8 changes: 4 additions & 4 deletions test/start-additional-kas/action.yaml
Expand Up @@ -150,10 +150,10 @@ runs:
| (.mode = ["kas"])
| (.services.kas.preview.ec_tdf_enabled = (env(EC_TDF_ENABLED) == "true"))
| (.services.kas.preview.hybrid_tdf_enabled = (env(PQC_ENABLED) == "true"))
| (if env(PQC_ENABLED) == "true" then
(.services.kas.keyring += [{"kid":"x1","alg":"hpqt:xwing"},{"kid":"h1","alg":"hpqt:secp256r1-mlkem768"},{"kid":"h2","alg":"hpqt:secp384r1-mlkem1024"}])
| (.server.cryptoProvider.standard.keys += [{"kid":"x1","alg":"hpqt:xwing","private":"kas-xwing-private.pem","cert":"kas-xwing-public.pem"},{"kid":"h1","alg":"hpqt:secp256r1-mlkem768","private":"kas-p256mlkem768-private.pem","cert":"kas-p256mlkem768-public.pem"},{"kid":"h2","alg":"hpqt:secp384r1-mlkem1024","private":"kas-p384mlkem1024-private.pem","cert":"kas-p384mlkem1024-public.pem"}])
else . end)
| with(select(env(PQC_ENABLED) == "true");
.services.kas.keyring += [{"kid":"x1","alg":"hpqt:xwing"},{"kid":"h1","alg":"hpqt:secp256r1-mlkem768"},{"kid":"h2","alg":"hpqt:secp384r1-mlkem1024"}]
| .server.cryptoProvider.standard.keys += [{"kid":"x1","alg":"hpqt:xwing","private":"kas-xwing-private.pem","cert":"kas-xwing-public.pem"},{"kid":"h1","alg":"hpqt:secp256r1-mlkem768","private":"kas-p256mlkem768-private.pem","cert":"kas-p256mlkem768-public.pem"},{"kid":"h2","alg":"hpqt:secp384r1-mlkem1024","private":"kas-p384mlkem1024-private.pem","cert":"kas-p384mlkem1024-public.pem"}]
)
| (.services.kas.preview.key_management = (env(KEY_MANAGEMENT) == "true"))
| (.services.kas.registered_kas_uri = "http://localhost:" + env(KAS_PORT))
| del(.services.kas.root_key)
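Review bot: the three `kid`/`alg` pairs (x1, h1, h2) are written out twice inside the `with(select(...); ...)` block, once for `.services.kas.keyring` and once for `.server.cryptoProvider.standard.keys`, each on a single very long line, so the two lists can drift apart without the diff making it visible. Put one entry per line or derive the keyring from the keys list, and add a short comment saying that `with(select(env(PQC_ENABLED) == "true"); ...)` is the conditional that replaces the earlier `if ... else . end`. Both updates use `+=`, so confirm the base config never already carries these kids; otherwise the entries are appended a second time.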
6 changes: 3 additions & 3 deletions test/start-up-with-containers/action.yaml
Expand Up @@ -126,9 +126,9 @@ runs:
- name: Download latest init-temp-keys.sh, docker-compose.yaml, and watch.sh
shell: bash
run: |
curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/watch-sh-fix/.github/scripts/init-temp-keys.sh > otdf-test-platform/.github/scripts/init-temp-keys.sh
curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/watch-sh-fix/docker-compose.yaml > otdf-test-platform/docker-compose.yaml
curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/watch-sh-fix/.github/scripts/watch.sh > otdf-test-platform/.github/scripts/watch.sh
curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/init-temp-keys.sh > otdf-test-platform/.github/scripts/init-temp-keys.sh
curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/docker-compose.yaml > otdf-test-platform/docker-compose.yaml
curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/watch.sh > otdf-test-platform/.github/scripts/watch.sh
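Review bot: the `>` redirects on the three curl lines open and truncate each file under otdf-test-platform/ before curl has received anything, so a failed or interrupted transfer leaves an empty or partial init-temp-keys.sh, docker-compose.yaml or watch.sh in place. Write to a temporary file with `curl -o` and move it into place only after the transfer succeeds. The step name also still reads "Download latest" although the URLs now name the fixed `pqc-enabled` tag; rename the step or add a comment saying why that tag is used.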
Comment on lines +129 to +131

medium

The curl commands do not use the -f / --fail flag. By default, curl does not return a non-zero exit code when encountering HTTP errors (such as 404 Not Found or 500 Internal Server Error). Instead, it will write the error response body to the destination files, which will cause confusing failures in subsequent steps when the runner attempts to execute the invalid shell scripts or parse the invalid YAML.

Using -sSfL ensures that curl fails the step immediately on HTTP errors, runs silently unless there is an error, and correctly follows any redirects.

        curl -sSfL https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/init-temp-keys.sh > otdf-test-platform/.github/scripts/init-temp-keys.sh
        curl -sSfL https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/docker-compose.yaml > otdf-test-platform/docker-compose.yaml
        curl -sSfL https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/watch.sh > otdf-test-platform/.github/scripts/watch.sh

Comment on lines +129 to +131

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Security: Downloaded scripts lack integrity verification.

The three scripts are fetched via curl from a remote GitHub URL without any checksum, signature, or hash verification. This creates a supply chain security risk:

  1. If the pqc-enabled tag is mutable (can be moved to point to different commits), an attacker who compromises the repository could inject malicious code.
  2. Even with an immutable tag, a compromised GitHub account or man-in-the-middle attack could serve malicious scripts.
  3. The scripts are executed with shell privileges (lines 183, 295) and can modify the test environment.

The PR description states the tag "points to main HEAD," which is ambiguous—if the tag is intended to track main, this introduces non-deterministic builds and increases the attack surface.

🛡️ Recommended fix to add integrity verification

Option 1: Use commit SHAs instead of tags for immutability

-        curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/init-temp-keys.sh > otdf-test-platform/.github/scripts/init-temp-keys.sh
-        curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/docker-compose.yaml > otdf-test-platform/docker-compose.yaml
-        curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/watch.sh > otdf-test-platform/.github/scripts/watch.sh
+        # Replace COMMIT_SHA with the actual commit SHA of the pqc-enabled tag
+        COMMIT_SHA="<commit-sha-of-pqc-enabled-tag>"
+        curl https://raw.githubusercontent.com/opentdf/platform/${COMMIT_SHA}/.github/scripts/init-temp-keys.sh > otdf-test-platform/.github/scripts/init-temp-keys.sh
+        curl https://raw.githubusercontent.com/opentdf/platform/${COMMIT_SHA}/docker-compose.yaml > otdf-test-platform/docker-compose.yaml
+        curl https://raw.githubusercontent.com/opentdf/platform/${COMMIT_SHA}/.github/scripts/watch.sh > otdf-test-platform/.github/scripts/watch.sh

Option 2: Add checksum verification after download

         curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/init-temp-keys.sh > otdf-test-platform/.github/scripts/init-temp-keys.sh
+        echo "<expected-sha256-checksum>  otdf-test-platform/.github/scripts/init-temp-keys.sh" | sha256sum --check
         curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/docker-compose.yaml > otdf-test-platform/docker-compose.yaml
+        echo "<expected-sha256-checksum>  otdf-test-platform/docker-compose.yaml" | sha256sum --check
         curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/watch.sh > otdf-test-platform/.github/scripts/watch.sh
+        echo "<expected-sha256-checksum>  otdf-test-platform/.github/scripts/watch.sh" | sha256sum --check
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/start-up-with-containers/action.yaml` around lines 129 - 131, The three
curl downloads (the URLs that write to
otdf-test-platform/.github/scripts/init-temp-keys.sh,
otdf-test-platform/docker-compose.yaml, and
otdf-test-platform/.github/scripts/watch.sh) must include integrity checks:
either pin the URLs to an immutable commit SHA instead of the "pqc-enabled" tag,
or (if tag use is required) fetch a trusted checksum/signature for each file and
verify it before saving/executing; implement a post-download verification step
that computes sha256 (or verifies a GPG signature) and fails the workflow if the
checksum/signature does not match, and ensure the verified files are only
executed later at the existing execution points (the script invocations around
lines where these files are run) after successful verification.

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Version mismatch risk between downloaded scripts and platform code.

The scripts are downloaded from the fixed pqc-enabled tag, while the platform repository is checked out at inputs.platform-ref (line 124, default: main). This creates a version skew where the scripts and platform code may be from different commits, potentially causing compatibility issues.

When inputs.platform-ref points to a commit that has diverged from the pqc-enabled tag, there is a risk that:

  • init-temp-keys.sh may not match the key generation logic expected by the checked-out platform version
  • docker-compose.yaml may reference images, volumes, or services incompatible with the platform version
  • watch.sh may use flags or behaviors not supported by the built binary

Consider using the same ref for both the platform checkout and the script downloads to ensure version consistency.

🔧 Proposed fix to align script downloads with platform checkout
-        curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/init-temp-keys.sh > otdf-test-platform/.github/scripts/init-temp-keys.sh
-        curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/docker-compose.yaml > otdf-test-platform/docker-compose.yaml
-        curl https://raw.githubusercontent.com/opentdf/platform/refs/tags/pqc-enabled/.github/scripts/watch.sh > otdf-test-platform/.github/scripts/watch.sh
+        PLATFORM_REF="${{ inputs.platform-ref }}"
+        curl https://raw.githubusercontent.com/opentdf/platform/${PLATFORM_REF}/.github/scripts/init-temp-keys.sh > otdf-test-platform/.github/scripts/init-temp-keys.sh
+        curl https://raw.githubusercontent.com/opentdf/platform/${PLATFORM_REF}/docker-compose.yaml > otdf-test-platform/docker-compose.yaml
+        curl https://raw.githubusercontent.com/opentdf/platform/${PLATFORM_REF}/.github/scripts/watch.sh > otdf-test-platform/.github/scripts/watch.sh
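Review bot: `PLATFORM_REF="${{ inputs.platform-ref }}"` is expanded into the text of the `run:` script before bash parses it, so a ref value containing quotes or `$(...)` becomes shell syntax rather than data. Pass the input through the step's `env:` block (for example `PLATFORM_REF: ${{ inputs.platform-ref }}`) and read `"$PLATFORM_REF"` in the script, and quote the expansion in the three curl URLs.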

This ensures the scripts are from the same ref as the platform code being tested.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/start-up-with-containers/action.yaml` around lines 129 - 131, The
scripts are being fetched from the hardcoded tag "pqc-enabled" which can
mismatch the checked-out platform ref (inputs.platform-ref); update the curl
download URLs in action.yaml so the three fetched files (init-temp-keys.sh,
docker-compose.yaml, watch.sh) use the same ref as the platform checkout
(inputs.platform-ref) instead of the fixed tag, ensuring downloads are
parameterized to reference inputs.platform-ref so scripts and platform code
remain in sync.
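
The checks requested in the two review comments above (fail on HTTP errors, pin to a commit, verify a checksum before the file is used), combined into one added example that is not part of this PR or of the opentdf repositories. The function names `verify_and_install`, `fetch_pinned` and `download_platform_files` are hypothetical, and the commit SHA and checksums are the same placeholders the review comment uses.

```bash
#!/usr/bin/env bash
# Added example (not from the PR): download to a temp file, verify, then install.
set -eu

# verify_and_install TMP DEST EXPECTED_SHA256
# Moves TMP to DEST only when its SHA-256 matches; otherwise deletes TMP and
# leaves any existing DEST untouched.
verify_and_install() {
  local tmp dest expected actual
  tmp=$1; dest=$2; expected=$3
  actual=$(sha256sum "$tmp" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $dest: expected $expected, got $actual" >&2
    rm -f "$tmp"
    return 1
  fi
  mv "$tmp" "$dest"
}

# fetch_pinned BASE_URL REL_PATH DEST_ROOT EXPECTED_SHA256
fetch_pinned() {
  local base rel root expected dest tmp
  base=$1; rel=$2; root=$3; expected=$4
  dest="$root/$rel"
  mkdir -p "$(dirname "$dest")"
  # Temp file beside the destination so the final mv is a same-filesystem rename.
  tmp=$(mktemp "$dest.XXXXXX")
  # -f turns an HTTP error into a non-zero exit instead of a saved error page.
  if ! curl -sSfL -o "$tmp" "$base/$rel"; then
    rm -f "$tmp"
    return 1
  fi
  verify_and_install "$tmp" "$dest" "$expected"
}

# Hypothetical wiring for the three files in this step; the commit SHA and
# checksums are placeholders to be filled in from a reviewed commit.
download_platform_files() {
  local base
  base="https://raw.githubusercontent.com/opentdf/platform/<commit-sha-of-pqc-enabled-tag>"
  fetch_pinned "$base" .github/scripts/init-temp-keys.sh otdf-test-platform "<expected-sha256-checksum>"
  fetch_pinned "$base" docker-compose.yaml otdf-test-platform "<expected-sha256-checksum>"
  fetch_pinned "$base" .github/scripts/watch.sh otdf-test-platform "<expected-sha256-checksum>"
}
```

Because the script runs with `set -e`, a checksum mismatch or HTTP error in any `fetch_pinned` call stops the step before the downloaded scripts are executed.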

- name: Set up go (platform's go version)
id: setup-go
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0