Compare commits

...

4 Commits

Author SHA1 Message Date
Alban Auzeill bc1610626e Fix from review 2026-07-13 17:14:12 +02:00
Alban Auzeill 2dfea3d9ad SQSCANGHA-156 GPG signature verification fails when temporary directory path is too long 2026-07-13 16:35:33 +02:00
dependabot[bot] 7cdc154593 SQSCANGHA-153 NO-JIRA Bump actions/checkout from 6.0.2 to 7.0.0 (#255)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-06 11:52:45 +02:00
Antoine Vinot 45f27363d4 SQSCANGHA-151 Change Code Owners (#254) 2026-06-16 09:15:26 +02:00
13 changed files with 151 additions and 50 deletions
+3 -1
View File
@@ -1 +1,3 @@
.github/* @sonarsource/quality-processing-squad
# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
* @sonarsource/code-quality-ci-experience-squad
+1 -1
View File
@@ -34,7 +34,7 @@ jobs:
exit 1
fi
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
@@ -34,7 +34,7 @@ jobs:
exit 1
fi
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+23 -23
View File
@@ -17,7 +17,7 @@ jobs:
os: [github-ubuntu-latest-s, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action without args
@@ -37,7 +37,7 @@ jobs:
os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
@@ -66,7 +66,7 @@ jobs:
]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
@@ -93,7 +93,7 @@ jobs:
os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
@@ -121,7 +121,7 @@ jobs:
os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
@@ -148,7 +148,7 @@ jobs:
os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
@@ -178,7 +178,7 @@ jobs:
os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- run: mkdir -p ./baseDir
@@ -198,7 +198,7 @@ jobs:
'scannerVersion' input
runs-on: github-ubuntu-latest-s # assumes default RUNNER_ARCH for linux is X64
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with scannerVersion
@@ -222,7 +222,7 @@ jobs:
'scannerBinariesUrl' input with invalid URL
runs-on: github-ubuntu-latest-s # assumes default RUNNER_ARCH for linux is X64
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with scannerBinariesUrl
@@ -250,7 +250,7 @@ jobs:
'scannerBinariesUrl' does not allow command injection via semicolons
runs-on: github-ubuntu-latest-s
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with scannerBinariesUrl
@@ -271,7 +271,7 @@ jobs:
'scannerBinariesUrl' does not allow command injection via spaces and quotes
runs-on: github-ubuntu-latest-s
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with scannerBinariesUrl
@@ -292,7 +292,7 @@ jobs:
Don't fail on Gradle project
runs-on: github-ubuntu-latest-s
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on Gradle project
@@ -313,7 +313,7 @@ jobs:
Don't fail on Kotlin Gradle project
runs-on: github-ubuntu-latest-s
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on Kotlin Gradle project
@@ -334,7 +334,7 @@ jobs:
Don't fail on Maven project
runs-on: github-ubuntu-latest-s
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on Maven project
@@ -367,7 +367,7 @@ jobs:
--health-timeout 5s
--health-retries 10
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on sample project
@@ -390,7 +390,7 @@ jobs:
os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with debug mode
@@ -421,7 +421,7 @@ jobs:
--health-timeout 5s
--health-retries 10
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: SonarQube Cache
@@ -450,7 +450,7 @@ jobs:
os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with deprecated SONARCLOUD_URL
@@ -469,7 +469,7 @@ jobs:
scannerBinariesUrl redirect (3xx) is followed
runs-on: github-ubuntu-latest-s
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Generate SSL certificates for nginx
@@ -505,7 +505,7 @@ jobs:
os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with SSL certificate
@@ -556,7 +556,7 @@ jobs:
Analysis takes into account 'SONAR_ROOT_CERT'
runs-on: github-ubuntu-latest-s
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Generate server certificate
@@ -664,7 +664,7 @@ jobs:
truststore.p12 is updated when present
runs-on: github-ubuntu-latest-s
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Create SONAR_SSL_FOLDER with a file in it (not-truststore.p12)
@@ -793,7 +793,7 @@ jobs:
'scannerVersion' input validation
runs-on: github-ubuntu-latest-s
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with invalid scannerVersion
+4 -4
View File
@@ -12,7 +12,7 @@ jobs:
name: create_install_path.sh
runs-on: github-ubuntu-latest-s
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
@@ -123,7 +123,7 @@ jobs:
SONAR_SCANNER_URL_MACOSX_AARCH64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-aarch64.zip'
SONAR_SCANNER_SHA_MACOSX_AARCH64: 'DOWNLOAD-SHA-MACOSX-AARCH64'
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
@@ -252,7 +252,7 @@ jobs:
name: download.sh
runs-on: github-ubuntu-latest-s
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
@@ -321,7 +321,7 @@ jobs:
name: fetch_latest_version.sh
runs-on: github-ubuntu-latest-s
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Test script
+1 -1
View File
@@ -13,7 +13,7 @@ jobs:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Setup Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e #v6.4.0
+1 -1
View File
@@ -13,7 +13,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Parse semver
uses: madhead/semver-utils@4cf918affe9106ea59f86c6250e5ec4570ac4389 # v5.0.0
+2 -2
View File
@@ -13,7 +13,7 @@ jobs:
new-version: ${{ steps.latest-version.outputs.sonar-scanner-version }}
steps:
- run: sudo apt install -y jq
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: master
fetch-depth: 0
@@ -49,7 +49,7 @@ jobs:
pull-requests: write
if: needs.check-version.outputs.should_update == 'true'
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: master
persist-credentials: true
+19 -4
View File
@@ -14,6 +14,7 @@ import * as fs$2 from 'node:fs/promises';
import * as os$1 from 'node:os';
import * as path$1 from 'node:path';
import { join } from 'node:path';
import { randomBytes } from 'node:crypto';
import * as fs$1 from 'node:fs';
import fs__default from 'node:fs';
import 'http';
@@ -3900,6 +3901,10 @@ function toSemVer(version) {
const SONARSOURCE_KEY_FINGERPRINT = "679F1EE92B19609DE816FDE81DB198F93525EC1A";
const DEFAULT_KEYSERVER = "hkps://keyserver.ubuntu.com";
const FALLBACK_KEYSERVER = "hkps://keys.openpgp.org";
// Linux/macOS sockaddr_un.sun_path limit is 108 bytes including the NUL terminator.
// S.gpg-agent.browser is the longest socket GPG creates directly under the home directory.
const MAX_GPG_SOCKET_PATH = 107;
const LONGEST_GPG_SOCKET = "/S.gpg-agent.browser";
/**
* Verifies the GPG signature of a downloaded file
@@ -3990,12 +3995,22 @@ function convertToUnixPath(windowsPath) {
* @returns {string} Path to the temporary GPG home directory
*/
function setupGpgHome() {
const tempDir = process.env.RUNNER_TEMP || os$1.tmpdir();
const gpgHome = path$1.join(tempDir, `gpg-home-${Date.now()}-${process.pid}`);
const dirName = `gpg-${randomBytes(4).toString("hex")}`;
fs$1.mkdirSync(gpgHome, { recursive: true, mode: 0o700 });
const runnertemp = process.env.RUNNER_TEMP;
for (const base of [runnertemp, os$1.tmpdir()].filter(Boolean)) {
const gpgHome = path$1.join(base, dirName);
if (process.platform === "win32" || (gpgHome + LONGEST_GPG_SOCKET).length <= MAX_GPG_SOCKET_PATH) {
fs$1.mkdirSync(gpgHome, { recursive: true, mode: 0o700 });
return gpgHome;
}
}
return gpgHome;
throw new Error(
`Cannot create a GPG home directory with a short enough path for GPG sockets. ` +
`The longest socket path (gpgHome + "${LONGEST_GPG_SOCKET}") must not exceed ${MAX_GPG_SOCKET_PATH} characters. ` +
`Consider setting RUNNER_TEMP to a shorter path, was "${runnertemp || '<empty>'}".`
);
}
/**
+1 -1
View File
File diff suppressed because one or more lines are too long
@@ -20,7 +20,9 @@
import assert from "node:assert/strict";
import * as fs from "node:fs";
import { afterEach, describe, it, mock } from "node:test";
import * as os from "node:os";
import * as path from "node:path";
import { afterEach, beforeEach, describe, it, mock } from "node:test";
import { getProxyFromEnv, setupGpgHome, } from "../gpg-verification.js";
/**
@@ -492,6 +494,76 @@ describe("gpg-verification with mocked exec", () => {
});
});
describe("setupGpgHome", () => {
let originalRunnerTemp;
beforeEach(() => {
originalRunnerTemp = process.env.RUNNER_TEMP;
});
afterEach(() => {
if (originalRunnerTemp === undefined) {
delete process.env.RUNNER_TEMP;
} else {
process.env.RUNNER_TEMP = originalRunnerTemp;
}
});
it("should create directory under RUNNER_TEMP when path is short enough", () => {
const runnerTemp = fs.mkdtempSync(path.join(os.tmpdir(), "runner-temp-"));
tempDirs.push(runnerTemp);
process.env.RUNNER_TEMP = runnerTemp;
const gpgHome = setupGpgHome();
tempDirs.push(gpgHome);
assert.equal(path.dirname(gpgHome), runnerTemp);
assert.ok(fs.existsSync(gpgHome));
});
it("should fall back to os.tmpdir() when RUNNER_TEMP is not set", () => {
delete process.env.RUNNER_TEMP;
const gpgHome = setupGpgHome();
tempDirs.push(gpgHome);
assert.equal(path.dirname(gpgHome), os.tmpdir());
assert.ok(fs.existsSync(gpgHome));
});
it("should fall back to os.tmpdir() when RUNNER_TEMP path is too long for GPG sockets", () => {
// Customer's actual RUNNER_TEMP (93 chars) — pushes the dirmngr socket path over the 107-char Linux limit
process.env.RUNNER_TEMP = "/codebuild/output/src2280/src/2bc4e189_61b5_4b91_abc6_9c5c06637b96/actions-runner/_work/_temp";
const gpgHome = setupGpgHome();
tempDirs.push(gpgHome);
assert.equal(path.dirname(gpgHome), os.tmpdir());
assert.ok(fs.existsSync(gpgHome));
});
it("should throw a clear error when all candidate paths are too long", async (t) => {
const longPath = "/codebuild/output/src2280/src/2bc4e189_61b5_4b91_abc6_9c5c06637b96/actions-runner/_work/_temp";
t.mock.module("node:os", {
namedExports: {
tmpdir: () => longPath,
},
});
process.env.RUNNER_TEMP = longPath;
const { setupGpgHome: freshSetupGpgHome } = await import("../gpg-verification.js?test=both-paths-too-long");
assert.throws(
() => freshSetupGpgHome(),
{ message: `Cannot create a GPG home directory with a short enough path for GPG sockets. ` +
`The longest socket path (gpgHome + "/S.gpg-agent.browser") must not exceed 107 characters. ` +
`Consider setting RUNNER_TEMP to a shorter path, was "${longPath}".` }
);
});
});
describe("getProxyFromEnv", () => {
afterEach(() => {
clearProxyEnv();
+3 -6
View File
@@ -101,9 +101,8 @@ async function withMockedEnv(envVars, testFn) {
* @returns {string} The path to the created temporary directory
*/
function createTempDir() {
const tempDir = path.join(os.tmpdir(), `test-runner-temp-${Date.now()}`);
fs.mkdirSync(tempDir, { recursive: true });
return tempDir;
// Use a short prefix so the gpg socket path stays within the 107-char Linux limit
return fs.mkdtempSync(path.join(os.tmpdir(), "r"));
}
describe("gpg-verification", () => {
@@ -177,10 +176,8 @@ describe("gpg-verification", () => {
}
});
it("should create unique directories on multiple calls", async () => {
it("should create unique directories on multiple calls", () => {
const gpgHome1 = createTrackedGpgHome(tempDirs);
// Small delay to ensure different timestamps
await new Promise((resolve) => setTimeout(resolve, 10));
const gpgHome2 = createTrackedGpgHome(tempDirs);
assert.notEqual(gpgHome1, gpgHome2);
+19 -4
View File
@@ -20,6 +20,7 @@
import * as core from "@actions/core";
import * as exec from "@actions/exec";
import { randomBytes } from "node:crypto";
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";
@@ -27,6 +28,10 @@ import * as path from "node:path";
const SONARSOURCE_KEY_FINGERPRINT = "679F1EE92B19609DE816FDE81DB198F93525EC1A";
const DEFAULT_KEYSERVER = "hkps://keyserver.ubuntu.com";
const FALLBACK_KEYSERVER = "hkps://keys.openpgp.org";
// Linux/macOS sockaddr_un.sun_path limit is 108 bytes including the NUL terminator.
// S.gpg-agent.browser is the longest socket GPG creates directly under the home directory.
const MAX_GPG_SOCKET_PATH = 107;
const LONGEST_GPG_SOCKET = "/S.gpg-agent.browser";
/**
* Verifies the GPG signature of a downloaded file
@@ -117,12 +122,22 @@ export function convertToUnixPath(windowsPath) {
* @returns {string} Path to the temporary GPG home directory
*/
export function setupGpgHome() {
const tempDir = process.env.RUNNER_TEMP || os.tmpdir();
const gpgHome = path.join(tempDir, `gpg-home-${Date.now()}-${process.pid}`);
const dirName = `gpg-${randomBytes(4).toString("hex")}`;
fs.mkdirSync(gpgHome, { recursive: true, mode: 0o700 });
const runnertemp = process.env.RUNNER_TEMP;
for (const base of [runnertemp, os.tmpdir()].filter(Boolean)) {
const gpgHome = path.join(base, dirName);
if (process.platform === "win32" || (gpgHome + LONGEST_GPG_SOCKET).length <= MAX_GPG_SOCKET_PATH) {
fs.mkdirSync(gpgHome, { recursive: true, mode: 0o700 });
return gpgHome;
}
}
return gpgHome;
throw new Error(
`Cannot create a GPG home directory with a short enough path for GPG sockets. ` +
`The longest socket path (gpgHome + "${LONGEST_GPG_SOCKET}") must not exceed ${MAX_GPG_SOCKET_PATH} characters. ` +
`Consider setting RUNNER_TEMP to a shorter path, was "${runnertemp || '<empty>'}".`
);
}
/**