test_software_layer_scripts.yml
# documentation: https://help.github.com/en/articles/workflow-syntax-for-github-actions
#
# This workflow verifies that the correct version of software-layer-scripts is used.
#
# First, check_bot_build_checksum checks that the bot/build.sh code that clones software-layer-scripts is untouched,
# as this normally shouldn't change (a change could mean a contributor is trying to inject something
# malicious). Having this CI means that a change in bot/build.sh must at least be accompanied by
# a matching checksum change in this workflow, making it stand out to reviewers and increasing the likelihood
# of such a change being caught.
#
# Second, check_software_layer_scripts_commit checks that the commit referenced in bot/commit_sha exists in
# software-layer-scripts, is merged into its default branch, and carries a signature that validates with
# GitHub's web-flow key (i.e. it is a merge commit created by GitHub itself). This guarantees that everything
# associated with that commit was approved by a reviewer (and deployed, if needed).
name: Verify software-layer-scripts
on:
  push:
    branches: [ "main" ]
  pull_request:
  workflow_dispatch:
permissions:
  contents: read # to fetch code (actions/checkout)
jobs:
  check_bot_build_checksum:
    runs-on: ubuntu-24.04
    steps:
      - name: Check out software-layer repository (shallow)
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 1 # We only need the current revision to read bot/build.sh
      - name: Compute bot/build.sh checksum and verify it
        run: |
          # Print clear error if file doesn't exist at all
          if [[ ! -f bot/build.sh ]]; then
            echo "ERROR: File bot/build.sh not found!"
            exit 1
          fi
          # Reference checksum
          # UPDATE THIS CHECKSUM IF AND ONLY IF WE ACTUALLY WANT TO CHANGE bot/build.sh
          EXPECTED_CHECKSUM="9d33368cac2e38e10147eeb0aafc321651ebaa5912387ecef97683570906773a"
          # Compute checksum
          COMPUTED_CHECKSUM=$(sha256sum bot/build.sh | awk '{print $1}')
          echo "Computed checksum: $COMPUTED_CHECKSUM"
          echo "Reference checksum: $EXPECTED_CHECKSUM"
          # Compare checksums
          if [[ "$COMPUTED_CHECKSUM" != "$EXPECTED_CHECKSUM" ]]; then
            echo "ERROR: Checksum mismatch! The file bot/build.sh has been modified."
            exit 1
          else
            echo "Checksum for bot/build.sh matches the reference value"
          fi
  check_software_layer_scripts_commit:
    runs-on: ubuntu-24.04
    steps:
      - name: Check out software-layer repository (shallow)
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 1 # We only need the current revision to read bot/commit_sha
      - name: Checkout software-layer-scripts (full history)
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1, pinned to the same SHA as above
        with:
          repository: EESSI/software-layer-scripts
          path: upstream-scripts
          fetch-depth: 0 # full history → required for ancestry checks
      - name: Read commit SHA
        id: read_sha
        run: |
          SHA=$(tr -d '[:space:]' < bot/commit_sha)
          # Only accept a full 40-character hex commit id: a branch or tag name would be a moving target,
          # and the value is interpolated into later run steps.
          if [[ ! "$SHA" =~ ^[0-9a-fA-F]{40}$ ]]; then
            echo "ERROR: bot/commit_sha does not contain a full 40-character commit SHA: '$SHA'"
            exit 1
          fi
          echo "sha=$SHA" >> "$GITHUB_OUTPUT"
          echo "Found SHA: $SHA"
      - name: Verify SHA exists in software-layer-scripts
        working-directory: upstream-scripts
        run: |
          SHA="${{ steps.read_sha.outputs.sha }}"
          echo "Checking out commit ${SHA} from software-layer-scripts"
          # Full history is already present (fetch-depth: 0); this only picks up a commit that is not
          # reachable from any branch. Failure is tolerated here so the check below prints a clear error.
          git fetch origin "${SHA}" 2>/dev/null || true
          # Validate that this object is _actually_ a commit
          if ! git cat-file -e "${SHA}^{commit}" 2>/dev/null; then
            echo "Commit $SHA not found in software-layer-scripts."
            exit 1
          fi
          git checkout --detach "${SHA}"
          echo "Commit $SHA exists in software-layer-scripts."
      - name: Check that SHA is merged into the default branch
        working-directory: upstream-scripts
        run: |
          SHA="${{ steps.read_sha.outputs.sha }}"
          # git merge-base --is-ancestor returns 0 if $SHA is an ancestor of origin/main
          if git merge-base --is-ancestor "$SHA" origin/main; then
            echo "Commit $SHA is merged into origin/main."
          else
            echo "Commit $SHA is NOT merged into origin/main."
            exit 1
          fi
      - name: Verify commit is signed by GitHub's web-flow key
        working-directory: upstream-scripts
        env:
          GIT_TRACE: 1 # extra debug output if something goes wrong
        run: |
          SHA="${{ steps.read_sha.outputs.sha }}"
          # Import the public key that GitHub uses for UI-generated merges
          echo "Importing GitHub web-flow GPG key..."
          curl -sSfL https://github.com/web-flow.gpg | gpg --dearmor > web-flow.gpg
          gpg --import web-flow.gpg
          # (optional) show the fingerprint for debugging
          echo "Fingerprint of the web-flow GPG key:"
          gpg --list-keys --fingerprint | grep -i "web-flow" -A1
          # Verify the commit's GPG signature. git verify-commit succeeds for any key in the keyring,
          # so this relies on the fresh runner's keyring containing only the key imported above.
          echo "Verifying the signature of commit $SHA..."
          if git verify-commit "$SHA"; then
            echo "Commit $SHA is signed and the signature validates with the web-flow key."
            echo "All verification steps succeeded."
          else
            echo "Commit $SHA is either unsigned or not signed by the web-flow key."
            exit 1
          fi
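The same checks can be run locally by a reviewer before a pull request bumps bot/commit_sha, which is also the easiest way to confirm what the workflow will decide. The script below is an added example and not part of the EESSI repositories; it mirrors the workflow's four checks and goes slightly further in two places: the commit id must be a full 40-hex SHA (a branch or tag name is rejected), and the signature must come from a pinned key fingerprint, read from `git verify-commit --raw` status output, rather than from whatever key happens to be in the keyring. It assumes `sha256sum`, `git` and `gpg` are installed, that `origin/main` is the default branch of software-layer-scripts, and that the caller supplies the web-flow fingerprint (uppercase hex, no spaces, as shown by `gpg --fingerprint`) and the pinned checksum from the workflow as arguments.

```shell
#!/bin/sh
# Local counterpart of the "Verify software-layer-scripts" workflow (added example, not EESSI code).
set -eu

# 0 if $1 is a full 40-character hex commit id; branch and tag names are rejected on purpose.
is_full_sha() {
    [ "${#1}" -eq 40 ] || return 1
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# 0 if the SHA-256 of file $1 equals the pinned value $2.
checksum_matches() {
    computed=$(sha256sum "$1" | awk '{print $1}')
    [ "$computed" = "$2" ]
}

# 0 if $2 is a commit in the repository at $1 and is an ancestor of branch $3.
commit_merged_into() {
    git -C "$1" cat-file -e "$2^{commit}" 2>/dev/null || return 1
    git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# 0 if commit $2 in repo $1 has a valid OpenPGP signature made with key fingerprint $3.
# "git verify-commit --raw" prints gpg's machine-readable status lines on stderr; the VALIDSIG
# line carries the signing key and primary key fingerprints, so we pin the signer explicitly.
commit_signed_by() {
    status=$(git -C "$1" verify-commit --raw "$2" 2>&1) || return 1
    printf '%s\n' "$status" | grep 'VALIDSIG' | grep -qw "$3"
}

# main <software-layer checkout> <software-layer-scripts checkout> <expected build.sh sha256> <fingerprint>
main() {
    layer=$1; scripts=$2; expected=$3; fpr=$4
    checksum_matches "$layer/bot/build.sh" "$expected" \
        || { echo "ERROR: bot/build.sh does not match the pinned checksum"; return 1; }
    sha=$(tr -d '[:space:]' < "$layer/bot/commit_sha")
    is_full_sha "$sha" \
        || { echo "ERROR: bot/commit_sha must hold a full 40-hex commit id, got '$sha'"; return 1; }
    # No-op when the commit is already present; failures are reported by the ancestry check below.
    git -C "$scripts" fetch -q origin "$sha" 2>/dev/null || true
    commit_merged_into "$scripts" "$sha" origin/main \
        || { echo "ERROR: $sha is missing or not merged into origin/main"; return 1; }
    commit_signed_by "$scripts" "$sha" "$fpr" \
        || { echo "ERROR: $sha is unsigned or not signed by key $fpr"; return 1; }
    echo "All verification steps succeeded for $sha"
}

# Run the full check only when all four arguments are given; sourcing the file just defines the functions.
if [ "$#" -eq 4 ]; then
    main "$@"
elif [ "$#" -ne 0 ]; then
    echo "usage: $0 <software-layer> <software-layer-scripts> <expected-sha256> <web-flow-fingerprint>" >&2
    exit 2
fi
```

Invoke it as `sh verify_scripts_commit.sh ./software-layer ./software-layer-scripts 9d33368c...0906773a <FINGERPRINT>` from a directory containing both checkouts. Pinning the fingerprint instead of relying on keyring contents matters on a developer machine, where the keyring usually holds many keys and a plain `git verify-commit` would accept any of them.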