Skip to content
Gerrit Required Verify

Gerrit Required Verify #2076

Sign in to view logs

Gerrit Required Verify

Gerrit Required Verify #2076

Workflow file for this run

.github/workflows/gerrit-required-verify.yaml at f047f83
---
name: Gerrit Required Verify
# yamllint disable-line rule:truthy
on:
workflow_dispatch:
inputs:
GERRIT_BRANCH:
description: "Branch that change is against"
required: true
type: string
GERRIT_CHANGE_ID:
description: "The ID for the change"
required: true
type: string
GERRIT_CHANGE_NUMBER:
description: "The Gerrit number"
required: true
type: string
GERRIT_CHANGE_URL:
description: "URL to the change"
required: true
type: string
GERRIT_EVENT_TYPE:
description: "Gerrit event type"
required: true
type: string
GERRIT_PATCHSET_NUMBER:
description: "The patch number for the change"
required: true
type: string
GERRIT_PATCHSET_REVISION:
description: "The revision sha"
required: true
type: string
GERRIT_PROJECT:
description: "Project in Gerrit"
required: true
type: string
GERRIT_REFSPEC:
description: "Gerrit refspec of change"
required: true
type: string
TARGET_REPO:
# yamllint disable-line rule:line-length
description: "The target GitHub repository needing the required workflow"
required: true
type: string
concurrency:
group: ${{ github.event.inputs.GERRIT_CHANGE_ID || github.run_id }}
cancel-in-progress: true
jobs:
clear-vote:
runs-on: ubuntu-latest
steps:
- name: Clear votes
uses: lfit/gerrit-review-action@9627b9a144f2a2cad70707ddfae87c87dce60729 # v0.8
with:
host: ${{ vars.LFIT_GERRIT_SERVER }}
username: ${{ vars.LFIT_GERRIT_SSH_REQUIRED_USER }}
key: ${{ secrets.LFIT_GERRIT_SSH_REQUIRED_PRIVKEY }}
known_hosts: ${{ vars.LFIT_GERRIT_KNOWN_HOSTS }}
gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
vote-type: clear
- name: Allow replication
run: sleep 10s
needs-validate:
runs-on: ubuntu-latest
outputs:
validate: ${{ steps.repo-name.outputs.VALIDATE }}
steps:
- name: Check repo name
id: repo-name
env:
TARGET_REPO: ${{ inputs.TARGET_REPO }}
run: |
if [[ "${TARGET_REPO}" == "lfit/puppet-"* || \
"${TARGET_REPO}" == "lfit/lfcore-"* || \
"${TARGET_REPO}" == "lfit/ci-management" ]]; then
echo "VALIDATE=true" >> "$GITHUB_OUTPUT"
else
echo "VALIDATE=false" >> "$GITHUB_OUTPUT"
fi
shell: bash
gpg-validate:
runs-on: ubuntu-latest
needs: [clear-vote, needs-validate]
if: needs.needs-validate.outputs.validate == 'true'
steps:
- name: Checkout change
uses: lfit/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9
with:
gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }}
delay: "0s"
repository: ${{ inputs.TARGET_REPO }}
ref: refs/heads/${{ inputs.GERRIT_BRANCH }}
token: ${{ secrets.REPLICATION_TOKEN }}
- name: Install SSH Key
uses: shimataro/ssh-key-action@d4fffb50872869abe2d9a9098a6d9c5aa7d16be4 # v2.7.0
with:
key: ${{ secrets.LFIT_GERRIT_SSH_REQUIRED_PRIVKEY }}
known_hosts: ${{ vars.LFIT_GERRIT_KNOWN_HOSTS }}
config: |
Host ${{ vars.LFIT_GERRIT_SERVER }}
User ${{ vars.LFIT_GERRIT_SSH_REQUIRED_USER }}
Port 29418
PubkeyAcceptedKeyTypes +ssh-rsa
IdentityFile ~/.ssh/id_rsa
- name: Clone gpg key repo
shell: bash
run: |
CLONE_URL="ssh://${{ vars.LFIT_GERRIT_SERVER }}/password-store.git"
git clone "${CLONE_URL}" .password-store --depth 1
- name: Setup GNUPGHOME
shell: bash
run: |
GNUPGHOME=$(mktemp -d)
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
- name: Import keys
shell: bash
run: |
gpg --import .password-store/.gpg-keys/*.asc
- name: Cleanup gpg key repo
shell: bash
run: |
rm -rf .password-store
- name: Setup Trust Anchors
shell: bash
run: |
OWNERTRUST=$(mktemp)
TRUST_ANCHORS="${{ vars.TRUST_ANCHORS }}"
for i in ${TRUST_ANCHORS}
do
owner=$(echo "${i}" | tr -d '[:space:]')
echo "${owner}:6:" >> "${OWNERTRUST}"
done
cat "${OWNERTRUST}"
gpg --import-ownertrust "${OWNERTRUST}"
rm "${OWNERTRUST}"
gpg --check-trustdb
- name: Verify Commit Signature
shell: bash
run: |
if VERIFY=$(git verify-commit --raw HEAD 2>&1)
then
COUNT=$(echo "${VERIFY}" | \
grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG|TRUST_FULLY|TRUST_ULTIMATE)')
if [ "${COUNT}" -eq "3" ]
then
echo "Trusted signature found"
else
echo "ERROR: PGP Signature does not pass validation"
echo
echo "VERIFY is:"
echo "${VERIFY}"
exit 1
fi
else
echo "ERROR: PGP signature missing or not trusted"
echo
echo "VERIFY is:"
echo "${VERIFY}"
exit 1
fi
- name: Cleanup GNUPGHOME
if: ${{ always() }}
shell: bash
run: |
rm -rf "${GNUPGHOME}"
vote:
if: ${{ always() }}
needs: [clear-vote, needs-validate, gpg-validate]
runs-on: ubuntu-latest
steps:
- name: Get workflow conclusion
# yamllint disable-line rule:line-length
uses: im-open/workflow-conclusion@e4f7c4980600fbe0818173e30931d3550801b992 # v2.2.3
- name: Set vote
uses: lfit/gerrit-review-action@9627b9a144f2a2cad70707ddfae87c87dce60729 # v0.8
with:
host: ${{ vars.LFIT_GERRIT_SERVER }}
username: ${{ vars.LFIT_GERRIT_SSH_REQUIRED_USER }}
key: ${{ secrets.LFIT_GERRIT_SSH_REQUIRED_PRIVKEY }}
known_hosts: ${{ vars.LFIT_GERRIT_KNOWN_HOSTS }}
gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
vote-type: ${{ env.WORKFLOW_CONCLUSION }}