


A fabulous library for defining continuous pipelines for building, testing and releasing code libraries.

"use strict"; var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { if (k2 === undefined) k2 = k; var desc = Object.getOwnPropertyDescriptor(m, k); if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { desc = { enumerable: true, get: function() { return m[k]; } }; } Object.defineProperty(o, k2, desc); }) : (function(o, m, k, k2) { if (k2 === undefined) k2 = k; o[k2] = m[k]; })); var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { Object.defineProperty(o, "default", { enumerable: true, value: v }); }) : function(o, v) { o["default"] = v; }); var __importStar = (this && this.__importStar) || function (mod) { if (mod && mod.__esModule) return mod; var result = {}; if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); __setModuleDefault(result, mod); return result; }; Object.defineProperty(exports, "__esModule", { value: true }); exports.PackageIntegrityValidation = void 0; const path = __importStar(require("path")); const aws_cdk_lib_1 = require("aws-cdk-lib"); const constructs_1 = require("constructs"); const shellable_1 = require("../shellable"); /** * Perform periodic integrity checks on published packages based on the * source code of the package. Currently supports only GitHub hosted packages. * * The check is done by downloading the published artifact, building the source code, and comparing the two. * If they differ, it means that of the following was compromised: * * - The publishing platform (for example GitHub runners) * - The artifact storage (for example npmjs.com) */ class PackageIntegrityValidation extends constructs_1.Construct { constructor(scope, id, props) { super(scope, id); const rate = props.rate ?? 
aws_cdk_lib_1.Duration.days(1); const shellable = new shellable_1.Shellable(this, 'Default', { scriptDirectory: path.join(__dirname, 'handler'), entrypoint: 'validate.sh', privileged: props.privileged ?? false, platform: props.buildPlatform ?? shellable_1.ShellPlatform.LinuxUbuntu, environmentSecrets: props.environmentSecrets, environmentParameters: props.environmentParameters, environment: { ...props.environment, // always override the env vars we have explicit options for GITHUB_REPOSITORY: props.repository, TAG_PREFIX: props.tagPrefix ?? '', GITHUB_TOKEN_ARN: props.githubTokenSecret?.secretArn, PACK_TASK: props.packTask, }, alarmPeriod: rate, alarmEvaluationPeriods: props.consecutiveFailuresToAlarm ?? 3, }); if (props.githubTokenSecret) { const grant = props.githubTokenSecret.grantRead(shellable.role); grant.assertSuccess(); } new aws_cdk_lib_1.aws_events.Rule(this, 'ScheduledTrigger', { schedule: aws_cdk_lib_1.aws_events.Schedule.rate(rate), targets: [new aws_cdk_lib_1.aws_events_targets.CodeBuildProject(shellable.project)], }); this.failureAlarm = shellable.alarm; } } exports.PackageIntegrityValidation = PackageIntegrityValidation; //# sourceMappingURL=data:application/json;base64,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