From 70689a318dc9d9e127b94d538186102aa52922a4 Mon Sep 17 00:00:00 2001
From: Kazuma Watanabe
Date: Tue, 28 Jan 2025 16:53:49 +0000
Subject: [PATCH] Skip keyless verification for private third-party plugins

---
 plugin/install.go | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/plugin/install.go b/plugin/install.go
index 5c20a691d..43aa391eb 100644
--- a/plugin/install.go
+++ b/plugin/install.go
@@ -161,12 +161,22 @@ func (c *InstallConfig) Install() (string, error) {
 } else {
 // Attempt to verify by artifact attestations.
- // If there are no attestations, it will be ignored without errors.
+ repo, err := c.fetchRepository()
+ if err != nil {
+ return "", fmt.Errorf("Failed to get GitHub repository metadata: %s", err)
+ }
+ // If the repository is private, artifact attestations is not always available
+ // because it requires GitHub Enterprise Cloud plan, so we skip verification here.
+ if repo.Private != nil && *repo.Private {
+ skipVerify = true
+ }
+
 log.Printf("[DEBUG] Download artifact attestations")
 attestations, err := c.fetchArtifactAttestations(checksumsFile)
 if err != nil {
 var gerr *github.ErrorResponse
- // If experimental mode is enabled, enforces that attestations are present.
+ // If there are no attestations, it will be ignored without errors.
+ // However, experimental mode is enabled, enforces that attestations are present.
 if errors.As(err, &gerr) && gerr.Response.StatusCode == 404 && !IsExperimentalModeEnabled() {
 log.Printf("[DEBUG] Artifact attestations not found and will be ignored: %s", err)
 skipVerify = true
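Review bot: Setting `skipVerify = true` from `repo.Private` before the attestation lookup means a private repository that does publish attestations (the GHEC case the comment mentions) is installed without verification even when `fetchArtifactAttestations` would have succeeded, which is a downgrade from the pre-patch behaviour where any attestations found were verified. The skip only needs to cover the case the comment describes, attestations being unavailable, so gate it on the 404 branch instead: compute `isPrivate := repo.Private != nil && *repo.Private` where the current `if` is, drop the early `skipVerify = true`, and change the condition to `if errors.As(err, &gerr) && gerr.Response.StatusCode == 404 && (isPrivate || !IsExperimentalModeEnabled())`. There is also no log line for the private-repo skip, while the 404 path has one; an explicit `[DEBUG]` (or warning) that the plugin is installed unverified would let users notice the weaker check. The enclosing `Install` body and the branch handling non-404 errors from the attestation lookup lie outside this hunk, so whether the early flag interacts with them cannot be confirmed here.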
@@ -239,6 +249,18 @@ func (c *InstallConfig) fetchReleaseAssets() (map[string]*github.ReleaseAsset, e
 return assets, nil
 }

+// fetchRepository fetches GitHub repository metadata.
+func (c *InstallConfig) fetchRepository() (*github.Repository, error) {
+ ctx := context.Background()
+ client, err := newGitHubClient(ctx, c)
+ if err != nil {
+ return nil, err
+ }
+
+ repo, _, err := client.Repositories.Get(ctx, c.SourceOwner, c.SourceRepo)
+ return repo, err
+}
+
 // fetchArtifactAttestations fetches GitHub Artifact Attestations based on the given io.ReadSeeker.
 func (c *InstallConfig) fetchArtifactAttestations(artifact io.ReadSeeker) ([]*github.Attestation, error) {
 bytes, err := io.ReadAll(artifact)
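Review bot: The doc comment on `fetchRepository` does not say which repository is looked up or that its result feeds a trust decision, which a maintainer touching it later should know; suggest `// fetchRepository fetches metadata for c.SourceOwner/c.SourceRepo. Install reads the Private flag from the result to decide whether attestation verification is skipped, and a lookup failure is fatal to the install.` The `context.Background()` passed to `Repositories.Get` carries no deadline, so a stalled API call blocks the install indefinitely; whether the other fetchers in this file share that convention is not visible in the hunk, so match them or add a timeout consistently.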