From c339a842d88a27193f6ea44bdbc6df270763ae94 Mon Sep 17 00:00:00 2001
From: Austin Vazquez
Date: Wed, 26 Jun 2024 16:36:17 -0700
Subject: [PATCH 1/2] ci: update base os image during update dependencies workflow
This change adds update base os image to the update dependencies workflow.
Signed-off-by: Austin Vazquez
---
 .github/workflows/update-dependencies.yaml | 13 +++--
 bin/update-os-image.sh | 58 ++++++++++++++++++++++
 2 files changed, 66 insertions(+), 5 deletions(-)
 create mode 100755 bin/update-os-image.sh
diff --git a/.github/workflows/update-dependencies.yaml b/.github/workflows/update-dependencies.yaml
index ab666d4..67cd62b 100644
--- a/.github/workflows/update-dependencies.yaml
+++ b/.github/workflows/update-dependencies.yaml
@@ -25,11 +25,14 @@ jobs:
 role-session-name: dependency-upload-session
 aws-region: ${{ secrets.REGION }}
- # This step fetches the latest set of released dependencies from s3 and updates the Makefile to use the same.
- - name: update dependencies url
- run: |
- ./bin/update-deps.sh -d ${{ secrets.DEPENDENCY_BUCKET_NAME }}
- ./bin/update-rootfs.sh -d ${{ secrets.DEPENDENCY_BUCKET_NAME }}
+ - name: Update Lima dependencies archive for Finch on macOS
+ run: bash bin/update-deps.sh -d ${{ secrets.DEPENDENCY_BUCKET_NAME }}
+
+ - name: Update base OS for Finch on macOS
+ run: bash bin/update-os-image.sh -d ${{ secrets.DEPENDENCY_BUCKET_NAME }}
+
+ - name: Update rootfs for Finch on Windows
+ run: bash bin/update-rootfs.sh -d ${{ secrets.DEPENDENCY_BUCKET_NAME }}
 - name: create PR
 uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
diff --git a/bin/update-os-image.sh b/bin/update-os-image.sh
new file mode 100755
index 0000000..949ed17
--- /dev/null
+++ b/bin/update-os-image.sh
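Review bot: The three new `run:` steps splice `${{ secrets.DEPENDENCY_BUCKET_NAME }}` directly into the shell command line, which is the pattern GitHub's workflow-hardening guidance advises against because the expression is substituted before the shell parses the line. Passing the value through the environment keeps the shell from interpreting it, e.g. `run: bash bin/update-os-image.sh -d "$DEPENDENCY_BUCKET"` with `env: DEPENDENCY_BUCKET: ${{ secrets.DEPENDENCY_BUCKET_NAME }}` on the step, and the same for the other two steps. The removed comment that explained what these steps do is not carried over; a line such as `# Look up the newest released artifacts in S3 and rewrite the deps/*.conf files to reference them.` above the first new step would keep that context.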
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# A script to update the base os image used for Finch on macOS.
+#
+# Usage: bash update-os-image.sh -d
+
+set -euxo pipefail
+
+CURRENT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd -- "${CURRENT_DIR}/.." && pwd)"
+
+# shellcheck source=/dev/null
+source "${PROJECT_ROOT}/bin/utility.sh"
+
+DEPENDENCY_CLOUDFRONT_URL="https://deps.runfinch.com"
+AARCH64_FILENAME_PATTERN="Fedora-Cloud-Base-.*\.aarch64-[0-9]+\.qcow2$"
+AMD64_FILENAME_PATTERN="Fedora-Cloud-Base-.*\.x86_64-[0-9]+\.qcow2$"
+
+while getopts d: flag
+do
+ case "${flag}" in
+ d) dependency_bucket=${OPTARG};;
+ *) echo "Error: unknown flag" && exit 1;;
+ esac
+done
+
+[[ -z "$dependency_bucket" ]] && { echo "Error: dependency bucket not set"; exit 1; }
+
+aarch64_deps=$(find_latest_object_match_from_s3 "${AARCH64_FILENAME_PATTERN}" "${dependency_bucket}")
+[[ -z "$aarch64_deps" ]] && { echo "Error: aarch64 dependency not found"; exit 1; }
+
+# Need to pull the shasum of the artifact to store for later verification.
+aarch64_deps_shasum_url="${DEPENDENCY_CLOUDFRONT_URL}/${aarch64_deps}.sha512sum"
+aarch64_deps_shasum=$(curl -L --fail "${aarch64_deps_shasum_url}")
+
+amd64_deps=$(find_latest_object_match_from_s3 "${AMD64_FILENAME_PATTERN}" "${dependency_bucket}")
+[[ -z "$amd64_deps" ]] && { echo "Error: x86_64 dependency not found"; exit 1; }
+
+amd64_deps_shasum_url="${DEPENDENCY_CLOUDFRONT_URL}/${amd64_deps}.sha512sum"
+amd64_deps_shasum=$(curl -L --fail "${amd64_deps_shasum_url}")
+
+# Update base os file with latest artifacts and digests
+OS_FILE="${PROJECT_ROOT}/deps/full-os.conf"
+truncate -s 0 "${OS_FILE}"
+{
+ echo "ARTIFACT_BASE_URL=${DEPENDENCY_CLOUDFRONT_URL}"
+ echo ""
+ echo "# From https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Cloud/aarch64/images/"
+ echo "AARCH64_ARTIFACT=${aarch64_deps}"
+ echo "AARCH64_512_DIGEST=${aarch64_deps_shasum}"
+ echo ""
+ echo "# From https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Cloud/x86_64/images/"
+ echo "X86_64_ARTIFACT=${amd64_deps}"
+ echo "X86_64_512_DIGEST=${amd64_deps_shasum}"
+} >> "${OS_FILE}"
From c4ff37acedd07e6eeb62be37415375f674afffc2 Mon Sep 17 00:00:00 2001
From: Austin Vazquez
Date: Mon, 15 Jul 2024 10:09:16 -0700
Subject: [PATCH 2/2] ci: pull and verify artifact shasum on update
Signed-off-by: Austin Vazquez
---
 bin/update-deps.sh | 4 ++++
 bin/update-os-image.sh | 8 ++++++--
 bin/update-rootfs.sh | 2 ++
 bin/utility.sh | 17 +++++++++++++++++
 4 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/bin/update-deps.sh b/bin/update-deps.sh
index 3ce76e8..582d840 100755
--- a/bin/update-deps.sh
+++ b/bin/update-deps.sh
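Review bot: `[[ -z "$dependency_bucket" ]]` never prints its "dependency bucket not set" message when `-d` is omitted, because `set -euxo pipefail` earlier in this new file makes the never-assigned variable abort the script with bash's generic unbound-variable error first. Initialising it before the option loop, `dependency_bucket=""`, or testing `"${dependency_bucket:-}"` restores the intended diagnostic. The digest returned by `curl` is written into `deps/full-os.conf` without any sanity check, so an empty response or a `.sha512sum` file in `digest  filename` form would be committed silently; a guard such as `[[ "$aarch64_deps_shasum" =~ ^[0-9a-f]{128}$ ]] || { echo "Error: unexpected aarch64 digest"; exit 1; }` (and the same for amd64) catches that before the PR is opened. `truncate -s 0 "${OS_FILE}"` followed by `>>` can be a single `>` redirection.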
@@ -37,12 +37,16 @@ aarch64_deps=$(find_latest_object_match_from_s3 "${AARCH64_FILENAME_PATTERN}" "$
 aarch64_deps_shasum_url="${DEPENDENCY_CLOUDFRONT_URL}/${aarch64_deps}.sha512sum"
 aarch64_deps_shasum=$(curl -L --fail "${aarch64_deps_shasum_url}")
+pull_artifact_and_verify_shasum "${DEPENDENCY_CLOUDFRONT_URL}/${aarch64_deps}" "${aarch64_deps_shasum}"
+
 amd64_deps=$(find_latest_object_match_from_s3 "${AMD64_FILENAME_PATTERN}" "${dependency_bucket}/${X86_64}")
 [[ -z "$amd64_deps" ]] && { echo "Error: x86_64 dependency not found"; exit 1; }
 amd64_deps_shasum_url="${DEPENDENCY_CLOUDFRONT_URL}/${amd64_deps}.sha512sum"
 amd64_deps_shasum=$(curl -L --fail "${amd64_deps_shasum_url}")
+pull_artifact_and_verify_shasum "${DEPENDENCY_CLOUDFRONT_URL}/${amd64_deps}" "${amd64_deps_shasum}"
+
 # Update bundles file with latest artifacts and digests.
 BUNDLES_FILE="${PROJECT_ROOT}/deps/lima-bundles.conf"
 truncate -s 0 "${BUNDLES_FILE}"
diff --git a/bin/update-os-image.sh b/bin/update-os-image.sh
index 949ed17..b135671 100755
--- a/bin/update-os-image.sh
+++ b/bin/update-os-image.sh
@@ -36,12 +36,16 @@ aarch64_deps=$(find_latest_object_match_from_s3 "${AARCH64_FILENAME_PATTERN}" "$
 aarch64_deps_shasum_url="${DEPENDENCY_CLOUDFRONT_URL}/${aarch64_deps}.sha512sum"
 aarch64_deps_shasum=$(curl -L --fail "${aarch64_deps_shasum_url}")
+pull_artifact_and_verify_shasum "${DEPENDENCY_CLOUDFRONT_URL}/${aarch64_deps}" "${aarch64_deps_shasum}"
+
 amd64_deps=$(find_latest_object_match_from_s3 "${AMD64_FILENAME_PATTERN}" "${dependency_bucket}")
 [[ -z "$amd64_deps" ]] && { echo "Error: x86_64 dependency not found"; exit 1; }
 amd64_deps_shasum_url="${DEPENDENCY_CLOUDFRONT_URL}/${amd64_deps}.sha512sum"
 amd64_deps_shasum=$(curl -L --fail "${amd64_deps_shasum_url}")
+pull_artifact_and_verify_shasum "${DEPENDENCY_CLOUDFRONT_URL}/${amd64_deps}" "${amd64_deps_shasum}"
+
 # Update base os file with latest artifacts and digests
 OS_FILE="${PROJECT_ROOT}/deps/full-os.conf"
 truncate -s 0 "${OS_FILE}"
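Review bot: The new `pull_artifact_and_verify_shasum` calls compare each artifact against a digest that was itself just fetched from the same `${DEPENDENCY_CLOUDFRONT_URL}` origin two lines earlier, so the check proves the artifact and its `.sha512sum` agree and the download was not corrupted, not that either came from a trusted publisher; the same applies to the two calls in the `bin/update-os-image.sh` hunk that follows and the one in `bin/update-rootfs.sh`. That limit is worth stating next to the first call so nobody reads the check as provenance verification: `# Digest and artifact come from the same CDN: this catches corruption or a mismatched upload, not a compromised origin.` Each call also downloads the full artifact into the current working directory, and nothing in the visible lines reads the file afterwards, so a leftover bundle or qcow2 may sit beside the conf files when the workflow's create-PR step runs; the cleanup belongs in the helper in `bin/utility.sh`, but the call sites could at least `cd` into a `mktemp -d` directory first. The enclosing script continues outside this hunk.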
@@ -49,10 +53,10 @@ truncate -s 0 "${OS_FILE}"
 echo "ARTIFACT_BASE_URL=${DEPENDENCY_CLOUDFRONT_URL}"
 echo ""
 echo "# From https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Cloud/aarch64/images/"
- echo "AARCH64_ARTIFACT=${aarch64_deps}"
+ echo "AARCH64_ARTIFACT=$(basename "${aarch64_deps}")"
 echo "AARCH64_512_DIGEST=${aarch64_deps_shasum}"
 echo ""
 echo "# From https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Cloud/x86_64/images/"
- echo "X86_64_ARTIFACT=${amd64_deps}"
+ echo "X86_64_ARTIFACT=$(basename "${amd64_deps}")"
 echo "X86_64_512_DIGEST=${amd64_deps_shasum}"
 } >> "${OS_FILE}"
diff --git a/bin/update-rootfs.sh b/bin/update-rootfs.sh
index 959fa65..a833885 100755
--- a/bin/update-rootfs.sh
+++ b/bin/update-rootfs.sh
@@ -38,6 +38,8 @@ amd64_deps=$(find_latest_object_match_from_s3 "${AMD64_FILENAME_PATTERN}" "${dep
 amd64_deps_shasum_url="${DEPENDENCY_CLOUDFRONT_URL}/${amd64_deps}.sha512sum"
 amd64_deps_shasum=$(curl -L --fail "${amd64_deps_shasum_url}")
+pull_artifact_and_verify_shasum "${DEPENDENCY_CLOUDFRONT_URL}/${amd64_deps}" "${amd64_deps_shasum}"
+
 # Update rootfs file with latest artifacts and digests
 ROOTFS_FILE="${PROJECT_ROOT}/deps/rootfs.conf"
 truncate -s 0 "${ROOTFS_FILE}"
diff --git a/bin/utility.sh b/bin/utility.sh
index de2b0b4..deb277a 100644
--- a/bin/utility.sh
+++ b/bin/utility.sh
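Review bot: The `*_ARTIFACT` keys now record `basename` of the S3 key while the `.sha512sum` and artifact downloads earlier in this file (outside the hunk) use the full `${DEPENDENCY_CLOUDFRONT_URL}/${aarch64_deps}` key, so if the key ever carries a prefix, which the `basename` call suggests it can, a consumer joining `ARTIFACT_BASE_URL` and `AARCH64_ARTIFACT` would not reproduce the URL that was verified; a comment stating how the two values are meant to be joined, e.g. `# Consumers fetch ${ARTIFACT_BASE_URL}/<artifact>; the key is stored without its S3 prefix.`, would make the contract explicit. The `# From https://dl.fedoraproject.org/.../releases/40/...` comments written into the conf still hard-code Fedora 40 even though the filename patterns match any `Fedora-Cloud-Base-*` image, so they will silently go stale once a newer release lands in the bucket; either derive the release from the artifact name or drop the version from the comment. The brace group this hunk edits opens outside the hunk.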
@@ -22,3 +22,20 @@ find_latest_object_match_from_s3() {
 echo "$object"
 }
+
+# pull_artifact_and_verify_shasum is a function for pulling a Finch core
+# artifact and verifying its shasum.
+#
+# @param artifact_url - URL to artifact
+# @param expected_shasum - the expected SHA512SUM for the artifact
+pull_artifact_and_verify_shasum() {
+ local artifact_url="$1"
+ local expected_shasum="$2"
+
+ local artifact
+ artifact=$(basename "$artifact_url")
+
+ curl -L --fail "${artifact_url}" > "${artifact}"
+ shasum --algorithm 512 "${artifact}" | cut -d ' ' -f 1 | grep -xq "^${expected_shasum}$" || \
+ (echo "error: shasum verification failed for \"${artifact}\" dependency" && rm -f "${artifact}" && exit 1)
+}
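Review bot: `pull_artifact_and_verify_shasum` leaves the downloaded file in the caller's working directory on success and on a `curl` failure (the `> "${artifact}"` redirection creates the file before `--fail` reports the error), and only removes it on a digest mismatch; nothing in this patch reads the file after the check, so it can be deleted on every path. The `exit 1` runs inside the `( ... )` subshell, so the function merely returns non-zero and relies on the caller's `set -e`, which is explicit in `bin/update-os-image.sh` but not visible for the other callers; a plain `return 1` makes that contract clear. Interpolating `expected_shasum` into a `grep` regex is also more than is needed, since `-x` already makes the anchors redundant; a direct string comparison avoids any regex interpretation of the value and sends the diagnostic to stderr. The rewrite below keeps the signature and the error text.
```shell
pull_artifact_and_verify_shasum() {
  local artifact_url="$1"
  local expected_shasum="$2"

  local artifact actual_shasum
  artifact=$(basename "$artifact_url")

  # The file is downloaded only to be hashed, so it is removed on every path.
  curl -L --fail "${artifact_url}" > "${artifact}" || { rm -f "${artifact}"; return 1; }
  actual_shasum=$(shasum --algorithm 512 "${artifact}" | cut -d ' ' -f 1)
  rm -f "${artifact}"

  if [[ "${actual_shasum}" != "${expected_shasum}" ]]; then
    echo "error: shasum verification failed for \"${artifact}\" dependency" >&2
    return 1
  fi
}
```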