#!/usr/bin/env bash
# Copyright (c) Microsoft Corporation.
# SPDX-License-Identifier: MIT
#
# on-create.sh
# Install system dependencies for HVE Core development container
#
# Requires on the host: sudo, apt, curl, tar, sha256sum and pwsh (uv itself
# is installed by this script). Presumably run from the repository root by
# the devcontainer onCreate hook — confirm in devcontainer.json.
#
# Optional environment overrides for enterprise artifact hubs (see main()):
#   HVE_GITHUB_RELEASES_URL    base URL used for GitHub release downloads
#                              (default https://github.com)
#   HVE_PSGALLERY_REPOSITORY   PSRepository name modules are installed from
#                              (default PSGallery)
#   HVE_PSGALLERY_SOURCE_URL   when set, a repository named as above is
#                              registered with this source location first
#
# Binary releases are pinned by version AND SHA256; a digest mismatch aborts
# the script. PowerShell modules are pinned by version only.

set -euo pipefail

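#######################################
# Remove the scratch directory main() downloads into. Armed as the EXIT
# trap so it also runs after a digest mismatch or any set -e failure.
# Globals:   WORKDIR (read)
#######################################
cleanup() {
  # WORKDIR is only assigned after mktemp succeeds; guard so the trap
  # itself cannot trip set -u.
  if [[ -n "${WORKDIR:-}" ]]; then
    rm -rf -- "${WORKDIR}"
  fi
}

#######################################
# Download a release artifact and verify its SHA256 before it is installed.
# Arguments: $1 - URL to download
#            $2 - expected SHA256 hex digest
#            $3 - destination path (inside the scratch directory)
# Returns:   0 on success; exits 1 if curl fails (via set -e) or the
#            digest does not match, removing the downloaded file first
#######################################
fetch_verified() {
  local url=$1
  local expected=$2
  local dest=$3

  # -f turns HTTP errors into a non-zero exit; -L follows the redirects
  # GitHub issues for release assets. The override base URL is not forced
  # to https here; integrity rests on the digest check below, not transport.
  curl -sSfL "${url}" -o "${dest}"

  echo "Checking ${dest##*/} integrity..."
  # "DIGEST  FILE" (two spaces) is the canonical line format sha256sum -c reads.
  if ! printf '%s  %s\n' "${expected}" "${dest}" | sha256sum -c --quiet -; then
    echo "ERROR: SHA256 checksum verification failed for ${dest##*/} (${url})" >&2
    rm -f -- "${dest}"
    exit 1
  fi
}

#######################################
# Install distro packages needed by the container.
#######################################
install_apt_packages() {
  # apt-get has the stable, script-oriented CLI; plain apt warns when
  # used non-interactively.
  sudo apt-get update
  sudo apt-get install -y shellcheck
}

#######################################
# Install actionlint into /usr/local/bin from a pinned, digest-checked release.
# Arguments: $1 - release base URL, $2 - `uname -m`, $3 - scratch directory
# Globals:   ACTIONLINT_VERSION, ACTIONLINT_SHA256 (written; kept as bare
#            uppercase assignments because the repo's Dependabot/security
#            workflows are said to manage these pins)
#######################################
install_actionlint() {
  local base_url=$1
  local arch=$2
  local workdir=$3
  local tool_arch

  echo "Installing actionlint..."
  # Dependencies are pinned for stability. Dependabot and security workflows manage updates.
  ACTIONLINT_VERSION="1.7.10"
  case "${arch}" in
    x86_64)
      tool_arch="amd64"
      ACTIONLINT_SHA256="f4c76b71db5755a713e6055cbb0857ed07e103e028bda117817660ebadb4386f"
      ;;
    aarch64)
      tool_arch="arm64"
      ACTIONLINT_SHA256="cd3dfe5f66887ec6b987752d8d9614e59fd22f39415c5ad9f28374623f41773a"
      ;;
    *)
      echo "ERROR: Unsupported architecture for actionlint: ${arch}" >&2
      exit 1
      ;;
  esac

  fetch_verified \
    "${base_url}/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_linux_${tool_arch}.tar.gz" \
    "${ACTIONLINT_SHA256}" "${workdir}/actionlint.tar.gz"
  # Extract only the named member so nothing else in the tarball lands in PATH.
  sudo tar -xzf "${workdir}/actionlint.tar.gz" -C /usr/local/bin actionlint
}

#######################################
# Install the pinned PowerShell modules for the current user.
# Arguments: $1 - PSRepository name
#            $2 - source URL to register for that name, or "" to skip
#######################################
install_powershell_modules() {
  local repo=$1
  local source=$2
  local spec name version

  echo "Installing PowerShell modules..."
  if [[ -n "${source}" ]]; then
    # Values cross into pwsh through the environment rather than being
    # spliced into the -Command string, so they cannot alter the script.
    # -ErrorAction SilentlyContinue presumably tolerates the repository
    # already being registered on a re-run; a genuine registration failure
    # surfaces as an Install-Module error below instead.
    PSGALLERY_REPO="${repo}" PSGALLERY_SOURCE="${source}" \
      pwsh -NoProfile -Command 'Register-PSRepository -Name $env:PSGALLERY_REPO -SourceLocation $env:PSGALLERY_SOURCE -InstallationPolicy Trusted -ErrorAction SilentlyContinue'
  fi

  # Unlike the binaries, modules are version-pinned but not digest-verified:
  # this trusts whatever repository ${repo} resolves to.
  for spec in "PowerShell-Yaml=0.4.7" "PSScriptAnalyzer=1.25.0" "Pester=5.7.1"; do
    name=${spec%%=*}
    version=${spec#*=}
    PSGALLERY_REPO="${repo}" PS_MODULE_NAME="${name}" PS_MODULE_VERSION="${version}" \
      pwsh -NoProfile -Command 'Install-Module -Name $env:PS_MODULE_NAME -RequiredVersion $env:PS_MODULE_VERSION -Force -Scope CurrentUser -Repository $env:PSGALLERY_REPO'
  done
}

#######################################
# Install gitleaks into /usr/local/bin from a pinned, digest-checked release.
# Arguments: $1 - release base URL, $2 - `uname -m`, $3 - scratch directory
# Globals:   GITLEAKS_VERSION, GITLEAKS_SHA256 (written; see install_actionlint)
#######################################
install_gitleaks() {
  local base_url=$1
  local arch=$2
  local workdir=$3
  local tool_arch

  echo "Installing gitleaks..."
  GITLEAKS_VERSION="8.18.2"
  case "${arch}" in
    x86_64)
      # gitleaks names its amd64 asset "x64".
      tool_arch="x64"
      GITLEAKS_SHA256="6298c9235dfc9278c14b28afd9b7fa4e6f4a289cb1974bd27949fc1e9122bdee"
      ;;
    aarch64)
      tool_arch="arm64"
      GITLEAKS_SHA256="4df25683f95b9e1dbb8cc71dac74d10067b8aba221e7f991e01cafa05bcbd030"
      ;;
    *)
      echo "ERROR: Unsupported architecture for gitleaks: ${arch}" >&2
      exit 1
      ;;
  esac

  fetch_verified \
    "${base_url}/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_${tool_arch}.tar.gz" \
    "${GITLEAKS_SHA256}" "${workdir}/gitleaks.tar.gz"
  sudo tar -xzf "${workdir}/gitleaks.tar.gz" -C /usr/local/bin gitleaks
}

#######################################
# Install cosign into /usr/local/bin from a pinned, digest-checked release.
# Arguments: $1 - release base URL, $2 - `uname -m`, $3 - scratch directory
# Globals:   COSIGN_VERSION, COSIGN_SHA256 (written; see install_actionlint)
#######################################
install_cosign() {
  local base_url=$1
  local arch=$2
  local workdir=$3
  local tool_arch

  echo "Installing cosign..."
  COSIGN_VERSION="3.0.5"
  case "${arch}" in
    x86_64)
      tool_arch="amd64"
      COSIGN_SHA256="db15cc99e6e4837daabab023742aaddc3841ce57f193d11b7c3e06c8003642b2"
      ;;
    aarch64)
      tool_arch="arm64"
      COSIGN_SHA256="d098f3168ae4b3aa70b4ca78947329b953272b487727d1722cb3cb098a1a20ab"
      ;;
    *)
      echo "ERROR: Unsupported architecture for cosign: ${arch}" >&2
      exit 1
      ;;
  esac

  # cosign ships a bare binary rather than a tarball.
  fetch_verified \
    "${base_url}/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-${tool_arch}" \
    "${COSIGN_SHA256}" "${workdir}/cosign"
  # install(1) copies with mode 0755 by default, so the result is executable.
  sudo install "${workdir}/cosign" /usr/local/bin/cosign
}

#######################################
# Install uv and uvx into /usr/local/bin from a pinned, digest-checked release.
# Arguments: $1 - release base URL, $2 - `uname -m`, $3 - scratch directory
# Globals:   UV_VERSION, UV_SHA256 (written; see install_actionlint)
#######################################
install_uv() {
  local base_url=$1
  local arch=$2
  local workdir=$3
  local tool_arch

  echo "Installing uv package manager..."
  # Dependencies are pinned for stability. Dependabot and security workflows manage updates.
  UV_VERSION="0.10.8"
  case "${arch}" in
    x86_64)
      tool_arch="x86_64-unknown-linux-gnu"
      UV_SHA256="f0c566b55683395a62fefb9261a060fa09824914b5682c3b9629fa154762ae2f"
      ;;
    aarch64)
      tool_arch="aarch64-unknown-linux-gnu"
      UV_SHA256="661860e954f87dcd823251191866af3486484d1a9df60eed56f4586ed7559e3d"
      ;;
    *)
      echo "ERROR: Unsupported architecture for uv: ${arch}" >&2
      exit 1
      ;;
  esac

  # uv release tags carry no "v" prefix.
  fetch_verified \
    "${base_url}/astral-sh/uv/releases/download/${UV_VERSION}/uv-${tool_arch}.tar.gz" \
    "${UV_SHA256}" "${workdir}/uv.tar.gz"
  # Only the two binaries are extracted, flattened out of the uv-<arch>/ prefix.
  sudo tar -xzf "${workdir}/uv.tar.gz" -C /usr/local/bin --strip-components=1 \
    "uv-${tool_arch}/uv" "uv-${tool_arch}/uvx"
}

#######################################
# Run `uv sync` in every skill directory that carries a pyproject.toml.
# Resolves .github/skills relative to the current directory, as before.
# Returns:   exits non-zero on a missing skills directory or a failed sync
#######################################
sync_skill_envs() {
  local project

  echo "Syncing Python environments for skills..."
  if [[ ! -d .github/skills ]]; then
    echo "ERROR: .github/skills not found; run from the repository root" >&2
    exit 1
  fi

  # `find -execdir uv sync \;` would silently ignore a failing sync (find's
  # own exit status does not reflect -exec results). Iterating explicitly
  # lets set -e abort on the first failure.
  while IFS= read -r -d '' project; do
    (cd "${project%/*}" && uv sync)
  done < <(find .github/skills -name pyproject.toml -type f -print0)
}

#######################################
# Install all development-container dependencies, in the original order:
# apt packages, actionlint, PowerShell modules, gitleaks, cosign, uv, then
# the skills' Python environments.
# Globals:   HVE_GITHUB_RELEASES_URL, HVE_PSGALLERY_REPOSITORY,
#            HVE_PSGALLERY_SOURCE_URL (read); WORKDIR (written)
# Arguments: none are read
# Returns:   0 on success; exits 1 on unsupported CPU, failed download or
#            digest mismatch (other failures abort via set -e)
#######################################
main() {
  # Enterprise artifact hub overrides (public defaults when unset)
  local github_releases_url="${HVE_GITHUB_RELEASES_URL:-https://github.com}"
  local psgallery_repo="${HVE_PSGALLERY_REPOSITORY:-PSGallery}"
  local psgallery_source="${HVE_PSGALLERY_SOURCE_URL:-}"
  local arch
  arch=$(uname -m)

  # A private scratch directory instead of fixed names under /tmp, so no
  # other local user can pre-create or swap the files we download and verify.
  WORKDIR=$(mktemp -d) || {
    echo "ERROR: could not create scratch directory" >&2
    exit 1
  }
  readonly WORKDIR
  trap cleanup EXIT

  echo "Installing system dependencies..."
  install_apt_packages
  install_actionlint "${github_releases_url}" "${arch}" "${WORKDIR}"
  install_powershell_modules "${psgallery_repo}" "${psgallery_source}"
  install_gitleaks "${github_releases_url}" "${arch}" "${WORKDIR}"
  install_cosign "${github_releases_url}" "${arch}" "${WORKDIR}"
  install_uv "${github_releases_url}" "${arch}" "${WORKDIR}"
  sync_skill_envs

  echo "System dependencies installed successfully"
}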
| 131 | |
# Entry point. Arguments are forwarded, but main() does not currently read them.
main "$@"
| 133 | |