Merge pull request #827 from crazy-max/cosign-version

cosign version

Author: crazy-max

__tests__/cosign/cosign.test.ts

@@ -0,0 +1,63 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {describe, expect, it, jest, test} from '@jest/globals';
+import * as semver from 'semver';
+
+import {Exec} from '../../src/exec';
+import {Cosign} from '../../src/cosign/cosign';
+
+describe('isAvailable', () => {
+  it('checks Cosign is available', async () => {
+    const execSpy = jest.spyOn(Exec, 'getExecOutput');
+    const cosign = new Cosign();
+    await cosign.isAvailable();
+    // eslint-disable-next-line jest/no-standalone-expect
+    expect(execSpy).toHaveBeenCalledWith(`cosign`, [], {
+      silent: true,
+      ignoreReturnCode: true
+    });
+  });
+});
+
+describe('printVersion', () => {
+  it('prints Cosign version', async () => {
+    const execSpy = jest.spyOn(Exec, 'exec');
+    const cosign = new Cosign();
+    await cosign.printVersion();
+    expect(execSpy).toHaveBeenCalledWith(`cosign`, ['version', '--json'], {
+      failOnStdErr: false
+    });
+  });
+});
+
+describe('version', () => {
+  it('valid', async () => {
+    const cosign = new Cosign();
+    expect(semver.valid(await cosign.version())).not.toBeUndefined();
+  });
+});
+
+describe('versionSatisfies', () => {
+  test.each([
+    ['v0.4.1', '>=0.3.2', true],
+    ['v0.8.0', '>0.6.0', true],
+    ['v0.8.0', '<0.3.0', false]
+  ])('given %p', async (version, range, expected) => {
+    const cosign = new Cosign();
+    expect(await cosign.versionSatisfies(range, version)).toBe(expected);
+  });
+});

dev.Dockerfile

@@ -20,6 +20,7 @@ ARG BUILDX_VERSION=0.29.1
 ARG COMPOSE_VERSION=2.39.1
 ARG UNDOCK_VERSION=0.10.0
 ARG REGCTL_VERSION=v0.8.2
+ARG COSIGN_VERSION=v3.0.2
 
 FROM node:${NODE_VERSION}-alpine AS base
 RUN apk add --no-cache cpio findutils git
@@ -81,6 +82,7 @@ FROM docker/buildx-bin:${BUILDX_VERSION} AS buildx
 FROM docker/compose-bin:v${COMPOSE_VERSION} AS compose
 FROM crazymax/undock:${UNDOCK_VERSION} AS undock
 FROM ghcr.io/regclient/regctl:${REGCTL_VERSION} AS regctl
+FROM ghcr.io/sigstore/cosign/cosign:${COSIGN_VERSION} AS cosign
 
 FROM deps AS test
 RUN --mount=type=bind,target=.,rw \
@@ -93,6 +95,7 @@ RUN --mount=type=bind,target=.,rw \
     --mount=type=bind,from=compose,source=/docker-compose,target=/usr/bin/compose \
     --mount=type=bind,from=undock,source=/usr/local/bin/undock,target=/usr/bin/undock \
     --mount=type=bind,from=regctl,source=/regctl,target=/usr/bin/regctl \
+    --mount=type=bind,from=cosign,source=/ko-app/cosign,target=/usr/bin/cosign \
     --mount=type=secret,id=GITHUB_TOKEN \
   GITHUB_TOKEN=$(cat /run/secrets/GITHUB_TOKEN) yarn run test:coverage --coverageDirectory=/tmp/coverage
 

src/cosign/cosign.ts

@@ -0,0 +1,91 @@
+/**
+ * Copyright 2025 actions-toolkit authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import * as core from '@actions/core';
+
+import {Exec} from '../exec';
+import * as semver from 'semver';
+
+export interface CosignOpts {
+  binPath?: string;
+}
+
+export class Cosign {
+  private readonly binPath: string;
+  private _version: string;
+  private _versionOnce: boolean;
+
+  constructor(opts?: CosignOpts) {
+    this.binPath = opts?.binPath || 'cosign';
+    this._version = '';
+    this._versionOnce = false;
+  }
+
+  public async isAvailable(): Promise<boolean> {
+    const ok: boolean = await Exec.getExecOutput(this.binPath, [], {
+      ignoreReturnCode: true,
+      silent: true
+    })
+      .then(res => {
+        if (res.stderr.length > 0 && res.exitCode != 0) {
+          core.debug(`Cosign.isAvailable cmd err: ${res.stderr.trim()}`);
+          return false;
+        }
+        return res.exitCode == 0;
+      })
+      .catch(error => {
+        core.debug(`Cosign.isAvailable error: ${error}`);
+        return false;
+      });
+
+    core.debug(`Cosign.isAvailable: ${ok}`);
+    return ok;
+  }
+
+  public async version(): Promise<string> {
+    if (this._versionOnce) {
+      return this._version;
+    }
+    this._versionOnce = true;
+    this._version = await Exec.getExecOutput(this.binPath, ['version', '--json'], {
+      ignoreReturnCode: true,
+      silent: true
+    }).then(res => {
+      if (res.stderr.length > 0 && res.exitCode != 0) {
+        throw new Error(res.stderr.trim());
+      }
+      return JSON.parse(res.stdout.trim()).gitVersion;
+    });
+    return this._version;
+  }
+
+  public async printVersion() {
+    await Exec.exec(this.binPath, ['version', '--json'], {
+      failOnStdErr: false
+    });
+  }
+
+  public async versionSatisfies(range: string, version?: string): Promise<boolean> {
+    const ver = version ?? (await this.version());
+    if (!ver) {
+      core.debug(`Cosign.versionSatisfies false: undefined version`);
+      return false;
+    }
+    const res = semver.satisfies(ver, range) || /^[0-9a-f]{7}$/.exec(ver) !== null;
+    core.debug(`Cosign.versionSatisfies ${ver} statisfies ${range}: ${res}`);
+    return res;
+  }
+}