,47 @@ spec: - name: check-result image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f script: | - #!/usr/bin/env sh + #!/usr/bin/env bash set -eux - internalRequest="$(kubectl get internalrequest --sort-by=.metadata.creationTimestamp --no-headers)" - params=$(kubectl get internalrequest ${internalRequest} -o jsonpath="{.spec.params}") + internalRequest="$(kubectl get internalrequest --sort-by=.metadata.creationTimestamp --no-headers \ + -o custom-columns=":metadata.name")" + params=$(kubectl get internalrequest "${internalRequest}" -o jsonpath="{.spec.params}") - if [ $(jq -r '.blob' <<< "${params}") != "test-blob" ]; then + if [ "$(jq -r '.blob' <<< "${params}")" != "test-blob" ]; then echo "blob does not match" exit 1 fi - if [ $(jq -r '.config_map_name' <<< "${params}") != "signing-config-map" ] + if [ "$(jq -r '.config_map_name' <<< "${params}")" != "signing-config-map" ] then echo "config_map_name does not match" exit 1 fi - if [ $(jq -r '.requester' <<< "${params}") != "testuser" ] + if [ "$(jq -r '.requester' <<< "${params}")" != "testuser" ] then echo "requester does not match" exit 1 fi - if [ $(jq -r '.pipeline_image' <<< "${params}") != \ + if [ "$(jq -r '.pipeline_image' <<< "${params}")" != \ "quay.io/redhat-isv/operator-pipelines-images:9ea90b42456fcdf66edf4b15c0c0487ba5fa3ee3" ] then echo "pipeline_image does not match" exit 1 fi - binaries_path=$(workspaces.data.path)/binaries - created_file=$(ls $binaries_path | grep sig) - if [ $created_file != "foo_SHA256SUMS.sig" ] + binaries_path="$(workspaces.data.path)/binaries" + created_file=$(find "$binaries_path" -maxdepth 1 -name "sig"*) + if [ "$created_file" != "foo_SHA256SUMS.sig" ] then echo "Unexpected filename for the signed file" exit 1 fi - file_content=$(cat $binaries_path/foo_SHA256SUMS.sig) - if [ $file_content != "dummy-payload" ] + file_content=$(cat "$binaries_path/foo_SHA256SUMS.sig") + if [ "$file_content" != "dummy-payload" ] then echo "Payload is not correct" exit 1 @@ -113,7 +114,7 @@ spec: - name: delete-crs image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f script: | - #!/usr/bin/env sh + #!/usr/bin/env bash set -eux kubectl delete internalrequests --all