/
action.yml
95 lines (74 loc) · 2.81 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
name: 'Gitsign Verify'
description: 'Uses `gitsign` to verify commit signatures of a branch'
inputs:
version:
description: 'Version of `gitsign` binary'
required: true
default: '0.3.1'
ref:
description: 'Git ref to check against'
required: true
default: 'origin/master'
email-domains:
description: 'Email Domains that are allowed to sign commits (space-separated list)'
required: false
default: ""
connector-ids:
description: 'The Identity Providers that are trusted to authenticate the signers (space-separated list)'
required: true
# default: Officialy supported IdPs (Github, Google, Microsoft)
default: "https://github.com/login/oauth https://accounts.google.com https://login.microsoftonline.com"
check-signing-date:
description: "Whether to verify that the Commit Date is in the SigningCertificate's Validity Period (Not Before <= Commit Date <= Not After)"
required: false
default: false
runs:
using: "composite"
steps:
- run: echo "${{ github.action_path }}" >> $GITHUB_PATH
shell: bash
- name: '[Gitsign] install'
shell: bash
run: |
# Get gitsign binary
wget -q https://github.com/sigstore/gitsign/releases/download/v${{ inputs.version }}/gitsign_${{ inputs.version }}_linux_amd64 -O gitsign
chmod +x ./gitsign
./gitsign -v
- name: '[Git] Setup signing program'
shell: bash
run: |
# Set gitsign as git commit verifier
git config --local gpg.x509.program ./gitsign
git config --local gpg.format x509
- name: '[Git] Fetch all git refs'
shell: bash
run: |
# Fetch git refs to recognise 'ref' input
git fetch origin ${{ github.ref }} --shallow-exclude ${{ inputs.ref }}
git fetch origin ${{ inputs.ref }}
- name: '[GithubActionMatcher] Add matcher'
shell: bash
run: |
# Add matcher for Github Action Warnings
echo "::add-matcher::${GITHUB_ACTION_PATH}/matcher.json"
- name: '[Gitsign] Verify Commits'
shell: bash
run: |
# Loop though commits HEAD to 'ref' and check signatures
COMMITS="$(git log origin/${{ inputs.ref }}..${{ github.ref }} --pretty=format:'%H')"
echo "[*] Verifying commits: [$COMMITS]"
for commit in ${COMMITS}; do
# If script fails, the action stops
verify-commit.sh "$commit"
done
echo "[+] All signatures verified!"
env:
EMAIL_DOMAINS: '${{ inputs.email-domains }}'
ACCEPTED_CONNECTOR_IDS: '${{ inputs.connector-ids }}'
CHECK_SIGNING_DATE: '${{ inputs.check-signing-date }}'
- name: '[GithubActionMatcher] Remove matcher'
if: always()
shell: bash
run: |
# Remove Github Action matcher
echo "::remove-matcher owner=gitsign-verify-sh::"