The following lints have been fixed:
SC2046,SC2086,SC2068,SC2148,SC2007,SC2004,SC2006,
SC2164,SC2145,SC1091,SC2034,SC2155.
This commit fixes a problem where the path extraction would
only extract paths up until any path containing a `*` character.
This commit also removes an unwanted backslash in the path
matching portion of the `sed` command, since the backslash is
not special within the list according to the documentation:
https://www.gnu.org/software/sed/manual/html_node/Regular-Expressions.html
The verification script running on github would complain that the first
commit of a PR changed all of the locked down files if this commit was
unsigned. The reason was that in our github environment we don't fetch
the entire git history but instead only the needed commits (so called
shallow repository). The entire history is therefore folded into the
first commit in the shallow repo. Since this history contains
modifications of locked down files and since this commit is not signed
the script will think this commit modified files it's not allowed to.
This fix deepens the shallow repo by 1 after fetching.
It also clarifies a print in verification script to be more descriptive.
Verify that we do not remove any file we deem important. If any such
file is removed, they should also be removed from the list this CI job
uses, and as such we raise a flag.
Update the CI job to also check that all files in the list of important
files still exist in the working directory/at the HEAD where it's being
executed from.
Create a script which verifies that a set of "locked down" files are not
changed in commits that have not been signed.
Create a github workflow that runs the script in the CI.
The script accepts --whitelist <commit> and --import-gpg-keys arguments.
The default settings are supposed to work on the build server without
importing the gpg keys from the trusted_keys.pub file and running with a
hardcoded whitelist commit.
Make the CI workflow use these arguments as it is supposed to in
.github.
The public keys that can be imported are specified as files in the ci/keys/
directory.
The files that are locked down are specified in the .github workflow as
a single source of truth. This requires some complicated parsing in the
verification script as well as a dependency from the verification script
to the workflow YAML. These are not ideal design choices however the
alternative is to not have a single source of truth for the locked down
files as the github workflow can not depend on an external file.
The Mullvad signing key is named to be first in the list in order to be
imported first.
The whitelisted commit is the latest master before this commit.