Clone specific software-layer-commit and implement CI to check merged status #1353
Open: casparvl wants to merge 22 commits into EESSI:main from casparvl:improve_software_layer_scripts_workflow
22 commits
7a52620  Add dummy EasyConfig
12c2bc7  Update bot/build.sh file to checkout commit_sha from software-layer-s…
dd37ed9  Fix indent
219bef9  Fix indent again
218e75f  Get rid of two unnecessary, and wrong commands
b8355bb  Check that changing the commit_sha to an _unmerged_ commit creates a …
f9d1b7d  Checkout the required github
2cd6082  Add comment
6d954c4  Replace commit_sha by an actual signed merge commit to prove that the…
36f7541  Test that the bot/build.sh script is unchanged
f1fdcca  Try to see if CI now fails, as intended
c4b1f9a  Correct missing space in bash logic - see if the workflow now fails (…
20d8bd2  Merge branch 'main' into improve_software_layer_scripts_workflow
0494884  Undo dummy change to see if CI passes again
72fbb29  Merge branch 'improve_software_layer_scripts_workflow' of github.com:…
1530fca  Rename the CI
cc18733  Merge into a single workflow file
77167ac  See if the bot/build.sh checksum test runs this way...
bce9bbc  See if the bot/build.sh checksum test still runs after uncommenting
bee1d29  Change sha checksum to see if this causes CI to fail (as expected)
2c752d2  Change SHA to an actual merge commit and change bot/build.sh to see i…
6d2714e  Change bot/build.sh back to the intended content so that all CI shoul…
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,127 @@ | ||
| # documentation: https://help.github.com/en/articles/workflow-syntax-for-github-actions | ||
| # | ||
| # This workflow verifies that the correct version of software-layer-scripts is used. | ||
| # | ||
| # First, check_bot_build_checksums checks if the bot/build.sh code that clones software-layer-scripts is untouched, | ||
| # as this normally shouldn't change (a change could mean a contributor is trying to inject something | ||
| # malicious). Having this CI means that a change in bot/build.sh should at least be accompanied by | ||
| # a change in this CI, making it stand out to reviewers and increasing the likelihood of this being caught. | ||
| # | ||
| # Second, check-software_layer_scripts_commit checks if the commit used in bot/commit_sha is a merge-commit for a | ||
| # merge into the default branch of software-layer-scripts. This guarantees that everything that is associated with | ||
| # that commit was approved by a reviewer (and deployed, if needed) | ||
| name: Verify software-layer-scripts | ||
| on: | ||
| push: | ||
| branches: [ "main" ] | ||
| pull_request: | ||
| workflow_dispatch: | ||
| permissions: | ||
| contents: read # to fetch code (actions/checkout) | ||
| jobs: | ||
| check_bot_build_checksum: | ||
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - name: Check out software-layer repository (shallow) | ||
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
| with: | ||
| fetch-depth: 1 # We only need the current revision to read bot/commit_sha | ||
|
|
||
| - name: Compute bot/build.sh checksum and verify it | ||
| run: | | ||
| # Print clear error if file doesn't exist at all | ||
| if [[ ! -f bot/build.sh ]]; then | ||
| echo "ERROR: File bot/build.sh not found!" | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Reference checksum | ||
| # UPDATE THIS CHECKSUM IF AND ONLY IF WE ACTUALLY WANT TO CHANGE bot/build.sh | ||
| EXPECTED_CHECKSUM="9d33368cac2e38e10147eeb0aafc321651ebaa5912387ecef97683570906773a" | ||
|
|
||
| # Compute checksum | ||
| COMPUTED_CHECKSUM=$(sha256sum bot/build.sh | awk '{print $1}') | ||
| echo "Computed checksum: $COMPUTED_CHECKSUM" | ||
| echo "Reference checksum: $EXPECTED_CHECKSUM" | ||
|
|
||
| # Compare checksums | ||
| if [[ "$COMPUTED_CHECKSUM" != "$EXPECTED_CHECKSUM" ]]; then | ||
| echo "ERROR: Checksum mismatch! The file bot/build.sh has been modified." | ||
| exit 1 | ||
| else | ||
| echo "Checksum for bot/build.sh matches the reference value" | ||
| fi | ||
| check_software_layer_scripts_commit: | ||
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - name: Check out software-layer repository (shallow) | ||
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
| with: | ||
| fetch-depth: 1 # We only need the current revision to read bot/commit_sha | ||
| - name: Checkout software-layer-scripts (full history) | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: EESSI/software-layer-scripts | ||
| path: upstream-scripts | ||
| fetch-depth: 0 # full history → required for ancestry checks | ||
|
|
||
| - name: Read commit SHA | ||
| id: read_sha | ||
| run: | | ||
| SHA=$(cat bot/commit_sha | tr -d '[:space:]') | ||
| echo "sha=$SHA" >> $GITHUB_OUTPUT | ||
| echo "Found SHA: $SHA" | ||
|
|
||
| - name: Verify SHA exists in software‑layer‑scripts | ||
| working-directory: upstream-scripts | ||
| run: | | ||
| SHA="${{ steps.read_sha.outputs.sha }}" | ||
|
|
||
| echo "Checking out commit ${SHA} from software-layer-scripts" | ||
| git fetch --depth=1 origin ${SHA} | ||
| git checkout --detach ${SHA} | ||
|
|
||
| # Validate that this object is _actually_ a commit | ||
| if ! git cat-file -e "${SHA}^{commit}" 2>/dev/null; then | ||
| echo "Commit $SHA not found in software‑layer‑scripts." | ||
| exit 1 | ||
| fi | ||
| echo "Commit $SHA exists in software‑layer‑scripts." | ||
|
|
||
| - name: Check that SHA is merged into the default branch | ||
| working-directory: upstream-scripts | ||
| run: | | ||
| SHA="${{ steps.read_sha.outputs.sha }}" | ||
|
|
||
| # git merge‑base --is‑ancestor returns 0 if $SHA is an ancestor of origin/main | ||
| if git merge-base --is-ancestor "$SHA" origin/main; then | ||
| echo "Commit $SHA is merged into origin/main." | ||
| else | ||
| echo "Commit $SHA is NOT merged into origin/main." | ||
| exit 1 | ||
| fi | ||
|
|
||
| - name: Verify commit is signed by GitHub’s web‑flow key | ||
| working-directory: upstream-scripts | ||
| env: | ||
| GIT_TRACE: 1 # extra debug output if something goes wrong | ||
| run: | | ||
| SHA="${{ steps.read_sha.outputs.sha }}" | ||
|
|
||
| # Import the public key that GitHub uses for UI‑generated merges | ||
| echo "Importing GitHub web‑flow GPG key…" | ||
| curl -sSfL https://github.com/web-flow.gpg | gpg --dearmor > web-flow.gpg | ||
| gpg --import web-flow.gpg | ||
| # (optional) show the fingerprint for debugging | ||
| echo "Fingerprint of the web-flow GPG key:" | ||
| gpg --list-keys --fingerprint | grep -i "web-flow" -A1 | ||
|
|
||
| # Verify the commit’s GPG signature | ||
| echo "Verifying the signature of commit $SHA…" | ||
| if git verify-commit "$SHA"; then | ||
| echo "Commit $SHA is signed and the signature validates with the web‑flow key." | ||
| echo "All verification steps succeeded." | ||
| else | ||
| echo "Commit $SHA is either unsigned or not signed by the web‑flow key." | ||
| exit 1 | ||
| fi |
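Review bot: the "Verify commit is signed by GitHub's web-flow key" step does not tie the signature to that key: `git verify-commit "$SHA"` exits 0 for a signature that validates against any key in the runner's keyring, and the only key present is whatever https://github.com/web-flow.gpg served on this run, unpinned. Record the expected web-flow fingerprint in the workflow and compare it against the signing key, e.g. `git log -1 --format='%G? %GF' "$SHA"`, requiring status G or U (U is what an imported but untrusted key yields) and an exact fingerprint match. Related gaps in the same hunk: the header says check_software_layer_scripts_commit verifies the SHA is a merge commit, but `git merge-base --is-ancestor` only proves it is reachable from origin/main, so add `git rev-parse --verify --quiet "$SHA^2"` if a merge commit is actually required; the read_sha step outputs the raw file contents, which are then template-expanded into the later `SHA="${{ steps.read_sha.outputs.sha }}"` lines before bash parses them, so validate with `[[ "$SHA" =~ ^[0-9a-f]{40}$ ]] || exit 1` in read_sha and pass the value via env: rather than inline expression; in "Verify SHA exists", `git fetch --depth=1 origin ${SHA}` and `git checkout --detach ${SHA}` are redundant after the fetch-depth: 0 checkout and run before the `git cat-file -e` check, so a missing commit fails with a fetch error instead of the intended message, and the --depth=1 fetch can add shallow boundaries to an otherwise full clone; drop both lines. Finally, the step names, echo strings and the `# git merge‑base --is‑ancestor` comment use U+2011 non-breaking hyphens, which is what triggers GitHub's hidden-Unicode warning on this file and silently breaks anyone who copies that comment into a shell; replace them with ASCII hyphens. Also align the header comment with the actual job ids (check_bot_build_checksums vs check_bot_build_checksum, check-software_layer_scripts_commit vs check_software_layer_scripts_commit).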
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| f5c45bf7810eb83d2f13e7d94260772cbe5b484d |
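Review bot: bot/commit_sha carries a bare SHA with nothing indicating which repository it belongs to, and because the workflow reads it with `cat bot/commit_sha | tr -d '[:space:]'` the file cannot hold a comment line explaining that. Either put the repository in the file name, as the discussion below suggests, or document the expected content (exactly one full 40-character SHA of an EESSI/software-layer-scripts commit that is merged into its default branch) next to the place in bot/build.sh that consumes it, so contributors know what a valid update looks like.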
I would make it clear that this sha belongs to a software-layer-scripts commit, so maybe rename it to software-layer-scripts.commit_sha or something?