From e29f89c27dce63bc08240c21f75a5946fbfe4cbc Mon Sep 17 00:00:00 2001
From: Patryk Konopka
Date: Wed, 12 Apr 2023 12:07:06 +0200
Subject: [PATCH 1/4] Add auth token to curl
Signed-off-by: Patryk Konopka
---
 action.yml | 4 ++++
 ct.sh | 20 +++++++++++++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/action.yml b/action.yml
index 980bd1e..91a7177 100644
--- a/action.yml
+++ b/action.yml
@@ -5,6 +5,9 @@ branding:
 color: blue
 icon: anchor
 inputs:
+ token:
+ description: "The token used to authenticate when fetching chart-testing release. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting."
+ default: ${{ github.server_url == 'https://github.com' && github.token || '' }}
 version:
 description: "The chart-testing version to install (default: v3.8.0)"
 required: false
@@ -24,6 +27,7 @@ runs:
 - run: |
 cd $GITHUB_ACTION_PATH \
 && ./ct.sh \
+ --token ${{ inputs.token }} \
 --version ${{ inputs.version }} \
 --yamllint-version ${{ inputs.yamllint_version }} \
 --yamale-version ${{ inputs.yamale_version }}
diff --git a/ct.sh b/ct.sh
index b76da48..4218fb7 100755
--- a/ct.sh
+++ b/ct.sh
@@ -4,6 +4,7 @@ set -o errexit
 set -o nounset
 set -o pipefail
+DEFAULT_TOKEN=
 DEFAULT_CHART_TESTING_VERSION=v3.8.0
 DEFAULT_YAMLLINT_VERSION=1.27.1
 DEFAULT_YAMALE_VERSION=3.0.4
@@ -14,10 +15,12 @@ Usage: $(basename "$0")
 -h, --help Display help
 -v, --version The chart-testing version to use (default: $DEFAULT_CHART_TESTING_VERSION)"
+ -t, --token The token used to authenticate when fetching chart-testing release from github.com"
 EOF
 }
 main() {
+ local token="$DEFAULT_TOKEN"
 local version="$DEFAULT_CHART_TESTING_VERSION"
 local yamllint_version="$DEFAULT_YAMLLINT_VERSION"
 local yamale_version="$DEFAULT_YAMALE_VERSION"
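Review bot: In the `run:` step of action.yml, `--token ${{ inputs.token }}` is expanded into the script text unquoted, so when the new `default:` expression evaluates to `''` ct.sh is invoked as `--token --version …`. The `-t|--token` arm added to parse_command_line only tests `[[ -n "${2:-}" ]]`, so it would then take `--version` as the token value. Interpolating an input into the script body also lets its content be parsed as shell rather than treated as data. I would pass it through the step environment instead, `env:` with `CT_TOKEN: ${{ inputs.token }}`, and have ct.sh read `"${CT_TOKEN:-}"`, which also keeps the secret out of ct.sh's argument list. The `token` input could carry `required: false` as `version` does.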
@@ -34,6 +37,16 @@ parse_command_line() {
 show_help
 exit
 ;;
+ -t|--token)
+ if [[ -n "${2:-}" ]]; then
+ token="$2"
+ shift
+ else
+ echo "ERROR: '-t|--token' cannot be empty." >&2
+ show_help
+ exit 1
+ fi
+ ;;
 -v|--version)
 if [[ -n "${2:-}" ]]; then
 version="$2"
@@ -95,7 +108,12 @@ install_chart_testing() {
 CT_CERT=https://github.com/helm/chart-testing/releases/download/$version/chart-testing_${version#v}_linux_$arch.tar.gz.pem
 CT_SIG=https://github.com/helm/chart-testing/releases/download/$version/chart-testing_${version#v}_linux_$arch.tar.gz.sig
- curl --retry 5 --retry-delay 1 -sSLo ct.tar.gz "https://github.com/helm/chart-testing/releases/download/$version/chart-testing_${version#v}_linux_$arch.tar.gz"
+ AUTH_HEADER=""
+ if [ ! -z "$token" ]; then
+ AUTH_HEADER="--header \"Authorization: Bearer ${token}\""
+ fi
+
+ curl --retry 5 --retry-delay 1 -sSLo $AUTH_HEADER ct.tar.gz "https://github.com/helm/chart-testing/releases/download/$version/chart-testing_${version#v}_linux_$arch.tar.gz"
 cosign verify-blob --certificate $CT_CERT --signature $CT_SIG \
 --certificate-identity "https://github.com/helm/chart-testing/.github/workflows/release.yaml@refs/heads/main" \
 --certificate-oidc-issuer "https://token.actions.githubusercontent.com" ct.tar.gz
From 60bebc13af4f4b1c8d546989f2762cef6f180ebc Mon Sep 17 00:00:00 2001
From: Patryk Konopka
Date: Wed, 12 Apr 2023 12:24:23 +0200
Subject: [PATCH 2/4] Fix passing header to curl
Signed-off-by: Patryk Konopka
---
 ct.sh | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/ct.sh b/ct.sh
index 4218fb7..ead30d9 100755
--- a/ct.sh
+++ b/ct.sh
@@ -4,7 +4,6 @@ set -o errexit
 set -o nounset
 set -o pipefail
-DEFAULT_TOKEN=
 DEFAULT_CHART_TESTING_VERSION=v3.8.0
 DEFAULT_YAMLLINT_VERSION=1.27.1
 DEFAULT_YAMALE_VERSION=3.0.4
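Review bot: The bearer token is handed to curl as a `--header` argument in install_chart_testing, which leaves it readable in the process list while the download runs and in any `set -x` trace; the same holds for the `auth` array form in patches 2/4 and 4/4. curl can take headers from a file (`--header @FILE`) or its options from stdin (`--config -`), either of which keeps the value off argv. Because the request uses `-L` and release assets are normally served through a redirect, it is also worth confirming that the runner's curl is recent enough (7.58.0 or later, as far as I know) not to forward a custom `Authorization` header to the redirect host. The function body starts and ends outside this hunk.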
@@ -20,7 +19,7 @@ EOF
 }
 main() {
- local token="$DEFAULT_TOKEN"
+ local token=""
 local version="$DEFAULT_CHART_TESTING_VERSION"
 local yamllint_version="$DEFAULT_YAMLLINT_VERSION"
 local yamale_version="$DEFAULT_YAMALE_VERSION"
@@ -108,12 +107,11 @@ install_chart_testing() {
 CT_CERT=https://github.com/helm/chart-testing/releases/download/$version/chart-testing_${version#v}_linux_$arch.tar.gz.pem
 CT_SIG=https://github.com/helm/chart-testing/releases/download/$version/chart-testing_${version#v}_linux_$arch.tar.gz.sig
- AUTH_HEADER=""
 if [ ! -z "$token" ]; then
- AUTH_HEADER="--header \"Authorization: Bearer ${token}\""
+ auth+=(--header "Authorization: Bearer ${token}")
 fi
- curl --retry 5 --retry-delay 1 -sSLo $AUTH_HEADER ct.tar.gz "https://github.com/helm/chart-testing/releases/download/$version/chart-testing_${version#v}_linux_$arch.tar.gz"
+ curl "${auth[@]}" --retry 5 --retry-delay 1 -sSLo ct.tar.gz "https://github.com/helm/chart-testing/releases/download/$version/chart-testing_${version#v}_linux_$arch.tar.gz"
 cosign verify-blob --certificate $CT_CERT --signature $CT_SIG \
 --certificate-identity "https://github.com/helm/chart-testing/.github/workflows/release.yaml@refs/heads/main" \
 --certificate-oidc-issuer "https://token.actions.githubusercontent.com" ct.tar.gz
From fb48fd528032894d9214a9dedc179bb148c98f1e Mon Sep 17 00:00:00 2001
From: Patryk Konopka
Date: Wed, 12 Apr 2023 12:43:46 +0200
Subject: [PATCH 3/4] Update README.md
Signed-off-by: Patryk Konopka
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 94f0587..c121406 100644
--- a/README.md
+++ b/README.md
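Review bot: `auth` is appended to with `auth+=(...)` in install_chart_testing, but no initialisation is visible in this hunk and the removed `AUTH_HEADER=""` has no replacement, so with an empty token `"${auth[@]}"` expands a name that was never set while `set -o nounset` is active; bash releases before 4.4 treat that as an unbound variable and abort. Unless it is declared above the hunk, add `local auth=()` before the `if`, which also keeps the array (and the token in it) out of global scope. The test `[ ! -z "$token" ]` would read more simply as `[[ -n "$token" ]]`, matching the style used in parse_command_line.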
@@ -15,6 +15,7 @@ A GitHub Action for installing the [helm/chart-testing](https://github.com/helm/
 For more information on inputs, see the [API Documentation](https://developer.github.com/v3/repos/releases/#input)
+- `token`: The token used to authenticate when fetching chart-testing release from github.com (optional)
 - `version`: The chart-testing version to install (default: `v3.8.0`)
 - `yamllint_version`: The chart-testing version to install (default: `1.27.1`)
 - `yamale_version`: The chart-testing version to install (default: `3.0.4`)
From 89c646ef61ed515059e2b60862cf14a3412eb8ef Mon Sep 17 00:00:00 2001
From: Patryk Konopka
Date: Wed, 12 Apr 2023 12:48:28 +0200
Subject: [PATCH 4/4] Download cert and sig with curl
Signed-off-by: Patryk Konopka
---
 ct.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ct.sh b/ct.sh
index ead30d9..e673b5d 100755
--- a/ct.sh
+++ b/ct.sh
@@ -111,8 +111,10 @@ install_chart_testing() {
 auth+=(--header "Authorization: Bearer ${token}")
 fi
+ curl "${auth[@]}" --retry 5 --retry-delay 1 -sSLo chart-testing.tar.gz.pem $CT_CERT
+ curl "${auth[@]}" --retry 5 --retry-delay 1 -sSLo chart-testing.tar.gz.sig $CT_SIG
 curl "${auth[@]}" --retry 5 --retry-delay 1 -sSLo ct.tar.gz "https://github.com/helm/chart-testing/releases/download/$version/chart-testing_${version#v}_linux_$arch.tar.gz"
- cosign verify-blob --certificate $CT_CERT --signature $CT_SIG \
+ cosign verify-blob --certificate ./chart-testing.tar.gz.pem --signature ./chart-testing.tar.gz.sig \
 --certificate-identity "https://github.com/helm/chart-testing/.github/workflows/release.yaml@refs/heads/main" \
 --certificate-oidc-issuer "https://token.actions.githubusercontent.com" ct.tar.gz
 retVal=$?
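Review bot: The two new downloads in install_chart_testing write whatever the server returns into `chart-testing.tar.gz.pem` and `chart-testing.tar.gz.sig`, because none of the curl calls pass `-f`; an HTTP error such as a rejected token then surfaces only as an opaque cosign failure. Using `-fsSLo` makes the download step itself fail on an HTTP error status, and `$CT_CERT` / `$CT_SIG` should be quoted as the third URL is. The `retVal=$?` after cosign looks unreachable on failure under the file's `set -o errexit`, though the lines that consume it are outside this hunk.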