author    Jonathan <jonathan@mullvad.net>  2022-05-11 10:33:11 +0200
committer Jonathan <jonathan@mullvad.net>  2022-07-05 11:27:04 +0200
commit    a6b73f3c3bf616b8ddfe075dd8ee197f2de17d58 (patch)
tree      086092c9ddd93d21685a6967949e93c3a3203214 /.github
parent    f150ec3b2e7912b556602645654806981c6d69c5 (diff)
Create verification script and github action
Create a script which verifies that a set of "locked down" files are not changed in commits that have not been signed. Create a github workflow that runs the script in the CI.

The script accepts --whitelist <commit> and --import-gpg-keys arguments. The default settings are supposed to work on the build server without importing the gpg keys from the trusted_keys.pub file and running with a hardcoded whitelist commit. Make the CI workflow use these arguments as it is supposed to in .github.

The public keys that can be imported are specified as files in the ci/keys/ directory. The files that are locked down are specified in the .github workflow as a single source of truth. This requires some complicated parsing in the verification script as well as a dependency from the verification script to the workflow YAML. These are not ideal design choices; however, the alternative is to not have a single source of truth for the locked down files, as the github workflow cannot depend on an external file.

The mullvad signing key is named to be first in the list in order to be imported first. The whitelisted commit is the latest master before this commit.
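The check the commit message describes, as an added example: this is not the project's ci/verify-locked-down-signatures.sh (that script is not part of this page's diff), and the locked path list, the fingerprint placeholder and the function names are assumptions for illustration. It walks every commit after the whitelisted ref, and fails if any commit that touches a locked path does not carry a good signature from a key whose fingerprint is on an explicit allow-list. The signature status and fingerprint come from git's own `%G?` and `%GF` log placeholders; note that keys imported from files without being marked trusted yield status `U` (good signature, unknown validity) rather than `G`, which is why the fingerprint check, not gpg's trust model, is what decides.

```shell
#!/bin/sh
# Added example, not the project's ci/verify-locked-down-signatures.sh:
# refuse changes to "locked down" files that arrive in commits without a
# good signature from an explicitly trusted key.
set -eu

# Locked files/directories (assumed list; a trailing slash means "anything under it").
LOCKED_PATHS="Cargo.lock gui/package-lock.json ci/keys/ ci/verify-locked-down-signatures.sh"
# Full fingerprints of keys allowed to sign locked changes (placeholder value, not a real key).
TRUSTED_FINGERPRINTS="${TRUSTED_FINGERPRINTS:-0123456789ABCDEF0123456789ABCDEF01234567}"

# is_locked PATH: succeeds if PATH is a locked file or lies under a locked directory.
is_locked() {
  for l in $LOCKED_PATHS; do
    case "$l" in
      */) case "$1" in "$l"*) return 0 ;; esac ;;
      *)  if [ "$1" = "$l" ]; then return 0; fi ;;
    esac
  done
  return 1
}

# is_trusted STATUS FINGERPRINT: %G? must be G (good, valid) or U (good, key
# validity unknown: the usual result for keys imported from a file without
# being marked trusted), and the signing key's fingerprint must be allow-listed.
is_trusted() {
  case "$1" in G|U) ;; *) return 1 ;; esac
  for t in $TRUSTED_FINGERPRINTS; do
    if [ "$2" = "$t" ]; then return 0; fi
  done
  return 1
}

# check_log: reads on stdin the output of
#   git log --format='COMMIT %H %G? %GF' --name-only <whitelist>..HEAD
# (one header line per commit, a blank line, then the paths it changed; %GF is
# empty for unsigned commits). Reports every locked path changed by a commit
# lacking a trusted signature and returns 1 if there was any such change.
check_log() {
  bad=0 hash= status= fp=
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "COMMIT "*)
        set -- $line          # word-split the header: COMMIT <hash> <status> [<fingerprint>]
        hash=$2 status=$3 fp=${4:-}
        ;;
      "") ;;
      *)
        if is_locked "$line" && ! is_trusted "$status" "$fp"; then
          echo "$hash: '$line' is locked but signature status is '$status' (key: '${fp:-none}')" >&2
          bad=1
        fi
        ;;
    esac
  done
  return $bad
}

# main [<whitelist-ref>]: verify every commit after the whitelisted ref (default origin/master).
main() {
  whitelist=${1:-origin/master}
  git log --format='COMMIT %H %G? %GF' --name-only "$whitelist"..HEAD | check_log
}

# Only run against the repository when a whitelist ref is given on the command
# line, so the functions above can also be sourced or tested on canned input.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Two caveats when running this for real: `git log --name-only` lists no files for merge commits unless `-m` is given, so a conflict resolution that edits a locked file inside a merge commit would slip past a per-commit walk, and the history between the whitelist and HEAD must actually be present in the clone (a shallow fetch that stops short of the merge base makes `<whitelist>..HEAD` meaningless).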
Diffstat (limited to '.github')
-rw-r--r--  .github/workflows/verify-locked-down-signatures.yml  26
1 files changed, 26 insertions, 0 deletions
diff --git a/.github/workflows/verify-locked-down-signatures.yml b/.github/workflows/verify-locked-down-signatures.yml
new file mode 100644
index 0000000000..aef5f507b6
--- /dev/null
+++ b/.github/workflows/verify-locked-down-signatures.yml
@@ -0,0 +1,26 @@
+name: Verify lockfile signatures
+on:
+ pull_request:
+ paths:
+ - .github/workflows/verify-locked-down-signatures.yml
+ - Cargo.lock
+ - gui/package-lock.json
+ - ci/keys/
+ - ci/verify-locked-down-signatures.sh
+ workflow_dispatch:
+jobs:
+ verify-signatures:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - name: Verify signatures
+ run: |
+ commits=${{ github.event.pull_request.commits }}
+ if [[ -n "$commits" ]]; then
+ # Prepare enough depth for diffs with master, currently hard-coded but should probably be
+ # whatever branch is merged into
+ git fetch --depth="$(( commits + 1 ))" origin ${{ github.head_ref }} master
+ fi
+ ci/verify-locked-down-signatures.sh --import-gpg-keys --whitelist origin/master
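Review bot: `${{ github.head_ref }}` is expanded into the `run:` script text before the shell runs it, and on `pull_request` events the head branch name is chosen by the PR author, so a crafted branch name becomes shell code in this step; pass it through the environment instead and reference it as a quoted variable, e.g. `env:` / `HEAD_REF: ${{ github.head_ref }}` / `git fetch ... origin "$HEAD_REF" master` (the same holds for `github.event.pull_request.commits`, although that value is numeric). Two further gaps in the fetch logic: on `workflow_dispatch` both `github.event.pull_request.*` values are empty, so the `if [[ -n "$commits" ]]` branch is skipped and, with the checkout's default depth, `origin/master` is never fetched, so `--whitelist origin/master` has nothing to resolve; and even on a PR, `--depth="$(( commits + 1 ))"` is applied to `master` as well as the head branch, so if master has advanced since the branch point the merge base lies outside the fetched window and the comparison against the whitelist runs over a grafted history. Fetching `master` without a depth limit (or `fetch-depth: 0` on the checkout step) avoids both, at the cost of a bigger fetch.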