|
1 | | -name: 'SigScanner Check' |
| 1 | +name: "SigScanner Check" |
2 | 2 |
|
3 | 3 | on: |
| 4 | + pull_request: |
4 | 5 | merge_group: |
5 | 6 | push: |
| 7 | + branches: |
| 8 | + - develop |
| 9 | + - release/* |
| 10 | + |
| 11 | +permissions: {} |
| 12 | + |
| 13 | +# Public key for chainlink-release-pusher[bot]. Commits signed with the |
| 14 | +# corresponding private key are exempt from SigScanner. Stored here (not |
| 15 | +# in Secrets) so that any change requires code-review approval. |
| 16 | +env: |
| 17 | + BOT_SIGN_KEY_PUB_RELEASE_PUSHER: | |
| 18 | + -----BEGIN PGP PUBLIC KEY BLOCK----- |
| 19 | + REPLACE_WITH_ACTUAL_PUBLIC_KEY |
| 20 | + -----END PGP PUBLIC KEY BLOCK----- |
6 | 21 |
|
7 | 22 | jobs: |
8 | 23 | sigscanner-check: |
| 24 | + # Skip merge_group events — github.actor there is whoever enqueued |
| 25 | + # the merge, not the PR author, so we can't reliably attribute commits. |
| 26 | + # Especially since it's expected that we squash merge for this repo. |
| 27 | + if: github.event_name != 'merge_group' |
9 | 28 | runs-on: ubuntu-latest |
| 29 | + permissions: |
| 30 | + contents: read |
| 31 | + env: |
| 32 | + # On pull_request, github.sha is a temporary merge commit; use the |
| 33 | + # actual PR head commit so we verify the developer's signed commit. |
| 34 | + # On push, github.sha is the real commit on develop. |
| 35 | + COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }} |
10 | 36 | steps: |
11 | | - - name: "SigScanner checking ${{ github.sha }} by ${{ github.actor }}" |
| 37 | + - name: Checkout commit |
| 38 | + uses: actions/checkout@v6 |
| 39 | + with: |
| 40 | + ref: ${{ github.event.pull_request.head.sha || github.sha }} |
| 41 | + fetch-depth: 1 |
| 42 | + persist-credentials: false |
| 43 | + |
| 44 | + - name: Check if commit is signed by release-pusher bot |
| 45 | + id: bot-sig-check |
| 46 | + run: | |
| 47 | + echo "🔑 Importing release-pusher bot public key …" |
| 48 | + echo "${BOT_SIGN_KEY_PUB_RELEASE_PUSHER}" | gpg --import 2>/dev/null |
| 49 | +
|
| 50 | + # Grab the fingerprint we just imported so we can match it |
| 51 | + BOT_FP=$(echo "${BOT_SIGN_KEY_PUB_RELEASE_PUSHER}" | gpg --with-colons --import-options show-only --import 2>/dev/null \ |
| 52 | + | awk -F: '/^fpr/{print $10; exit}') |
| 53 | + echo "Bot key fingerprint: ${BOT_FP}" |
| 54 | +
|
| 55 | + # Try to verify the commit signature |
| 56 | + if git verify-commit "${COMMIT_SHA}" 2>/dev/null; then |
| 57 | + # Extract the fingerprint that signed this commit |
| 58 | + SIGN_FP=$(git log --format='%GF' -1 "${COMMIT_SHA}") |
| 59 | + if [[ "${SIGN_FP}" == "${BOT_FP}" ]]; then |
| 60 | + echo "✅ Commit is signed by the release-pusher bot — skipping SigScanner" |
| 61 | + echo "signed_by_bot=true" | tee -a "$GITHUB_OUTPUT" |
| 62 | + else |
| 63 | + echo "ℹ️ Commit is GPG-signed but NOT by the bot (signer: ${SIGN_FP})" |
| 64 | + echo "signed_by_bot=false" | tee -a "$GITHUB_OUTPUT" |
| 65 | + fi |
| 66 | + else |
| 67 | + echo "ℹ️ Commit has no valid GPG signature" |
| 68 | + echo "signed_by_bot=false" | tee -a "$GITHUB_OUTPUT" |
| 69 | + fi |
| 70 | +
|
| 71 | + - name: "SigScanner checking ${{ env.COMMIT_SHA }} by ${{ github.actor }}" |
| 72 | + if: steps.bot-sig-check.outputs.signed_by_bot == 'false' |
12 | 73 | env: |
13 | 74 | API_TOKEN: ${{ secrets.SIGSCANNER_API_TOKEN }} |
14 | 75 | API_URL: ${{ secrets.SIGSCANNER_API_URL }} |
15 | 76 | run: | |
16 | | - echo "🔎 Checking commit ${{ github.sha }} by ${{ github.actor }} in ${{ github.repository }} - ${{ github.event_name }}" |
17 | | - CODE=`curl --write-out '%{http_code}' -X POST -H "Content-Type: application/json" -H "Authorization: $API_TOKEN" --silent --output /dev/null --url "$API_URL" --data '{"commit":"${{ github.sha }}","repository":"${{ github.repository }}","author":"${{ github.actor }}"}'` |
| 77 | + echo "🔎 Checking commit ${COMMIT_SHA} by ${GITHUB_ACTOR} in ${GITHUB_REPOSITORY} - ${GITHUB_EVENT_NAME}" |
| 78 | + CODE=$(curl \ |
| 79 | + --write-out '%{http_code}' \ |
| 80 | + -X POST \ |
| 81 | + -H "Content-Type: application/json" \ |
| 82 | + -H "Authorization: $API_TOKEN" \ |
| 83 | + --silent \ |
| 84 | + --output /dev/null \ |
| 85 | + --url "$API_URL" \ |
| 86 | + --data "{\"commit\":\"${COMMIT_SHA}\",\"repository\":\"${GITHUB_REPOSITORY}\",\"author\":\"${GITHUB_ACTOR}\"}" |
| 87 | + ) |
18 | 88 | echo "Received $CODE" |
19 | 89 | if [[ "$CODE" == "200" ]]; then |
20 | 90 | echo "✅ Commit is verified" |
|
0 commit comments