feat: support "Pro" archives #167
Conversation
In chisel.yaml, archive definitions can now use the "pro" value to specify Ubuntu Pro archives. The `archives.<archive>.pro` value currently accepts the following values: "fips", "fips-updates", "apps" and "infra". Any other values are ignored. By default, Chisel will look for credentials in the `/etc/apt/auth.conf.d/` directory, unless the environment variable `CHISEL_AUTH_DIR` is set, in which case it will look for configuration files in that directory. The configuration files may only have the ".conf" extension or no extension; the format is described in https://manpages.debian.org/testing/apt/apt_auth.conf.5.en.html.
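The credential lookup the description above specifies, as an added example that is not Chisel's own code: a small Python model that reads only `*.conf` and extension-less files from the auth directory, parses the apt_auth.conf format, and picks the entry whose `machine` value is the longest prefix of the archive URL. The prefix-matching rule, the treatment of `#` as a comment, and the sample files with fake tokens are assumptions for the example, not taken from the PR.

```python
import tempfile
from dataclasses import dataclass
from pathlib import Path

@dataclass
class AuthCred:
    machine: str
    login: str = ""
    password: str = ""

def parse_auth_conf(text: str) -> list[AuthCred]:
    """netrc-style apt_auth.conf(5): key/value tokens, entries may span lines."""
    creds: list[AuthCred] = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # assumed: "#" starts a comment
        for key, val in zip(fields[::2], fields[1::2]):
            if key == "machine":  # a "machine" token starts a new entry
                creds.append(AuthCred(machine=val))
            elif creds and key in ("login", "password"):  # before any machine: ignored
                setattr(creds[-1], key, val)
    return creds

def load_auth_dir(auth_dir: str) -> list[AuthCred]:
    """Read the files in auth_dir (/etc/apt/auth.conf.d/ or CHISEL_AUTH_DIR) that the
    PR description allows: a ".conf" extension or no extension at all."""
    creds: list[AuthCred] = []
    for path in sorted(Path(auth_dir).iterdir()):
        if path.is_file() and path.suffix in ("", ".conf"):
            creds.extend(parse_auth_conf(path.read_text()))
    return creds

def find_credentials(creds: list[AuthCred], url: str):
    """Longest 'machine' prefix match against the URL minus its scheme (assumed rule)."""
    target = url.split("://", 1)[-1]
    matches = [c for c in creds if target.startswith(c.machine)]
    return max(matches, key=lambda c: len(c.machine), default=None)

# Constructed sample directory contents with fake tokens; README.txt must be ignored.
SAMPLE_FILES = {
    "90ubuntu-advantage": "machine esm.ubuntu.com/infra/ubuntu/ login bearer password CONSTRUCTED-INFRA  # ubuntu-pro-client\n",
    "fips.conf": "machine esm.ubuntu.com/fips/ubuntu/\n  login bearer\n  password CONSTRUCTED-FIPS\n",
    "README.txt": "machine esm.ubuntu.com/apps/ubuntu/ login bearer password IGNORED-WRONG-EXT\n",
}

def resolve_sample(urls: list[str]) -> dict:
    """Write SAMPLE_FILES to a temp dir, load it, and return the password chosen per URL."""
    with tempfile.TemporaryDirectory() as auth_dir:
        for name, body in SAMPLE_FILES.items():
            Path(auth_dir, name).write_text(body)
        creds = load_auth_dir(auth_dir)
    return {u: (c.password if (c := find_credentials(creds, u)) else None) for u in urls}
```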
niemeyer left a comment
Looking good in general. There are several minors, but nothing fundamental about the logic. Thanks for looking into these.
Thanks for this @letFunny .
I'd propose something different here, just to avoid leaking the real Pro token.
Atm, you're attaching multiple times - 1 for the real-archive-tests job, within the GH runner; and the 1+ within the spread tasks.
An oversight or injection of malicious tests could compromise this token.
Instead, since Chisel only needs the APT creds, I'd propose the following flow:
- have an initial job that sets up the Pro subscription
- save the APT creds as a GitHub output
- share that output with the real-archive-tests job
- share that same output with the spread job too
You may raise the point: "you might still leak the APT creds". True. I'm not sure if those bearer tokens ever expire, but in any case, with the Pro token you can also get them, plus more.
niemeyer left a comment
Thanks for the good work in this feature!
```go
	},
}


func archiveURL(pro, arch string) (string, *credentials, error) {
```
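Review bot: archiveURL has no doc comment; the two blank lines directly above the signature show nothing precedes it. A one-line comment stating which pro values are accepted, what the returned string is, and whether the returned *credentials may be nil would make the contract clear at the call sites.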
Function looks good now, thanks.
"v2-archives" defines the archives, same as "archives". It is added to define Ubuntu Pro archives in chisel-releases with "pro" and "priority" fields (see canonical#160 and canonical#167), while supporting Chisel<=v1.0.0 and chisel-releases "format"<=v1. Since Chisel ignores unknown fields, archives defined in "v2-archives" will be ignored by v1.0.0 but picked up by later versions.