Added codecov checksum validation, updated CircleCI machine to Focal. #5907

Merged
merged 3 commits into from Apr 22, 2021

Conversation

zenmonkeykstop

@zenmonkeykstop zenmonkeykstop commented Apr 19, 2021

Status

Ready for review

Description of Changes

  • Updates invocations of codecov bash and env scripts in CI to validate checksums against their GitHub repo before running.
  • Updates CircleCI machines to use Ubuntu 20.04 images (instead of Trusty).

Testing

  • CI is passing
  • codecov scripts used in `securedrop/bin/{run-test,dev-shell}` are not piped directly into bash

Deployment

CI only, no deployment issues
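An added example, not code from this PR, SecureDrop or codecov, of the fail-closed pattern the change moves toward: download the script to a temporary directory, check it against a published SHA256SUM file, and only execute it when the digest matches. It generalizes past the PR's `--ignore-missing` invocation by treating a checksum file that does not list the requested script as a failure rather than a pass. Network fetches are replaced by a constructed on-disk fixture so it runs offline; the `verify_script`, `make_fixture`, `tamper` and `run_verified` helpers and the fixture contents are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not SecureDrop's or codecov's code: fail-closed
# "download, then verify, then run" handling for a vendored script.
# Network fetches are replaced by a constructed fixture so it runs offline.
set -eu

# verify_script DIR NAME
#   Checks DIR/NAME against the line for NAME in DIR/SHA256SUM.
#   Succeeds only if a line for NAME exists AND its digest matches; a
#   checksum file that never mentions NAME is a failure, not a pass.
verify_script() {
    dir="$1"; name="$2"
    # Keep only NAME's entry; two spaces is the coreutils digest/name separator.
    line=$(grep -E "^[0-9a-f]{64}  ${name}\$" "$dir/SHA256SUM" || true)
    if [ -z "$line" ]; then
        echo "verify_script: no checksum entry for $name" >&2
        return 1
    fi
    # Compare from inside DIR so the relative filename in the line resolves.
    (cd "$dir" && printf '%s\n' "$line" | sha256sum -c --status)
}

# make_fixture DIR
#   Builds a throwaway directory with a stand-in uploader script and a
#   SHA256SUM file in the format codecov publishes (digest, two spaces, name).
make_fixture() {
    mkdir -p "$1"
    printf '#!/bin/sh\necho "constructed stand-in, not the real uploader"\n' > "$1/codecov"
    (cd "$1" && sha256sum codecov > SHA256SUM)
}

# tamper DIR
#   Appends bytes to the script after SHA256SUM was written, standing in
#   for a modified or truncated download.
tamper() {
    printf '\n# appended after hashing\n' >> "$1/codecov"
}

# run_verified DIR NAME
#   The only path that executes the script: verification must pass first.
run_verified() {
    verify_script "$1" "$2" || { echo "refusing to run unverified $2" >&2; return 1; }
    sh "$1/$2"
}

demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    run_verified "$tmp" codecov                       # runs: digest matches
    run_verified "$tmp" env 2>/dev/null || echo "env: no entry, not run"
    tamper "$tmp"
    run_verified "$tmp" codecov 2>/dev/null || echo "codecov: modified, not run"
    rm -rf "$tmp"
}

demo
```

The design choice worth noting is that `verify_script` filters the checksum file down to the one entry it cares about before calling `sha256sum -c`, so the result can never depend on how a given implementation treats a file that matched nothing; the script is executed only through `run_verified`, which has no path around the check.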

@zenmonkeykstop zenmonkeykstop requested a review from a team as a code owner April 19, 2021 19:31
@zenmonkeykstop zenmonkeykstop force-pushed the codecov-barndoor-close branch 5 times, most recently from a4b5772 to fb8c356 on April 19, 2021 22:17
@zenmonkeykstop zenmonkeykstop changed the title Added checksum validation for codecov scripts Added codecov checksum validation, updated CircleCI machine to Focal. Apr 19, 2021
@emkll emkll added this to In Development in SecureDrop Team Board Apr 20, 2021
@eloquence eloquence moved this from In Development to Ready for Review in SecureDrop Team Board Apr 21, 2021

@conorsch conorsch left a comment

Since this PR was opened, looks like we have more checksums to validate. Will tack on some changes requested and confirm CI is still passing.

ci_env=$(bash <(curl -s https://codecov.io/env))
tmpdir=$(mktemp -d -t codecov-XXXX)
curl -s https://codecov.io/bash > "$tmpdir"/codecov; # env isn't in SHA256SUM yet!!
curl -s https://codecov.io/env > "$tmpdir"/env;
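Review bot: the last line still fetches `env` without any checksum step, as the inline comment on the line above admits, so this hunk replaces one unverified remote script with another that is merely saved to disk first; until `env` appears in codecov's SHA256SUM, a pinned in-repo hash for it (or not running it at all) would close that gap. Separately, `curl -s` without `--fail` writes an HTTP error body into `"$tmpdir"/codecov` or `"$tmpdir"/env` on a 404 or 5xx instead of aborting; `curl -sSf` makes a failed fetch fail loudly rather than leaving junk for later steps to trust.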
@@ -97,6 +97,7 @@ version: 2
jobs:
lint:
machine:
image: ubuntu-2004:202010-01

Machine images are set to 20.04 through all machine-executor jobs in the CI config. 👍

tmpdir=$(mktemp -d -t codecov-XXXX)
curl -s https://codecov.io/bash > "$tmpdir"/codecov; # env isn't in SHA256SUM yet!!
curl -s https://codecov.io/env > "$tmpdir"/env;
VERSION=$(curl --silent "https://api.github.com/repos/codecov/codecov-bash/releases/latest" | grep '"tag_name":' |sed -E 's/.*"([^"]+)".*/\1/')
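Review bot: the `VERSION` lookup on the last line has no failure handling: if the unauthenticated GitHub API call is rate-limited or returns an error body, `grep` matches no `tag_name` line, `VERSION` is empty, and any later fetch built from it targets a nonexistent path. Abort when the lookup yields nothing, e.g. `[ -n "$VERSION" ] || exit 1`, and `jq -r .tag_name` (as already suggested) is less brittle than the grep/sed pair.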

Suggestion: curl -s https://api.github.com/repos/codecov/codecov-bash/releases/latest | jq -r .tag_name for posterity's sake.

VERSION=$(curl --silent "https://api.github.com/repos/codecov/codecov-bash/releases/latest" | grep '"tag_name":' |sed -E 's/.*"([^"]+)".*/\1/')
curl -s https://raw.githubusercontent.com/codecov/codecov-bash/"${VERSION}"/SHA256SUM > "$tmpdir"/codecov-hashes
pushd "$tmpdir" && shasum -a 256 -c --ignore-missing codecov-hashes && popd
chmod +x "$tmpdir"/env
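Review bot: the `pushd ... && shasum ... && popd` chain on the third line does not stop the script when verification fails unless the caller runs under `set -e`; on a mismatch `popd` is skipped but execution continues to `chmod +x` and onward, so the failed check is not terminal. Make it so (`|| exit 1`, or `set -e` at the top of the script). Also, because `--ignore-missing` only compares files listed in `codecov-hashes`, `env` is never compared at all, which is exactly what the `chmod +x` on the last line then makes executable.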

Nit: does env need to be executable?

@conorsch

Encountered a flake on the ua test:

assert 1 == 0
  +1
  -0
host = <testinfra.host.Host ansible://app-staging>

    def test_unattended_upgrades_functional(host):
        """
        Ensure unatteded-upgrades completes successfully and ensures all packages
        are up-to-date.
        """
        if host.system_info.codename != "xenial":
            c = host.run('sudo unattended-upgrades --dry-run --debug')
>           assert c.rc == 0
E           assert 1 == 0
E             +1
E             -0

../testinfra/common/test_automatic_updates.py:256: AssertionError

via https://app.circleci.com/pipelines/github/freedomofpress/securedrop/2313/workflows/1e215457-a0bd-4e8f-9aec-2c800348d61b/jobs/53583 . Rerunning.


@emkll emkll left a comment


CI now passing, and changes lgtm

@emkll emkll merged commit 14c9d3a into develop Apr 22, 2021
SecureDrop Team Board automation moved this from Ready for Review to Done Apr 22, 2021
@emkll emkll deleted the codecov-barndoor-close branch April 22, 2021 14:33
@eloquence eloquence mentioned this pull request Jul 28, 2021