Update hardening manifest schema to allow multiple valid shas
Current Behavior
CHT has notified us that when adding a release from GitHub to the resources section in their hardening manifest, they may get one of two valid shas for that release. They have performed further investigation into this issue and have provided information confirming that GitHub is providing the same release, but with different tokens substituted within the code.
Live Example
< gitVersion string = "v0.0.0-master+f3abc15296f3a3"
---
> gitVersion string = "v0.0.0-master+f3abc15296f3a"
Expected Behavior
The pipeline should be able to receive a list of valid shas for https requests and try to verify the imported artifact against both shas. If one is successful, accept that the sha is validated and continue.
Possible Solution
- Update hardening manifest schema to allow either a string for a sha, or a list of shas (up to 2)
- Update import artifacts to verify against either case
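One way the proposed check could work, as an added example that is not the pipeline's own code. It assumes the shas are sha256 hex digests; the function names and the two sample byte strings are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import io
import re

MAX_DIGESTS = 2  # the issue proposes allowing up to 2 shas per resource
_HEX_SHA256 = re.compile(r"[0-9a-f]{64}")  # assumption: sha256 hex digests

def normalize_digests(value):
    """Accept a single sha string or a list of 1..MAX_DIGESTS sha strings."""
    digests = [value] if isinstance(value, str) else value
    if not isinstance(digests, list) or not 1 <= len(digests) <= MAX_DIGESTS:
        raise ValueError(f"expected a sha string or a list of 1-{MAX_DIGESTS} shas")
    cleaned = []
    for d in digests:
        if not isinstance(d, str) or not _HEX_SHA256.fullmatch(d.lower()):
            raise ValueError(f"not a sha256 hex digest: {d!r}")
        cleaned.append(d.lower())
    if len(set(cleaned)) != len(cleaned):
        raise ValueError("duplicate sha listed")
    return cleaned

def sha256_stream(stream, chunk_size=65536):
    """Hash a file-like object in chunks so large artifacts are not loaded whole."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_artifact(stream, value):
    """Return the digest that matched; raise if the artifact matches none."""
    allowed = normalize_digests(value)
    actual = sha256_stream(stream)
    for expected in allowed:
        if hmac.compare_digest(actual, expected):
            return expected  # caller can log which of the listed shas was seen
    raise ValueError(f"sha256 {actual} matches none of the {len(allowed)} allowed shas")

# Constructed sample data standing in for the two variants of the same release.
VARIANT_A = b'gitVersion string = "v0.0.0-master+f3abc15296f3a3"\n'
VARIANT_B = b'gitVersion string = "v0.0.0-master+f3abc15296f3a"\n'
ALLOWED = [hashlib.sha256(VARIANT_A).hexdigest(), hashlib.sha256(VARIANT_B).hexdigest()]

if __name__ == "__main__":
    for blob in (VARIANT_A, VARIANT_B):
        print("accepted:", verify_artifact(io.BytesIO(blob), ALLOWED))
```

Returning the matched digest lets the import step record which variant was downloaded, and the hard cap keeps the list from growing into a general allowlist.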