Skip to content

Git action test [AllBridgeFacet v3.0.1] [@coderabbit ignore] #33

Git action test [AllBridgeFacet v3.0.1] [@coderabbit ignore]

Git action test [AllBridgeFacet v3.0.1] [@coderabbit ignore] #33

Workflow file for this run

name: Audit Verifier
# - checks if an audit is required and assigns a (protected) label based on the result ('AuditRequired' or 'AuditNotRequired')
# - if an audit is required, it will verify that the audit was actually completed and then assign label "AuditCompleted"
# - verification includes:
# - ensuring the audit log contains an entry for all added/modified contracts in their latest version
# - ensuring that an audit report has been added
# - ensuring that the PR is approved by the auditor (uses auditor git handle from audit log)
# - ensuring that the commit hash that was audited is actually part of this PR
# KNOWN LIMITATIONS
# - will only check the last 100 commits for any matches with audit commit hashes
# - only one audit can be registered per contract (in a specific version)
on:
pull_request:
types: [opened, synchronize, reopened]
jobs:
verify-audit:
# will only run once the PR is in "Ready for Review" state
if: ${{ github.event.pull_request.draft == false }}
runs-on: ubuntu-latest
env:
GITHUB_TOKEN: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }}
AUDIT_LOG_PATH: 'audit/auditLog.json'
PR_NUMBER: ${{ github.event.pull_request.number }}
permissions:
pull-requests: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0 ##### Fetch all history for all branches
- name: Check PR for changes in protected folders ('src/*')
id: check_git_diff_for_protectected_folders
run: |
##### Get all files modified by this PR
FILES=$(git diff --name-only origin/main HEAD)
##### Make sure that there are modified files
if [[ -z $FILES ]]; then
echo -e "\033[31mNo files found. This should not happen. Please check the code of the Github action. Aborting now.\033[0m"
echo "CONTINUE=false" >> "$GITHUB_ENV"
fi
##### Initialize empty variables
PROTECTED_CONTRACTS=""
##### Go through all modified file names/paths and identify contracts with path 'src/*'
while IFS= read -r FILE; do
if echo "$FILE" | grep -E '^src/.*\.sol$'; then
##### Contract found
PROTECTED_CONTRACTS="${PROTECTED_CONTRACTS}${FILE}"$'\n'
fi
done <<< "$FILES"
##### Determine if audit is required
if [[ -z "$PROTECTED_CONTRACTS" ]]; then
echo -e "\033[32mNo protected contracts found in this PR.\033[0m"
echo "AUDIT_REQUIRED=false" >> "$GITHUB_ENV"
else
echo -e "\033[31mProtected contracts found in this PR.\033[0m"
echo "PROTECTED_CONTRACTS: $PROTECTED_CONTRACTS"
echo "AUDIT_REQUIRED=true" >> "$GITHUB_ENV"
echo "$AUDIT_REQUIRED" > audit_required.txt
echo -e "$PROTECTED_CONTRACTS" > protected_contracts.txt
fi
- name: Assign, update, and verify labels based on check outcome
uses: actions/github-script@v7
env:
AUDIT_REQUIRED: ${{ env.AUDIT_REQUIRED }}
with:
script: |
const { execSync } = require('child_process');
// ANSI escape codes for colors (used for colored output in Git action console)
const colors = {
reset: "\033[0m",
red: "\033[31m",
green: "\033[32m",
};
// Fetch currently assigned labels from GitHub using GitHub CLI
let assignedLabels = [];
try {
// Fetch the labels directly from the pull request
const labelsOutput = execSync(`gh pr view ${{ github.event.pull_request.number }} --json labels --jq '.labels[].name'`).toString();
// Split the labels output into an array and trim each label
assignedLabels = labelsOutput.split('\n').map(label => label.trim()).filter(Boolean);
} catch (error) {
console.error(`${colors.red}Error fetching assigned labels: ${error.message}${colors.reset}`);
process.exit(1);
}
// check if audit is required (determined by previous step)
const auditRequired = process.env.AUDIT_REQUIRED === 'true';
// determine which label should be assigned and which should be removed
const labelToAssign = auditRequired ? 'AuditRequired' : 'AuditNotRequired';
const oppositeLabel = auditRequired ? 'AuditNotRequired' : 'AuditRequired';
console.log(`Currently assigned labels: ${JSON.stringify(assignedLabels)}`);
console.log(`Label '${labelToAssign}' has to be assigned to this PR`);
console.log(`Label '${oppositeLabel}' will be removed, if currently present`);
// Assign the required label if not already present
if (!assignedLabels.includes(labelToAssign)) {
console.log(`Assigning label: ${labelToAssign}`);
execSync(`gh pr edit ${{ github.event.pull_request.number }} --add-label "${labelToAssign}"`, { stdio: 'inherit' });
} else {
console.log(`${colors.green}Label "${labelToAssign}" is already assigned. No action needed.${colors.reset}`);
}
// Remove the opposite label if it is present
if (assignedLabels.includes(oppositeLabel)) {
console.log(`Removing opposite label: ${oppositeLabel}`);
execSync(`gh pr edit ${{ github.event.pull_request.number }} --remove-label "${oppositeLabel}"`, { stdio: 'inherit' });
} else {
console.log(`${colors.green}Opposite label "${oppositeLabel}" is not assigned. No action needed.${colors.reset}`);
}
// Verify that exactly one of the two labels is assigned
const requiredLabelCount = assignedLabels.filter(label => label === 'AuditRequired').length;
const notRequiredLabelCount = assignedLabels.filter(label => label === 'AuditNotRequired').length;
const totalLabelsAssigned = requiredLabelCount + notRequiredLabelCount;
if (totalLabelsAssigned !== 1) {
console.error(`${colors.red}Error: Exactly one of the two protected labels should be assigned but found ${totalLabelsAssigned} assigned labels.${colors.reset}`);
process.exit(1);
} else {
console.log(`${colors.green}Verified that exactly one label is assigned. Check passed :)${colors.reset}`);
}
- name: Check Audit Log
id: check-audit-log
if: env.AUDIT_REQUIRED == 'true'
run: |
# load list of protected contracts
PROTECTED_CONTRACTS=$(cat protected_contracts.txt)
# create temp files to store commit hashes and auditor handles
COMMIT_HASHES_FILE="commit_hashes.txt"
AUDITOR_GIT_HANDLES_FILE="auditor_handles.txt"
##### make sure that there are any protected contracts
if [[ -z $PROTECTED_CONTRACTS ]]; then
echo -e "\033[31mNo protected contracts found. This should not happen (action should stop earlier). Please check the code of the Github action. Aborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# iterate through all contracts
while IFS= read -r FILE; do
echo "now processing file $FILE"
# load contract version
VERSION=$(sed -nE 's/^\/\/\/ @custom:version ([0-9]+\.[0-9]+\.[0-9]+).*/\1/p' "$FILE")
echo "Version $VERSION"
##### make sure that contract version was extracted successfully
if [[ -z $VERSION ]]; then
echo -e "\033[31mCould not find version of contract $FILE. This should not happen. Please check the Github action code. Aborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# see if audit log contains an entry with those values
FILENAME=$(basename "$FILE" .sol)
# Check if the contract and version exist in the JSON and get the audit IDs
AUDIT_IDS=$(jq -r --arg filename "$FILENAME" --arg version "$VERSION" \
'if .auditedContracts[$filename][$version] != null then .auditedContracts[$filename][$version][] else empty end' "$AUDIT_LOG_PATH")
echo "AUDIT_IDS: ($AUDIT_IDS)"
# Count the number of audits found
if [[ -z "$AUDIT_IDS" ]]; then
AUDIT_COUNT=0
else
# Properly count the number of non-empty audit IDs using awk
AUDIT_COUNT=$(echo "$AUDIT_IDS" | wc -l)
fi
echo "AUDIT_COUNT: $AUDIT_COUNT"
# Ensure exactly one audit is logged; handle errors if not
if [[ $AUDIT_COUNT -ne 1 ]]; then
echo "CONTINUE=false" >> $GITHUB_ENV
echo "AUDIT_VERIFIED=false" >> $GITHUB_ENV
if [[ $AUDIT_COUNT -gt 1 ]]; then
echo -e "\033[31mError: Multiple audits found for contract $FILENAME in version $VERSION.\033[0m"
echo -e "\033[31mOnly one audit should be logged per contract version.\033[0m"
echo -e "\033[31mPlease fix the audit log and try again.\033[0m"
else
echo -e "\033[31mCould not find a logged audit for contract $FILENAME in version $VERSION.\033[0m"
echo -e "\033[31mThis GitHub action cannot complete until the audit log contains a logged audit for this file.\033[0m"
fi
exit 1
fi
# Extract the single audit ID
AUDIT_ID=$(echo "$AUDIT_IDS" | head -n 1)
echo "Processing audit ID: $AUDIT_ID"
# Extract audit entry details for the single audit ID
AUDIT_ENTRY=$(jq -r --arg audit_id "$AUDIT_ID" '.audits[$audit_id]' "$AUDIT_LOG_PATH")
# Check if AUDIT_ENTRY is valid JSON
if [[ -z "$AUDIT_ENTRY" || "$AUDIT_ENTRY" == "null" ]]; then
echo -e "\033[31mError: The logged audit ID ($AUDIT_ID) for contract $FILE seems to be invalid.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
echo -e "\033[32mContract $FILENAME was audited in audit $AUDIT_ID.\033[0m"
# Extract log entry values into variables
AUDIT_COMPLETED_ON=$(echo "$AUDIT_ENTRY" | jq -r '.auditCompletedOn')
AUDITED_BY=$(echo "$AUDIT_ENTRY" | jq -r '.auditedBy')
AUDITOR_GIT_HANDLE=$(echo "$AUDIT_ENTRY" | jq -r '.auditorGitHandle')
AUDIT_REPORT_PATH=$(echo "$AUDIT_ENTRY" | jq -r '.auditReportPath')
AUDIT_COMMIT_HASH=$(echo "$AUDIT_ENTRY" | jq -r '.auditCommitHash')
# make sure that audit log entry contains date
if [ -z "$AUDIT_COMPLETED_ON" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains an invalid or no 'auditCompletedOn' date.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
else
echo -e "\033[32mThe audit log contains a date for $AUDIT_ID.\033[0m"
fi
# make sure that audit log entry contains auditor's (company) name
if [ -z "$AUDITED_BY" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditedBy' information.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
else
echo -e "\033[32mThe audit log contains the auditor's name for $AUDIT_ID: $AUDITED_BY.\033[0m"
fi
# make sure that audit log entry contains auditor's git handle
if [ -z "$AUDITOR_GIT_HANDLE" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditorGitHandle' information.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
else
echo -e "\033[32mThe audit log contains the auditor's github handle for $AUDIT_ID: $AUDITOR_GIT_HANDLE.\033[0m"
fi
# make sure that audit log entry contains audit report path
if [ -z "$AUDIT_REPORT_PATH" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditReportPath' information.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
else
echo -e "\033[32mThe audit log contains the path to the audit report for $AUDIT_ID: $AUDIT_REPORT_PATH.\033[0m"
fi
# make sure that a file exists at the audit report path
if [ ! -f "$AUDIT_REPORT_PATH" ]; then
echo -e "\033[31mCould not find an audit report in path $AUDIT_REPORT_PATH for contract "$FILENAME".\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit report is uploaded to 'audit/reports/'.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
else
echo -e "\033[32mThe audit report for $AUDIT_ID was found in path $AUDIT_REPORT_PATH.\033[0m"
fi
# make sure that audit log entry contains audit commit hash
if [ -z "$AUDIT_COMMIT_HASH" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditCommitHash' information.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
else
echo -e "\033[32mThe audit log contains the commit hash that was audited in $AUDIT_ID: $AUDIT_COMMIT_HASH.\033[0m"
fi
echo -e "\033[32mThe audit log contains all required information for contract $FILE.\033[0m"
echo "now checking if audit commit hash ($AUDIT_COMMIT_HASH) is associated with this PR ($PR_NUMBER)"
# Fetch the list of commits associated with the PR
COMMIT_LIST=$(gh pr view "$PR_NUMBER" --json commits --jq '.commits[].oid')
# Check if the target commit is in the list
if echo "$COMMIT_LIST" | grep -q "$TARGET_COMMIT"; then
echo -e "\033[32mCommit $TARGET_COMMIT is associated with PR #$PR_NUMBER.\033[0m"
else
echo -e "\033[31mCommit $TARGET_COMMIT is NOT associated with PR #$PR_NUMBER.\033[0m"
exit 1
fi
echo "now checking if the the auditor has approved this PR"
done <<< "$PROTECTED_CONTRACTS"
# store the commit hash in a temporary file to check its validity in a following step
# echo "$AUDIT_COMMIT_HASH" >> "$COMMIT_HASHES_FILE"
# echo "$AUDIT_COMMIT_HASH" >> commit_hashes.txt
# store the auditor git handle to check it in a following step if this auditor has reviewed the PR
# echo "$AUDITOR_GIT_HANDLE" >> "$AUDITOR_GIT_HANDLES_FILE"
# echo "$AUDITOR_GIT_HANDLE" >> auditor_handles.txt
# # read the temp files into variables
# AUDIT_COMMIT_HASHES=$(cat "$COMMIT_HASHES_FILE" | tr '\n' ' ')
# AUDITOR_GIT_HANDLES=$(cat "$AUDITOR_GIT_HANDLES_FILE" | tr '\n' ' ')
# echo "AUDIT_COMMIT_HASHES=$AUDIT_COMMIT_HASHES"
# echo "AUDIT_COMMIT_HASHES=$AUDIT_COMMIT_HASHES" >> $GITHUB_ENV
# echo "AUDITOR_GIT_HANDLES=$AUDITOR_GIT_HANDLES"
# echo "AUDITOR_GIT_HANDLES=$AUDITOR_GIT_HANDLES" >> $GITHUB_ENV
- name: Assign correct label based on check outcome
uses: actions-ecosystem/action-add-labels@v1
id: assign_label
with:
github_token: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }} # we use the token of the git action user so the label protection check will pass
labels: ${{ env.CONTINUE == 'true' && 'AuditCompleted' || 'AuditNotRequired' }} # if the action made it until here and CONTINUE was true then all checks passed. It CONTINUE was false then no audit is required
number: ${{ github.event.pull_request.number }}