-
Notifications
You must be signed in to change notification settings - Fork 51
113 lines (90 loc) · 4.16 KB
/
checkAudit.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# - Github Audit Checker
# - checks if an audit is required
# YES, if:
# > contract in src/*.sol (no test or script contracts)
# - checks if an audit was conducted
# > is there an entry in the audit log for that contract/version
# - checks if all audit-related files are updated accordingly
# > is the audit report uploaded to ./audit/reports/ ?
# - checks if there is one approving review of an auditor (do we really want this?)
name: Audit Check
on:
pull_request:
jobs:
check-version:
runs-on: ubuntu-latest
env:
auditLogPath: 'audit/auditLog.json'
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Check modified files for protected contracts
id: check_eligibility
run: |
##### get all files modified by this PR
FILES=$(git diff --name-only origin/${BASE_REF} HEAD)
##### make sure that there are modified files
if [[ -z $FILES ]]; then
echo -e "\033[31mNo files found. This should not happen. Please check the code of the Github action. Aborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
##### Initialize empty variables
PROTECTED_CONTRACTS=""
##### go through all modified file names/paths and identify contracts with path 'src/*'
while IFS= read -r FILE; do
if echo "$FILE" | grep -E '^src/.*\.sol$'; then
# if echo "$FILE" | grep -E '^src/*\.sol$'; then
##### contract found
PROTECTED_CONTRACTS="${PROTECTED_CONTRACTS}${FILE}"$'\n'
fi
done <<< "$FILES"
##### if none found, exit here as there is nothing to do
if [[ -z "$PROTECTED_CONTRACTS" ]]; then
echo -e "\033[31mNo protected contracts found in files modified/added by this PR.\033[0m"
echo -e "\033[31mNo further checks are required.\033[0m"
# set action output to false
echo "CONTINUE=false" >> $GITHUB_ENV
exit 0
else
# set action output to true
echo "CONTINUE=true" >> $GITHUB_ENV
fi
echo "PROTECTED_CONTRACTS: $PROTECTED_CONTRACTS"
##### Write filenames to temporary files (using variables here was causing issues due to the file names)
echo -e "$PROTECTED_CONTRACTS" > protected_contracts.txt
- name: Check audit log
id: check-audit-log
if: env.CONTINUE == 'true'
run: |
# load list of protected contracts
PROTECTED_CONTRACTS=$(cat protected_contracts.txt)
##### make sure that there are any protected contracts
if [[ -z $PROTECTED_CONTRACTS ]]; then
echo -e "\033[31mNo protected contracts found. This should not happen (action should stop earlier). Please check the code of the Github action. Aborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# iterate through all contracts
while IFS= read -r FILE; do
# load contract version
VERSION=$(sed -nE 's/^\/\/\/ @custom:version ([0-9]+\.[0-9]+\.[0-9]+).*/\1/p' "$FILE")
##### make sure that contract version was extracted successfully
if [[ -z $VERSION ]]; then
echo -e "\033[31mCould not find version of contract $FILE. This should not happen. Please check the Github action code. Aborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# see if audit log contains an entry with those values
FILENAME=$(basename "$FILE" .sol)
LOG_ENTRIES=$(jq -r ".${FILENAME}.${VERSION}[]" "$env.auditLogPath")
echo "${#LOG_ENTRIES} LOG_ENTRIES:"
echo "LOG_ENTRIES:"
# go through array of log entries
# extract audit report path
# extract audit commit hash
# make sure that file exists at path
# make sure that commit hash exists in this PR's history
done <<< "$PROTECTED_CONTRACTS"
# - name: Check auditor review
# - name: Assign "Ready_For_PROD_Deployment" label