mongodb · gssbzn · Mar 5, 2024 · Mar 5, 2024 · Mar 5, 2024 · Mar 5, 2024
@@ -0,0 +1,17 @@
+{
+  "problemMatcher": [
+    {
+      "owner": "actionlint",
+      "pattern": [
+        {
+          "regexp": "^(?:\\x1b\\[\\d+m)?(.+?)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*:(?:\\x1b\\[\\d+m)*(\\d+)(?:\\x1b\\[\\d+m)*: (?:\\x1b\\[\\d+m)*(.+?)(?:\\x1b\\[\\d+m)* \\[(.+?)\\]$",
+          "file": 1,
+          "line": 2,
+          "column": 3,
+          "message": 4,
+          "code": 5
+        }
+      ]
+    }
+  ]
+}
@@ -100,17 +100,32 @@ jobs:
           go-version-file: 'go.mod'
       - name: Generate docs
         run: make gen-docs > /dev/null
-      - name: Check for uncommited files
+      - name: Check for uncommitted files
         run: |
-          export FILES=$(git ls-files -o -m --directory --exclude-standard --no-empty-directory)
-          export LINES=$(echo "$FILES" | awk 'NF' | wc -l)
-          if [ $LINES -ne 0 ]; then
+          export FILES=
+          FILES=$(git ls-files -o -m --directory --exclude-standard --no-empty-directory)
+          export LINES=
+          LINES=$(echo "$FILES" | awk 'NF' | wc -l)
+          if [ "$LINES" -ne 0 ]; then
             echo "Detected files that need to be committed:"
-            echo "$FILES" | sed -e "s/^/  /"
+            echo "${FILES//^/ }"
             echo ""
             echo "Try running: make gen-docs"
             exit 1
           fi
+  actionlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Download actionlint
+        id: get_actionlint
+        run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
+        shell: bash
+      - name: Check workflow files
+        run: |
+          echo "::add-matcher::.github/actionlint-matcher.json"
+          ${{ steps.get_actionlint.outputs.executable }} -color
+        shell: bash
   mocks:
     runs-on: ubuntu-latest
     steps:
@@ -124,13 +139,15 @@ jobs:
         run: go install github.com/golang/mock/mockgen@latest
       - name: Generate mocks
         run: make gen-mocks
-      - name: Check for uncommited files
+      - name: Check for uncommitted files
         run: |
-          export FILES=$(git ls-files -o -m --directory --exclude-standard --no-empty-directory)
-          export LINES=$(echo "$FILES" | awk 'NF' | wc -l)
-          if [ $LINES -ne 0 ]; then
+          export FILES=
+          FILES=$(git ls-files -o -m --directory --exclude-standard --no-empty-directory)
+          export LINES=
+          LINES=$(echo "$FILES" | awk 'NF' | wc -l)
+          if [ "$LINES" -ne 0 ]; then
             echo "Detected files that need to be committed:"
-            echo "$FILES" | sed -e "s/^/  /"
+            echo "${FILES//^/ }"
             echo ""
             echo "Try running: make gen-mocks"
             exit 1
@@ -153,13 +170,15 @@ jobs:
           go-version-file: 'go.mod'
       - name: Run 'go mod tidy'
         run: go mod tidy
-      - name: Check for uncommited files
+      - name: Check for uncommitted files
         run: |
-          export FILES=$(git ls-files -o -m --directory --exclude-standard --no-empty-directory)
-          export LINES=$(echo "$FILES" | awk 'NF' | wc -l)
-          if [ $LINES -ne 0 ]; then
+          export FILES=
+          FILES=$(git ls-files -o -m --directory --exclude-standard --no-empty-directory)
+          export LINES=
+          LINES=$(echo "$FILES" | awk 'NF' | wc -l)
+          if [ "$LINES" -ne 0 ]; then
             echo "Detected files that need to be committed:"
-            echo "$FILES" | sed -e "s/^/  /"
+            echo "${FILES//^/ }"
             echo ""
             echo "Try running: go mod tidy"
             exit 1

@@ -21,7 +21,7 @@
       - name: Find JIRA team
         id: find
         run: |
-          echo "assigned_team="$(git diff HEAD~1..HEAD -- go.mod | grep -v "// indirect" | grep -i "^\-" | grep -v "^\-\-\-" | awk '{print $2}' | xargs -I $ echo "jq -r \".\\\"$\\\"\" < build/ci/library_owners.json" | sh | xargs -I $ echo "jq -r \".\\\"$\\\"\" < build/ci/library_owners_jira.json" | sh | head -1)  >> "${GITHUB_OUTPUT}"
+          echo "assigned_team=$(git diff HEAD~1..HEAD -- go.mod | grep -v "// indirect" | grep -i "^\-" | grep -v "^\-\-\-" | awk '{print $2}' | xargs -I $ echo "jq -r \".\\\"$\\\"\" < build/ci/library_owners.json" | sh | xargs -I $ echo "jq -r \".\\\"$\\\"\" < build/ci/library_owners_jira.json" | sh | head -1)"  >> "${GITHUB_OUTPUT}"
       - name: Create JIRA ticket
         id: create
         shell: bash

@@ -18,7 +18,7 @@ jobs:
         id: set-date
         run: |
           DATE=$(date +'%Y-%m-%d')
-          echo DATE=${DATE} >> $GITHUB_ENV
+          echo "DATE=${DATE}" >> "$GITHUB_ENV"
       - name: 'Get latest tag'
         id: get-latest-tag
         uses: oprypin/find-latest-tag@e1e0e606cc7e9ede25140a5a139b3a5a1b717ece
@@ -29,7 +29,7 @@ jobs:
       - name: Extract version
         run: |
           release_tag=${{ steps.get-latest-tag.outputs.tag }}
-          echo "LATEST_VERSION=${release_tag#*/}" >> $GITHUB_ENV
+          echo "LATEST_VERSION=${release_tag#*/}" >> "$GITHUB_ENV"
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226
       - name: Login to Docker Hub
@@ -69,7 +69,7 @@ jobs:
         id: set-date
         run: |
           DATE=$(date +'%Y-%m-%d')
-          echo DATE=${DATE} >> $GITHUB_ENV
+          echo "DATE=${DATE}" >> "$GITHUB_ENV"
       - name: 'Get latest tag'
         id: get-latest-tag
         uses: oprypin/find-latest-tag@e1e0e606cc7e9ede25140a5a139b3a5a1b717ece
@@ -80,7 +80,7 @@ jobs:
       - name: Extract version
         run: |
           release_tag=${{ steps.get-latest-tag.outputs.tag }}
-          echo "LATEST_VERSION=${release_tag#*/}" >> $GITHUB_ENV
+          echo "LATEST_VERSION=${release_tag#*/}" >> "$GITHUB_ENV"
       - name: Enable containerd image store # See https://github.com/docker/setup-buildx-action/issues/257#issuecomment-1722284952
         uses: crazy-max/ghaction-setup-docker@c2351bbd0bfab8cd65e684219ad8ea46a6d093f3
         with:
@@ -109,15 +109,15 @@ jobs:
           IMAGE: ${{ env.STAGING_IMAGE_REPOSITORY }}:latest
         run: |
           docker pull "${IMAGE}"
-
           # DIGESTS contains a list of three digests separated by a comma.
-          DIGESTS=$(docker buildx imagetools inspect $IMAGE --format '{{- range .Manifest.Manifests}}{{- if eq .Platform.OS "linux" }}{{ .Digest }},{{- end }}{{- end }}{{- .Manifest.Digest }}
+          DIGESTS=$(docker buildx imagetools inspect "${IMAGE}" --format '{{- range .Manifest.Manifests}}{{- if eq .Platform.OS "linux" }}{{ .Digest }},{{- end }}{{- end }}{{- .Manifest.Digest }}
           ')
           echo "These are the Docker image DIGESTS: ${DIGESTS}"
 
-          echo "GRS_CONFIG_USER1_USERNAME=${GRS_USERNAME}" >> "signing-envfile"
-          echo "GRS_CONFIG_USER1_PASSWORD=${GRS_PASSWORD}" >> "signing-envfile"
-          echo "COSIGN_REPOSITORY=${SIGNATURE_REPO}" >> "signing-envfile"
+          {
+           echo "GRS_CONFIG_USER1_USERNAME=${GRS_USERNAME}"
+           echo "GRS_CONFIG_USER1_PASSWORD=${GRS_PASSWORD}"
+          } >> "signing-envfile"
 
           echo "${DOCKERHUB_SECRET}" | docker login --password-stdin --username "${DOCKERHUB_USER}"
           for DIGEST in $(echo "$DIGESTS" | tr ',' ' '); do
@@ -127,10 +127,10 @@ jobs:
               --env-file=signing-envfile \
               --rm \
               -v ~/.docker/config.json:/root/.docker/config.json \
-              -v $(pwd):$(pwd) \
-              -w $(pwd) \
+              -v "$(pwd):$(pwd)" \
+              -w "$(pwd)" \
               artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-cosign \
-              cosign sign --key "${PKCS11_URI}" --sign-container-identity=index.docker.io/mongodb/atlas --tlog-upload=false "${IMAGE}@${DIGEST}"  
+              cosign sign --key "${PKCS11_URI}" --sign-container-identity=index.docker.io/mongodb/atlas --tlog-upload=false "${IMAGE}@${DIGEST}"
           done
       - name: Push image to dockerhub public registry
         run: |
@@ -178,18 +178,14 @@ jobs:
       - name: Verify Signature Docker Image
         env:
           IMAGE: ${{ env.IMAGE_REPOSITORY }}:latest
+          COSIGN_REPOSITORY: docker:io/mongodb/signatures
         run: |
           # Download MongoDB Atlas CLI Public Key
-          curl https://cosign.mongodb.com/atlas-cli.pem > atlas-cli.pem
-
-          # Download Docker Image
-          docker pull "${IMAGE}"
-
+          curl https://cosign.mongodb.com/atlas-cli.pem > atlas-cli.pem          
+          docker pull "${IMAGE}"          
           # Verify the signature
-          COSIGN_REPOSITORY=docker.io/mongodb/signatures cosign verify --private-infrastructure --key=./atlas-cli.pem "docker.io/${IMAGE}"
-
-          # Check the exit status of cosign verify
-          if [ $? -ne 0 ]; then
+          if cosign verify --private-infrastructure --key=./atlas-cli.pem "docker.io/${IMAGE}";
+          then
             echo "Error: Signature verification for ${IMAGE} failed."
             exit 1
           fi
@@ -221,18 +217,14 @@ jobs:
       - name: Verify Signature Quay Image
         env:
           IMAGE: ${{ env.QUAY }}/${{ env.IMAGE_REPOSITORY }}:latest
+          COSIGN_REPOSITORY: docker:io/mongodb/signatures
         run: |
           # Download MongoDB Atlas CLI Public Key
-          curl https://cosign.mongodb.com/atlas-cli.pem > atlas-cli.pem
-
-          # Download Quay Image
-          docker pull "${IMAGE}"
-
+          curl https://cosign.mongodb.com/atlas-cli.pem > atlas-cli.pem          
+          docker pull "${IMAGE}"          
           # Verify the signature
-          COSIGN_REPOSITORY=docker.io/mongodb/signatures cosign verify --private-infrastructure --key=./atlas-cli.pem "${IMAGE}"
-
-          # Check the exit status of cosign verify
-          if [ $? -ne 0 ]; then
+          if ! cosign verify --private-infrastructure --key=./atlas-cli.pem "${IMAGE}";
+          then
             echo "Error: Signature verification for ${IMAGE} failed."
             exit 1
           fi