Git action test [AllBridgeFacet v3.0.1] [@coderabbit ignore] #35
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Audit Verifier | |
# - checks if an audit is required and assigns a (protected) label based on the result ('AuditRequired' or 'AuditNotRequired') | |
# - if an audit is required, it will verify that the audit was actually completed and then assign label "AuditCompleted" | |
# - verification includes: | |
# - ensuring the audit log contains an entry for all added/modified contracts in their latest version | |
# - ensuring that an audit report has been added | |
# - ensuring that the PR is approved by the auditor (uses auditor git handle from audit log) | |
# - ensuring that the commit hash that was audited is actually part of this PR | |
# KNOWN LIMITATIONS | |
# - will only check the last 100 commits for any matches with audit commit hashes | |
# - only one audit can be registered per contract (in a specific version) | |
on: | |
pull_request: | |
types: [opened, synchronize, reopened] | |
jobs: | |
verify-audit: | |
# will only run once the PR is in "Ready for Review" state | |
if: ${{ github.event.pull_request.draft == false }} | |
runs-on: ubuntu-latest | |
env: | |
GITHUB_TOKEN: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }} | |
AUDIT_LOG_PATH: 'audit/auditLog.json' | |
PR_NUMBER: ${{ github.event.pull_request.number }} | |
permissions: | |
pull-requests: write | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 ##### Fetch all history for all branches | |
- name: Check PR for changes in protected folders ('src/*') | |
id: check_git_diff_for_protectected_folders | |
run: | | |
##### Get all files modified by this PR | |
FILES=$(git diff --name-only origin/main HEAD) | |
##### Make sure that there are modified files | |
if [[ -z $FILES ]]; then | |
echo -e "\033[31mNo files found. This should not happen. Please check the code of the Github action. Aborting now.\033[0m" | |
echo "CONTINUE=false" >> "$GITHUB_ENV" | |
fi | |
##### Initialize empty variables | |
PROTECTED_CONTRACTS="" | |
##### Go through all modified file names/paths and identify contracts with path 'src/*' | |
while IFS= read -r FILE; do | |
if echo "$FILE" | grep -E '^src/.*\.sol$'; then | |
##### Contract found | |
PROTECTED_CONTRACTS="${PROTECTED_CONTRACTS}${FILE}"$'\n' | |
fi | |
done <<< "$FILES" | |
##### Determine if audit is required | |
if [[ -z "$PROTECTED_CONTRACTS" ]]; then | |
echo -e "\033[32mNo protected contracts found in this PR.\033[0m" | |
echo "AUDIT_REQUIRED=false" >> "$GITHUB_ENV" | |
else | |
echo -e "\033[31mProtected contracts found in this PR.\033[0m" | |
echo "PROTECTED_CONTRACTS: $PROTECTED_CONTRACTS" | |
echo "AUDIT_REQUIRED=true" >> "$GITHUB_ENV" | |
echo "$AUDIT_REQUIRED" > audit_required.txt | |
echo -e "$PROTECTED_CONTRACTS" > protected_contracts.txt | |
fi | |
- name: Assign, update, and verify labels based on check outcome | |
uses: actions/github-script@v7 | |
env: | |
AUDIT_REQUIRED: ${{ env.AUDIT_REQUIRED }} | |
with: | |
script: | | |
const { execSync } = require('child_process'); | |
// ANSI escape codes for colors (used for colored output in Git action console) | |
const colors = { | |
reset: "\033[0m", | |
red: "\033[31m", | |
green: "\033[32m", | |
}; | |
// Fetch currently assigned labels from GitHub using GitHub CLI | |
let assignedLabels = []; | |
try { | |
// Fetch the labels directly from the pull request | |
const labelsOutput = execSync(`gh pr view ${{ github.event.pull_request.number }} --json labels --jq '.labels[].name'`).toString(); | |
// Split the labels output into an array and trim each label | |
assignedLabels = labelsOutput.split('\n').map(label => label.trim()).filter(Boolean); | |
} catch (error) { | |
console.error(`${colors.red}Error fetching assigned labels: ${error.message}${colors.reset}`); | |
process.exit(1); | |
} | |
// check if audit is required (determined by previous step) | |
const auditRequired = process.env.AUDIT_REQUIRED === 'true'; | |
// determine which label should be assigned and which should be removed | |
const labelToAssign = auditRequired ? 'AuditRequired' : 'AuditNotRequired'; | |
const oppositeLabel = auditRequired ? 'AuditNotRequired' : 'AuditRequired'; | |
console.log(`Currently assigned labels: ${JSON.stringify(assignedLabels)}`); | |
console.log(`Label '${labelToAssign}' has to be assigned to this PR`); | |
console.log(`Label '${oppositeLabel}' will be removed, if currently present`); | |
// Assign the required label if not already present | |
if (!assignedLabels.includes(labelToAssign)) { | |
console.log(`Assigning label: ${labelToAssign}`); | |
execSync(`gh pr edit ${{ github.event.pull_request.number }} --add-label "${labelToAssign}"`, { stdio: 'inherit' }); | |
} else { | |
console.log(`${colors.green}Label "${labelToAssign}" is already assigned. No action needed.${colors.reset}`); | |
} | |
// Remove the opposite label if it is present | |
if (assignedLabels.includes(oppositeLabel)) { | |
console.log(`Removing opposite label: ${oppositeLabel}`); | |
execSync(`gh pr edit ${{ github.event.pull_request.number }} --remove-label "${oppositeLabel}"`, { stdio: 'inherit' }); | |
} else { | |
console.log(`${colors.green}Opposite label "${oppositeLabel}" is not assigned. No action needed.${colors.reset}`); | |
} | |
// Verify that exactly one of the two labels is assigned | |
const requiredLabelCount = assignedLabels.filter(label => label === 'AuditRequired').length; | |
console.log(`requiredLabelCount: ${requiredLabelCount}`) | |
const notRequiredLabelCount = assignedLabels.filter(label => label === 'AuditNotRequired').length; | |
console.log(`notRequiredLabelCount: ${notRequiredLabelCount}`) | |
const totalLabelsAssigned = requiredLabelCount + notRequiredLabelCount; | |
console.log(`totalLabelsAssigned: ${totalLabelsAssigned}`) | |
if (totalLabelsAssigned !== 1) { | |
console.error(`${colors.red}Error: Exactly one of the two protected labels should be assigned but found ${totalLabelsAssigned} assigned labels.${colors.reset}`); | |
process.exit(1); | |
} else { | |
console.log(`${colors.green}Verified that exactly one label is assigned. Check passed :)${colors.reset}`); | |
} | |
- name: Check Audit Log | |
id: check-audit-log | |
if: env.AUDIT_REQUIRED == 'true' | |
run: | | |
# load list of protected contracts | |
PROTECTED_CONTRACTS=$(cat protected_contracts.txt) | |
# create temp files to store commit hashes and auditor handles | |
COMMIT_HASHES_FILE="commit_hashes.txt" | |
AUDITOR_GIT_HANDLES_FILE="auditor_handles.txt" | |
##### make sure that there are any protected contracts | |
if [[ -z $PROTECTED_CONTRACTS ]]; then | |
echo -e "\033[31mNo protected contracts found. This should not happen (action should stop earlier). Please check the code of the Github action. Aborting now.\033[0m" | |
echo "CONTINUE=false" >> $GITHUB_ENV | |
exit 1 | |
fi | |
# iterate through all contracts | |
while IFS= read -r FILE; do | |
echo "now processing file $FILE" | |
# load contract version | |
VERSION=$(sed -nE 's/^\/\/\/ @custom:version ([0-9]+\.[0-9]+\.[0-9]+).*/\1/p' "$FILE") | |
echo "Version $VERSION" | |
##### make sure that contract version was extracted successfully | |
if [[ -z $VERSION ]]; then | |
echo -e "\033[31mCould not find version of contract $FILE. This should not happen. Please check the Github action code. Aborting now.\033[0m" | |
echo "CONTINUE=false" >> $GITHUB_ENV | |
exit 1 | |
fi | |
# see if audit log contains an entry with those values | |
FILENAME=$(basename "$FILE" .sol) | |
# Check if the contract and version exist in the JSON and get the audit IDs | |
AUDIT_IDS=$(jq -r --arg filename "$FILENAME" --arg version "$VERSION" \ | |
'if .auditedContracts[$filename][$version] != null then .auditedContracts[$filename][$version][] else empty end' "$AUDIT_LOG_PATH") | |
echo "AUDIT_IDS: ($AUDIT_IDS)" | |
# Count the number of audits found | |
if [[ -z "$AUDIT_IDS" ]]; then | |
AUDIT_COUNT=0 | |
else | |
# Properly count the number of non-empty audit IDs using awk | |
AUDIT_COUNT=$(echo "$AUDIT_IDS" | wc -l) | |
fi | |
echo "AUDIT_COUNT: $AUDIT_COUNT" | |
# Ensure exactly one audit is logged; handle errors if not | |
if [[ $AUDIT_COUNT -ne 1 ]]; then | |
echo "CONTINUE=false" >> $GITHUB_ENV | |
echo "AUDIT_VERIFIED=false" >> $GITHUB_ENV | |
if [[ $AUDIT_COUNT -gt 1 ]]; then | |
echo -e "\033[31mError: Multiple audits found for contract $FILENAME in version $VERSION.\033[0m" | |
echo -e "\033[31mOnly one audit should be logged per contract version.\033[0m" | |
echo -e "\033[31mPlease fix the audit log and try again.\033[0m" | |
else | |
echo -e "\033[31mCould not find a logged audit for contract $FILENAME in version $VERSION.\033[0m" | |
echo -e "\033[31mThis GitHub action cannot complete until the audit log contains a logged audit for this file.\033[0m" | |
fi | |
exit 1 | |
fi | |
# Extract the single audit ID | |
AUDIT_ID=$(echo "$AUDIT_IDS" | head -n 1) | |
echo "Processing audit ID: $AUDIT_ID" | |
# Extract audit entry details for the single audit ID | |
AUDIT_ENTRY=$(jq -r --arg audit_id "$AUDIT_ID" '.audits[$audit_id]' "$AUDIT_LOG_PATH") | |
# Check if AUDIT_ENTRY is valid JSON | |
if [[ -z "$AUDIT_ENTRY" || "$AUDIT_ENTRY" == "null" ]]; then | |
echo -e "\033[31mError: The logged audit ID ($AUDIT_ID) for contract $FILE seems to be invalid.\033[0m" | |
echo "CONTINUE=false" >> $GITHUB_ENV | |
exit 1 | |
fi | |
echo "File $FILE was audited in $AUDIT_ID" | |
# Extract log entry values into variables | |
AUDIT_COMPLETED_ON=$(echo "$AUDIT_ENTRY" | jq -r '.auditCompletedOn') | |
AUDITED_BY=$(echo "$AUDIT_ENTRY" | jq -r '.auditedBy') | |
AUDITOR_GIT_HANDLE=$(echo "$AUDIT_ENTRY" | jq -r '.auditorGitHandle') | |
AUDIT_REPORT_PATH=$(echo "$AUDIT_ENTRY" | jq -r '.auditReportPath') | |
AUDIT_COMMIT_HASH=$(echo "$AUDIT_ENTRY" | jq -r '.auditCommitHash') | |
# make sure that audit log entry contains date | |
if [ -z "$AUDIT_COMPLETED_ON" ]; then | |
echo -e "\033[31mThe audit log entry for file $FILE contains an invalid or no 'auditCompletedOn' date.\033[0m" | |
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m" | |
echo -e "\033[31mAborting now.\033[0m" | |
echo "CONTINUE=false" >> $GITHUB_ENV | |
exit 1 | |
else | |
echo "The audit log contains a date for $AUDIT_ID: $AUDIT_COMPLETED_ON" | |
fi | |
# make sure that audit log entry contains auditor's (company) name | |
if [ -z "$AUDITED_BY" ]; then | |
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditedBy' information.\033[0m" | |
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m" | |
echo -e "\033[31mAborting now.\033[0m" | |
echo "CONTINUE=false" >> $GITHUB_ENV | |
exit 1 | |
else | |
echo "The audit log contains the auditor's name for $AUDIT_ID: $AUDITED_BY" | |
fi | |
# make sure that audit log entry contains auditor's git handle | |
if [ -z "$AUDITOR_GIT_HANDLE" ]; then | |
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditorGitHandle' information.\033[0m" | |
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m" | |
echo -e "\033[31mAborting now.\033[0m" | |
echo "CONTINUE=false" >> $GITHUB_ENV | |
exit 1 | |
else | |
echo "The audit log contains the auditor's github handle for $AUDIT_ID: $AUDITOR_GIT_HANDLE" | |
fi | |
# make sure that a file exists at the audit report path | |
if [ ! -f "$AUDIT_REPORT_PATH" ]; then | |
echo -e "\033[31mCould not find an audit report in path $AUDIT_REPORT_PATH for contract "$FILENAME".\033[0m" | |
echo -e "\033[31mThis github action cannot complete before the audit report is uploaded to 'audit/reports/'.\033[0m" | |
echo -e "\033[31mAborting now.\033[0m" | |
echo "CONTINUE=false" >> $GITHUB_ENV | |
exit 1 | |
else | |
echo "The audit report for $AUDIT_ID was found in path $AUDIT_REPORT_PATH" | |
fi | |
# make sure that audit log entry contains audit commit hash | |
if [ -z "$AUDIT_COMMIT_HASH" ]; then | |
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditCommitHash' information.\033[0m" | |
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m" | |
echo -e "\033[31mAborting now.\033[0m" | |
echo "CONTINUE=false" >> $GITHUB_ENV | |
exit 1 | |
else | |
echo "The audit log contains the commit hash that was audited in $AUDIT_ID: $AUDIT_COMMIT_HASH" | |
fi | |
echo -e "\033[32mThe audit log contains all required information for contract $FILE.\033[0m" | |
echo "now checking if audit commit hash ($AUDIT_COMMIT_HASH) is associated with this PR ($PR_NUMBER)" | |
# Fetch the list of commits associated with the PR | |
COMMIT_LIST=$(gh pr view "$PR_NUMBER" --json commits --jq '.commits[].oid') | |
# Check if the target commit is in the list | |
if echo "$COMMIT_LIST" | grep -q "$TARGET_COMMIT"; then | |
echo -e "\033[32mCommit $AUDIT_COMMIT_HASH is associated with PR #$PR_NUMBER.\033[0m" | |
else | |
echo -e "\033[31mCommit $AUDIT_COMMIT_HASH is NOT associated with PR #$PR_NUMBER.\033[0m" | |
echo "CONTINUE=false" >> $GITHUB_ENV | |
exit 1 | |
fi | |
echo "now checking if the the auditor has approved this PR" | |
done <<< "$PROTECTED_CONTRACTS" | |
# store the commit hash in a temporary file to check its validity in a following step | |
# echo "$AUDIT_COMMIT_HASH" >> "$COMMIT_HASHES_FILE" | |
# echo "$AUDIT_COMMIT_HASH" >> commit_hashes.txt | |
# store the auditor git handle to check it in a following step if this auditor has reviewed the PR | |
# echo "$AUDITOR_GIT_HANDLE" >> "$AUDITOR_GIT_HANDLES_FILE" | |
# echo "$AUDITOR_GIT_HANDLE" >> auditor_handles.txt | |
# # read the temp files into variables | |
# AUDIT_COMMIT_HASHES=$(cat "$COMMIT_HASHES_FILE" | tr '\n' ' ') | |
# AUDITOR_GIT_HANDLES=$(cat "$AUDITOR_GIT_HANDLES_FILE" | tr '\n' ' ') | |
# echo "AUDIT_COMMIT_HASHES=$AUDIT_COMMIT_HASHES" | |
# echo "AUDIT_COMMIT_HASHES=$AUDIT_COMMIT_HASHES" >> $GITHUB_ENV | |
# echo "AUDITOR_GIT_HANDLES=$AUDITOR_GIT_HANDLES" | |
# echo "AUDITOR_GIT_HANDLES=$AUDITOR_GIT_HANDLES" >> $GITHUB_ENV | |
- name: Assign correct label based on check outcome | |
uses: actions-ecosystem/action-add-labels@v1 | |
id: assign_label | |
with: | |
github_token: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }} # we use the token of the git action user so the label protection check will pass | |
labels: ${{ env.CONTINUE == 'true' && 'AuditCompleted' || 'AuditNotRequired' }} # if the action made it until here and CONTINUE was true then all checks passed. It CONTINUE was false then no audit is required | |
number: ${{ github.event.pull_request.number }} |