Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added codecov checksum validation, updated CircleCI machine to Focal. #5907

Merged
merged 3 commits into from
Apr 22, 2021
Merged

Added codecov checksum validation, updated CircleCI machine to Focal. #5907

merged 3 commits into from
Apr 22, 2021

Conversation

zenmonkeykstop
Copy link
Contributor

@zenmonkeykstop zenmonkeykstop commented Apr 19, 2021
edited
Loading

Status

Ready for review

Description of Changes

  • Updates invocations of codecov bash and env scripts in CI to validate checksums against their GitHub repo before running.
  • Updates CircleCI machines to use Ubuntu 20.04 images (instead of Trusty).

Testing

  • CI is passing
  • codecov scripts used in `securedrop/bin/{run-test,dev-shell} are not piped directly into bash

Deployment

CI only, no deployment issues

@zenmonkeykstop zenmonkeykstop requested a review from a team as a code owner April 19, 2021 19:31
@zenmonkeykstop zenmonkeykstop force-pushed the codecov-barndoor-close branch 5 times, most recently from a4b5772 to fb8c356 Compare April 19, 2021 22:17
@zenmonkeykstop zenmonkeykstop force-pushed the codecov-barndoor-close branch from fb8c356 to 49df6e8 Compare April 19, 2021 22:37
@zenmonkeykstop zenmonkeykstop changed the title Added checksum validation for codecov scripts Added codecov checksum validation, updated CircleCI machine to Focal. Apr 19, 2021
conorsch
conorsch suggested changes Apr 21, 2021
View reviewed changes
Copy link
Contributor

@conorsch conorsch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this PR was opened, looks like we have more checksums to validate. Will tack on some changes requested and confirm CI is still passing.

securedrop/bin/dev-shell
ci_env=$(bash <(curl -s https://codecov.io/env))
tmpdir=$(mktemp -d -t codecov-XXXX)
curl -s https://codecov.io/bash > "$tmpdir"/codecov; # env isn't in SHA256SUM yet!!
curl -s https://codecov.io/env > "$tmpdir"/env;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

env isn't in SHA256SUM yet!!

Looks like it is now: https://github.com/codecov/codecov-bash/blob/1b4b96ac38946b20043b3ca3bad88d95462259b6/SHA256SUM

.circleci/config.yml
@@ -97,6 +97,7 @@ version: 2
jobs:
lint:
machine:
image: ubuntu-2004:202010-01
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Machine images are set to 20.04 through all machine-executor jobs in the CI config. 👍

securedrop/bin/dev-shell Outdated
tmpdir=$(mktemp -d -t codecov-XXXX)
curl -s https://codecov.io/bash > "$tmpdir"/codecov; # env isn't in SHA256SUM yet!!
curl -s https://codecov.io/env > "$tmpdir"/env;
VERSION=$(curl --silent "https://api.github.com/repos/codecov/codecov-bash/releases/latest" | grep '"tag_name":' |sed -E 's/.*"([^"]+)".*/\1/')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: curl -s https://api.github.com/repos/codecov/codecov-bash/releases/latest | jq -r .tag_name for posterity's sake.

securedrop/bin/dev-shell Outdated
VERSION=$(curl --silent "https://api.github.com/repos/codecov/codecov-bash/releases/latest" | grep '"tag_name":' |sed -E 's/.*"([^"]+)".*/\1/')
curl -s https://raw.githubusercontent.com/codecov/codecov-bash/"${VERSION}"/SHA256SUM > "$tmpdir"/codecov-hashes
pushd "$tmpdir" && shasum -a 256 -c --ignore-missing codecov-hashes && popd
chmod +x "$tmpdir"/env
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: does env need to be executable?

@conorsch conorsch force-pushed the codecov-barndoor-close branch from 3341e41 to 31b05b0 Compare April 21, 2021 23:06
@conorsch
Copy link
Contributor

Encountered a flake on the ua test:

assert 1 == 0
  +1
  -0
host = <testinfra.host.Host ansible://app-staging>

    def test_unattended_upgrades_functional(host):
        """
        Ensure unatteded-upgrades completes successfully and ensures all packages
        are up-to-date.
        """
        if host.system_info.codename != "xenial":
            c = host.run('sudo unattended-upgrades --dry-run --debug')
>           assert c.rc == 0
E           assert 1 == 0
E             +1
E             -0

../testinfra/common/test_automatic_updates.py:256: AssertionError

via https://app.circleci.com/pipelines/github/freedomofpress/securedrop/2313/workflows/1e215457-a0bd-4e8f-9aec-2c800348d61b/jobs/53583 . Rerunning.

emkll
emkll approved these changes Apr 22, 2021
View reviewed changes
Copy link
Contributor

@emkll emkll left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI now passing, and changes lgtm

@emkll emkll merged commit 14c9d3a into develop Apr 22, 2021
@emkll emkll deleted the codecov-barndoor-close branch April 22, 2021 14:33
@conorsch conorsch mentioned this pull request Apr 27, 2021
Merged
12 tasks
@eloquence eloquence mentioned this pull request Jul 28, 2021
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@emkll emkll emkll approved these changes

@conorsch conorsch conorsch approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@zenmonkeykstop @conorsch @emkll