Merge pull request #3408 from buildkite/check-go-pipeline-68

Upgrade to go-pipeline v0.15.0

Author: DrJosh9000

agent/integration/job_verification_integration_test.go

@@ -1,7 +1,6 @@
 package integration
 
 import (
-	"context"
 	"strings"
 	"testing"
 
@@ -286,7 +285,7 @@ var (
 
 func TestJobVerification(t *testing.T) {
 	t.Parallel()
-	ctx := context.Background()
+	ctx := t.Context()
 
 	cases := []struct {
 		name                     string
@@ -593,12 +592,20 @@ func TestJobVerification(t *testing.T) {
 			tc.mockBootstrapExpectation(mb)
 			defer mb.CheckAndClose(t) //nolint:errcheck // bintest logs to t
 
-			stepWithInvariants := signature.CommandStepWithInvariants{
-				CommandStep:   tc.job.Step,
-				RepositoryURL: tc.repositoryURL,
+			t.Logf("%s: signing step with key: %v", t.Name(), tc.signingKey)
+			if tc.signingKey != nil {
+				err := signature.SignSteps(
+					ctx,
+					pipeline.Steps{&tc.job.Step},
+					tc.signingKey,
+					tc.repositoryURL,
+					signature.WithEnv(pipelineUploadEnv),
+				)
+				if err != nil {
+					t.Fatalf("signing step: %v", err)
+				}
 			}
 
-			tc.job.Step = signStep(t, ctx, tc.signingKey, pipelineUploadEnv, stepWithInvariants)
 			err := runJob(t, ctx, testRunJobConfig{
 				job:              &tc.job,
 				server:           server,
@@ -686,25 +693,3 @@ func jwksFromKeys(t *testing.T, jwkes ...jwk.Key) jwk.Set {
 
 	return set
 }
-
-func signStep(
-	t *testing.T,
-	ctx context.Context,
-	key jwk.Key,
-	env map[string]string,
-	stepWithInvariants signature.CommandStepWithInvariants,
-) pipeline.CommandStep {
-	t.Helper()
-
-	t.Logf("%s: signing step with key: %v", t.Name(), key)
-	if key == nil {
-		return stepWithInvariants.CommandStep
-	}
-
-	signature, err := signature.Sign(ctx, key, &stepWithInvariants, signature.WithEnv(env))
-	if err != nil {
-		t.Fatalf("signing step: %v", err)
-	}
-	stepWithInvariants.Signature = signature
-	return stepWithInvariants.CommandStep
-}

agent/verify_job.go

@@ -35,28 +35,22 @@ func (e *invalidSignatureError) Unwrap() error {
 }
 
 func (r *JobRunner) verifyJob(ctx context.Context, keySet any) error {
-	step := r.conf.Job.Step
+	step := &r.conf.Job.Step
 
-	if step.Signature == nil {
-		r.agentLogger.Debug("verifyJob: Job.Step.Signature == nil")
-		return ErrNoSignature
-	}
-
-	stepWithInvariants := &signature.CommandStepWithInvariants{
-		CommandStep:   step,
-		RepositoryURL: r.conf.Job.Env["BUILDKITE_REPO"],
-	}
-
-	// Verify the signature
-	err := signature.Verify(
+	// First, verify the signature.
+	err := signature.VerifyStep(
 		ctx,
-		step.Signature,
+		step,
 		keySet,
-		stepWithInvariants,
+		r.conf.Job.Env["BUILDKITE_REPO"],
 		signature.WithEnv(r.conf.Job.Env),
 		signature.WithLogger(r.agentLogger),
 		signature.WithDebugSigning(r.conf.AgentConfiguration.DebugSigning),
 	)
+	if err == signature.ErrNoSignature {
+		r.agentLogger.Debug("verifyJob: Job.Step.Signature == nil")
+		return ErrNoSignature
+	}
 	if err != nil {
 		r.agentLogger.Debug("failed to verifyJob: step.Signature.Verify(Job.Env, stepWithInvariants, JWKS) = %v", err)
 		return newInvalidSignatureError(ErrVerificationFailed)

go.mod

@@ -16,7 +16,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/kms v1.41.3
 	github.com/brunoscheufler/aws-ecs-metadata-go v0.0.0-20220812150832-b6b31c6eeeaf
 	github.com/buildkite/bintest/v3 v3.3.0
-	github.com/buildkite/go-pipeline v0.14.0
+	github.com/buildkite/go-pipeline v0.15.0
 	github.com/buildkite/interpolate v0.1.5
 	github.com/buildkite/roko v1.3.1
 	github.com/buildkite/shellwords v1.0.0

go.sum

@@ -116,8 +116,8 @@ github.com/brunoscheufler/aws-ecs-metadata-go v0.0.0-20220812150832-b6b31c6eeeaf
 github.com/brunoscheufler/aws-ecs-metadata-go v0.0.0-20220812150832-b6b31c6eeeaf/go.mod h1:CeKhh8xSs3WZAc50xABMxu+FlfAAd5PNumo7NfOv7EE=
 github.com/buildkite/bintest/v3 v3.3.0 h1:RTWcSaJRlOT6t/K311ejPf+0J3LE/QEODzVG3vlLnWo=
 github.com/buildkite/bintest/v3 v3.3.0/go.mod h1:btqpTsVODiJcb0NMdkkmtMQ6xoFc2W/nY5yy+3I0zcs=
-github.com/buildkite/go-pipeline v0.14.0 h1:TMkFalrkniy2l5wEfmGyckT5kf21akWOY07i4esosAI=
-github.com/buildkite/go-pipeline v0.14.0/go.mod h1:VE37qY3X5pmAKKUMoDZvPsHOQuyakB9cmXj9Qn6QasA=
+github.com/buildkite/go-pipeline v0.15.0 h1:ae/TEXC/4HhajbED2vKcRL5vZTtb9C71cajzwoBlP8s=
+github.com/buildkite/go-pipeline v0.15.0/go.mod h1:VE37qY3X5pmAKKUMoDZvPsHOQuyakB9cmXj9Qn6QasA=
 github.com/buildkite/interpolate v0.1.5 h1:v2Ji3voik69UZlbfoqzx+qfcsOKLA61nHdU79VV+tPU=
 github.com/buildkite/interpolate v0.1.5/go.mod h1:dHnrwHew5O8VNOAgMDpwRlFnhL5VSN6M1bHVmRZ9Ccc=
 github.com/buildkite/roko v1.3.1 h1:t7K30ceLLYn6k7hQP4oq1c7dVlhgD5nRcuSRDEEnY1s=