docker
diff --git a/‎__tests__/cosign/install.test.itg.ts‎
Lines changed: 50 additions & 0 deletions b/‎__tests__/cosign/install.test.itg.ts‎
Lines changed: 50 additions & 0 deletions
diff --git a/‎__tests__/cosign/install.test.ts‎
Lines changed: 132 additions & 0 deletions b/‎__tests__/cosign/install.test.ts‎
Lines changed: 132 additions & 0 deletions
diff --git a/‎src/cosign/dockerfile.ts‎
Lines changed: 60 additions & 0 deletions b/‎src/cosign/dockerfile.ts‎
Lines changed: 60 additions & 0 deletions
@@ -0,0 +1,50 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {describe, expect, it, test} from '@jest/globals';
+import * as fs from 'fs';
+
+import {Install} from '../../src/cosign/install';
+
+const maybe = !process.env.GITHUB_ACTIONS || (process.env.GITHUB_ACTIONS === 'true' && process.env.ImageOS && process.env.ImageOS.startsWith('ubuntu')) ? describe : describe.skip;
+
+describe('download', () => {
+  // prettier-ignore
+  test.each(['latest'])(
+    'install cosign %s', async (version) => {
+      await expect((async () => {
+        const install = new Install();
+        const toolPath = await install.download(version);
+        if (!fs.existsSync(toolPath)) {
+          throw new Error('toolPath does not exist');
+        }
+        const binPath = await install.install(toolPath);
+        if (!fs.existsSync(binPath)) {
+          throw new Error('binPath does not exist');
+        }
+      })()).resolves.not.toThrow();
+    }, 60000);
+});
+
+maybe('build', () => {
+  it.skip('builds refs/pull/4492/head', async () => {
+    const install = new Install();
+    const toolPath = await install.build('https://github.com/sigstore/cosign.git#refs/pull/4492/head');
+    expect(fs.existsSync(toolPath)).toBe(true);
+    const buildxBin = await install.install(toolPath);
+    expect(fs.existsSync(buildxBin)).toBe(true);
+  }, 500000);
+});
@@ -0,0 +1,132 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {describe, expect, it, jest, test, afterEach} from '@jest/globals';
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import * as rimraf from 'rimraf';
+import osm = require('os');
+
+import {Install} from '../../src/cosign/install';
+
+const tmpDir = fs.mkdtempSync(path.join(process.env.TEMP || os.tmpdir(), 'cosign-install-'));
+
+afterEach(function () {
+  rimraf.sync(tmpDir);
+});
+
+describe('download', () => {
+  // prettier-ignore
+  test.each([
+    ['v2.6.1'],
+    ['v3.0.1'],
+    ['latest']
+  ])(
+  'acquires %p of cosign', async (version) => {
+    const install = new Install();
+    const toolPath = await install.download(version);
+    expect(fs.existsSync(toolPath)).toBe(true);
+    const cosignBin = await install.install(toolPath, tmpDir);
+    expect(fs.existsSync(cosignBin)).toBe(true);
+  }, 100000);
+
+  // prettier-ignore
+  test.each([
+    // following versions are already cached to htc from previous test cases
+    ['v2.6.1'],
+    ['v3.0.1'],
+  ])(
+  'acquires %p of cosign with cache', async (version) => {
+    const install = new Install();
+    const toolPath = await install.download(version);
+    expect(fs.existsSync(toolPath)).toBe(true);
+  }, 100000);
+
+  // prettier-ignore
+  test.each([
+    ['v2.5.3'],
+    ['v2.6.0'],
+  ])(
+  'acquires %p of cosign without cache', async (version) => {
+    const install = new Install();
+    const toolPath = await install.download(version, true);
+    expect(fs.existsSync(toolPath)).toBe(true);
+  }, 100000);
+
+  // TODO: add tests for arm
+  // prettier-ignore
+  test.each([
+    ['win32', 'x64'],
+    ['darwin', 'x64'],
+    ['darwin', 'arm64'],
+    ['linux', 'x64'],
+    ['linux', 'arm64']
+  ])(
+  'acquires undock for %s/%s', async (os, arch) => {
+    jest.spyOn(osm, 'platform').mockImplementation(() => os as NodeJS.Platform);
+    jest.spyOn(osm, 'arch').mockImplementation(() => arch);
+    const install = new Install();
+    const cosignBin = await install.download('latest');
+    expect(fs.existsSync(cosignBin)).toBe(true);
+  }, 100000);
+});
+
+describe('getDownloadVersion', () => {
+  it('returns latest download version', async () => {
+    const version = await Install.getDownloadVersion('latest');
+    expect(version.version).toEqual('latest');
+    expect(version.downloadURL).toEqual('https://github.com/sigstore/cosign/releases/download/v%s/%s');
+    expect(version.contentOpts).toEqual({
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/cosign-releases.json'
+    });
+  });
+  it('returns v3.0.2 download version', async () => {
+    const version = await Install.getDownloadVersion('v3.0.2');
+    expect(version.version).toEqual('v3.0.2');
+    expect(version.downloadURL).toEqual('https://github.com/sigstore/cosign/releases/download/v%s/%s');
+    expect(version.contentOpts).toEqual({
+      owner: 'docker',
+      repo: 'actions-toolkit',
+      ref: 'main',
+      path: '.github/cosign-releases.json'
+    });
+  });
+});
+
+describe('getRelease', () => {
+  it('returns latest GitHub release', async () => {
+    const version = await Install.getDownloadVersion('latest');
+    const release = await Install.getRelease(version);
+    expect(release).not.toBeNull();
+    expect(release?.tag_name).not.toEqual('');
+  });
+  it('returns v3.0.2 GitHub release', async () => {
+    const version = await Install.getDownloadVersion('v3.0.2');
+    const release = await Install.getRelease(version);
+    expect(release).not.toBeNull();
+    expect(release?.id).toEqual(253720294);
+    expect(release?.tag_name).toEqual('v3.0.2');
+    expect(release?.html_url).toEqual('https://github.com/sigstore/cosign/releases/tag/v3.0.2');
+  });
+  it('unknown release', async () => {
+    const version = await Install.getDownloadVersion('foo');
+    await expect(Install.getRelease(version)).rejects.toThrow(new Error('Cannot find Cosign release foo in releases JSON'));
+  });
+});
@@ -0,0 +1,60 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+export const dockerfileContent = `
+# syntax=docker/dockerfile:1
+
+ARG GO_VERSION="1.25"
+ARG ALPINE_VERSION="3.22"
+
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.7.0 AS xx
+
+FROM --platform=$BUILDPLATFORM golang:\${GO_VERSION}-alpine\${ALPINE_VERSION} AS builder-base
+COPY --from=xx / /
+RUN apk add --no-cache git
+ENV CGO_ENABLED=0
+WORKDIR /src
+RUN --mount=type=cache,target=/go/pkg/mod \\
+    --mount=type=bind,source=go.mod,target=go.mod \\
+    --mount=type=bind,source=go.sum,target=go.sum \\
+    go mod download
+
+FROM builder-base AS version
+RUN --mount=type=bind,target=. <<'EOT'
+  git rev-parse HEAD 2>/dev/null || {
+    echo >&2 "Failed to get git revision, make sure --build-arg BUILDKIT_CONTEXT_KEEP_GIT_DIR=1 is set when building from Git directly"
+    exit 1
+  }
+  set -ex
+  export PKG=sigs.k8s.io BUILDDATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") TREESTATE=$(if ! git diff --no-ext-diff --quiet --exit-code; then echo dirty; else echo clean; fi) VERSION=$(git describe --match 'v[0-9]*' --dirty='.m' --always --tags) COMMIT=$(git rev-parse HEAD)$(if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi);
+  echo "-X \${PKG}/release-utils/version.gitVersion=\${VERSION} -X \${PKG}/release-utils/version.gitCommit=\${COMMIT} -X \${PKG}/release-utils/version.gitTreeState=\${TREESTATE} -X \${PKG}/release-utils/version.buildDate=\${BUILDDATE}" > /tmp/.ldflags;
+  echo -n "\${VERSION}" > /tmp/.version;
+EOT
+
+FROM builder-base AS builder
+ARG TARGETPLATFORM
+RUN --mount=type=bind,target=. \\
+    --mount=type=cache,target=/root/.cache,id=cosign-$TARGETPLATFORM \\
+    --mount=source=/tmp/.ldflags,target=/tmp/.ldflags,from=version \\
+    --mount=type=cache,target=/go/pkg/mod <<EOT
+  set -ex
+  xx-go build -trimpath -ldflags "-s -w $(cat /tmp/.ldflags)" -o /out/cosign ./cmd/cosign
+  xx-verify --static /out/cosign
+EOT
+
+FROM scratch
+COPY --from=builder /out /
+`;