feat: support "Pro" archives #167
In chisel.yaml, archive definitions can now use the "pro" value to specify Ubuntu Pro archives. The `archives.<archive>.pro` value currently accepts the following values: "fips", "fips-updates", "apps" and "infra". Any other values are ignored. By default, Chisel will look for credentials in the `/etc/apt/auth.conf.d/` directory, unless the environment variable `CHISEL_AUTH_DIR` is set, in which case it will look for configuration files in that directory. The configuration files may only have the ".conf" extension or no extension; the format is described in https://manpages.debian.org/testing/apt/apt_auth.conf.5.en.html.
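The credential lookup described in the PR description above, as an added example that is not Chisel's implementation and not code from this PR: it picks the directory from `CHISEL_AUTH_DIR` or the default, reads only ".conf" or extensionless files, and returns the first matching `machine` entry. The `Credentials` type, the `findCredentials` name and the `archive.example.com` host are hypothetical; entries are assumed to be whitespace-separated key/value pairs with `login` before `password`, and matching is simplified to a plain string prefix.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Credentials is a hypothetical type for this example, not Chisel's own.
type Credentials struct{ Username, Password string }

// findCredentials returns the first entry whose "machine" prefixes target, or nil.
func findCredentials(target string) (*Credentials, error) {
	dir := os.Getenv("CHISEL_AUTH_DIR") // overrides the default directory when set
	if dir == "" {
		dir = "/etc/apt/auth.conf.d/"
	}
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	for _, e := range entries {
		if ext := filepath.Ext(e.Name()); e.IsDir() || (ext != "" && ext != ".conf") {
			continue // only ".conf" or extensionless files are read
		}
		data, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			return nil, err
		}
		match, login := false, ""
		for tok := strings.Fields(string(data)); len(tok) >= 2; tok = tok[2:] {
			switch key, val := tok[0], tok[1]; {
			case key == "machine":
				match, login = strings.HasPrefix(target, val), ""
			case key == "login":
				login = val
			case key == "password" && match:
				return &Credentials{login, val}, nil
			}
		}
	}
	return nil, nil
}

func main() {
	creds, err := findCredentials("archive.example.com/fips/ubuntu/dists") // constructed target
	fmt.Println("found:", creds != nil, "err:", err)
}
```

With a plain prefix match, a `machine` value ending in `/fips/ubuntu/` does not match a `fips-updates` URL, but one written without the trailing path separator would, so entries should be written with it.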
Looking good in general. There are several minors, but nothing fundamental about the logic. Thanks for looking into these.
.github/workflows/pro_tests.yaml
Thanks for this @letFunny.
I'd propose something different here, just to avoid leaking the real Pro token.
Atm, you're attaching multiple times - 1 for the `real-archive-tests` job, within the GH runner; and the 1+ within the spread tasks.
An oversight or injection of malicious tests could compromise this token.
Instead, since Chisel only needs the APT creds, I'd propose the following flow:
- have an initial job that sets up the Pro subscription
- save the APT creds as a GitHub output
- share that output with the `real-archive-tests` job
- share that same output with the spread job too
You may raise the point: "you might still leak the APT creds". True. I'm not sure if those bearer tokens ever expire, but in any case, with the Pro token you can also get them, plus more.
Thanks for the good work in this feature!
}, | ||
} | ||
|
||
func archiveURL(pro, arch string) (string, *credentials, error) { |
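Review bot: the signature on the last line, archiveURL(pro, arch string) (string, *credentials, error), has no doc comment in the visible context, and nothing states when the *credentials result is nil and when it is populated. A short comment above the function saying what the returned string is and under which inputs credentials are returned would let callers handle the nil case without reading the body.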
Function looks good now, thanks.
"v2-archives" defines the archives, same as "archives". It is added to define Ubuntu Pro archives in chisel-releases with "pro" and "priority" fields (see canonical#160 and canonical#167), while supporting Chisel<=v1.0.0 and chisel-releases "format"<=v1. Since Chisel ignores unknown fields, archives defined in "v2-archives" will be ignored by v1.0.0 but picked up by later versions.