Conversation


@phillmv phillmv commented Nov 22, 2024

Related to #9850,

We often find ourselves wanting to "pop" a bundle to debug what is going on.

This PR:

  • removes the requirement that an artifact be present
  • verifies the "authenticity" of the bundle's crypto materials (aka does NOT perform a full verification)
  • even if the materials fail to verify we still try to export the bundle's contents in a user friendly way

@phillmv phillmv marked this pull request as ready for review December 11, 2024 21:57
@phillmv phillmv requested review from a team as code owners December 11, 2024 21:57
@phillmv phillmv requested a review from andyfeller December 11, 2024 21:57
@cliAutomation cliAutomation added the external pull request originating outside of the CLI core team label Dec 11, 2024
@phillmv phillmv changed the title WIP: improve gh at inspect sundry gh at inspect improvements Dec 11, 2024

@andyfeller andyfeller left a comment

Not sure if this should be a draft being WIP or if you're looking for automated tests to run against it, so please let me know whether this is ready for final review 🙇

github.com/cli/safeexec v1.0.1
github.com/cpuguy83/go-md2man/v2 v2.0.5
github.com/creack/pty v1.1.24
github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7
I really wish this module had releases. That said, I see @malancas and @bdehamer have contributed before and this is just explicitly depending upon this previously indirect dependency.


phillmv commented Dec 11, 2024

@andyfeller It's ready to review now! But you did catch the one file I forgot to delete before opening it up 🤦‍♀️.


kommendorkapten commented Dec 12, 2024

Tested successfully with tenancy too:

$ ./bin/gh at inspect --hostname <tenant>.ghe.com sha256:ee1da733509a17045a215d5ce75a8f988ad4be3c60532d149babcf6e643a20df.jsonl 
Authentic:............. true (GH)
Source NWO:............ <org>/actions
PredicateType:......... https://slsa.dev/provenance/v1
SubjectAlternativeName: https://<tenant>.ghe.com/<org>/actions/.github/workflows/attest.yaml@refs/heads/main
RunInvocationURI:...... https://<tenant>.ghe.com/<org>/actions/actions/runs/2605126/attempts/1
CertificateNotBefore:.. 2024-10-22T13:50:54Z

edit: I first messed up the tenancy test, shame on me.

```go
// Issuer label derived from the RFC 2253 issuer string of the leaf certificate;
// the comma in "GitHub, Inc." is escaped as "\," in that form.
if strings.HasSuffix(certIssuer, "O=GitHub\\, Inc.") {
	printIssuer = "(GH)"
} else if strings.HasSuffix(certIssuer, "O=sigstore.dev") {
	printIssuer = "(PGI)"
}
```
Contributor


Maybe use sigstore here instead of PGI?

Contributor Author


I find "Sigstore" to be a bit confusing - this is still a sigstore system - but Sigstore PGI might be a good compromise.
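
An added example, not code from cli/cli or from anyone in this thread, showing the two points discussed above: the "authenticity" check from the PR description (chain the bundle's leaf certificate to a trusted root and nothing more, while still exporting the certificate's fields when that fails) and the issuer labelling from the snippet under review, done here on the parsed Organization field rather than on the RFC 2253 issuer string. It assumes the caller has already base64-decoded the leaf certificate out of the bundle's verificationMaterial (that JSON step is left out); the `Inspect` and `SampleLeaf` names, the use of "GitHub, Inc." and "sigstore.dev" as issuer discriminators, and the constructed throwaway CA and workflow SAN are all assumptions of this example. The fields it reports mirror those in the tenancy test output above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Summary is filled in before the trust decision, so a certificate that fails
// to verify is still dumped for debugging; Err says why Authentic is false.
type Summary struct {
	Authentic bool
	Issuer    string     // "(GH)", "(Sigstore PGI)" or "" for anything else
	SANs      []*url.URL // URI SANs: the workflow identity in a Fulcio cert
	NotBefore time.Time  // start of the short-lived signing window
	Err       string
}

// The PR's issuer check, keyed on the parsed Organization rather than the
// RFC 2253 string, so the escaping of "GitHub, Inc." does not matter.
var issuerLabel = map[string]string{"GitHub, Inc.": "(GH)", "sigstore.dev": "(Sigstore PGI)"}

// Inspect takes the DER leaf certificate from a bundle's verificationMaterial
// (assumption: the caller has base64-decoded that field), extracts its identity
// fields, then checks only that it chains to roots. The DSSE signature, Rekor
// entry and subject digest are not checked; only an unparsable cert is an error.
func Inspect(leafDER []byte, roots *x509.CertPool) (Summary, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return Summary{}, err
	}
	s := Summary{SANs: leaf.URIs, NotBefore: leaf.NotBefore}
	s.Issuer = issuerLabel[strings.Join(leaf.Issuer.Organization, ",")]
	// Fulcio leaves live for minutes, so verify at signing time, not now. A real
	// verifier takes that time from Rekor or an RFC 3161 timestamp; this toy
	// reads it from the certificate itself.
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: leaf.NotBefore.Add(time.Second),
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	if err != nil {
		s.Err = err.Error() // keep the summary: this is the debugging case
		return s, nil
	}
	s.Authentic = true
	return s, nil
}

// SampleLeaf is a constructed fixture: a throwaway CA whose subject mimics
// GitHub's Fulcio issuer and a leaf carrying a workflow URI SAN. It returns
// the leaf DER plus a pool holding the CA.
func SampleLeaf() ([]byte, *x509.CertPool, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{Organization: []string{"GitHub, Inc."}, CommonName: "test intermediate"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	ca, _ = x509.ParseCertificate(caDER)
	san, _ := url.Parse("https://github.com/example/actions/.github/workflows/attest.yaml@refs/heads/main")
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), URIs: []*url.URL{san},
		NotBefore:    now.Add(-10 * time.Minute), NotAfter: now,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return leafDER, pool, err
}

func main() {
	leafDER, roots, err := SampleLeaf()
	if err != nil {
		panic(err)
	}
	// Second pass uses an empty pool: Authentic is false but the fields still print.
	for _, pool := range []*x509.CertPool{roots, x509.NewCertPool()} {
		s, _ := Inspect(leafDER, pool)
		fmt.Printf("Authentic: %v %s  SAN: %v  NotBefore: %s  Err: %q\n",
			s.Authentic, s.Issuer, s.SANs, s.NotBefore.Format(time.RFC3339), s.Err)
	}
}
```

Run as-is, the second pass with an empty root pool prints the same issuer, SAN and NotBefore with Authentic false and the chain error, which is the "still try to export the bundle's contents" behaviour from the PR description. Two caveats a practitioner would want: Fulcio leaves are only valid for minutes, so `CurrentTime` has to be the signing time, which a real verifier takes from the Rekor entry or a timestamp authority rather than from the certificate as this example does; and chaining to a root says nothing about the DSSE signature, the Rekor inclusion proof or the subject digest, so an Authentic true here is not a substitute for `gh attestation verify`.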


@andyfeller andyfeller left a comment


shipit-squirrel-thumbsup

@phillmv phillmv merged commit c789b56 into trunk Dec 13, 2024
@phillmv phillmv deleted the phillmv/improve-gh-at-inspect branch December 13, 2024 14:50
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Dec 21, 2024
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cli/cli](https://github.com/cli/cli) | minor | `v2.63.2` -> `v2.64.0` |


---

### Release Notes

<details>
<summary>cli/cli (cli/cli)</summary>

### [`v2.64.0`](https://github.com/cli/cli/releases/tag/v2.64.0): GitHub CLI 2.64.0

[Compare Source](cli/cli@v2.63.2...v2.64.0)

#### What's Changed

-   docs: improve docs for browse command as of [#5352](cli/cli#5352) by [@ankddev](https://github.com/ankddev) in cli/cli#10025
-   Open MR against gh-merge-base by [@heaths](https://github.com/heaths) in cli/cli#9712
-   Add integration tests for `gh attestation verify` when the `bundle-from-oci` flag is specified by [@malancas](https://github.com/malancas) in cli/cli#10020
-   `gh repo rename` help text clarifies new repo name should not include owner by [@BagToad](https://github.com/BagToad) in cli/cli#10044
-   fix: list branches in square brackets in `gh run` and `gh codespace` by [@uday-rana](https://github.com/uday-rana) in cli/cli#10043
-   Bump actions/attest-build-provenance from 1.4.4 to 2.1.0 by [@dependabot](https://github.com/dependabot) in cli/cli#10056
-   Bump golang.org/x/crypto from 0.29.0 to 0.31.0 by [@dependabot](https://github.com/dependabot) in cli/cli#10070
-   Improve documentation and error messaging for local extension installations without executables by [@BagToad](https://github.com/BagToad) in cli/cli#9933
-   docs: better document auth scopes by [@ankddev](https://github.com/ankddev) in cli/cli#10026
-   Sigstore verifier logic updates by [@malancas](https://github.com/malancas) in cli/cli#9999
-   `gh pr merge --delete-branch` exits with error when merge requested via merge queue by [@BagToad](https://github.com/BagToad) in cli/cli#10074
-   sundry `gh at inspect` improvements by [@phillmv](https://github.com/phillmv) in cli/cli#9954
-   Support `pr view` for intra-org forks by [@williammartin](https://github.com/williammartin) in cli/cli#10078
-   Print policy information before verifying attestations by [@malancas](https://github.com/malancas) in cli/cli#9891
-   Improve error handling in apt setup script by [@jobegrabber](https://github.com/jobegrabber) in cli/cli#10055
-   Use Windows compatible file name for downloaded attestations when running `gh attestation download` by [@malancas](https://github.com/malancas) in cli/cli#10051
-   Bump github.com/cpuguy83/go-md2man/v2 from 2.0.5 to 2.0.6 by [@dependabot](https://github.com/dependabot) in cli/cli#10094
-   Perform all `gh attestation verify` policy options configuration in the `newEnforcementCriteria()` function by [@malancas](https://github.com/malancas) in cli/cli#10012

#### New Contributors

-   [@ankddev](https://github.com/ankddev) made their first contribution in cli/cli#10025
-   [@uday-rana](https://github.com/uday-rana) made their first contribution in cli/cli#10043
-   [@jobegrabber](https://github.com/jobegrabber) made their first contribution in cli/cli#10055

**Full Changelog**: cli/cli@v2.63.2...v2.64.0

</details>
