SQSCANGHA-146 Add proxy support for GPG keyserver access (#244)

Co-authored-by: Marius Boden <marius.boden@xebia.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-06 01:20:31 +03:00 · 2026-05-19 09:11:36 +02:00
parent c444753899
commit 56568530ed
13 changed files with 288 additions and 57802 deletions
@@ -31829,5 +31829,5 @@ function requireExec () {

 var execExports = requireExec();

-export { HttpClient as H, info as a, isDebug as b, cp as c, debug as d, exists as e, execExports as f, warning as g, addPath as h, isRooted as i, getInput as j, getBooleanInput as k, core as l, mkdirP as m, setOutput as n, startGroup as o, endGroup as p, rmRF as r, setFailed as s, which as w };
-//# sourceMappingURL=exec-zlpfwmpH.js.map
+export { HttpClient as H, info as a, isDebug as b, cp as c, debug as d, exists as e, execExports as f, warning as g, addPath as h, isRooted as i, setFailed as j, getInput as k, getBooleanInput as l, mkdirP as m, core as n, setOutput as o, startGroup as p, endGroup as q, rmRF as r, setSecret as s, which as w };
+//# sourceMappingURL=exec-BeYcktvA.js.map
@@ -1,4 +1,4 @@
-import { i as isRooted, w as which, e as exists, a as info, d as debug, m as mkdirP, c as cp, H as HttpClient, r as rmRF, b as isDebug, f as execExports, g as warning, h as addPath, s as setFailed, j as getInput, k as getBooleanInput, l as core } from './exec-zlpfwmpH.js';
+import { i as isRooted, w as which, e as exists, a as info, d as debug, m as mkdirP, c as cp, H as HttpClient, r as rmRF, b as isDebug, f as execExports, g as warning, s as setSecret, h as addPath, j as setFailed, k as getInput, l as getBooleanInput, n as core } from './exec-BeYcktvA.js';
 import * as crypto from 'crypto';
 import * as fs from 'fs';
 import * as os from 'os';
@@ -3977,6 +3977,18 @@ function setupGpgHome() {
  return gpgHome;
 }

+/**
+ * Detects HTTPS proxy from environment variables.
+ * Checks both upper and lower case variants (HTTPS_PROXY, https_proxy).
+ * Only HTTPS proxy is used since keyservers use hkps:// (TLS).
+ * HTTP_PROXY is intentionally not used as a fallback to avoid routing
+ * HTTPS traffic through a proxy not intended for TLS connections.
+ * @returns {string|undefined} Proxy URL or undefined if not set
+ */
+function getProxyFromEnv() {
+  return process.env.HTTPS_PROXY || process.env.https_proxy;
+}
+
 /**
 * Attempts to import a public key from a specific keyserver
 * @param {string} gpgHome - Path to GPG home directory
@@ -3988,6 +4000,15 @@ function setupGpgHome() {
 async function tryImportKey(gpgHome, keyFingerprint, keyserver) {
  const gpgCommand = getGpgCommand();
  const gpgHomePath = convertToUnixPath(gpgHome);
+  const proxyUrl = getProxyFromEnv();
+
+  if (proxyUrl) {
+    // The URL may carry credentials (e.g. http://user:pass@proxy:8080).
+    // Register it as a secret so future logging (here or downstream) is
+    // automatically redacted
+    setSecret(proxyUrl);
+    info("Using HTTPS_PROXY for keyserver access");
+  }

  await execExports.exec(
    gpgCommand,
@@ -3997,6 +4018,7 @@ async function tryImportKey(gpgHome, keyFingerprint, keyserver) {
      "--batch",
      "--keyserver",
      keyserver,
+      ...(proxyUrl ? ["--keyserver-options", `http-proxy=${proxyUrl}`] : []),
      "--recv-keys",
      keyFingerprint,
    ],
@@ -1,4 +1,4 @@
-import { f as execExports, h as addPath, a as info, n as setOutput, s as setFailed, o as startGroup, p as endGroup } from './exec-zlpfwmpH.js';
+import { f as execExports, h as addPath, a as info, o as setOutput, j as setFailed, p as startGroup, q as endGroup } from './exec-BeYcktvA.js';
 import * as fs from 'fs';
 import * as path from 'path';
 import 'os';