diff --git a/tasks/sign-base64-blob/README.md b/tasks/sign-base64-blob/README.md index 0e233e7f6..f35d98c91 100644 --- a/tasks/sign-base64-blob/README.md +++ b/tasks/sign-base64-blob/README.md @@ -25,6 +25,9 @@ data: configMapName: ``` +## Changes in 2.4.1 +* Fix shellcheck/checkton linting issues in the task and tests + ## Changes in 2.4.0 * No longer examine `.data.sign.request` to obtain the Signing pipeline name. Use the default - blob-signing-pipeline diff --git a/tasks/sign-base64-blob/sign-base64-blob.yaml b/tasks/sign-base64-blob/sign-base64-blob.yaml index 660644efd..9f5a9262a 100644 --- a/tasks/sign-base64-blob/sign-base64-blob.yaml +++ b/tasks/sign-base64-blob/sign-base64-blob.yaml @@ -4,7 +4,7 @@ kind: Task metadata: name: sign-base64-blob labels: - app.kubernetes.io/version: "2.4.0" + app.kubernetes.io/version: "2.4.1" annotations: tekton.dev/pipelines.minVersion: "0.12.1" tekton.dev/tags: release @@ -40,7 +40,7 @@ spec: image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f script: | - #!/usr/bin/env sh + #!/usr/bin/env bash set -ex set -o pipefail @@ -52,8 +52,8 @@ spec: default_pipeline_image="quay.io/redhat-isv/operator-pipelines-images:9ea90b42456fcdf66edf4b15c0c0487ba5fa3ee3" pipeline_image=$(jq -r --arg default_pipeline_image ${default_pipeline_image} \ - '.sign.pipelineImage // $default_pipeline_image' ${DATA_FILE}) - config_map_name=$(jq -r '.sign.configMapName // "signing-config-map"' ${DATA_FILE}) + '.sign.pipelineImage // $default_pipeline_image' "${DATA_FILE}") + config_map_name=$(jq -r '.sign.configMapName // "signing-config-map"' "${DATA_FILE}") pipelinerun_label="internal-services.appstudio.openshift.io/pipelinerun-uid" echo "Creating InternalRequest to sign blob:" 
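Review bot: The context line `jq -r --arg default_pipeline_image ${default_pipeline_image} \` in the `@@ -52,8 +52,8 @@` hunk is still unquoted, although the `${DATA_FILE}` arguments next to it were fixed. Quote it the same way, `--arg default_pipeline_image "${default_pipeline_image}"`. The value is a constant assigned on the line above, so this is a consistency point rather than a bug. The `-l ${pipelinerun_label}=...` argument in the `@@ -61,23 +61,24 @@` hunk has the same leftover.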
@@ -61,23 +61,24 @@ spec: echo "- requester=$(params.requester)" internal-request -r "blob-signing-pipeline" \ - -p pipeline_image=${pipeline_image} \ - -p blob=$(params.blob) \ - -p requester=$(params.requester) \ - -p config_map_name=${config_map_name} \ - -t $(params.requestTimeout) \ - -l ${pipelinerun_label}=$(params.pipelineRunUid) \ - > $(workspaces.data.path)/ir-result.txt || \ - (grep "^\[" $(workspaces.data.path)/ir-result.txt | jq . && exit 1) + -p pipeline_image="${pipeline_image}" \ + -p blob="$(params.blob)" \ + -p requester="$(params.requester)" \ + -p config_map_name="${config_map_name}" \ + -t "$(params.requestTimeout)" \ + -l ${pipelinerun_label}="$(params.pipelineRunUid)" \ + > "$(workspaces.data.path)/ir-result.txt" || \ + (grep "^\[" "$(workspaces.data.path)/ir-result.txt" | jq . && exit 1) - internalRequest=$(awk 'NR==1{ print $2 }' $(workspaces.data.path)/ir-result.txt | xargs) + internalRequest=$(awk 'NR==1{ print $2 }' "$(workspaces.data.path)/ir-result.txt" | xargs) echo "done (${internalRequest})" - payload=$(kubectl get internalrequest $internalRequest -o=jsonpath='{.status.results.signed_payload}') - decoded_payload=$(echo -n $payload | base64 -d) + payload=$(kubectl get internalrequest "$internalRequest" -o=jsonpath='{.status.results.signed_payload}') + decoded_payload=$(echo -n "$payload" | base64 -d) # Build .sig file - checksum_file_name=$(ls $(workspaces.data.path)/$(params.binariesPath) | grep SHA256SUMS) + checksum_file_name=$(find "$(workspaces.data.path)/$(params.binariesPath)" -maxdepth 1 -name '*SHA256SUMS*' \ + -printf '%f\n') echo -n "$decoded_payload" \ | gpg --dearmor \ | tee "$(workspaces.data.path)/$(params.binariesPath)/${checksum_file_name}.sig" diff --git a/tasks/sign-base64-blob/tests/test-sign-base64-blob.yaml b/tasks/sign-base64-blob/tests/test-sign-base64-blob.yaml index fdf2524d1..e7e9f2076 100644 --- a/tasks/sign-base64-blob/tests/test-sign-base64-blob.yaml 
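Review bot: Replacing `ls … | grep SHA256SUMS` with `find … -printf '%f\n'` removes the fail-on-no-match behaviour. Under `set -e` the old assignment aborted when grep matched nothing, whereas `find` exits 0 with empty output, so `checksum_file_name` is empty and the signature is written to a file named `.sig`. Add a guard after the assignment, e.g. `[ -n "${checksum_file_name}" ] || { echo "no SHA256SUMS file found" >&2; exit 1; }`, and consider `-type f` so only regular files match. Separately, the new quotes around `$(params.blob)`, `$(params.requester)` and the other Tekton variables prevent word splitting but not injection, because Tekton substitutes the value into the script text before bash parses it. Passing them through the step's `env:` and referencing them as shell variables (e.g. `-p blob="${BLOB}"`) would address that; the script block starts above this hunk.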
+++ b/tasks/sign-base64-blob/tests/test-sign-base64-blob.yaml @@ -19,10 +19,10 @@ spec: - name: setup-values image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f script: | - #!/usr/bin/env sh + #!/usr/bin/env bash set -eux - cat > $(workspaces.data.path)/data.json << EOF + cat > "$(workspaces.data.path)/data.json" << EOF { "sign": { "configMapName": "signing-config-map" @@ -30,8 +30,8 @@ spec: } EOF - mkdir -p $(workspaces.data.path)/binaries - touch $(workspaces.data.path)/binaries/foo_SHA256SUMS + mkdir -p "$(workspaces.data.path)/binaries" + touch "$(workspaces.data.path)/binaries/foo_SHA256SUMS" - name: run-task taskRef: name: sign-base64-blob 
@@ -60,46 +60,47 @@ spec: - name: check-result image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f script: | - #!/usr/bin/env sh + #!/usr/bin/env bash set -eux - internalRequest="$(kubectl get internalrequest --sort-by=.metadata.creationTimestamp --no-headers)" - params=$(kubectl get internalrequest ${internalRequest} -o jsonpath="{.spec.params}") + internalRequest="$(kubectl get internalrequest --sort-by=.metadata.creationTimestamp --no-headers \ + -o custom-columns=":metadata.name")" + params=$(kubectl get internalrequest "${internalRequest}" -o jsonpath="{.spec.params}") - if [ $(jq -r '.blob' <<< "${params}") != "test-blob" ]; then + if [ "$(jq -r '.blob' <<< "${params}")" != "test-blob" ]; then echo "blob does not match" exit 1 fi - if [ $(jq -r '.config_map_name' <<< "${params}") != "signing-config-map" ] + if [ "$(jq -r '.config_map_name' <<< "${params}")" != "signing-config-map" ] then echo "config_map_name does not match" exit 1 fi - if [ $(jq -r '.requester' <<< "${params}") != "testuser" ] + if [ "$(jq -r '.requester' <<< "${params}")" != "testuser" ] then echo "requester does not match" exit 1 fi - if [ $(jq -r '.pipeline_image' <<< "${params}") != \ + if [ "$(jq -r '.pipeline_image' <<< "${params}")" != \ "quay.io/redhat-isv/operator-pipelines-images:9ea90b42456fcdf66edf4b15c0c0487ba5fa3ee3" ] then echo "pipeline_image does not match" exit 1 fi - binaries_path=$(workspaces.data.path)/binaries - created_file=$(ls $binaries_path | grep sig) - if [ $created_file != "foo_SHA256SUMS.sig" ] + binaries_path="$(workspaces.data.path)/binaries" + created_file=$(find "$binaries_path" -maxdepth 1 -name '*sig*' -printf '%f\n') + if [ "$created_file" != "foo_SHA256SUMS.sig" ] then echo "Unexpected filename for the signed file" exit 1 fi - file_content=$(cat $binaries_path/foo_SHA256SUMS.sig) - if [ $file_content != "dummy-payload" ] + file_content=$(cat "$binaries_path/foo_SHA256SUMS.sig") + if [ "$file_content" != 
"dummy-payload" ] then echo "Payload is not correct" exit 1 @@ -113,7 +114,7 @@ spec: - name: delete-crs image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f script: | - #!/usr/bin/env sh + #!/usr/bin/env bash set -eux kubectl delete internalrequests --all
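Review bot: In the `check-result` script, `internalRequest` now holds the `metadata.name` of every InternalRequest in the namespace, one per line. The quoted `"${internalRequest}"` passes that as a single argument, so the following `kubectl get` fails as soon as more than one object exists. If the test relies on exactly one InternalRequest being present, state that in a comment; otherwise pick the newest explicitly, e.g. by appending `| tail -n 1` to the sorted listing. The `find … -name '*sig*'` pattern would also be tighter as `-name '*.sig' -type f`, since the expected file is `foo_SHA256SUMS.sig`.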