Validate checksum (#2)

.editorconfig

@@ -0,0 +1,10 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+indent_style = space
+indent_size = 2
+
+[bin/**]
+indent_style = tab

.github/workflows/ci.yml

@@ -1,7 +1,9 @@
 name: CI
 
+permissions: {}
+
 on:
-  workflow_dispatch:
+  workflow_dispatch: {}
   pull_request:
     paths-ignore:
       - "**.md"
@@ -18,11 +20,11 @@ jobs:
       matrix:
         include:
           - container: alpine:latest
-            preinstall: apk add bash coreutils curl git
+            preinstall: apk add bash coreutils curl git jq
           - container: centos:latest
-            preinstall: dnf -y --disablerepo '*' --enablerepo=extras swap centos-linux-repos centos-stream-repos && dnf -y install git
+            preinstall: dnf -y --disablerepo '*' --enablerepo=extras swap centos-linux-repos centos-stream-repos && dnf -y install git jq
           - container: ubuntu:latest
-            preinstall: apt-get -y update && apt-get -y install curl git
+            preinstall: apt-get -y update && apt-get -y install curl git jq
 
     runs-on: ubuntu-latest
 
@@ -42,6 +44,9 @@ jobs:
     runs-on: macos-latest
 
     steps:
+      - name: Preinstall
+        run: brew install jq
+
       - name: Test plugin
         uses: asdf-vm/actions/plugin-test@v1
         with:

.github/workflows/trunk.yml

@@ -1,7 +1,9 @@
 name: Trunk
 
+permissions: {}
+
 on:
-  workflow_dispatch:
+  workflow_dispatch: {}
   pull_request:
     paths-ignore:
       - LICENSE
@@ -15,7 +17,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Trunk Check
         uses: trunk-io/trunk-action@v1

.gitignore

@@ -0,0 +1,2 @@
+?.*
+.vscode

.trunk/.gitignore

@@ -2,6 +2,7 @@
 *logs
 *actions
 *notifications
+*tools
 plugins
 user_trunk.yaml
 user.yaml

.trunk/trunk.yaml

@@ -1,23 +1,30 @@
 version: 0.1
 cli:
-  version: 1.0.1
+  version: 1.16.2
 plugins:
   sources:
     - id: trunk
-      ref: v0.0.5
+      ref: v1.2.5
       uri: https://github.com/trunk-io/plugins
 lint:
+  disabled:
+    - checkov
+    - trivy
+    - trufflehog
   enabled:
-    - markdownlint@0.32.2
-    - gitleaks@8.15.0
-    - shellcheck@0.8.0
+    - actionlint@1.6.26
     - git-diff-check
-    - shfmt@3.5.0
-    - prettier@2.7.1
+    - gitleaks@8.18.0
+    - markdownlint@0.37.0
+    - prettier@3.0.3
+    - shellcheck@0.9.0
+    - shfmt@3.6.0
+    - yamllint@1.32.0
 runtimes:
   enabled:
-    - go@1.18.3
-    - node@16.14.2
+    - go@1.21.0
+    - node@18.12.1
+    - python@3.10.8
 actions:
   enabled:
     - trunk-announce

.yamllint.yaml

@@ -0,0 +1,10 @@
+rules:
+  quoted-strings:
+    required: only-when-needed
+    extra-allowed: ["{|}"]
+  empty-values:
+    forbid-in-block-mappings: true
+    forbid-in-flow-mappings: true
+  key-duplicates: {}
+  octal-values:
+    forbid-implicit-octal: true

bin/install

@@ -1,38 +1,93 @@
 #!/usr/bin/env bash
 
 set -euo pipefail
+shopt -s inherit_errexit 2>/dev/null || true
 
 [[ -z ${ASDF_INSTALL_TYPE+x} ]] && echo "ASDF_INSTALL_TYPE is required" && exit 1
 [[ -z ${ASDF_INSTALL_VERSION+x} ]] && echo "ASDF_INSTALL_VERSION is required" && exit 1
 [[ -z ${ASDF_INSTALL_PATH+x} ]] && echo "ASDF_INSTALL_PATH is required" && exit 1
 
-install() {
+function gh_curl() {
+	if [[ -n ${GITHUB_TOKEN-} ]]; then
+		curl -fLsS -H "Authorization: token ${GITHUB_TOKEN}" "$@"
+	elif [[ -n ${GITHUB_API_TOKEN-} ]]; then
+		curl -fLsS -H "Authorization: token ${GITHUB_API_TOKEN}" "$@"
+	else
+		curl -fLsS "$@"
+	fi
+}
+
+function install() {
+	# set -x
 	local install_type=$1
-	[[ ${install_type} != "version" ]] && echo "intall type, ${install_type}, is not supported" && exit 1
+	[[ ${install_type} != "version" ]] && echo "install type, ${install_type}, is not supported" && exit 1
 
+	local prefix="v"
 	local version=$2
 	local install_path=$3
 
+	local tmp_download_dir
+
+	tmp_download_dir=$(mktemp -d -t asdf.XXXXXXXX)
+
 	local bin_install_path="${install_path}/bin"
 
 	local platform
-	platform=$(uname)
+	platform=$(uname -s)
 
 	local arch
+	arch=$(uname -m)
 	case "$(uname -m)" in
 	i386 | i686 | x86) arch="i386" ;;
 	aarch64) arch="arm64" ;;
-	*) arch="$(uname -m)" ;;
 	esac
 
 	local download_url
-	download_url="https://github.com/google/go-containerregistry/releases/download/v${version}/go-containerregistry_${platform}_${arch}.tar.gz"
+	local checksum_url
+
+	local repo="google/go-containerregistry"
+	local download_filename="go-containerregistry_${platform}_${arch}.tar.gz"
+	local checksum_filename="checksums.txt"
+
+	if [[ -n ${GITHUB_TOKEN-} ]] || [[ -n ${GITHUB_API_TOKEN-} ]]; then
+		local asset_url
+		asset_url="https://api.github.com/repos/${repo}/releases/tags/${prefix}${version}"
+		download_url=$(gh_curl -H "Accept: application/vnd.github.v3.raw" "${asset_url}" | jq -r ".assets | map(select(.name == \"${download_filename}\"))[0].url")
+		if [[ ${download_url} == null ]]; then
+			echo "Asset ${download_filename} not found in a release ${prefix}${version}."
+			exit 1
+		fi
+		checksum_url=$(gh_curl -H "Accept: application/vnd.github.v3.raw" "${asset_url}" | jq -r ".assets | map(select(.name == \"${checksum_filename}\"))[0].url")
+		if [[ ${checksum_url} == null ]]; then
+			echo "Asset ${checksum_filename} not found in a release ${prefix}${version}."
+			exit 1
+		fi
+	else
+		download_url="https://github.com/${repo}/releases/download/${prefix}${version}/${download_filename}"
+		checksum_url="https://github.com/${repo}/releases/download/${prefix}${version}/${checksum_filename}"
+	fi
+
+	set -x
+	echo "Downloading ${download_filename} from release ${prefix}${version} from ${download_url}"
+
+	mkdir -p "${tmp_download_dir}"
+
+	pushd "${tmp_download_dir}" >/dev/null
+
+	gh_curl -H "Accept: application/octet-stream" -o "${download_filename}" "${download_url}"
+
+	if command -v shasum >/dev/null; then
+		gh_curl -H "Accept: application/octet-stream" "${checksum_url}" | awk "\$2 == \"${download_filename}\" {print}" | shasum -a 256 -c
+	elif command -v sha256sum >/dev/null; then
+		gh_curl -H "Accept: application/octet-stream" "${checksum_url}" | awk "\$2 == \"${download_filename}\" {print}" | sha256sum -c
+	fi
 
 	mkdir -p "${bin_install_path}"
 
-	echo "Downloading go-containerregistry from ${download_url}"
-	cd "${bin_install_path}"
-	curl -sL "${download_url}" | tar zx
+	tar zxf "${download_filename}"
+	find "${tmp_download_dir}" -type f -perm -a=x -print0 | xargs -0 -I {} cp -fp {} "${bin_install_path}"
+
+	popd >/dev/null
 }
 
 install "${ASDF_INSTALL_TYPE}" "${ASDF_INSTALL_VERSION}" "${ASDF_INSTALL_PATH}"

bin/list-all

@@ -1,16 +1,28 @@
 #!/usr/bin/env bash
 
-releases_path=https://api.github.com/repos/google/go-containerregistry/releases
-cmd="curl -s"
-if [[ -n ${GITHUB_API_TOKEN} ]]; then
-	cmd="${cmd} -H 'Authorization: token ${GITHUB_API_TOKEN}'"
-fi
+set -euo pipefail
+shopt -s inherit_errexit 2>/dev/null || true
 
-cmd="${cmd} ${releases_path}"
+function gh_curl() {
+	if [[ -n ${GITHUB_TOKEN-} ]]; then
+		curl -s -H "Authorization: token ${GITHUB_TOKEN}" "$@"
+	elif [[ -n ${GITHUB_API_TOKEN-} ]]; then
+		curl -s -H "Authorization: token ${GITHUB_API_TOKEN}" "$@"
+	else
+		curl -s "$@"
+	fi
+}
+
+function filter_versions() {
+	grep -E '^[0-9]'
+}
 
 function sort_versions() {
 	sed 'h; s/[+-]/./g; s/.p\([[:digit:]]\)/.z\1/; s/$/.z/; G; s/\n/ /' |
 		LC_ALL=C sort -t. -k 1,1 -k 2,2n -k 3,3n -k 4,4n -k 5,5n | awk '{print $2}'
 }
 
-echo $(eval "${cmd}" | grep -oE 'tag_name": ".{1,15}",' | sed 's/tag_name\": \"v//;s/\",//' | sort_versions)
+repo="google/go-containerregistry"
+releases_path=https://api.github.com/repos/${repo}/releases
+
+gh_curl "${releases_path}" | grep -oE 'tag_name": "v.{1,15}",' | sed 's/tag_name\": \"v//;s/\",//' | filter_versions | sort_versions | xargs echo