edge-microvisor-toolkit/.github/workflows/check-source-signatures.yml at 3.0 · open-edge-platform/edge-microvisor-toolkit · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
---
name: Source Signature Check

on:
  pull_request:
    branches: [3.0*,next,26.06*]
    types: [opened, synchronize, reopened]
    paths:
      - .github/workflows/check-source-signatures.yml
      - '**.spec'

permissions: read-all

jobs:
  spec-check:
    name: Source Signature Check
    runs-on: ubuntu-latest
    strategy:
      matrix:
        specs-dir: [SPECS, SPECS-EXTENDED]

    steps:
      # Checkout the branch of our repo that triggered this action
      - name: Workflow trigger checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5    #v4
        with:
          persist-credentials: false
          fetch-depth: 0

      # For consistency, we use the same major/minor version of Python that Azure Linux ships
      - name: Setup Python 3.12
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065    #v5
        with:
          python-version: 3.12

      - name: Get Python dependencies
        run: python3 -m pip install -r toolkit/scripts/requirements.txt

      - name: Get base commit for PRs
        if: ${{ github.event_name == 'pull_request' }}
        run: |
          base_ref="${BASE_REF}"
          echo "base_sha=$(git rev-parse origin/$base_ref)" >> "$GITHUB_ENV"
          echo "Merging ${{ github.sha }} into $base_ref"
        env:
          BASE_REF: ${{ github.base_ref }}

      - name: Get base commit for Pushes
        if: ${{ github.event_name == 'push' }}
        run: |
          echo "base_sha=${{ github.event.before }}" >> "$GITHUB_ENV"
          echo "Merging ${{ github.sha }} into ${{ github.event.before }}"

      - name: Get changed packages
        run: |
          # Find the packages that have been modified in the current PR. They will be of the form '/path/to/SPECS/<pkgname>/**/.*', and we want to extract
          # the package's directory name (ie the folder inside ./SPECS).
          changed_pkg_dirs=$(git diff-tree --diff-filter=d --no-commit-id --name-only -r ${{ env.base_sha }} ${{ github.sha }} | { grep -oP "(?<=^${{ matrix.specs-dir }}/)([^/]+)" || [[ $? -eq 1 ]]; } | sort -u | xargs)

          echo "Folders with modified files in this PR:"
          echo "${{ matrix.specs-dir }}/*: '${changed_pkg_dirs}'"

          # For each package directory, get the names of all .spec files contained and add them to the list of SRPMS to repack.
          # We need to filter since some directories may not contain .spec files we can rebuild, or the naming may not be 1:1.
          changed_pkgs=""
          for pkg in $changed_pkg_dirs; do
            changed_pkgs="$changed_pkgs $(find "${{ matrix.specs-dir }}/$pkg" -name '*.spec' -exec basename {} .spec \; | xargs)"
          done

          echo "Packages modified in this PR:"
          echo "${{ matrix.specs-dir }}: '${changed_pkgs}'"
          echo "changed_pkgs=${changed_pkgs}" >> "$GITHUB_ENV"

      - name: Prepare the build environment
        run: |
          if [ -z "${{ env.changed_pkgs }}" ] && [ -z "${{ env.changed_pkgs_extended }}" ]; then
            echo "No package changes detected."
            exit 0
          fi

          echo "Checking for invalid signatures..."
          # Call this script to sync the toolchain manifests with the LKG daily build.
          #./toolkit/scripts/setuplkgtoolchain.sh
          # Determine the LKG daily build ID.
          #LKG_BUILD_ID=$(wget -qO - https://mariner3dailydevrepo.blob.core.windows.net/lkg/lkg-3.0-dev.json | jq -r ".dailybuildid" | tr '\.' '-')
          #echo "LKG_BUILD_ID=${LKG_BUILD_ID}" >> "$GITHUB_ENV"

          sudo make -C toolkit -j"$(nproc)" chroot-tools REBUILD_TOOLS=y DAILY_BUILD_ID=lkg

      - name: Check for invalid source signatures
        run: |
          if [ -z "${{ env.changed_pkgs }}" ]; then
            echo "No package changes detected in '${{ matrix.specs-dir }}''."
            exit 0
          fi

          set -x
          if ! sudo make -C toolkit -j"$(nproc)" input-srpms REBUILD_TOOLS=y DAILY_BUILD_ID=lkg SRPM_PACK_LIST="${{ env.changed_pkgs }}" SPECS_DIR="../${{ matrix.specs-dir }}"; then
            set +x
            printf "\n\n******************************\n"
            echo "Failed to check the signatures of the modified packages."
            echo "Check the logs above for details on the mismatches files and their expected hashes."
            echo "Consider running: sudo make -C toolkit input-srpms REBUILD_TOOLS=y SRPM_PACK_LIST='${{ env.changed_pkgs }}' SPECS_DIR=../${{ matrix.specs-dir }}"
            printf "******************************\n\n"
            exit 1
          else
            echo "All modified packages have valid source signatures."
          fi