actions/runner-images-sangeeth
1
0
Fork 0
mirror of https://github.com/actions/runner-images-sangeeth.git synced 2025-12-20 06:29:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

[Ubuntu] Add more checksum validations (#8660)

Browse Source
This commit is contained in:
Erik Bershel
2023-11-02 15:40:32 +01:00
committed by GitHub
parent 3146c7010e
commit 53416cd923
9 changed files with 86 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
images/linux/scripts/installers/docker.sh
View File

@@ -2,7 +2,7 @@
################################################################################
## File: docker.sh
## Desc: Installs docker onto the image
## Supply chain security: Docker Compose v2 - checksum validation
## Supply chain security: Docker Compose v2, amazon-ecr-credential-helper - checksum validation
################################################################################
# Source the helpers for use with the script
@@ -18,13 +18,14 @@ echo "deb [arch=amd64 signed-by=$gpg_key] $repo_url $(getOSVersionLabel) stable"
apt-get update
apt-get install --no-install-recommends docker-ce docker-ce-cli containerd.io docker-buildx-plugin
# Install docker compose v2 from releases
# Download docker compose v2 from releases
URL=$(get_github_package_download_url "docker/compose" "contains(\"compose-linux-x86_64\")")
curl -fsSL "${URL}" -o /tmp/docker-compose
# Supply chain security - CMake
hash_url=$(get_github_package_download_url "docker/compose" "contains(\"checksums.txt\")")
external_hash=$(get_hash_from_remote_file "$hash_url" "compose-linux-x86_64")
use_checksum_comparison "/tmp/docker-compose" "$external_hash"
# Supply chain security - Docker Compose v2
compose_hash_url=$(get_github_package_download_url "docker/compose" "contains(\"checksums.txt\")")
compose_external_hash=$(get_hash_from_remote_file "${compose_hash_url}" "compose-linux-x86_64")
use_checksum_comparison "/tmp/docker-compose" "${compose_external_hash}"
# Install docker compose v2
install /tmp/docker-compose /usr/libexec/docker/cli-plugins/docker-compose
@@ -62,17 +63,22 @@ else
echo "Skipping docker images pulling"
fi
# Install amazon-ecr-credential-helper
# Download amazon-ecr-credential-helper
aws_helper="docker-credential-ecr-login"
aws_latest_release_url="https://api.github.com/repos/awslabs/amazon-ecr-credential-helper/releases/latest"
aws_helper_url=$(curl "${authString[@]}" -fsSL $aws_latest_release_url | jq -r '.body' | awk -F'[()]' '/linux-amd64/ {print $2}')
download_with_retries "$aws_helper_url" "/usr/bin" docker-credential-ecr-login
chmod +x /usr/bin/docker-credential-ecr-login
aws_helper_url=$(curl "${authString[@]}" -fsSL "${aws_latest_release_url}" | jq -r '.body' | awk -F'[()]' '/linux-amd64/ {print $2}')
download_with_retries "${aws_helper_url}" "/tmp" "${aws_helper}"
# Supply chain security - amazon-ecr-credential-helper
aws_helper_external_hash=$(get_hash_from_remote_file "${aws_helper_url}.sha256" "${aws_helper}")
use_checksum_comparison "/tmp/${aws_helper}" "${aws_helper_external_hash}"
# Install amazon-ecr-credential-helper
install "/tmp/${aws_helper}" "/usr/bin/${aws_helper}"
# Cleanup custom repositories
rm $gpg_key
rm $repo_path
invoke_tests "Tools" "Docker"
if [ "${DOCKERHUB_PULL_IMAGES:-yes}" -eq "yes" ]; then
if [ "${DOCKERHUB_PULL_IMAGES:-yes}" == "yes" ]; then
invoke_tests "Tools" "Docker images"
fi