Using CAS for content-trust (#3382)

* Using CAS for content-trust * v2 * Fix linting errors * Adjust field checked for status in CAS response * CI workflow needs CAS not VCN now * Use cwd in test as code won't be in /usr/src * Pre-cache CAS pub key for supervisor * Cas doesn't actually need key file executable Co-authored-by: Mike Degatano <michael.degatano@gmail.com>
2025-12-27 05:57:09 +00:00 · 2022-02-10 09:21:21 +01:00
parent e5d64f6c75
commit 3478005e70
13 changed files with 100 additions and 67 deletions
--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -33,6 +33,7 @@ on:
      - setup.py

 env:
+  DEFAULT_PYTHON: 3.9
  BUILD_NAME: supervisor
  BUILD_TYPE: supervisor
  WHEELS_TAG: 3.9-alpine3.14
@@ -138,7 +139,7 @@ jobs:
          CAS_API_KEY: ${{ secrets.CAS_TOKEN }}

  codenotary:
-    name: CodeNotary signature
+    name: CAS signature
    needs: init
    runs-on: ubuntu-latest
    steps:
@@ -148,6 +149,20 @@ jobs:
        with:
          fetch-depth: 0

+      - name: Set up Python ${{ env.DEFAULT_PYTHON }}
+        if: needs.init.outputs.publish == 'true'
+        uses: actions/setup-python@v2.3.1
+        with:
+          python-version: ${{ env.DEFAULT_PYTHON }}
+
+      - name: Install dirhash and calc hash
+        if: needs.init.outputs.publish == 'true'
+        id: dirhash
+        run: |
+          pip3 install dirhash
+          dir_hash="$(dirhash "${{ github.workspace }}" -a sha256 --match "*.py")"
+          echo "::set-output name=dirhash::${dir_hash}"
+
      - name: Set version
        if: needs.init.outputs.publish == 'true'
        uses: home-assistant/actions/helpers/version@master
@@ -158,10 +173,8 @@ jobs:
        if: needs.init.outputs.publish == 'true'
        uses: home-assistant/actions/helpers/codenotary@master
        with:
-          source: dir://${{ github.workspace }}
-          user: ${{ secrets.VCN_USER }}
-          password: ${{ secrets.VCN_PASSWORD }}
-          organisation: ${{ secrets.VCN_ORG }}
+          source: hash://${{ steps.dirhash.outputs.dirhash }}
+          token: ${{ secrets.CAS_TOKEN }}

  version:
    name: Update version
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -10,7 +10,7 @@ on:
 env:
  DEFAULT_PYTHON: 3.9
  PRE_COMMIT_HOME: ~/.cache/pre-commit
-  DEFAULT_VCN: v0.9.8
+  DEFAULT_CAS: v1.0.1

 jobs:
  # Separate job to pre-populate the base dependency cache
@@ -351,10 +351,10 @@ jobs:
        id: python
        with:
          python-version: ${{ matrix.python-version }}
-      - name: Install VCN tools
-        uses: home-assistant/actions/helpers/vcn@master
+      - name: Install CAS tools
+        uses: home-assistant/actions/helpers/cas@master
        with:
-          vcn_version: ${{ env.DEFAULT_VCN }}
+          version: ${{ env.DEFAULT_CAS }}
      - name: Restore Python virtual environment
        id: cache-venv
        uses: actions/cache@v2.1.7