fix(RELEASE-1089): linting issues in sign-base64-blob

tasks/sign-base64-blob/README.md

@@ -25,6 +25,9 @@ data:
         configMapName: <configmap name>
 ```
 
+## Changes in 2.4.1
+* Fix shellcheck/checkton linting issues in the task and tests
+
 ## Changes in 2.4.0
 * No longer examine `.data.sign.request` to obtain the Signing pipeline name. Use the default - blob-signing-pipeline
 

tasks/sign-base64-blob/sign-base64-blob.yaml

@@ -4,7 +4,7 @@ kind: Task
 metadata:
   name: sign-base64-blob
   labels:
-    app.kubernetes.io/version: "2.4.0"
+    app.kubernetes.io/version: "2.4.1"
   annotations:
     tekton.dev/pipelines.minVersion: "0.12.1"
     tekton.dev/tags: release
@@ -40,7 +40,7 @@ spec:
       image:
         quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
       script: |
-        #!/usr/bin/env sh
+        #!/usr/bin/env bash
         set -ex
         set -o pipefail
 
@@ -52,32 +52,33 @@ spec:
 
         default_pipeline_image="quay.io/redhat-isv/operator-pipelines-images:9ea90b42456fcdf66edf4b15c0c0487ba5fa3ee3"
         pipeline_image=$(jq -r --arg default_pipeline_image ${default_pipeline_image} \
-            '.sign.pipelineImage // $default_pipeline_image' ${DATA_FILE})
-        config_map_name=$(jq -r '.sign.configMapName // "signing-config-map"' ${DATA_FILE})
+            '.sign.pipelineImage // $default_pipeline_image' "${DATA_FILE}")
+        config_map_name=$(jq -r '.sign.configMapName // "signing-config-map"' "${DATA_FILE}")
         pipelinerun_label="internal-services.appstudio.openshift.io/pipelinerun-uid"
 
         echo "Creating InternalRequest to sign blob:"
         echo "- blob=$(params.blob)"
         echo "- requester=$(params.requester)"
 
         internal-request -r "blob-signing-pipeline" \
-            -p pipeline_image=${pipeline_image} \
-            -p blob=$(params.blob) \
-            -p requester=$(params.requester) \
-            -p config_map_name=${config_map_name} \
-            -t $(params.requestTimeout) \
-            -l ${pipelinerun_label}=$(params.pipelineRunUid) \
-            > $(workspaces.data.path)/ir-result.txt || \
-            (grep "^\[" $(workspaces.data.path)/ir-result.txt | jq . && exit 1)
+            -p pipeline_image="${pipeline_image}" \
+            -p blob="$(params.blob)" \
+            -p requester="$(params.requester)" \
+            -p config_map_name="${config_map_name}" \
+            -t "$(params.requestTimeout)" \
+            -l ${pipelinerun_label}="$(params.pipelineRunUid)" \
+            > "$(workspaces.data.path)/ir-result.txt" || \
+            (grep "^\[" "$(workspaces.data.path)/ir-result.txt" | jq . && exit 1)
 
-        internalRequest=$(awk 'NR==1{ print $2 }' $(workspaces.data.path)/ir-result.txt | xargs)
+        internalRequest=$(awk 'NR==1{ print $2 }' "$(workspaces.data.path)/ir-result.txt" | xargs)
         echo "done (${internalRequest})"
 
-        payload=$(kubectl get internalrequest $internalRequest -o=jsonpath='{.status.results.signed_payload}')
-        decoded_payload=$(echo -n $payload | base64 -d)
+        payload=$(kubectl get internalrequest "$internalRequest" -o=jsonpath='{.status.results.signed_payload}')
+        decoded_payload=$(echo -n "$payload" | base64 -d)
 
         # Build .sig file
-        checksum_file_name=$(ls $(workspaces.data.path)/$(params.binariesPath) | grep SHA256SUMS)
+        checksum_file_name=$(find "$(workspaces.data.path)/$(params.binariesPath)" -maxdepth 1 -name '*SHA256SUMS*' \
+          -printf '%f\n')
         echo -n "$decoded_payload" \
         | gpg --dearmor \
         | tee "$(workspaces.data.path)/$(params.binariesPath)/${checksum_file_name}.sig"

tasks/sign-base64-blob/tests/test-sign-base64-blob.yaml

@@ -19,19 +19,19 @@ spec:
           - name: setup-values
             image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
             script: |
-              #!/usr/bin/env sh
+              #!/usr/bin/env bash
               set -eux
 
-              cat > $(workspaces.data.path)/data.json << EOF
+              cat > "$(workspaces.data.path)/data.json" << EOF
               {
                 "sign": {
                   "configMapName": "signing-config-map"
                 }
               }
               EOF
 
-              mkdir -p $(workspaces.data.path)/binaries
-              touch $(workspaces.data.path)/binaries/foo_SHA256SUMS
+              mkdir -p "$(workspaces.data.path)/binaries"
+              touch "$(workspaces.data.path)/binaries/foo_SHA256SUMS"
     - name: run-task
       taskRef:
         name: sign-base64-blob
@@ -60,46 +60,47 @@ spec:
           - name: check-result
             image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
             script: |
-              #!/usr/bin/env sh
+              #!/usr/bin/env bash
               set -eux
 
-              internalRequest="$(kubectl get internalrequest --sort-by=.metadata.creationTimestamp --no-headers)"
-              params=$(kubectl get internalrequest ${internalRequest} -o jsonpath="{.spec.params}")
+              internalRequest="$(kubectl get internalrequest --sort-by=.metadata.creationTimestamp --no-headers \
+                -o custom-columns=":metadata.name")"
+              params=$(kubectl get internalrequest "${internalRequest}" -o jsonpath="{.spec.params}")
 
-              if [ $(jq -r '.blob' <<< "${params}") != "test-blob" ]; then
+              if [ "$(jq -r '.blob' <<< "${params}")" != "test-blob" ]; then
                 echo "blob does not match"
                 exit 1
               fi
 
-              if [ $(jq -r '.config_map_name' <<< "${params}") != "signing-config-map" ]
+              if [ "$(jq -r '.config_map_name' <<< "${params}")" != "signing-config-map" ]
               then
                 echo "config_map_name does not match"
                 exit 1
               fi
 
-              if [ $(jq -r '.requester' <<< "${params}") != "testuser" ]
+              if [ "$(jq -r '.requester' <<< "${params}")" != "testuser" ]
               then
                 echo "requester does not match"
                 exit 1
               fi
 
-              if [ $(jq -r '.pipeline_image' <<< "${params}") != \
+              if [ "$(jq -r '.pipeline_image' <<< "${params}")" != \
                  "quay.io/redhat-isv/operator-pipelines-images:9ea90b42456fcdf66edf4b15c0c0487ba5fa3ee3" ]
               then
                 echo "pipeline_image does not match"
                 exit 1
               fi
 
-              binaries_path=$(workspaces.data.path)/binaries
-              created_file=$(ls $binaries_path | grep sig)
-              if [ $created_file != "foo_SHA256SUMS.sig" ]
+              binaries_path="$(workspaces.data.path)/binaries"
+              created_file=$(find "$binaries_path" -maxdepth 1 -name '*sig*' -printf '%f\n')
+              if [ "$created_file" != "foo_SHA256SUMS.sig" ]
               then
                 echo "Unexpected filename for the signed file"
                 exit 1
               fi
 
-              file_content=$(cat $binaries_path/foo_SHA256SUMS.sig)
-              if [ $file_content != "dummy-payload" ]
+              file_content=$(cat "$binaries_path/foo_SHA256SUMS.sig")
+              if [ "$file_content" != "dummy-payload" ]
               then
                 echo "Payload is not correct"
                 exit 1
@@ -113,7 +114,7 @@ spec:
           - name: delete-crs
             image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
             script: |
-              #!/usr/bin/env sh
+              #!/usr/bin/env bash
               set -eux
 
               kubectl delete internalrequests --all