blob: 5c965607d7eb80e70438c3860ff5d688d33ed56a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
---
name: Verify git signatures on important files
on:
pull_request:
paths:
- .github/workflows/android-audit.yml
- .github/workflows/code-owner-approval.yml
- .github/workflows/unicop.yml
- .github/workflows/verify-locked-down-signatures.yml
- .github/CODEOWNERS
- Cargo.toml
- test/Cargo.toml
- Cargo.lock
- test/Cargo.lock
- code-owners.json
- deny.toml
- test/deny.toml
- mullvad-ios/deny.toml
- rust-toolchain.toml
- desktop/package-lock.json
- wireguard-go-rs/libwg/go.sum
- ci/keys/**
- ci/verify-locked-down-signatures.sh
- ios/MullvadVPN.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved
- android/gradlew
- android/gradlew.bat
- android/gradle/verification-metadata.xml
- android/gradle/verification-metadata.keys.xml
- android/gradle/verification-keyring.keys
- android/gradle/wrapper/gradle-wrapper.jar
- android/gradle/wrapper/gradle-wrapper.properties
- android/scripts/lockfile
- android/flake.lock
- building/build-and-publish-container-image.sh
- building/mullvad-app-container-signing.asc
- building/linux-container-image.txt
- building/android-container-image.txt
- building/sigstore/**
- mullvad-update/trusted-metadata-signing-pubkeys
permissions: {}
jobs:
verify-signatures:
name: Verify git signatures
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Verify signatures
run: |-
base_ref=${{ github.event.pull_request.base.sha }}
head_ref=${{ github.event.pull_request.head.sha }}
git fetch --no-recurse-submodules --shallow-exclude=main origin main $base_ref $head_ref
git fetch --deepen=1
ci/verify-locked-down-signatures.sh --import-gpg-keys --whitelist origin/main
|
