Merge pull request #506 from diofeher/fix-install-unstable-tofu

kvendingoldo · web-flow · commit 8edcf6b6376f · 2025-11-19T15:11:05.000+04:00
fix: cosign check for unstable tofu versions
diff --git a/versionmanager/retriever/tofu/tofuretriever.go b/versionmanager/retriever/tofu/tofuretriever.go
@@ -21,6 +21,7 @@ package tofuretriever
 import (
 	"context"
 	"errors"
+	"fmt"
 	"net/url"
 	"runtime"
 	"strings"
@@ -52,9 +53,9 @@ const (
 
 	defaultTofuURLTemplate = "https://github.com/opentofu/opentofu/releases/download/v{{ .Version }}/{{ .Artifact }}"
 
-	baseIdentity     = "https://github.com/opentofu/opentofu/.github/workflows/release.yml@refs/heads/v"
-	issuer           = "https://token.actions.githubusercontent.com"
-	unstableIdentity = "https://github.com/opentofu/opentofu/.github/workflows/release.yml@refs/heads/main"
+	baseIdentity = "https://github.com/opentofu/opentofu/.github/workflows/release.yml@refs/heads/v"
+	issuer       = "https://token.actions.githubusercontent.com"
+	mainIdentity = "https://github.com/opentofu/opentofu/.github/workflows/release.yml@refs/heads/main"
 
 	baseFileName = "tofu_"
 )
@@ -211,7 +212,7 @@ func (r TofuRetriever) checkSumAndSig(ctx context.Context, version *version.Vers
 		return err
 	}
 
-	identity := buildIdentity(version, stable)
+	identity := buildIdentity(version)
 	err = cosigncheck.Check(ctx, dataSums, dataSumsSig, dataSumsCert, identity, issuer, r.conf.Displayer)
 	if err == nil || !errors.Is(err, cosigncheck.ErrNotInstalled) {
 		return err
@@ -257,15 +258,19 @@ func buildAssetNames(version string, arch string, stable bool) []string {
 	return []string{nameBuilder.String(), sumsAssetName, sumsAssetName + ".pem", sumsAssetName + ".sig"}
 }
 
-func buildIdentity(v *version.Version, stable bool) string {
-	if !stable {
-		return unstableIdentity
+func buildIdentity(v *version.Version) string {
+	segments := v.Segments()
+	if len(segments) < 3 {
+		return baseIdentity + v.String()
+	}
+
+	// According to https://opentofu.org/docs/intro/install/standalone/,
+	// alpha and beta versions have a specific identity.
+	if strings.Contains(v.Prerelease(), "alpha") || strings.Contains(v.Prerelease(), "beta") {
+		return mainIdentity
 	}
 
-	cleanedVersion := v.String()
-	indexDot := strings.LastIndexByte(cleanedVersion, '.')
-	// cleaned, so indexDot can not be -1
-	shortVersion := cleanedVersion[:indexDot]
+	shortVersion := fmt.Sprintf("%d.%d", segments[0], segments[1])
 
 	return baseIdentity + shortVersion
 }
diff --git a/versionmanager/retriever/tofu/tofuretriever_test.go b/versionmanager/retriever/tofu/tofuretriever_test.go
@@ -0,0 +1,63 @@
+/*
+ *
+ * Copyright 2024 tofuutils authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package tofuretriever
+
+import (
+	"testing"
+
+	"github.com/hashicorp/go-version"
+)
+
+func TestBuildIdentity(t *testing.T) {
+	tests := map[string]struct {
+		name     string
+		version  *version.Version
+		expected string
+	}{
+		"stable version": {
+			name:     "1.11.0",
+			version:  version.Must(version.NewVersion("1.11.0")),
+			expected: "https://github.com/opentofu/opentofu/.github/workflows/release.yml@refs/heads/v1.11",
+		},
+		"unstable alpha version": {
+			name:     "1.7.0-alpha1",
+			version:  version.Must(version.NewVersion("1.7.0-alpha1")),
+			expected: "https://github.com/opentofu/opentofu/.github/workflows/release.yml@refs/heads/main",
+		},
+		"unstable beta version": {
+			name:     "1.7.0-beta1",
+			version:  version.Must(version.NewVersion("1.7.0-beta1")),
+			expected: "https://github.com/opentofu/opentofu/.github/workflows/release.yml@refs/heads/main",
+		},
+		"unstable rc version": {
+			name:     "1.7.0-rc1",
+			version:  version.Must(version.NewVersion("1.7.0-rc1")),
+			expected: "https://github.com/opentofu/opentofu/.github/workflows/release.yml@refs/heads/v1.7",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			actual := buildIdentity(test.version)
+			if actual != test.expected {
+				t.Errorf("expected %s, got %s", test.expected, actual)
+			}
+		})
+	}
+}
