---
name: Verify git signatures on important files
on:
  pull_request:
    paths:
      - .github/workflows/android-audit.yml
      - .github/workflows/code-owner-approval.yml
      - .github/workflows/unicop.yml
      - .github/workflows/verify-locked-down-signatures.yml
      - .github/CODEOWNERS
      - Cargo.toml
      - test/Cargo.toml
      - Cargo.lock
      - test/Cargo.lock
      - code-owners.json
      - deny.toml
      - test/deny.toml
      - mullvad-ios/deny.toml
      - rust-toolchain.toml
      - desktop/package-lock.json
      - wireguard-go-rs/libwg/go.sum
      - ci/keys/**
      - ci/verify-locked-down-signatures.sh
      - ios/MullvadVPN.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved
      - android/gradlew
      - android/gradlew.bat
      - android/gradle/verification-metadata.xml
      - android/gradle/verification-metadata.keys.xml
      - android/gradle/verification-keyring.keys
      - android/gradle/wrapper/gradle-wrapper.jar
      - android/gradle/wrapper/gradle-wrapper.properties
      - android/scripts/lockfile
      - android/flake.lock
      - building/build-and-publish-container-image.sh
      - building/mullvad-app-container-signing.asc
      - building/linux-container-image.txt
      - building/android-container-image.txt
      - building/sigstore/**
      - mullvad-update/trusted-metadata-signing-pubkeys

permissions: {}

jobs:
  verify-signatures:
    name: Verify git signatures
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Verify signatures
        run: |-
          base_ref=${{ github.event.pull_request.base.sha }}
          head_ref=${{ github.event.pull_request.head.sha }}
          git fetch --no-recurse-submodules --shallow-exclude=main origin main $base_ref $head_ref
          git fetch --deepen=1
          ci/verify-locked-down-signatures.sh --import-gpg-keys --whitelist origin/main