Copilot commented on code in PR #3639:
URL: https://github.com/apache/celeborn/pull/3639#discussion_r3026139201


##########
.github/workflows/integration.yml:
##########
@@ -51,11 +50,21 @@ jobs:
           python-version: "3.12"
           check-latest: true
       - name: Setup Helm
-        uses: azure/[email protected]
-        with:
-          version: v3.10.0
+        run: |
+          curl -fsSL "https://get.helm.sh/helm-v3.10.0-linux-amd64.tar.gz"; | 
tar xz -C /tmp
+          sudo mv /tmp/linux-amd64/helm /usr/local/bin/helm
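Review bot: in the new Setup Helm step, `curl -fsSL "…tar.gz" | tar xz -C /tmp` lets a failed download pass unnoticed: the step's status is tar's, so an HTTP error or a truncated stream surfaces only as a tar complaint, if at all, and curl's `-f` does nothing across the pipe unless the job runs with `pipefail`. Download to a file, check it against the `.sha256sum` Helm publishes next to each archive, and then extract just the binary rather than the whole tree into `/tmp`, e.g. `tar -xzf helm-v3.10.0-linux-amd64.tar.gz -C /tmp linux-amd64/helm`. Replacing the `uses:` action with a hand-rolled download also drops whatever version pinning that action gave you, so the hash check is now the only integrity control on this binary.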

Review Comment:
   The workflow downloads and installs Helm by piping a remote tarball directly 
into `tar` and moving the extracted binary into `/usr/local/bin` without any 
integrity verification. To reduce supply-chain risk, download the archive to a 
file and verify its SHA256 (Helm publishes `*.sha256sum`) before 
extracting/installing (and optionally clean up the extracted directory 
afterward).
   ```suggestion
             HELM_VERSION="v3.10.0"
             HELM_ARCHIVE="helm-${HELM_VERSION}-linux-amd64.tar.gz"
             HELM_BASE_URL="https://get.helm.sh"
             curl -fsSLo "${HELM_ARCHIVE}" "${HELM_BASE_URL}/${HELM_ARCHIVE}"
             curl -fsSLo "${HELM_ARCHIVE}.sha256sum" "${HELM_BASE_URL}/${HELM_ARCHIVE}.sha256sum"
             sha256sum -c "${HELM_ARCHIVE}.sha256sum"
             tar -xzf "${HELM_ARCHIVE}" -C /tmp
             sudo mv /tmp/linux-amd64/helm /usr/local/bin/helm
             rm -f "${HELM_ARCHIVE}" "${HELM_ARCHIVE}.sha256sum"
   ```



##########
.github/workflows/integration.yml:
##########
@@ -51,11 +50,21 @@ jobs:
           python-version: "3.12"
           check-latest: true
       - name: Setup Helm
-        uses: azure/[email protected]
-        with:
-          version: v3.10.0
+        run: |
+          curl -fsSL "https://get.helm.sh/helm-v3.10.0-linux-amd64.tar.gz"; | 
tar xz -C /tmp
+          sudo mv /tmp/linux-amd64/helm /usr/local/bin/helm
       - name: Setup chart-testing
-        uses: ./.github/actions/chart-testing-action
+        env:
+          CT_VERSION: "3.10.1"
+        run: |
+          curl -sSLo ct.tar.gz \
+            
"https://github.com/helm/chart-testing/releases/download/v${CT_VERSION}/chart-testing_${CT_VERSION}_linux_amd64.tar.gz";
+          mkdir -p /tmp/ct
+          tar -xzf ct.tar.gz -C /tmp/ct
+          sudo mv /tmp/ct/ct /usr/local/bin/ct
+          echo "CT_CONFIG_DIR=/tmp/ct/etc" >> "$GITHUB_ENV"
+          rm ct.tar.gz
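Review bot: `curl -sSLo ct.tar.gz …` in the Setup chart-testing step has no `-f`, so a 404 (a mistyped `CT_VERSION`, say) writes the HTML error body into `ct.tar.gz` and the step dies later at `tar -xzf ct.tar.gz` with a message that points nowhere near the cause; use `curl -fsSLo` and verify the file against the release's `chart-testing_${CT_VERSION}_checksums.txt` before extracting. When you do add that check, save the download under its published asset name rather than `ct.tar.gz`, or `sha256sum -c` will look for a file that is not on disk. One more thing worth a comment: `rm ct.tar.gz` removes the archive but `/tmp/ct` must stay, since `CT_CONFIG_DIR=/tmp/ct/etc` points into it.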

Review Comment:
   `chart-testing` is installed from a GitHub release tarball without 
checksum/signature verification, and the `curl` invocation does not use `-f` to 
fail fast on HTTP errors. Consider adding `-f` (and optionally `--retry`) and 
verifying the release SHA256 before extracting/installing to make the workflow 
more reliable and reduce supply-chain risk.
   ```suggestion
             CT_ARCHIVE="chart-testing_${CT_VERSION}_linux_amd64.tar.gz"
             CT_BASE_URL="https://github.com/helm/chart-testing/releases/download/v${CT_VERSION}"
             # Keep the asset's published name so the checksum list's entry matches the file on disk
             curl -fsSLo "${CT_ARCHIVE}" "${CT_BASE_URL}/${CT_ARCHIVE}"
             curl -fsSLo ct_checksums.txt "${CT_BASE_URL}/chart-testing_${CT_VERSION}_checksums.txt"
             grep " ${CT_ARCHIVE}$" ct_checksums.txt | sha256sum -c -
             mkdir -p /tmp/ct
             tar -xzf "${CT_ARCHIVE}" -C /tmp/ct
             sudo mv /tmp/ct/ct /usr/local/bin/ct
             echo "CT_CONFIG_DIR=/tmp/ct/etc" >> "$GITHUB_ENV"
             rm "${CT_ARCHIVE}" ct_checksums.txt
   ```
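A worked version of the download-verify-extract gate both comments above ask for, as an added example that is not part of the PR, of the reviewer's suggestions, or of the Helm and chart-testing projects. It assumes only coreutils (`sha256sum`, `awk`, `mktemp`, `basename`) and `tar`; the archive and checksum list it checks are constructed in a temporary directory as a stand-in for `get.helm.sh` and the GitHub release assets, so it runs offline. The function names `verify_and_extract`, `make_fixture` and `self_check` are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not code from the Celeborn PR or from the Helm / chart-testing
# projects: verify a downloaded release archive against its published SHA256
# list before extracting the one binary needed from it.
set -euo pipefail

# verify_and_extract ARCHIVE SUMS MEMBER DEST
#   ARCHIVE  local path of the downloaded .tar.gz
#   SUMS     checksum file as the project publishes it: a single "<hex>  <file>"
#            line (Helm's *.sha256sum) or a multi-entry list
#            (chart-testing's *_checksums.txt)
#   MEMBER   path inside the archive to extract, e.g. linux-amd64/helm
#   DEST     directory to extract into
# Extracts MEMBER only if the archive's hash matches its entry; returns 1 and
# writes nothing under DEST on a missing entry or a mismatch.
verify_and_extract() {
  local archive=$1 sums=$2 member=$3 dest=$4
  local name expected actual
  name=$(basename "$archive")
  # Select the entry for this file by name: a release-wide list carries many
  # artifacts, and sha256sum writes "<hex>  <name>" or "<hex> *<name>".
  expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sums" >&2
    return 1
  fi
  actual=$(sha256sum "$archive" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "SHA256 mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
  mkdir -p "$dest"
  # Extract only the member we need rather than everything in the archive.
  tar -xzf "$archive" -C "$dest" "$member"
}

# make_fixture DIR: build a constructed stand-in for a release under DIR so the
# example runs offline. The archive layout mimics Helm's (linux-amd64/helm);
# the checksum list carries a second, unrelated entry as chart-testing's does.
make_fixture() {
  local dir=$1
  mkdir -p "$dir/src/linux-amd64"
  printf '#!/bin/sh\necho fake-helm\n' > "$dir/src/linux-amd64/helm"
  printf 'not the binary\n' > "$dir/src/linux-amd64/README.md"
  tar -czf "$dir/helm-v3.10.0-linux-amd64.tar.gz" -C "$dir/src" linux-amd64
  (cd "$dir" && sha256sum helm-v3.10.0-linux-amd64.tar.gz) > "$dir/checksums.txt"
  printf '%064d  other-artifact.tar.gz\n' 0 >> "$dir/checksums.txt"
}

# self_check: returns 0 when an intact archive is accepted (and only the wanted
# member is extracted), an archive with no checksum entry is refused, and a
# tampered archive is refused without touching DEST.
self_check() {
  local work archive
  work=$(mktemp -d)
  make_fixture "$work"
  archive="$work/helm-v3.10.0-linux-amd64.tar.gz"

  verify_and_extract "$archive" "$work/checksums.txt" linux-amd64/helm "$work/out" || return 1
  [ -f "$work/out/linux-amd64/helm" ] || return 1
  [ ! -e "$work/out/linux-amd64/README.md" ] || return 1

  : > "$work/empty.txt"
  if verify_and_extract "$archive" "$work/empty.txt" linux-amd64/helm "$work/out2" 2>/dev/null; then
    return 1
  fi

  printf 'x' >> "$archive"   # simulate a modified or truncated download
  if verify_and_extract "$archive" "$work/checksums.txt" linux-amd64/helm "$work/out3" 2>/dev/null; then
    return 1
  fi
  [ ! -e "$work/out3" ] || return 1

  rm -rf "$work"
  return 0
}

self_check && echo "checksum gate behaves as expected"
```

In the workflow the fixture is replaced by the two `curl -fsSLo` downloads, after which the call is `verify_and_extract helm-v3.10.0-linux-amd64.tar.gz helm-v3.10.0-linux-amd64.tar.gz.sha256sum linux-amd64/helm /tmp`; the same function handles chart-testing's multi-entry `*_checksums.txt` because the entry is chosen by file name, which is also why the downloaded file has to keep its published name. The order is compare first, extract second: a bad download leaves no half-installed binary under the destination.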



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
