Merge pull request #17899 from Homebrew/ww/no-version-sniffing

Nanda H Krishna 2024-07-29 14:08:39 -04:00 committed by GitHub
commit d99c2bc890
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 9 additions and 40 deletions


@ -15,9 +15,6 @@ module Homebrew
# @api private # @api private
HOMEBREW_CORE_REPO = "Homebrew/homebrew-core" HOMEBREW_CORE_REPO = "Homebrew/homebrew-core"
# @api private
GH_ATTESTATION_MIN_VERSION = T.let(Version.new("2.49.0").freeze, Version)
# @api private # @api private
BACKFILL_REPO = "trailofbits/homebrew-brew-verify" BACKFILL_REPO = "trailofbits/homebrew-brew-verify"
@ -74,25 +71,14 @@ module Homebrew
# @api private # @api private
sig { returns(Pathname) } sig { returns(Pathname) }
def self.gh_executable def self.gh_executable
# NOTE: We set HOMEBREW_NO_VERIFY_ATTESTATIONS when installing `gh` itself,
# to prevent a cycle during bootstrapping. This can eventually be resolved
# by vendoring a pure-Ruby Sigstore verifier client.
@gh_executable ||= T.let(nil, T.nilable(Pathname)) @gh_executable ||= T.let(nil, T.nilable(Pathname))
return @gh_executable if @gh_executable.present? return @gh_executable if @gh_executable.present?
# NOTE: We set HOMEBREW_NO_VERIFY_ATTESTATIONS when installing `gh` itself,
# to prevent a cycle during bootstrapping. This can eventually be resolved
# by vendoring a pure-Ruby Sigstore verifier client.
with_env(HOMEBREW_NO_VERIFY_ATTESTATIONS: "1") do with_env(HOMEBREW_NO_VERIFY_ATTESTATIONS: "1") do
@gh_executable = ensure_executable!("gh", reason: "verifying attestations") @gh_executable = ensure_executable!("gh", reason: "verifying attestations", latest: true)
gh_version = Version.new(system_command!(@gh_executable, args: ["--version"], print_stderr: false)
.stdout.match(/\d+(?:\.\d+)+/i).to_s)
if gh_version < GH_ATTESTATION_MIN_VERSION
if Formula["gh"].version < GH_ATTESTATION_MIN_VERSION
raise "#{@gh_executable} is too old, you must upgrade it to >=#{GH_ATTESTATION_MIN_VERSION} to continue"
end
@gh_executable = ensure_formula_installed!("gh", latest: true,
reason: "verifying attestations").opt_bin/"gh"
end
end end
T.must(@gh_executable) T.must(@gh_executable)
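Review bot: With the version check removed, nothing in `gh_executable` establishes that the returned `gh` can verify attestations. `ensure_executable!` returns an existing executable before `latest:` is ever consulted (`return executable if executable.exist?` in the Kernel hunk), so `latest: true` only affects a fresh install. A `gh` already present and older than the removed 2.49.0 floor would now be handed to the verifier as-is. The callers are outside this hunk, so please confirm that a `gh` lacking attestation support makes verification raise rather than count as skipped. The NOTE could also gain a line such as `# latest: only applies when gh has to be installed; an existing gh is used as-is, whatever its version.`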


@ -425,7 +425,7 @@ module Kernel
end end
# Ensure the given executable is exist otherwise install the brewed version # Ensure the given executable is exist otherwise install the brewed version
def ensure_executable!(name, formula_name = nil, reason: "") def ensure_executable!(name, formula_name = nil, reason: "", latest: false)
formula_name ||= name formula_name ||= name
executable = [ executable = [
@ -438,7 +438,7 @@ module Kernel
].compact.first ].compact.first
return executable if executable.exist? return executable if executable.exist?
ensure_formula_installed!(formula_name, reason:).opt_bin/name ensure_formula_installed!(formula_name, reason:, latest:).opt_bin/name
end end
def paths def paths
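Review bot: The comment above `ensure_executable!` does not document the new `latest:` keyword, and its wording ("is exist") is ungrammatical. I would replace it with `# Ensure the given executable exists, otherwise install the brewed version.` followed by `# latest: is forwarded to ensure_formula_installed! only; an executable that already exists is returned without a version check.` The candidate list between the two hunks is not shown, so where an existing executable is looked up cannot be confirmed from here.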


@ -6,9 +6,6 @@ RSpec.describe Homebrew::Attestation do
let(:fake_gh) { Pathname.new("/extremely/fake/gh") } let(:fake_gh) { Pathname.new("/extremely/fake/gh") }
let(:fake_old_gh) { Pathname.new("/extremely/fake/old/gh") } let(:fake_old_gh) { Pathname.new("/extremely/fake/old/gh") }
let(:fake_gh_creds) { "fake-gh-api-token" } let(:fake_gh_creds) { "fake-gh-api-token" }
let(:fake_gh_formula) { instance_double(Formula, "gh", opt_bin: Pathname.new("/extremely/fake")) }
let(:fake_gh_version) { instance_double(SystemCommand::Result, stdout: "2.49.0") }
let(:fake_old_gh_version) { instance_double(SystemCommand::Result, stdout: "2.48.0") }
let(:fake_error_status) { instance_double(Process::Status, exitstatus: 1, termsig: nil) } let(:fake_error_status) { instance_double(Process::Status, exitstatus: 1, termsig: nil) }
let(:fake_auth_status) { instance_double(Process::Status, exitstatus: 4, termsig: nil) } let(:fake_auth_status) { instance_double(Process::Status, exitstatus: 4, termsig: nil) }
let(:cached_download) { "/fake/cached/download" } let(:cached_download) { "/fake/cached/download" }
@ -69,24 +66,10 @@ RSpec.describe Homebrew::Attestation do
end end
describe "::gh_executable" do describe "::gh_executable" do
before do it "calls ensure_executable" do
allow(Formulary).to receive(:factory)
.with("gh")
.and_return(instance_double(Formula, version: Version.new("2.49.0")))
allow(described_class).to receive(:system_command!)
.with(fake_old_gh, args: ["--version"], print_stderr: false)
.and_return(fake_old_gh_version)
end
it "calls ensure_executable and ensure_formula_installed" do
expect(described_class).to receive(:ensure_executable!) expect(described_class).to receive(:ensure_executable!)
.with("gh", reason: "verifying attestations") .with("gh", reason: "verifying attestations", latest: true)
.and_return(fake_old_gh) .and_return(fake_gh)
expect(described_class).to receive(:ensure_formula_installed!)
.with("gh", latest: true, reason: "verifying attestations")
.and_return(fake_gh_formula)
described_class.gh_executable described_class.gh_executable
end end
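Review bot: The rewritten example only asserts that `ensure_executable!` receives `latest: true`. No example now covers a `gh` that already exists and predates attestation support, which the removed `before` block and `fake_old_gh_version` exercised. If that case is meant to surface as a verification failure, an example asserting the raised error would pin the behaviour down. `let(:fake_old_gh)` also stays defined although its use in this example was replaced by `fake_gh`. The rest of the spec is outside these hunks, so it can be dropped only if no other example refers to it.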