Clone specific software-layer-commit and implement CI to check merged status #3
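# documentation: https://help.github.com/en/articles/workflow-syntax-for-github-actions
#
# This workflow verifies that the correct version of software-layer-scripts is used.
#
# First, check_bot_build_checksum checks if the bot/build.sh code that clones software-layer-scripts is untouched,
# as this normally shouldn't change (a change could mean a contributor is trying to inject something
# malicious). Having this CI means that a change in bot/build.sh should at least be accompanied by
# a change in this CI, making it stand out to reviewers and increasing the likelihood of this being caught.
#
# Second, check_software_layer_scripts_commit checks if the commit used in bot/commit_sha is a merge-commit for a
# merge into the default branch of software-layer-scripts. This guarantees that everything that is associated with
# that commit was approved by a reviewer (and deployed, if needed)
#
# Note on input handling: this workflow also runs on pull_request events, where the content of bot/commit_sha
# comes from the PR author. The value is therefore validated against a hex-SHA pattern before it is used, and it
# is handed to later steps through `env:` instead of being interpolated into the script text with `${{ }}`.
name: Verify software-layer-scripts

on:
  push:
    branches: [ "main" ]
  pull_request:
  workflow_dispatch:

permissions:
  contents: read  # to fetch code (actions/checkout)

defaults:
  run:
    # An explicit `bash` shell runs with `-eo pipefail`, so a failing command inside a pipeline
    # (e.g. the curl in the GPG step) fails the step instead of being masked by the next command.
    shell: bash

jobs:
  check_bot_build_checksum:
    runs-on: ubuntu-24.04
    steps:
      - name: Check out software-layer repository (shallow)
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
        with:
          fetch-depth: 1  # We only need the current revision to read bot/build.sh

      - name: Compute bot/build.sh checksum and verify it
        run: |
          # Print clear error if file doesn't exist at all
          if [[ ! -f bot/build.sh ]]; then
            echo "ERROR: File bot/build.sh not found!"
            exit 1
          fi
          # Reference checksum
          # UPDATE THIS CHECKSUM IF AND ONLY IF WE ACTUALLY WANT TO CHANGE bot/build.sh
          EXPECTED_CHECKSUM="9d33368cac2e38e10147eeb0aafc321651ebaa5912387ecef97683570906773a"
          # Compute checksum
          COMPUTED_CHECKSUM=$(sha256sum bot/build.sh | awk '{print $1}')
          echo "Computed checksum: $COMPUTED_CHECKSUM"
          echo "Reference checksum: $EXPECTED_CHECKSUM"
          # Compare checksums
          if [[ "$COMPUTED_CHECKSUM" != "$EXPECTED_CHECKSUM" ]]; then
            echo "ERROR: Checksum mismatch! The file bot/build.sh has been modified."
            exit 1
          else
            echo "Checksum for bot/build.sh matches the reference value"
          fi

  check_software_layer_scripts_commit:
    runs-on: ubuntu-24.04
    steps:
      - name: Check out software-layer repository (shallow)
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
        with:
          fetch-depth: 1  # We only need the current revision to read bot/commit_sha

      - name: Checkout software-layer-scripts (full history)
        # Pinned to the same commit as the checkout above: a mutable tag like @v4 could be moved
        # to different code, which would defeat the point of a workflow that guards against tampering.
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
        with:
          repository: EESSI/software-layer-scripts
          path: upstream-scripts
          fetch-depth: 0  # full history → required for ancestry checks

      - name: Read commit SHA
        id: read_sha
        run: |
          if [[ ! -f bot/commit_sha ]]; then
            echo "ERROR: File bot/commit_sha not found!"
            exit 1
          fi
          SHA=$(tr -d '[:space:]' < bot/commit_sha)
          # Only a full lowercase hex object id is accepted (40 chars for SHA-1, 64 for SHA-256 repositories).
          # Everything else is rejected here, so the value exported below is safe to hand to git and to
          # the following steps.
          if [[ ! "$SHA" =~ ^([0-9a-f]{40}|[0-9a-f]{64})$ ]]; then
            echo "ERROR: bot/commit_sha does not contain a full lowercase hex commit SHA"
            exit 1
          fi
          echo "sha=$SHA" >> "$GITHUB_OUTPUT"
          echo "Found SHA: $SHA"

      - name: Verify SHA exists in software‑layer‑scripts
        working-directory: upstream-scripts
        env:
          # Passed via env (not `${{ }}` inside `run:`) so the value is never spliced into the script text.
          SHA: ${{ steps.read_sha.outputs.sha }}
        run: |
          # The full-history checkout above already contains every commit reachable from a branch or tag,
          # so a fetch by SHA is only a fallback; it must not abort the step by itself, the check below decides.
          if ! git cat-file -e "${SHA}^{commit}" 2>/dev/null; then
            git fetch origin "$SHA" || true
          fi
          # Validate that this object is _actually_ a commit
          if ! git cat-file -e "${SHA}^{commit}" 2>/dev/null; then
            echo "Commit $SHA not found in software‑layer‑scripts."
            exit 1
          fi
          echo "Commit $SHA exists in software‑layer‑scripts."

      - name: Check that SHA is merged into the default branch
        working-directory: upstream-scripts
        env:
          SHA: ${{ steps.read_sha.outputs.sha }}
        run: |
          # git merge-base --is-ancestor returns 0 if $SHA is an ancestor of origin/main
          if git merge-base --is-ancestor "$SHA" origin/main; then
            echo "Commit $SHA is merged into origin/main."
          else
            echo "Commit $SHA is NOT merged into origin/main."
            exit 1
          fi

      - name: Verify commit is signed by GitHub’s web‑flow key
        working-directory: upstream-scripts
        env:
          SHA: ${{ steps.read_sha.outputs.sha }}
          GIT_TRACE: 1  # extra debug output if something goes wrong
        run: |
          # Import the public key that GitHub uses for UI‑generated merges
          echo "Importing GitHub web‑flow GPG key…"
          curl -sSfL https://github.com/web-flow.gpg | gpg --dearmor > web-flow.gpg
          gpg --import web-flow.gpg
          # Collect the primary-key fingerprint(s) contained in the downloaded file (the 'fpr' record that
          # directly follows each 'pub' record). `git verify-commit` accepts a valid signature from *any* key
          # in the runner's keyring, so the signer is compared against these fingerprints explicitly below.
          WEB_FLOW_FPRS=$(gpg --with-colons --show-keys web-flow.gpg \
            | awk -F: '$1 == "pub" { take = 1; next } $1 == "fpr" && take { print $10; take = 0 }')
          echo "Fingerprint of the web-flow GPG key:"
          echo "$WEB_FLOW_FPRS"
          # Verify the commit’s GPG signature
          echo "Verifying the signature of commit $SHA…"
          if ! git verify-commit "$SHA"; then
            echo "Commit $SHA is either unsigned or not signed by the web‑flow key."
            exit 1
          fi
          # %GP = fingerprint of the primary key whose (sub)key produced the signature
          SIGNER_FPR=$(git log -1 --format=%GP "$SHA")
          if [[ -z "$SIGNER_FPR" ]] || ! grep -qxF "$SIGNER_FPR" <<< "$WEB_FLOW_FPRS"; then
            echo "Commit $SHA is either unsigned or not signed by the web‑flow key."
            echo "Signing key: '$SIGNER_FPR' is not the downloaded web-flow key"
            exit 1
          fi
          echo "Commit $SHA is signed and the signature validates with the web‑flow key."
          echo "All verification steps succeeded."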