diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 0e1580e..93e9f4b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -20,6 +20,33 @@ concurrency: cancel-in-progress: true jobs: + install-dependencies: + # This is a spot check for make install.dependencies on macOS and Windows platforms. + # Finch-core provides the core dependencies needed to run Finch such as the base OS + # image, rootfs, and Lima bundle. Validate the mechanism used to install the core + # dependencies works on the respective platforms. + strategy: + fail-fast: false + matrix: + os: [macos-13, windows-2022] + runs-on: ${{ matrix.os }} + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + fetch-depth: 0 + persist-credentials: false + submodules: true + - name: Setup go + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + with: + go-version-file: e2e/go.mod + cache-dependency-path: e2e/go.sum + - name: Install platform dependencies + run: make install.dependencies + - name: Clean up dependencies + run: make clean + e2e-tests: strategy: fail-fast: false diff --git a/Makefile.windows b/Makefile.windows index eed483b..edad438 100644 --- a/Makefile.windows +++ b/Makefile.windows @@ -16,7 +16,7 @@ endif WINGIT_TEMP_DIR := $(CURDIR)/wingit-temp WINGIT_x86_URL := $(or $(WINGIT_x86_URL),https://github.com/git-for-windows/git/releases/download/v2.42.0.windows.2/Git-2.42.0.2-64-bit.tar.bz2) WINGIT_x86_BASENAME ?= $(notdir $(WINGIT_x86_URL)) -WINGIT_x86_HASH := $(or $(WINGIT_x86_HASH),"sha256:c192e56f8ed3d364acc87ad04d1f5aa6ae03c23b32b67bf65fcc6f9b8f032e65") +WINGIT_x86_HASH := $(or $(WINGIT_x86_HASH),"sha512:795a2e7e0be5ab78f2d28d0bd971961d121b9c808a95dec795343dc5af943574dcf54f63a8580c5a5102075abdae387d7a67135c165821428afc07f11ef7543d") install.dependencies: install.rootfs install.lima diff --git a/bin/verify_hash.ps1 b/bin/verify_hash.ps1 index eb2dfc4..32d52a4 100644 --- a/bin/verify_hash.ps1 +++ b/bin/verify_hash.ps1 @@ -11,7 +11,7 @@ param ( [string]$DependencyHash = 'out.png' ) -if (!(Get-FileHash -Algorithm SHA256 "$DependencyFilePath").Hash -eq $DependencyHash) { +if (!(Get-FileHash -Algorithm SHA512 "$DependencyFilePath").Hash -eq $DependencyHash) { $host.SetShouldExit(-1); exit } else { Write-Output "Verified $DependencyFilePath" diff --git a/deps/install.sh b/deps/install.sh index b0308e3..d8708a9 100644 --- a/deps/install.sh +++ b/deps/install.sh @@ -9,6 +9,9 @@ set -euxo pipefail +CURRENT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +PROJECT_ROOT="$(cd -- "${CURRENT_DIR}/.." && pwd)" + file="" sources="" @@ -68,9 +71,27 @@ case "${arch}" in ;; esac +windows=false +os="$(uname -s)" +case "${os}" in + "Darwin") + ;; + CYGWIN*|MINGW32*|MINGW*|MYSYS*) + windows=true + ;; + *) + echo "error: unsupported operating system" && exit 1 + ;; +esac + # pull artifact from dependency repository curl -L --fail "${url}/${artifact}" > "${file}" -# validate shasum for downloaded artifact -(shasum --algorithm 512 "${file}" | cut -d ' ' -f 1 | grep -xq "^${digest}$") || \ - (echo "error: shasum verification failed for dependency" && rm -f "${file}" && exit 1) +# validate artifact digest +if [[ $windows = true ]]; then + (pwsh "${PROJECT_ROOT}/bin/verify_hash.ps1" "${file}" "${digest}") || \ + (echo "error: shasum verification failed for dependency" && rm -f "${file}" && exit 1) +else + (shasum --algorithm 512 "${file}" | cut -d ' ' -f 1 | grep -xq "^${digest}$") || \ + (echo "error: shasum verification failed for dependency" && rm -f "${file}" && exit 1) +fi