feat!: support addAptKey options through installAptPack

BREAKING no default keys are added during apt installations anymore. Explicitly pass the keys needed.
BREAKING the arguments to addAptKeyViaServer and addAptKeyViaDownload has changed. addAptKeyViaDownload renamed to addAptKeyViaURL

Author: aminya

dist/actions/setup-cpp.js

@@ -135,7 +135,7 @@ Add an apt key via a keyserver
 
 **returns:** Promise<string>
 
-### `addAptKeyViaDownload` (function)
+### `addAptKeyViaURL` (function)
 
 Add an apt key via a download
 

dist/actions/setup-cpp.js.map

@@ -1,6 +1,6 @@
 {
   "name": "setup-apt",
-  "version": "1.0.1",
+  "version": "2.0.0",
   "description": "Setup apt packages and repositories in Debian/Ubuntu-based distributions",
   "repository": "https://github.com/aminya/setup-cpp",
   "homepage": "https://github.com/aminya/setup-cpp/tree/master/packages/setup-apt",

dist/legacy/setup-cpp.js

@@ -1,69 +1,152 @@
 import { tmpdir } from "os"
+import { join } from "path"
 import { execRoot, execRootSync } from "admina"
 import { warning } from "ci-log"
 import { DownloaderHelper } from "node-downloader-helper"
 import { pathExists } from "path-exists"
 import { installAptPack } from "./install.js"
 
-function initGpg() {
-  execRootSync("gpg", ["-k"])
+export type AddAptKeyOptions = KeyServerOptions | KeyUrl
+
+/**
+ * Add an apt key
+ * @param options The options for adding the key
+ * @returns The file name of the key that was added or `undefined` if it failed
+ *
+ * @example
+ * ```ts
+ * await addAptKey({ keys: ["3B4FE6ACC0B21F32", "40976EAF437D05B5"], fileName: "bazel-archive-keyring.gpg"})
+ * ```
+ *
+ * @example
+ * ```ts
+ * await addAptKey({ keyUrl: "https://bazel.build/bazel-release.pub.gpg", fileName: "bazel-archive-keyring.gpg"})
+ * ```
+ */
+export function addAptKey(options: AddAptKeyOptions) {
+  if ("keyUrl" in options) {
+    return addAptKeyViaURL(options)
+  } else {
+    return addAptKeyViaServer(options)
+  }
 }
 
+type GpgKeyOptions = {
+  /**
+   * The file name for the key (should end in `.gpg`)
+   */
+  fileName: string
+  /**
+   * The key store path (Defaults to `/etc/apt/trusted.gpg.d`)
+   */
+  keyStorePath?: string
+}
+
+export const defaultKeyStorePath = "/etc/apt/trusted.gpg.d"
+
+export type KeyServerOptions = {
+  /**
+   * The keys to add
+   *
+   * @example
+   * ```ts
+   * ["3B4FE6ACC0B21F32", "40976EAF437D05B5"]
+   * ```
+   */
+  keys: string[]
+  /**
+   * The keyserver to use (Defaults to `keyserver.ubuntu.com`)
+   */
+  keyServer?: string
+} & GpgKeyOptions
+
+export const defaultKeyServer = "keyserver.ubuntu.com"
+
 /**
  * Add an apt key via a keyserver
- * @param keys The keys to add
- * @param name The name of the key
- * @param server The keyserver to use (Defaults to `keyserver.ubuntu.com`)
  * @returns The file name of the key that was added or `undefined` if it failed
  */
-export async function addAptKeyViaServer(keys: string[], name: string, server = "keyserver.ubuntu.com") {
+export async function addAptKeyViaServer(
+  { keys, keyServer = defaultKeyServer, fileName, keyStorePath = defaultKeyServer }: KeyServerOptions,
+) {
   try {
-    const fileName = `/etc/apt/trusted.gpg.d/${name}`
-    if (!(await pathExists(fileName))) {
+    assertGpgFileName(fileName)
+    const filePath = join(keyStorePath, fileName)
+    if (!(await pathExists(filePath))) {
       initGpg()
 
       await Promise.all(
         keys.map(async (key) => {
           await execRoot("gpg", [
             "--no-default-keyring",
             "--keyring",
-            `gnupg-ring:${fileName}`,
+            `gnupg-ring:${filePath}`,
             "--keyserver",
-            server,
+            keyServer,
             "--recv-keys",
             key,
           ])
-          await execRoot("chmod", ["644", fileName])
+          await execRoot("chmod", ["644", filePath])
         }),
       )
     }
-    return fileName
+    return filePath
   } catch (err) {
-    warning(`Failed to add apt key via server ${server}: ${err}`)
+    warning(`Failed to add apt key via server ${keyServer}: ${err}`)
     return undefined
   }
 }
 
+export type KeyUrl = {
+  /**
+   * The URL to download the key from
+   */
+  keyUrl: string
+} & GpgKeyOptions
+
 /**
  * Add an apt key via a download
- * @param name The name of the key
- * @param url The URL of the key
+ * @param options The options for adding the key
  * @returns The file name of the key that was added
  */
-export async function addAptKeyViaDownload(name: string, url: string) {
-  const fileName = `/etc/apt/trusted.gpg.d/${name}`
-  if (!(await pathExists(fileName))) {
-    initGpg()
+export async function addAptKeyViaURL({ keyUrl, fileName, keyStorePath = defaultKeyStorePath }: KeyUrl) {
+  try {
+    assertGpgFileName(fileName)
+    const filePath = join(keyStorePath, fileName)
+    if (!(await pathExists(filePath))) {
+      initGpg()
+
+      await installAptPack([{ name: "ca-certificates" }])
+
+      const dlPath = join(tmpdir(), fileName)
+      const dl = new DownloaderHelper(keyUrl, tmpdir(), { fileName })
+      dl.on("error", (err) => {
+        throw new Error(`Failed to download ${keyUrl}: ${err}`)
+      })
+      await dl.start()
 
-    await installAptPack([{ name: "ca-certificates" }])
-    const dl = new DownloaderHelper(url, tmpdir(), { fileName: name })
-    dl.on("error", (err) => {
-      throw new Error(`Failed to download ${url}: ${err}`)
-    })
-    await dl.start()
+      execRootSync("gpg", [
+        "--no-default-keyring",
+        "--keyring",
+        `gnupg-ring:${filePath}`,
+        "--import",
+        dlPath,
+      ])
+      execRootSync("chmod", ["644", filePath])
+    }
+    return filePath
+  } catch (err) {
+    warning(`Failed to add apt key via download ${keyUrl}: ${err}`)
+    return undefined
+  }
+}
+
+function initGpg() {
+  execRootSync("gpg", ["-k"])
+}
 
-    execRootSync("gpg", ["--no-default-keyring", "--keyring", `gnupg-ring:${fileName}`, "--import", `/tmp/${name}`])
-    execRootSync("chmod", ["644", fileName])
+function assertGpgFileName(fileName: string) {
+  if (!fileName.endsWith(".gpg")) {
+    throw new Error(`Key file name must end with .gpg: ${fileName}`)
   }
-  return fileName
 }

dist/legacy/setup-cpp.js.map

@@ -3,7 +3,7 @@ import { info, warning } from "ci-log"
 import escapeRegex from "escape-string-regexp"
 import { type ExecaError, execa } from "execa"
 import which from "which"
-import { addAptKeyViaServer } from "./apt-key.js"
+import { type AddAptKeyOptions, addAptKey } from "./apt-key.js"
 import { isAptPackInstalled } from "./is-installed.js"
 import { updateAptRepos } from "./update.js"
 
@@ -40,6 +40,8 @@ export type AptPackage = {
   version?: string
   /** The repositories to add before installing the package (optional) */
   repositories?: string[]
+  /** The keys to add before installing the package (optional) */
+  addAptKey?: AddAptKeyOptions[]
 }
 
 const retryErrors = [
@@ -83,8 +85,11 @@ export async function installAptPack(packages: AptPackage[], update = false): Pr
     didInit = true
   }
 
-  // Install
   try {
+    // Add the keys if needed
+    await addAptKeys(packages)
+
+    // Install
     execRootSync(apt, ["install", "--fix-broken", "-y", ...needToInstall], {
       ...defaultExecOptions,
       env: getAptEnv(apt),
@@ -107,6 +112,14 @@ export async function installAptPack(packages: AptPackage[], update = false): Pr
   return { binDir: "/usr/bin/" }
 }
 
+async function addAptKeys(packages: AptPackage[]) {
+  await Promise.all(packages.map(async (pack) => {
+    if (pack.addAptKey !== undefined) {
+      await Promise.all(pack.addAptKey.map(addAptKey))
+    }
+  }))
+}
+
 function isExecaError(err: unknown): err is ExecaError {
   return typeof (err as ExecaError).stderr === "string"
 }
@@ -285,9 +298,4 @@ async function initApt(apt: string) {
       env: getAptEnv(apt),
     })
   }
-
-  await Promise.all([
-    addAptKeyViaServer(["3B4FE6ACC0B21F32", "40976EAF437D05B5"], "setup-cpp-ubuntu-archive.gpg"),
-    addAptKeyViaServer(["1E9377A2BA9EF27F"], "launchpad-toolchain.gpg"),
-  ])
 }