features/terraform: Migrate Cosign to GitHub Artifact Attestations for TFLint verification

[wata727]

See also terraform-linters/tflint#2405

Cosign signature verification in TFLint is now deprecated. We should use gh attestation verify instead.
The Terraform feature uses Cosign, so you will need to migrate:

features/src/terraform/install.sh

Lines 482 to 492 in c85af4d

	# Check that checksums.txt.keyless.sig exists and is not empty
	if [ -s checksums.txt.keyless.sig ]; then
	# Validate checksums with cosign
	curl -sSL -o checksums.txt.pem https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.pem
	ensure_cosign
	cosign verify-blob \
	--certificate=/tmp/tf-downloads/checksums.txt.pem \
	--signature=/tmp/tf-downloads/checksums.txt.keyless.sig \
	--certificate-identity-regexp="^https://github.com/terraform-linters/tflint" \
	--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
	/tmp/tf-downloads/tflint_checksums.txt

I believe the fix itself is relatively easy, but I'm having trouble figuring out how to install the GitHub CLI.
Should I write my own installation script like Cosign, or is there a better way to reuse features/github-cli?

[Kaniska244]

Hello @wata727 ,

Thank you for reporting this issue. You could add the following in the devcontainer-feature.json of the terraform feature if you are planning to contribute a fix for this. It will create dependency with github-cli feature such that gh cli will be installed right before the terraform feature installation so that it would be possible to perform gh attestation verify during terraform feature installation. Kindly let me know in case of any further concern.

    "dependsOn": {
        "ghcr.io/devcontainers/features/github-cli:1": {
            "version": "latest"
        }        
    }

[wata727]

Thank you for your help, the dependsOn seems to work as expected.

However, I found that authentication is required to use the GitHub CLI, and that a GH_TOKEN is required to run gh attestation verify... cli/cli#2680
Is there a good way to use the GH_TOKEN in a devcontainer?

UPDATE: I discovered that we could get around this limitation by using a bundle cli/cli#11803