Add git-cherry-pick pipeline (#1278)

* Add git-cherry-pick pipeline --------- Signed-off-by: Krish Jain <krish.jain@chainguard.dev>
chainguard-dev · Jun 25, 2024 · df975c9 · df975c9
1 parent 86ef7c0
commit df975c9
Show file tree

Hide file tree

Showing 4 changed files with 212 additions and 31 deletions.
diff --git a/docs/PIPELINES-GIT.md b/docs/PIPELINES-GIT.md
@@ -0,0 +1,37 @@
+# Built-in git pipeline
+
+Melange includes a built-in pipeline to checkout git repos.
+
+To get started quickly, checkout the `git-checkout` pipeline.
+
+
+How to use it?
+
+```
+  - uses: git-checkout
+    with:
+      repository: <UPDATE-ME>
+      tag: ${{package.version}}
+      expected-commit: <UPDATE-ME>
+
+```
+
+You have these inputs (defined in https://github.com/chainguard-dev/melange/blob/main/pkg/build/pipelines/git-checkout.yaml):
+
+How to use the cherry-picking feature?
+
+
+To fix  https://nvd.nist.gov/vuln/detail/CVE-2024-4032 for example you can do something nice:
+
+```
+pipeline:
+  - uses: git-checkout
+    with:
+      expected-commit: 976ea78599d71f22e9c0fefc2dc37c1d9fc835a4
+      repository: https://github.com/python/cpython.git
+      tag: v3.10.14
+      cherry-picks: |
+        3.10/c62c9e518b784fe44432a3f4fc265fb95b651906: CVE-2024-4032
+```
+
+Note the format of cherry-picking: ``[branch/]commit: comment here``
diff --git a/e2e-tests/git-checkout-build.yaml b/e2e-tests/git-checkout-build.yaml
@@ -3,18 +3,22 @@ package:
   version: 6.14
   epoch: 0
   description: This package mainly just tests git-checkout pipeline
+
 environment:
   contents:
     packages:
       - busybox
       - git
+
 vars:
   workd: /tmp/test-git-checkout-workd
   giturl: "file:///tmp/test-git-checkout-workd/repos/my-repo"
+
 pipeline:
   - name: "Create the bogus package content"
     runs: |
       echo "package does not do anything" > "${{targets.contextdir}}/README"
+
   - name: "Create a git repo"
     runs: |
       rm -Rf ${{vars.workd}}
@@ -23,32 +27,37 @@ pipeline:
 
       ./create-git-repo "$repo"
       touch "$repo/git-daemon-export-ok"
+
   - name: "standard tag on branch"
     uses: git-checkout
     working-directory: standard
     with:
       repository: ${{vars.giturl}}
       tag: 2.0
       expected-commit: 3dfc3dd573b814be48c07f7f8ae3c19a23b69865
+
   - name: "check standard tag on branch"
     working-directory: standard
     runs: |
       hash=$(git rev-parse --verify HEAD)
       [ "$hash" = 3dfc3dd573b814be48c07f7f8ae3c19a23b69865 ]
       cd ..
       rm -Rf standard
+
   - name: "standard no-working-directory"
     uses: git-checkout
     with:
       repository: ${{vars.giturl}}
       tag: 2.0
       expected-commit: 3dfc3dd573b814be48c07f7f8ae3c19a23b69865
+
   - name: "check standard no-working-directory"
     runs: |
       hash=$(git rev-parse --verify HEAD)
       [ "$hash" = 3dfc3dd573b814be48c07f7f8ae3c19a23b69865 ]
       [ -f create-git-repo ] ||
          { echo "create-git-repo did not exist"; exit 1; }
+
   - name: "destination"
     uses: git-checkout
     working-directory: destination-base
@@ -57,6 +66,7 @@ pipeline:
       tag: 2.0
       expected-commit: 3dfc3dd573b814be48c07f7f8ae3c19a23b69865
       destination: dest
+
   - name: "check destination"
     working-directory: destination-base
     runs: |
@@ -65,6 +75,7 @@ pipeline:
       [ "$hash" = 3dfc3dd573b814be48c07f7f8ae3c19a23b69865 ]
       cd ../..
       rm -R destination-base
+
   - name: "depth positive 1"
     uses: git-checkout
     working-directory: depth-positive-1
@@ -73,6 +84,7 @@ pipeline:
       repository: ${{vars.giturl}}
       tag: 2.0
       expected-commit: 3dfc3dd573b814be48c07f7f8ae3c19a23b69865
+
   - name: "check depth positive 1"
     working-directory: depth-positive-1
     runs: |
@@ -85,6 +97,7 @@ pipeline:
       [ "$hash" = 3dfc3dd573b814be48c07f7f8ae3c19a23b69865 ]
       cd ..
       rm -R depth-positive-1
+
   - name: "depth negative 1"
     working-directory: depth-negative-1
     uses: git-checkout
@@ -93,6 +106,7 @@ pipeline:
       repository: ${{vars.giturl}}
       tag: 2.0
       expected-commit: 3dfc3dd573b814be48c07f7f8ae3c19a23b69865
+
   - name: "check depth -1"
     working-directory: depth-negative-1
     runs: |
@@ -105,19 +119,22 @@ pipeline:
       [ "$hash" = 3dfc3dd573b814be48c07f7f8ae3c19a23b69865 ]
       cd ..
       rm -R depth-negative-1
+
   - name: "branch without expected"
     working-directory: branch-no-expected
     uses: git-checkout
     with:
       repository: ${{vars.giturl}}
       branch: 1.x
+
   - name: "check branch without expected"
     working-directory: branch-no-expected
     runs: |
       hash=$(git rev-parse --verify HEAD)
       [ "$hash" = 4b1593d8d8038f8c0ce1e2c608c9dd89066a2a0f ]
       cd ..
       rm -R branch-no-expected
+
   # for an annotated tag you can point to either the commit
   # or the tag object hash object
   - name: "annotated hash"
@@ -127,6 +144,7 @@ pipeline:
       repository: ${{vars.giturl}}
       tag: 2.0-annotated
       expected-commit: 4ce5bdbf45a68a166d931dd1247878829b5c0113
+
   - name: "check annotated hash"
     working-directory: annotated-hash
     runs: |
@@ -135,6 +153,7 @@ pipeline:
       [ "$hash" = 3dfc3dd573b814be48c07f7f8ae3c19a23b69865 ]
       cd ..
       rm -R annotated-hash
+
   # special case with clone --branch if there is a tag and a branch
   # with the same name.
   - name: "tag and branch same name"
@@ -144,10 +163,29 @@ pipeline:
       repository: ${{vars.giturl}}
       tag: dev
       expected-commit: 2b9bb894348794bc840a2ee7553d54a1c80b9278
+
   - name: "check tag and branch same name"
     working-directory: tag-and-branch
     runs: |
       hash=$(git rev-parse --verify HEAD)
       [ "$hash" = 2b9bb894348794bc840a2ee7553d54a1c80b9278 ]
       cd ..
       rm -R tag-and-branch
+
+  - name: "process cherry-picks"
+    uses: git-checkout
+    working-directory: cherry-pick-test
+    with:
+      repository: ${{vars.giturl}}
+      branch: 1.x
+      cherry-picks: |
+        main/582b4d7d62f1c512568649ce8b6db085a3d85a9f: here comment
+
+  - name: "check cherry-picks"
+    working-directory: cherry-pick-test
+    runs: |
+      hash=$(git rev-parse --verify HEAD)
+      expected_hash="225e712ae452645acbd8f137b13d6b1ded8a96a1"
+      [ "$hash" != "$expected_hash" ]
+      cd ..
+      rm -R cherry-pick-test
diff --git a/e2e-tests/test-fixtures/create-git-repo b/e2e-tests/test-fixtures/create-git-repo
@@ -33,6 +33,9 @@ TEMP_D=$(mktemp -d)
 trap cleanup EXIT
 
 dest="$1"
+if [ -z "$dest" ]; then
+    fail "must provide dest dir for bare git repo"
+fi
 if [ -e "$dest" ]; then
     fail "do not give existing dir for dest"
 fi
@@ -86,16 +89,20 @@ v git checkout --quiet main
 v wfile README "mainline stuff"
 v gcommit -m "mainline stuff" README
 
-v git checkout --quiet main
-v wfile README "mainline stuff 2"
-v gcommit -m "mainline stuff 2" README
-
-v git checkout --quiet -b 2.x main^
+v git checkout --quiet -b 2.x main
 v wfile README "2.0-release content"
 v gcommit -m "release 2.0" README
 v gtag 2.0
 v gtag --annotate --message="Release 2.0" 2.0-annotated HEAD
 
+v git checkout --quiet main
+v wfile README "mainline stuff 2"
+v gcommit -m "mainline stuff 2" README
+
+v wfile file1.txt "exciting file contents"
+v git add file1.txt
+v gcommit -m "finally add file1.txt" file1.txt
+
 v git checkout --quiet main
 
 v cd "$startd"