-
Notifications
You must be signed in to change notification settings - Fork 51
206 lines (169 loc) · 9.12 KB
/
checkAudit.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
# - Github Audit Checker
# - checks if an audit is required
# YES, if:
# > contract in src/*.sol (no test or script contracts)
# - checks if an audit was conducted
# > is there at least one complete entry in the audit log for that contract/version
# - checks if all audit-related files are updated accordingly
# > is the audit report uploaded to ./audit/reports/ ?
# - checks if there is one approving review of an auditor (do we really want this?)
name: Audit Check
on:
pull_request:
jobs:
check-version:
runs-on: ubuntu-latest
env:
auditLogPath: 'audit/auditLog.json'
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0 ##### Fetch all history for all branches
- name: Check modified files for protected contracts
id: check_eligibility
run: |
##### get all files modified by this PR
FILES=$(git diff --name-only origin/main HEAD)
##### make sure that there are modified files
if [[ -z $FILES ]]; then
echo -e "\033[31mNo files found. This should not happen. Please check the code of the Github action. Aborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
##### Initialize empty variables
PROTECTED_CONTRACTS=""
##### go through all modified file names/paths and identify contracts with path 'src/*'
while IFS= read -r FILE; do
if echo "$FILE" | grep -E '^src/.*\.sol$'; then
# if echo "$FILE" | grep -E '^src/*\.sol$'; then
##### contract found
PROTECTED_CONTRACTS="${PROTECTED_CONTRACTS}${FILE}"$'\n'
fi
done <<< "$FILES"
##### if none found, exit here as there is nothing to do
if [[ -z "$PROTECTED_CONTRACTS" ]]; then
echo -e "\033[31mNo protected contracts found in files modified/added by this PR.\033[0m"
echo -e "\033[31mNo further checks are required.\033[0m"
# set action output to false
echo "CONTINUE=false" >> $GITHUB_ENV
exit 0
else
# set action output to true
echo "CONTINUE=true" >> $GITHUB_ENV
fi
echo "PROTECTED_CONTRACTS: $PROTECTED_CONTRACTS"
##### Write filenames to temporary files (using variables here was causing issues due to the file names)
echo -e "$PROTECTED_CONTRACTS" > protected_contracts.txt
- name: Check audit log
id: check-audit-log
if: env.CONTINUE == 'true'
run: |
# load list of protected contracts
PROTECTED_CONTRACTS=$(cat protected_contracts.txt)
##### make sure that there are any protected contracts
if [[ -z $PROTECTED_CONTRACTS ]]; then
echo -e "\033[31mNo protected contracts found. This should not happen (action should stop earlier). Please check the code of the Github action. Aborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# iterate through all contracts
while IFS= read -r FILE; do
# load contract version
VERSION=$(sed -nE 's/^\/\/\/ @custom:version ([0-9]+\.[0-9]+\.[0-9]+).*/\1/p' "$FILE")
##### make sure that contract version was extracted successfully
if [[ -z $VERSION ]]; then
echo -e "\033[31mCould not find version of contract $FILE. This should not happen. Please check the Github action code. Aborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# see if audit log contains an entry with those values
FILENAME=$(basename "$FILE" .sol)
LOG_ENTRIES=$(jq -r --arg filename "$FILENAME" --arg version "$VERSION" '.[$filename][$version][]' "$auditLogPath")
##### make sure that audit log entries were found
if [[ -z $LOG_ENTRIES || "${#LOG_ENTRIES}" -eq 0 ]]; then
echo -e "\033[31mCould not find a logged audit for contract $FILENAME in version $VERSION.\033[0m"
echo -e "\033[31mThis github action cannot complete until the audit log contains a logged audit for this file.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
echo "---------------------------------------------------"
echo "Found log entries for $FILENAME version $VERSION:"
echo "$LOG_ENTRIES"
echo "---------------------------------------------------"
# initialize variables for output
COMMIT_HASHES=""
AUDITOR_HANDLES=""
# Iterate through each log entry
echo "$LOG_ENTRIES" | jq -c '.' | while IFS= read -r entry; do
# extract log entry values into variables
AUDIT_COMPLETED_ON=$(echo "$entry" | jq -r '.auditCompletedOn')
AUDITED_BY=$(echo "$entry" | jq -r '.auditedBy')
AUDITOR_GIT_HANDLE=$(echo "$entry" | jq -r '.auditorGitHandle')
AUDIT_REPORT_PATH=$(echo "$entry" | jq -r '.auditReportPath')
AUDIT_COMMIT_HASH=$(echo "$entry" | jq -r '.auditCommitHash')
# echo "Audit Completed On: $AUDIT_COMPLETED_ON"
# echo "Audited By: $AUDITED_BY"
# echo "AUDITOR_GIT_HANDLE: $AUDITOR_GIT_HANDLE"
# echo "Audit Report Path: $AUDIT_REPORT_PATH"
# echo "Audit Commit Hash: $AUDIT_COMMIT_HASH"
# make sure that audit log entry contains date
if [ -z "$AUDIT_COMPLETED_ON" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains an invalid or no 'auditCompletedOn' date.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# make sure that audit log entry contains auditor's (company) name
if [ -z "$AUDITED_BY" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditedBy' information.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# make sure that audit log entry contains auditor's git handle
if [ -z "$AUDITOR_GIT_HANDLE" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditorGitHandle' information.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# make sure that audit log entry contains audit report path
if [ -z "$AUDIT_REPORT_PATH" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditReportPath' information.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# make sure that a file exists at the audit report path
if [ ! -f "$AUDIT_REPORT_PATH" ]; then
echo -e "\033[31mCould not find an audit report in path $AUDIT_REPORT_PATH for contract "$FILENAME".\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit report is uploaded to 'audit/reports/'.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# make sure that audit log entry contains audit report path
if [ -z "$AUDIT_COMMIT_HASH" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditCommitHash' information.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# store the commit hash to check it in a following step
COMMIT_HASHES="${COMMIT_HASHES} $AUDIT_COMMIT_HASH"
# store the commit hash to check it in a following step
AUDITOR_GIT_HANDLES="${AUDITOR_GIT_HANDLES} $AUDITOR_GIT_HANDLE"
done
done <<< "$PROTECTED_CONTRACTS"
echo "COMMIT_HASHES=$COMMIT_HASHES" >> $GITHUB_ENV
echo "COMMIT_HASHES=$COMMIT_HASHES"
echo "AUDITOR_GIT_HANDLES=$AUDITOR_GIT_HANDLES" >> $GITHUB_ENV
echo "AUDITOR_GIT_HANDLES=$AUDITOR_GIT_HANDLES"
# - name: Check auditor review
# - name: Assign "Ready_For_PROD_Deployment" label