Merge branch 'main' into multiple-archive-support

canonical · Oct 14, 2024 · 39c3023 · 39c3023
2 parents 82587f6 + 022d771
commit 39c3023
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 16 deletions.
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
@@ -1,15 +1,15 @@
 name: Security
 
 on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
+  schedule:
+    - cron: "0 1 * * *"
 
 jobs:
   scan:
     name: Scan for known vulnerabilities
     runs-on: ubuntu-latest
+    env:
+      TRIVY_RESULTS: 'trivy-results.sarif'
     steps:
       - uses: actions/checkout@v3
 
@@ -18,3 +18,23 @@ jobs:
         with:
           scan-type: 'fs'
           scan-ref: '.'
+          format: 'sarif'
+          output: ${{ env.TRIVY_RESULTS }}
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ env.TRIVY_RESULTS }}
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.TRIVY_RESULTS }}
+          path: ${{ env.TRIVY_RESULTS }}
+
+      - name: Raise error on HIGH,CRITICAL vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
diff --git a/cmd/chisel/cmd_info_test.go b/cmd/chisel/cmd_info_test.go
@@ -145,6 +145,7 @@ var defaultChiselYaml = `
 		ubuntu:
 			version: 22.04
 			components: [main, universe]
+			suites: [jammy]
 			public-keys: [test-key]
 	public-keys:
 		test-key:

diff --git a/internal/setup/setup.go b/internal/setup/setup.go
@@ -501,13 +501,6 @@ type yamlPubKey struct {
 	Armor string `yaml:"armor"`
 }
 
-var ubuntuAdjectives = map[string]string{
-	"18.04": "bionic",
-	"20.04": "focal",
-	"22.04": "jammy",
-	"22.10": "kinetic",
-}
-
 func parseRelease(baseDir, filePath string, data []byte) (*Release, error) {
 	release := &Release{
 		Path:     baseDir,
@@ -549,11 +542,7 @@ func parseRelease(baseDir, filePath string, data []byte) (*Release, error) {
 			return nil, fmt.Errorf("%s: archive %q missing version field", fileName, archiveName)
 		}
 		if len(details.Suites) == 0 {
-			adjective := ubuntuAdjectives[details.Version]
-			if adjective == "" {
-				return nil, fmt.Errorf("%s: archive %q missing suites field", fileName, archiveName)
-			}
-			details.Suites = []string{adjective}
+			return nil, fmt.Errorf("%s: archive %q missing suites field", fileName, archiveName)
 		}
 		if len(details.Components) == 0 {
 			return nil, fmt.Errorf("%s: archive %q missing components field", fileName, archiveName)

diff --git a/internal/setup/setup_test.go b/internal/setup/setup_test.go
@@ -798,6 +798,18 @@ var setupTests = []setupTest{{
 			},
 		},
 	},
+}, {
+	summary: "Archive with suites unset",
+	input: map[string]string{
+		"chisel.yaml": `
+			format: v1
+			archives:
+				ubuntu:
+					version: 22.04
+					components: [main, other]
+		`,
+	},
+	relerror: `chisel.yaml: archive "ubuntu" missing suites field`,
 }, {
 	summary: "Two archives cannot have same priority",
 	input: map[string]string{
@@ -1636,6 +1648,7 @@ var defaultChiselYaml = `
 		ubuntu:
 			version: 22.04
 			components: [main, universe]
+			suites: [jammy]
 			public-keys: [test-key]
 	public-keys:
 		test-key:

diff --git a/internal/slicer/slicer_test.go b/internal/slicer/slicer_test.go
@@ -802,11 +802,13 @@ var slicerTests = []slicerTest{{
 				foo:
 					version: 22.04
 					components: [main, universe]
+					suites: [jammy]
 					priority: 20
 					public-keys: [test-key]
 				bar:
 					version: 22.04
 					components: [main]
+					suites: [jammy]
 					priority: 10
 					public-keys: [test-key]
 			public-keys:
@@ -872,11 +874,13 @@ var slicerTests = []slicerTest{{
 				foo:
 					version: 22.04
 					components: [main, universe]
+					suites: [jammy]
 					priority: 20
 					public-keys: [test-key]
 				bar:
 					version: 22.04
 					components: [main]
+					suites: [jammy]
 					priority: 10
 					public-keys: [test-key]
 			public-keys:
@@ -923,11 +927,13 @@ var slicerTests = []slicerTest{{
 				foo:
 					version: 22.04
 					components: [main, universe]
+					suites: [jammy]
 					priority: 20
 					public-keys: [test-key]
 				bar:
 					version: 22.04
 					components: [main]
+					suites: [jammy]
 					priority: 10
 					public-keys: [test-key]
 			public-keys:
@@ -958,11 +964,13 @@ var slicerTests = []slicerTest{{
 				foo:
 					version: 22.04
 					components: [main, universe]
+					suites: [jammy]
 					priority: 20
 					public-keys: [test-key]
 				bar:
 					version: 22.04
 					components: [main]
+					suites: [jammy]
 					priority: 10
 					public-keys: [test-key]
 			public-keys:
@@ -996,6 +1004,7 @@ var slicerTests = []slicerTest{{
 				foo:
 					version: 22.04
 					components: [main, universe]
+					suites: [jammy]
 					priority: -20
 					public-keys: [test-key]
 			public-keys:
@@ -1032,6 +1041,7 @@ var slicerTests = []slicerTest{{
 				foo:
 					version: 22.04
 					components: [main, universe]
+					suites: [jammy]
 					priority: -20
 					public-keys: [test-key]
 			public-keys:
@@ -1443,6 +1453,7 @@ var defaultChiselYaml = `
 		ubuntu:
 			version: 22.04
 			components: [main, universe]
+			suites: [jammy]
 			public-keys: [test-key]
 	public-keys:
 		test-key: