From cb569ff14d02bd07ef30fff57a2aac5772f6b500 Mon Sep 17 00:00:00 2001 From: Owen Date: Wed, 28 Jan 2026 15:03:31 -0800 Subject: [PATCH] Properly insert PANGOLIN_SETUP_TOKEN into db Fixes #2361 --- .github/workflows/cicd.yml | 49 ++++++++++++++++++++++++++++++-- server/setup/ensureSetupToken.ts | 20 +++++++------ 2 files changed, 59 insertions(+), 10 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 715b74c7..0e4d9bc6 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml 
@@ -504,10 +504,55 @@ jobs: } echo "==> cosign verify (public key) ${REF}" - retry_verify "cosign verify --key env://COSIGN_PUBLIC_KEY '${REF}' -o text" + if retry_verify "cosign verify --key env://COSIGN_PUBLIC_KEY '${REF}' -o text"; then + VERIFIED_INDEX=true + else + VERIFIED_INDEX=false + fi echo "==> cosign verify (keyless policy) ${REF}" - retry_verify "cosign verify --certificate-oidc-issuer '${issuer}' --certificate-identity-regexp '${id_regex}' '${REF}' -o text" + if retry_verify "cosign verify --certificate-oidc-issuer '${issuer}' --certificate-identity-regexp '${id_regex}' '${REF}' -o text"; then + VERIFIED_INDEX_KEYLESS=true + else + VERIFIED_INDEX_KEYLESS=false + fi + + # If index verification fails, attempt to verify child platform manifests + if [ "${VERIFIED_INDEX}" != "true" ] || [ "${VERIFIED_INDEX_KEYLESS}" != "true" ]; then + echo "Index verification not available; attempting child manifest verification for ${BASE_IMAGE}:${IMAGE_TAG}" + CHILD_VERIFIED=false + + for ARCH in arm64 amd64; do + CHILD_TAG="${IMAGE_TAG}-${ARCH}" + echo "Resolving child digest for ${BASE_IMAGE}:${CHILD_TAG}" + CHILD_DIGEST="$(skopeo inspect --retry-times 3 docker://${BASE_IMAGE}:${CHILD_TAG} | jq -r '.Digest' || true)" + if [ -n "${CHILD_DIGEST}" ] && [ "${CHILD_DIGEST}" != "null" ]; then + CHILD_REF="${BASE_IMAGE}@${CHILD_DIGEST}" + echo "==> cosign verify (public key) child ${CHILD_REF}" + if retry_verify "cosign verify --key env://COSIGN_PUBLIC_KEY '${CHILD_REF}' -o text"; then + CHILD_VERIFIED=true + echo "Public key verification succeeded for child ${CHILD_REF}" + else + echo "Public key verification failed for child ${CHILD_REF}" + fi + + echo "==> cosign verify (keyless policy) child ${CHILD_REF}" + if retry_verify "cosign verify --certificate-oidc-issuer '${issuer}' --certificate-identity-regexp '${id_regex}' '${CHILD_REF}' -o text"; then + CHILD_VERIFIED=true + echo "Keyless verification succeeded for child ${CHILD_REF}" + else + echo "Keyless verification 
failed for child ${CHILD_REF}" + fi + else + echo "No child digest found for ${BASE_IMAGE}:${CHILD_TAG}; skipping" + fi + done + + if [ "${CHILD_VERIFIED}" != "true" ]; then + echo "Failed to verify index and no child manifests verified for ${BASE_IMAGE}:${IMAGE_TAG}" + exit 10 + fi + fi echo "✓ Successfully signed and verified ${BASE_IMAGE}:${IMAGE_TAG}" done diff --git a/server/setup/ensureSetupToken.ts b/server/setup/ensureSetupToken.ts index 5ea9542a..ff6387f0 100644 --- a/server/setup/ensureSetupToken.ts +++ b/server/setup/ensureSetupToken.ts @@ -64,16 +64,20 @@ export async function ensureSetupToken() { ); } - if (existingToken?.token !== envSetupToken) { - console.warn( - "Overwriting existing token in DB since PANGOLIN_SETUP_TOKEN is set" - ); + if (existingToken) { + // Token exists in DB - update it if different + if (existingToken.token !== envSetupToken) { + console.warn( + "Overwriting existing token in DB since PANGOLIN_SETUP_TOKEN is set" + ); - await db - .update(setupTokens) - .set({ token: envSetupToken }) - .where(eq(setupTokens.tokenId, existingToken.tokenId)); + await db + .update(setupTokens) + .set({ token: envSetupToken }) + .where(eq(setupTokens.tokenId, existingToken.tokenId)); + } } else { + // No existing token - insert new one const tokenId = generateId(15); await db.insert(setupTokens).values({
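Review bot: The fallback accepts the image as verified when any single child manifest passes either check, whereas the index path above treats failure of either check as unverified; `CHILD_VERIFIED=true` is set independently in both child `if retry_verify` branches and is never reset per architecture, so an index with one unsigned platform manifest, or one whose keyless identity does not match the policy, still reaches the `✓ Successfully signed and verified ${BASE_IMAGE}:${IMAGE_TAG}` message. The children are also located through the mutable `${IMAGE_TAG}-${ARCH}` tags rather than through the digests the index references, so a verified child tag does not by itself show that the index at `${IMAGE_TAG}` points at verified manifests; this may be acceptable if the index is assembled from those same tags earlier in the job, which this hunk does not show. I would track the outcome per architecture, require both checks for each child and every listed architecture before reporting success, and have the final message state that only child manifests were verified. The enclosing `run:` step, including `retry_verify` and any `set -e`, begins before this hunk.
```yaml
              # … unchanged: index verification setting VERIFIED_INDEX / VERIFIED_INDEX_KEYLESS …
              if [ "${VERIFIED_INDEX}" != "true" ] || [ "${VERIFIED_INDEX_KEYLESS}" != "true" ]; then
                echo "Index verification not available; attempting child manifest verification for ${BASE_IMAGE}:${IMAGE_TAG}"
                CHILDREN_EXPECTED=0
                CHILDREN_VERIFIED=0
                for ARCH in arm64 amd64; do
                  CHILDREN_EXPECTED=$((CHILDREN_EXPECTED + 1))
                  CHILD_OK=false
                  # … unchanged: CHILD_TAG and CHILD_DIGEST resolution …
                  if [ -n "${CHILD_DIGEST}" ] && [ "${CHILD_DIGEST}" != "null" ]; then
                    CHILD_REF="${BASE_IMAGE}@${CHILD_DIGEST}"
                    CHILD_OK=true
                    if ! retry_verify "cosign verify --key env://COSIGN_PUBLIC_KEY '${CHILD_REF}' -o text"; then
                      echo "Public key verification failed for child ${CHILD_REF}"
                      CHILD_OK=false
                    fi
                    if ! retry_verify "cosign verify --certificate-oidc-issuer '${issuer}' --certificate-identity-regexp '${id_regex}' '${CHILD_REF}' -o text"; then
                      echo "Keyless verification failed for child ${CHILD_REF}"
                      CHILD_OK=false
                    fi
                  else
                    echo "No child digest found for ${BASE_IMAGE}:${CHILD_TAG}"
                  fi
                  if [ "${CHILD_OK}" = "true" ]; then
                    CHILDREN_VERIFIED=$((CHILDREN_VERIFIED + 1))
                  fi
                done

                if [ "${CHILDREN_VERIFIED}" -ne "${CHILDREN_EXPECTED}" ]; then
                  echo "Index not verified and only ${CHILDREN_VERIFIED}/${CHILDREN_EXPECTED} child manifests verified for ${BASE_IMAGE}:${IMAGE_TAG}"
                  exit 10
                fi
                echo "Index not verified; all ${CHILDREN_EXPECTED} child manifests verified for ${BASE_IMAGE}:${IMAGE_TAG}"
              fi
```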