mirror of
https://github.com/SonarSource/sonarqube-scan-action.git
synced 2026-07-13 18:31:16 +03:00
Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| bc1610626e | |||
| 2dfea3d9ad | |||
| 7cdc154593 |
@@ -34,7 +34,7 @@ jobs:
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
|
||||
|
||||
|
||||
@@ -34,7 +34,7 @@ jobs:
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
|
||||
|
||||
|
||||
@@ -17,7 +17,7 @@ jobs:
|
||||
os: [github-ubuntu-latest-s, macos-latest]
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action without args
|
||||
@@ -37,7 +37,7 @@ jobs:
|
||||
os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest]
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action with args
|
||||
@@ -66,7 +66,7 @@ jobs:
|
||||
]
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action with args
|
||||
@@ -93,7 +93,7 @@ jobs:
|
||||
os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest]
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action with args
|
||||
@@ -121,7 +121,7 @@ jobs:
|
||||
os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest]
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action with args
|
||||
@@ -148,7 +148,7 @@ jobs:
|
||||
os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest]
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action with args
|
||||
@@ -178,7 +178,7 @@ jobs:
|
||||
os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest]
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- run: mkdir -p ./baseDir
|
||||
@@ -198,7 +198,7 @@ jobs:
|
||||
'scannerVersion' input
|
||||
runs-on: github-ubuntu-latest-s # assumes default RUNNER_ARCH for linux is X64
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action with scannerVersion
|
||||
@@ -222,7 +222,7 @@ jobs:
|
||||
'scannerBinariesUrl' input with invalid URL
|
||||
runs-on: github-ubuntu-latest-s # assumes default RUNNER_ARCH for linux is X64
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action with scannerBinariesUrl
|
||||
@@ -250,7 +250,7 @@ jobs:
|
||||
'scannerBinariesUrl' does not allow command injection via semicolons
|
||||
runs-on: github-ubuntu-latest-s
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action with scannerBinariesUrl
|
||||
@@ -271,7 +271,7 @@ jobs:
|
||||
'scannerBinariesUrl' does not allow command injection via spaces and quotes
|
||||
runs-on: github-ubuntu-latest-s
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action with scannerBinariesUrl
|
||||
@@ -292,7 +292,7 @@ jobs:
|
||||
Don't fail on Gradle project
|
||||
runs-on: github-ubuntu-latest-s
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action on Gradle project
|
||||
@@ -313,7 +313,7 @@ jobs:
|
||||
Don't fail on Kotlin Gradle project
|
||||
runs-on: github-ubuntu-latest-s
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action on Kotlin Gradle project
|
||||
@@ -334,7 +334,7 @@ jobs:
|
||||
Don't fail on Maven project
|
||||
runs-on: github-ubuntu-latest-s
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action on Maven project
|
||||
@@ -367,7 +367,7 @@ jobs:
|
||||
--health-timeout 5s
|
||||
--health-retries 10
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action on sample project
|
||||
@@ -390,7 +390,7 @@ jobs:
|
||||
os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest]
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action with debug mode
|
||||
@@ -421,11 +421,11 @@ jobs:
|
||||
--health-timeout 5s
|
||||
--health-retries 10
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: SonarQube Cache
|
||||
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
|
||||
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
|
||||
with:
|
||||
path: ${{ github.workspace }}/.sonar/cache
|
||||
key: ${{ runner.os }}-${{ runner.arch }}-sonar
|
||||
@@ -450,7 +450,7 @@ jobs:
|
||||
os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest]
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action with deprecated SONARCLOUD_URL
|
||||
@@ -469,7 +469,7 @@ jobs:
|
||||
scannerBinariesUrl redirect (3xx) is followed
|
||||
runs-on: github-ubuntu-latest-s
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Generate SSL certificates for nginx
|
||||
@@ -505,7 +505,7 @@ jobs:
|
||||
os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest]
|
||||
runs-on: ${{ matrix.os }}
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action with SSL certificate
|
||||
@@ -556,7 +556,7 @@ jobs:
|
||||
Analysis takes into account 'SONAR_ROOT_CERT'
|
||||
runs-on: github-ubuntu-latest-s
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Generate server certificate
|
||||
@@ -664,7 +664,7 @@ jobs:
|
||||
truststore.p12 is updated when present
|
||||
runs-on: github-ubuntu-latest-s
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Create SONAR_SSL_FOLDER with a file in it (not-truststore.p12)
|
||||
@@ -793,7 +793,7 @@ jobs:
|
||||
'scannerVersion' input validation
|
||||
runs-on: github-ubuntu-latest-s
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Run action with invalid scannerVersion
|
||||
|
||||
@@ -12,7 +12,7 @@ jobs:
|
||||
name: create_install_path.sh
|
||||
runs-on: github-ubuntu-latest-s
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
|
||||
|
||||
@@ -123,7 +123,7 @@ jobs:
|
||||
SONAR_SCANNER_URL_MACOSX_AARCH64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-aarch64.zip'
|
||||
SONAR_SCANNER_SHA_MACOSX_AARCH64: 'DOWNLOAD-SHA-MACOSX-AARCH64'
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
|
||||
|
||||
@@ -252,7 +252,7 @@ jobs:
|
||||
name: download.sh
|
||||
runs-on: github-ubuntu-latest-s
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
|
||||
|
||||
@@ -321,7 +321,7 @@ jobs:
|
||||
name: fetch_latest_version.sh
|
||||
runs-on: github-ubuntu-latest-s
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
|
||||
- name: Test script
|
||||
|
||||
@@ -13,7 +13,7 @@ jobs:
|
||||
contents: read
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
|
||||
- name: Setup Node.js
|
||||
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e #v6.4.0
|
||||
|
||||
@@ -13,7 +13,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
|
||||
- name: Parse semver
|
||||
uses: madhead/semver-utils@4cf918affe9106ea59f86c6250e5ec4570ac4389 # v5.0.0
|
||||
|
||||
@@ -13,7 +13,7 @@ jobs:
|
||||
new-version: ${{ steps.latest-version.outputs.sonar-scanner-version }}
|
||||
steps:
|
||||
- run: sudo apt install -y jq
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
ref: master
|
||||
fetch-depth: 0
|
||||
@@ -49,7 +49,7 @@ jobs:
|
||||
pull-requests: write
|
||||
if: needs.check-version.outputs.should_update == 'true'
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
||||
with:
|
||||
ref: master
|
||||
persist-credentials: true
|
||||
|
||||
Vendored
+19
-4
@@ -14,6 +14,7 @@ import * as fs$2 from 'node:fs/promises';
|
||||
import * as os$1 from 'node:os';
|
||||
import * as path$1 from 'node:path';
|
||||
import { join } from 'node:path';
|
||||
import { randomBytes } from 'node:crypto';
|
||||
import * as fs$1 from 'node:fs';
|
||||
import fs__default from 'node:fs';
|
||||
import 'http';
|
||||
@@ -3900,6 +3901,10 @@ function toSemVer(version) {
|
||||
const SONARSOURCE_KEY_FINGERPRINT = "679F1EE92B19609DE816FDE81DB198F93525EC1A";
|
||||
const DEFAULT_KEYSERVER = "hkps://keyserver.ubuntu.com";
|
||||
const FALLBACK_KEYSERVER = "hkps://keys.openpgp.org";
|
||||
// Linux/macOS sockaddr_un.sun_path limit is 108 bytes including the NUL terminator.
|
||||
// S.gpg-agent.browser is the longest socket GPG creates directly under the home directory.
|
||||
const MAX_GPG_SOCKET_PATH = 107;
|
||||
const LONGEST_GPG_SOCKET = "/S.gpg-agent.browser";
|
||||
|
||||
/**
|
||||
* Verifies the GPG signature of a downloaded file
|
||||
@@ -3990,12 +3995,22 @@ function convertToUnixPath(windowsPath) {
|
||||
* @returns {string} Path to the temporary GPG home directory
|
||||
*/
|
||||
function setupGpgHome() {
|
||||
const tempDir = process.env.RUNNER_TEMP || os$1.tmpdir();
|
||||
const gpgHome = path$1.join(tempDir, `gpg-home-${Date.now()}-${process.pid}`);
|
||||
const dirName = `gpg-${randomBytes(4).toString("hex")}`;
|
||||
|
||||
fs$1.mkdirSync(gpgHome, { recursive: true, mode: 0o700 });
|
||||
const runnertemp = process.env.RUNNER_TEMP;
|
||||
for (const base of [runnertemp, os$1.tmpdir()].filter(Boolean)) {
|
||||
const gpgHome = path$1.join(base, dirName);
|
||||
if (process.platform === "win32" || (gpgHome + LONGEST_GPG_SOCKET).length <= MAX_GPG_SOCKET_PATH) {
|
||||
fs$1.mkdirSync(gpgHome, { recursive: true, mode: 0o700 });
|
||||
return gpgHome;
|
||||
}
|
||||
}
|
||||
|
||||
return gpgHome;
|
||||
throw new Error(
|
||||
`Cannot create a GPG home directory with a short enough path for GPG sockets. ` +
|
||||
`The longest socket path (gpgHome + "${LONGEST_GPG_SOCKET}") must not exceed ${MAX_GPG_SOCKET_PATH} characters. ` +
|
||||
`Consider setting RUNNER_TEMP to a shorter path, was "${runnertemp || '<empty>'}".`
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
Vendored
+1
-1
File diff suppressed because one or more lines are too long
@@ -20,7 +20,9 @@
|
||||
|
||||
import assert from "node:assert/strict";
|
||||
import * as fs from "node:fs";
|
||||
import { afterEach, describe, it, mock } from "node:test";
|
||||
import * as os from "node:os";
|
||||
import * as path from "node:path";
|
||||
import { afterEach, beforeEach, describe, it, mock } from "node:test";
|
||||
import { getProxyFromEnv, setupGpgHome, } from "../gpg-verification.js";
|
||||
|
||||
/**
|
||||
@@ -492,6 +494,76 @@ describe("gpg-verification with mocked exec", () => {
|
||||
});
|
||||
});
|
||||
|
||||
describe("setupGpgHome", () => {
|
||||
let originalRunnerTemp;
|
||||
|
||||
beforeEach(() => {
|
||||
originalRunnerTemp = process.env.RUNNER_TEMP;
|
||||
});
|
||||
|
||||
afterEach(() => {
|
||||
if (originalRunnerTemp === undefined) {
|
||||
delete process.env.RUNNER_TEMP;
|
||||
} else {
|
||||
process.env.RUNNER_TEMP = originalRunnerTemp;
|
||||
}
|
||||
});
|
||||
|
||||
it("should create directory under RUNNER_TEMP when path is short enough", () => {
|
||||
const runnerTemp = fs.mkdtempSync(path.join(os.tmpdir(), "runner-temp-"));
|
||||
tempDirs.push(runnerTemp);
|
||||
process.env.RUNNER_TEMP = runnerTemp;
|
||||
|
||||
const gpgHome = setupGpgHome();
|
||||
tempDirs.push(gpgHome);
|
||||
|
||||
assert.equal(path.dirname(gpgHome), runnerTemp);
|
||||
assert.ok(fs.existsSync(gpgHome));
|
||||
});
|
||||
|
||||
it("should fall back to os.tmpdir() when RUNNER_TEMP is not set", () => {
|
||||
delete process.env.RUNNER_TEMP;
|
||||
|
||||
const gpgHome = setupGpgHome();
|
||||
tempDirs.push(gpgHome);
|
||||
|
||||
assert.equal(path.dirname(gpgHome), os.tmpdir());
|
||||
assert.ok(fs.existsSync(gpgHome));
|
||||
});
|
||||
|
||||
it("should fall back to os.tmpdir() when RUNNER_TEMP path is too long for GPG sockets", () => {
|
||||
// Customer's actual RUNNER_TEMP (93 chars) — pushes the dirmngr socket path over the 107-char Linux limit
|
||||
process.env.RUNNER_TEMP = "/codebuild/output/src2280/src/2bc4e189_61b5_4b91_abc6_9c5c06637b96/actions-runner/_work/_temp";
|
||||
|
||||
const gpgHome = setupGpgHome();
|
||||
tempDirs.push(gpgHome);
|
||||
|
||||
assert.equal(path.dirname(gpgHome), os.tmpdir());
|
||||
assert.ok(fs.existsSync(gpgHome));
|
||||
});
|
||||
|
||||
it("should throw a clear error when all candidate paths are too long", async (t) => {
|
||||
const longPath = "/codebuild/output/src2280/src/2bc4e189_61b5_4b91_abc6_9c5c06637b96/actions-runner/_work/_temp";
|
||||
|
||||
t.mock.module("node:os", {
|
||||
namedExports: {
|
||||
tmpdir: () => longPath,
|
||||
},
|
||||
});
|
||||
|
||||
process.env.RUNNER_TEMP = longPath;
|
||||
|
||||
const { setupGpgHome: freshSetupGpgHome } = await import("../gpg-verification.js?test=both-paths-too-long");
|
||||
|
||||
assert.throws(
|
||||
() => freshSetupGpgHome(),
|
||||
{ message: `Cannot create a GPG home directory with a short enough path for GPG sockets. ` +
|
||||
`The longest socket path (gpgHome + "/S.gpg-agent.browser") must not exceed 107 characters. ` +
|
||||
`Consider setting RUNNER_TEMP to a shorter path, was "${longPath}".` }
|
||||
);
|
||||
});
|
||||
});
|
||||
|
||||
describe("getProxyFromEnv", () => {
|
||||
afterEach(() => {
|
||||
clearProxyEnv();
|
||||
|
||||
@@ -101,9 +101,8 @@ async function withMockedEnv(envVars, testFn) {
|
||||
* @returns {string} The path to the created temporary directory
|
||||
*/
|
||||
function createTempDir() {
|
||||
const tempDir = path.join(os.tmpdir(), `test-runner-temp-${Date.now()}`);
|
||||
fs.mkdirSync(tempDir, { recursive: true });
|
||||
return tempDir;
|
||||
// Use a short prefix so the gpg socket path stays within the 107-char Linux limit
|
||||
return fs.mkdtempSync(path.join(os.tmpdir(), "r"));
|
||||
}
|
||||
|
||||
describe("gpg-verification", () => {
|
||||
@@ -177,10 +176,8 @@ describe("gpg-verification", () => {
|
||||
}
|
||||
});
|
||||
|
||||
it("should create unique directories on multiple calls", async () => {
|
||||
it("should create unique directories on multiple calls", () => {
|
||||
const gpgHome1 = createTrackedGpgHome(tempDirs);
|
||||
// Small delay to ensure different timestamps
|
||||
await new Promise((resolve) => setTimeout(resolve, 10));
|
||||
const gpgHome2 = createTrackedGpgHome(tempDirs);
|
||||
|
||||
assert.notEqual(gpgHome1, gpgHome2);
|
||||
|
||||
@@ -20,6 +20,7 @@
|
||||
|
||||
import * as core from "@actions/core";
|
||||
import * as exec from "@actions/exec";
|
||||
import { randomBytes } from "node:crypto";
|
||||
import * as fs from "node:fs";
|
||||
import * as os from "node:os";
|
||||
import * as path from "node:path";
|
||||
@@ -27,6 +28,10 @@ import * as path from "node:path";
|
||||
const SONARSOURCE_KEY_FINGERPRINT = "679F1EE92B19609DE816FDE81DB198F93525EC1A";
|
||||
const DEFAULT_KEYSERVER = "hkps://keyserver.ubuntu.com";
|
||||
const FALLBACK_KEYSERVER = "hkps://keys.openpgp.org";
|
||||
// Linux/macOS sockaddr_un.sun_path limit is 108 bytes including the NUL terminator.
|
||||
// S.gpg-agent.browser is the longest socket GPG creates directly under the home directory.
|
||||
const MAX_GPG_SOCKET_PATH = 107;
|
||||
const LONGEST_GPG_SOCKET = "/S.gpg-agent.browser";
|
||||
|
||||
/**
|
||||
* Verifies the GPG signature of a downloaded file
|
||||
@@ -117,12 +122,22 @@ export function convertToUnixPath(windowsPath) {
|
||||
* @returns {string} Path to the temporary GPG home directory
|
||||
*/
|
||||
export function setupGpgHome() {
|
||||
const tempDir = process.env.RUNNER_TEMP || os.tmpdir();
|
||||
const gpgHome = path.join(tempDir, `gpg-home-${Date.now()}-${process.pid}`);
|
||||
const dirName = `gpg-${randomBytes(4).toString("hex")}`;
|
||||
|
||||
fs.mkdirSync(gpgHome, { recursive: true, mode: 0o700 });
|
||||
const runnertemp = process.env.RUNNER_TEMP;
|
||||
for (const base of [runnertemp, os.tmpdir()].filter(Boolean)) {
|
||||
const gpgHome = path.join(base, dirName);
|
||||
if (process.platform === "win32" || (gpgHome + LONGEST_GPG_SOCKET).length <= MAX_GPG_SOCKET_PATH) {
|
||||
fs.mkdirSync(gpgHome, { recursive: true, mode: 0o700 });
|
||||
return gpgHome;
|
||||
}
|
||||
}
|
||||
|
||||
return gpgHome;
|
||||
throw new Error(
|
||||
`Cannot create a GPG home directory with a short enough path for GPG sockets. ` +
|
||||
`The longest socket path (gpgHome + "${LONGEST_GPG_SOCKET}") must not exceed ${MAX_GPG_SOCKET_PATH} characters. ` +
|
||||
`Consider setting RUNNER_TEMP to a shorter path, was "${runnertemp || '<empty>'}".`
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
Reference in New Issue
Block a user