Added support for GPG

2025-04-06 23:39:37 +00:00 · 2020-05-02 04:33:15 -07:00
parent 5c87b70ffe
commit d94db22179
17 changed files with 37442 additions and 5142 deletions
--- a/src/auth.ts
+++ b/src/auth.ts
@ -3,60 +3,72 @@ import * as os from 'os';
 import * as path from 'path';
 import * as core from '@actions/core';
 import * as io from '@actions/io';
+import {create as xmlCreate} from 'xmlbuilder2';

 export const M2_DIR = '.m2';
 export const SETTINGS_FILE = 'settings.xml';

-export const DEFAULT_ID = 'github';
-export const DEFAULT_USERNAME = 'GITHUB_ACTOR';
-export const DEFAULT_PASSWORD = 'GITHUB_TOKEN';
-
 export async function configAuthentication(
-  id = DEFAULT_ID,
-  username = DEFAULT_USERNAME,
-  password = DEFAULT_PASSWORD
+  id: string,
+  username: string,
+  password: string,
+  gpgPassphrase: string | undefined = undefined
 ) {
  console.log(
    `creating ${SETTINGS_FILE} with server-id: ${id};`,
-    `environment variables: username=\$${username} and password=\$${password}`
+    'environment variables:',
+    `username=\$${username},`,
+    `password=\$${password},`,
+    `and gpg-passphrase=${gpgPassphrase ? '$' + gpgPassphrase : null}`
  );
  // when an alternate m2 location is specified use only that location (no .m2 directory)
  // otherwise use the home/.m2/ path
-  const directory: string = path.join(
+  const settingsDirectory: string = path.join(
    core.getInput('settings-path') || os.homedir(),
    core.getInput('settings-path') ? '' : M2_DIR
  );
-  await io.mkdirP(directory);
-  core.debug(`created directory ${directory}`);
-  await write(directory, generate(id, username, password));
-}
-
-function escapeXML(value: string) {
-  return value
-    .replace(/&/g, '&amp;')
-    .replace(/</g, '&lt;')
-    .replace(/>/g, '&gt;')
-    .replace(/"/g, '&quot;')
-    .replace(/'/g, '&apos;');
+  await io.mkdirP(settingsDirectory);
+  core.debug(`created directory ${settingsDirectory}`);
+  await write(
+    settingsDirectory,
+    generate(id, username, password, gpgPassphrase)
+  );
 }

 // only exported for testing purposes
 export function generate(
-  id = DEFAULT_ID,
-  username = DEFAULT_USERNAME,
-  password = DEFAULT_PASSWORD
+  id: string,
+  username: string,
+  password: string,
+  gpgPassphrase: string | undefined = undefined
 ) {
-  return `
-  <settings>
-      <servers>
-        <server>
-          <id>${escapeXML(id)}</id>
-          <username>\${env.${escapeXML(username)}}</username>
-          <password>\${env.${escapeXML(password)}}</password>
-        </server>
-      </servers>
-  </settings>
-  `;
+  const xmlObj: {[key: string]: any} = {
+    settings: {
+      '@xmlns': 'http://maven.apache.org/SETTINGS/1.0.0',
+      '@xmlns:xsi': 'http://www.w3.org/2001/XMLSchema-instance',
+      '@xsi:schemaLocation':
+        'http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd',
+      servers: {
+        server: [
+          {
+            id: id,
+            username: `\${env.${username}}`,
+            password: `\${env.${password}}`
+          }
+        ]
+      }
+    }
+  };
+
+  if (gpgPassphrase) {
+    const gpgServer = {
+      id: 'gpg.passphrase',
+      passphrase: `\${env.${gpgPassphrase}}`
+    };
+    xmlObj.settings.servers.server.push(gpgServer);
+  }
+
+  return xmlCreate(xmlObj).end({headless: true, prettyPrint: true, width: 80});
 }

 async function write(directory: string, settings: string) {
--- a/src/cleanup-java.ts
+++ b/src/cleanup-java.ts
@ -0,0 +1,16 @@
+import * as core from '@actions/core';
+import * as gpg from './gpg';
+
+async function run() {
+  if (core.getInput('gpg-private-key', {required: false})) {
+    console.log('removing private key from keychain');
+    try {
+      const keyFingerprint = core.getState('gpg-private-key-fingerprint');
+      await gpg.deleteKey(keyFingerprint);
+    } catch (error) {
+      core.setFailed(error.message);
+    }
+  }
+}
+
+run();
--- a/src/gpg.ts
+++ b/src/gpg.ts
@ -0,0 +1,58 @@
+import * as fs from 'fs';
+import * as path from 'path';
+import * as io from '@actions/io';
+import * as exec from '@actions/exec';
+import * as util from './util';
+import {ExecOptions} from '@actions/exec/lib/interfaces';
+
+export const PRIVATE_KEY_FILE = path.join(util.getTempDir(), 'private-key.asc');
+
+const PRIVATE_KEY_FINGERPRINT_REGEX = /\w{40}/;
+
+export async function importKey(privateKey: string) {
+  fs.writeFileSync(PRIVATE_KEY_FILE, privateKey, {
+    encoding: 'utf-8',
+    flag: 'w'
+  });
+
+  let output = '';
+
+  const options: ExecOptions = {
+    silent: true,
+    listeners: {
+      stdout: (data: Buffer) => {
+        output += data.toString();
+      }
+    }
+  };
+
+  await exec.exec(
+    'gpg',
+    [
+      '--batch',
+      '--import-options',
+      'import-show',
+      '--import',
+      PRIVATE_KEY_FILE
+    ],
+    options
+  );
+
+  await io.rmRF(PRIVATE_KEY_FILE);
+
+  const match = output.match(PRIVATE_KEY_FINGERPRINT_REGEX);
+  return match && match[0];
+}
+
+export async function deleteKey(keyFingerprint: string) {
+  await exec.exec(
+    'gpg',
+    ['--batch', '--yes', '--delete-secret-keys', keyFingerprint],
+    {silent: true}
+  );
+  await exec.exec(
+    'gpg',
+    ['--batch', '--yes', '--delete-keys', keyFingerprint],
+    {silent: true}
+  );
+}
--- a/src/installer.ts
+++ b/src/installer.ts
@ -1,5 +1,3 @@
-let tempDirectory = process.env['RUNNER_TEMP'] || '';
-
 import * as core from '@actions/core';
 import * as io from '@actions/io';
 import * as exec from '@actions/exec';
@ -8,23 +6,10 @@ import * as tc from '@actions/tool-cache';
 import * as fs from 'fs';
 import * as path from 'path';
 import * as semver from 'semver';
+import * as util from './util';

-const IS_WINDOWS = process.platform === 'win32';
-
-if (!tempDirectory) {
-  let baseLocation;
-  if (IS_WINDOWS) {
-    // On windows use the USERPROFILE env variable
-    baseLocation = process.env['USERPROFILE'] || 'C:\\';
-  } else {
-    if (process.platform === 'darwin') {
-      baseLocation = '/Users';
-    } else {
-      baseLocation = '/home';
-    }
-  }
-  tempDirectory = path.join(baseLocation, 'actions', 'temp');
-}
+const tempDirectory = util.getTempDir();
+const IS_WINDOWS = util.isWindows();

 export async function getJava(
  version: string,
--- a/src/setup-java.ts
+++ b/src/setup-java.ts
@ -1,10 +1,20 @@
 import * as core from '@actions/core';
 import * as installer from './installer';
 import * as auth from './auth';
+import * as gpg from './gpg';
 import * as path from 'path';

+const DEFAULT_ID = 'github';
+const DEFAULT_USERNAME = 'GITHUB_ACTOR';
+const DEFAULT_PASSWORD = 'GITHUB_TOKEN';
+const DEFAULT_GPG_PRIVATE_KEY = undefined;
+const DEFAULT_GPG_PASSPHRASE = 'GPG_PASSPHRASE';
+
 async function run() {
  try {
+    // Set secrets before use
+    core.setSecret('gpg-private-key');
+
    let version = core.getInput('version');
    if (!version) {
      version = core.getInput('java-version', {required: true});
@ -15,16 +25,28 @@ async function run() {

    await installer.getJava(version, arch, jdkFile, javaPackage);

-    const matchersPath = path.join(__dirname, '..', '.github');
+    const matchersPath = path.join(__dirname, '..', '..', '.github');
    console.log(`##[add-matcher]${path.join(matchersPath, 'java.json')}`);

-    const id = core.getInput('server-id', {required: false}) || undefined;
+    const id = core.getInput('server-id', {required: false}) || DEFAULT_ID;
    const username =
-      core.getInput('server-username', {required: false}) || undefined;
+      core.getInput('server-username', {required: false}) || DEFAULT_USERNAME;
    const password =
-      core.getInput('server-password', {required: false}) || undefined;
+      core.getInput('server-password', {required: false}) || DEFAULT_PASSWORD;
+    const gpgPrivateKey =
+      core.getInput('gpg-private-key', {required: false}) ||
+      DEFAULT_GPG_PRIVATE_KEY;
+    const gpgPassphrase =
+      core.getInput('gpg-passphrase', {required: false}) ||
+      (gpgPrivateKey ? DEFAULT_GPG_PASSPHRASE : undefined);

-    await auth.configAuthentication(id, username, password);
+    await auth.configAuthentication(id, username, password, gpgPassphrase);
+
+    if (gpgPrivateKey) {
+      console.log('importing private key');
+      const keyFingerprint = (await gpg.importKey(gpgPrivateKey)) || '';
+      core.saveState('gpg-private-key-fingerprint', keyFingerprint);
+    }
  } catch (error) {
    core.setFailed(error.message);
  }
--- a/src/util.ts
+++ b/src/util.ts
@ -0,0 +1,26 @@
+import * as path from 'path';
+
+export function getTempDir() {
+  let tempDirectory = process.env.RUNNER_TEMP;
+  if (tempDirectory === undefined) {
+    let baseLocation;
+    if (isWindows()) {
+      // On windows use the USERPROFILE env variable
+      baseLocation = process.env['USERPROFILE']
+        ? process.env['USERPROFILE']
+        : 'C:\\';
+    } else {
+      if (process.platform === 'darwin') {
+        baseLocation = '/Users';
+      } else {
+        baseLocation = '/home';
+      }
+    }
+    tempDirectory = path.join(baseLocation, 'actions', 'temp');
+  }
+  return tempDirectory;
+}
+
+export function isWindows() {
+  return process.platform === 'win32';
+}