-
Notifications
You must be signed in to change notification settings - Fork 51
301 lines (246 loc) · 14.3 KB
/
verifyAudit.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
name: Audit Verifier
# - checks if an audit is required and assigns a (protected) label based on the result ('AuditRequired' or 'AuditNotRequired')
# - if an audit is required, it will verify that the audit was actually completed and then assign label "AuditCompleted"
# - verification includes:
# - ensuring the audit log contains an entry for all added/modified contracts in their latest version
# - ensuring that an audit report has been added
# - ensuring that the PR is approved by the auditor (uses auditor git handle from audit log)
# - ensuring that the commit hash that was audited is actually part of this PR
# KNOWN LIMITATIONS
# - will only check the last 100 commits for any matches with audit commit hashes
# - only one audit can be registered per contract (in a specific version)
on:
pull_request:
types: [opened, synchronize, reopened]
jobs:
verify-audit:
# will only run once the PR is in "Ready for Review" state
if: ${{ github.event.pull_request.draft == false }}
runs-on: ubuntu-latest
env:
GITHUB_TOKEN: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }}
AUDIT_LOG_PATH: 'audit/auditLog.json'
permissions:
pull-requests: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0 ##### Fetch all history for all branches
- name: Check PR for changes in protected folders ('src/*')
id: check_git_diff_for_protectected_folders
run: |
##### Get all files modified by this PR
FILES=$(git diff --name-only origin/main HEAD)
##### Make sure that there are modified files
if [[ -z $FILES ]]; then
echo -e "\033[31mNo files found. This should not happen. Please check the code of the Github action. Aborting now.\033[0m"
echo "CONTINUE=false" >> "$GITHUB_ENV"
fi
##### Initialize empty variables
PROTECTED_CONTRACTS=""
##### Go through all modified file names/paths and identify contracts with path 'src/*'
while IFS= read -r FILE; do
if echo "$FILE" | grep -E '^src/.*\.sol$'; then
##### Contract found
PROTECTED_CONTRACTS="${PROTECTED_CONTRACTS}${FILE}"$'\n'
fi
done <<< "$FILES"
##### Determine if audit is required
if [[ -z "$PROTECTED_CONTRACTS" ]]; then
echo -e "\033[32mNo protected contracts found in this PR.\033[0m"
echo "AUDIT_REQUIRED=false" >> "$GITHUB_ENV"
else
echo -e "\033[31mProtected contracts found in this PR.\033[0m"
echo "PROTECTED_CONTRACTS: $PROTECTED_CONTRACTS"
echo "AUDIT_REQUIRED=true" >> "$GITHUB_ENV"
echo "$AUDIT_REQUIRED" > audit_required.txt
echo -e "$PROTECTED_CONTRACTS" > protected_contracts.txt
fi
- name: Assign, update, and verify labels based on check outcome
uses: actions/github-script@v7
env:
AUDIT_REQUIRED: ${{ env.AUDIT_REQUIRED }}
with:
script: |
const { execSync } = require('child_process');
// ANSI escape codes for colors (used for colored output in Git action console)
const colors = {
reset: "\033[0m",
red: "\033[31m",
green: "\033[32m",
};
// Fetch currently assigned labels from GitHub using GitHub CLI
let assignedLabels = [];
try {
// Fetch the labels directly from the pull request
const labelsOutput = execSync(`gh pr view ${{ github.event.pull_request.number }} --json labels --jq '.labels[].name'`).toString();
// Split the labels output into an array and trim each label
assignedLabels = labelsOutput.split('\n').map(label => label.trim()).filter(Boolean);
} catch (error) {
console.error(`${colors.red}Error fetching assigned labels: ${error.message}${colors.reset}`);
process.exit(1);
}
// check if audit is required (determined by previous step)
const auditRequired = process.env.AUDIT_REQUIRED === 'true';
// determine which label should be assigned and which should be removed
const labelToAssign = auditRequired ? 'AuditRequired' : 'AuditNotRequired';
const oppositeLabel = auditRequired ? 'AuditNotRequired' : 'AuditRequired';
console.log(`Currently assigned labels: ${JSON.stringify(assignedLabels)}`);
console.log(`Label '${labelToAssign}' has to be assigned to this PR`);
console.log(`Label '${oppositeLabel}' will be removed, if currently present`);
// Assign the required label if not already present
if (!assignedLabels.includes(labelToAssign)) {
console.log(`Assigning label: ${labelToAssign}`);
execSync(`gh pr edit ${{ github.event.pull_request.number }} --add-label "${labelToAssign}"`, { stdio: 'inherit' });
} else {
console.log(`${colors.green}Label "${labelToAssign}" is already assigned. No action needed.${colors.reset}`);
}
// Remove the opposite label if it is present
if (assignedLabels.includes(oppositeLabel)) {
console.log(`Removing opposite label: ${oppositeLabel}`);
execSync(`gh pr edit ${{ github.event.pull_request.number }} --remove-label "${oppositeLabel}"`, { stdio: 'inherit' });
} else {
console.log(`${colors.green}Opposite label "${oppositeLabel}" is not assigned. No action needed.${colors.reset}`);
}
// Verify that exactly one of the two labels is assigned
const requiredLabelCount = assignedLabels.filter(label => label === 'AuditRequired').length;
const notRequiredLabelCount = assignedLabels.filter(label => label === 'AuditNotRequired').length;
const totalLabelsAssigned = requiredLabelCount + notRequiredLabelCount;
if (totalLabelsAssigned !== 1) {
console.error(`${colors.red}Error: Exactly one of the two protected labels should be assigned but found ${totalLabelsAssigned} assigned labels.${colors.reset}`);
process.exit(1);
} else {
console.log(`${colors.green}Verified that exactly one label is assigned. Check passed :)${colors.reset}`);
}
- name: Verify Audit Log
id: verify-audit-log
if: env.AUDIT_REQUIRED == 'true'
run: |
# load list of protected contracts
PROTECTED_CONTRACTS=$(cat protected_contracts.txt)
# create temp files to store commit hashes and auditor handles
COMMIT_HASHES_FILE="commit_hashes.txt"
AUDITOR_GIT_HANDLES_FILE="auditor_handles.txt"
##### make sure that there are any protected contracts
if [[ -z $PROTECTED_CONTRACTS ]]; then
echo -e "\033[31mNo protected contracts found. This should not happen (action should stop earlier). Please check the code of the Github action. Aborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# iterate through all contracts
while IFS= read -r FILE; do
echo "now processing file $FILE"
# load contract version
VERSION=$(sed -nE 's/^\/\/\/ @custom:version ([0-9]+\.[0-9]+\.[0-9]+).*/\1/p' "$FILE")
echo "Version $VERSION"
##### make sure that contract version was extracted successfully
if [[ -z $VERSION ]]; then
echo -e "\033[31mCould not find version of contract $FILE. This should not happen. Please check the Github action code. Aborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# see if audit log contains an entry with those values
FILENAME=$(basename "$FILE" .sol)
# Check if the contract and version exist in the JSON and get the audit IDs
AUDIT_IDS=$(jq -r --arg filename "$FILENAME" --arg version "$VERSION" \
'if .auditedContracts[$filename][$version] != null then .auditedContracts[$filename][$version][] else empty end' "$AUDIT_LOG_PATH")
echo "AUDIT_IDS: ($AUDIT_IDS)"
# Count the number of audits found
AUDIT_COUNT=$(echo "$AUDIT_IDS" | grep -c '^[^[:space:]]')
echo "AUDIT_COUNT: $AUDIT_COUNT"
# Ensure exactly one audit is logged; handle errors if not
if [[ $AUDIT_COUNT -ne 1 ]]; then
echo "CONTINUE=false" >> $GITHUB_ENV
echo "AUDIT_VERIFIED=false" >> $GITHUB_ENV
if [[ $AUDIT_COUNT -gt 1 ]]; then
echo -e "\033[31mError: Multiple audits found for contract $FILENAME in version $VERSION.\033[0m"
echo -e "\033[31mOnly one audit should be logged per contract version. Aborting now.\033[0m"
else
echo -e "\033[31mCould not find a logged audit for contract $FILENAME in version $VERSION.\033[0m"
echo -e "\033[31mThis GitHub action cannot complete until the audit log contains a logged audit for this file.\033[0m"
fi
exit 1
fi
# Extract the single audit ID
AUDIT_ID=$(echo "$AUDIT_IDS" | head -n 1)
echo "Processing audit ID: $AUDIT_ID"
# Extract audit entry details for the single audit ID
AUDIT_ENTRY=$(jq -r --arg audit_id "$AUDIT_ID" '.audits[$audit_id]' "$AUDIT_LOG_PATH")
# Check if AUDIT_ENTRY is valid JSON
if [[ -z "$AUDIT_ENTRY" || "$AUDIT_ENTRY" == "null" ]]; then
echo -e "\033[31mError: The logged audit ID ($AUDIT_ID) for contract $FILE seems to be invalid.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# Extract log entry values into variables
AUDIT_COMPLETED_ON=$(echo "$AUDIT_ENTRY" | jq -r '.auditCompletedOn')
AUDITED_BY=$(echo "$AUDIT_ENTRY" | jq -r '.auditedBy')
AUDITOR_GIT_HANDLE=$(echo "$AUDIT_ENTRY" | jq -r '.auditorGitHandle')
AUDIT_REPORT_PATH=$(echo "$AUDIT_ENTRY" | jq -r '.auditReportPath')
AUDIT_COMMIT_HASH=$(echo "$AUDIT_ENTRY" | jq -r '.auditCommitHash')
# make sure that audit log entry contains date
if [ -z "$AUDIT_COMPLETED_ON" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains an invalid or no 'auditCompletedOn' date.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
echo "D"
# make sure that audit log entry contains auditor's (company) name
if [ -z "$AUDITED_BY" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditedBy' information.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# make sure that audit log entry contains auditor's git handle
if [ -z "$AUDITOR_GIT_HANDLE" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditorGitHandle' information.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# make sure that audit log entry contains audit report path
if [ -z "$AUDIT_REPORT_PATH" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditReportPath' information.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# make sure that a file exists at the audit report path
if [ ! -f "$AUDIT_REPORT_PATH" ]; then
echo -e "\033[31mCould not find an audit report in path $AUDIT_REPORT_PATH for contract "$FILENAME".\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit report is uploaded to 'audit/reports/'.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# make sure that audit log entry contains audit report path
if [ -z "$AUDIT_COMMIT_HASH" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditCommitHash' information.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
# store the commit hash in a temporary file to check its validity in a following step
# echo "$AUDIT_COMMIT_HASH" >> "$COMMIT_HASHES_FILE"
echo "$AUDIT_COMMIT_HASH" >> commit_hashes.txt
# store the auditor git handle to check it in a following step if this auditor has reviewed the PR
# echo "$AUDITOR_GIT_HANDLE" >> "$AUDITOR_GIT_HANDLES_FILE"
echo "$AUDITOR_GIT_HANDLE" >> auditor_handles.txt
echo "E"
echo -e "\033[32mAn audit was found for contract $FILENAME.\033[0m"
done <<< "$PROTECTED_CONTRACTS"
# # read the temp files into variables
# AUDIT_COMMIT_HASHES=$(cat "$COMMIT_HASHES_FILE" | tr '\n' ' ')
# AUDITOR_GIT_HANDLES=$(cat "$AUDITOR_GIT_HANDLES_FILE" | tr '\n' ' ')
# echo "AUDIT_COMMIT_HASHES=$AUDIT_COMMIT_HASHES"
# echo "AUDIT_COMMIT_HASHES=$AUDIT_COMMIT_HASHES" >> $GITHUB_ENV
# echo "AUDITOR_GIT_HANDLES=$AUDITOR_GIT_HANDLES"
# echo "AUDITOR_GIT_HANDLES=$AUDITOR_GIT_HANDLES" >> $GITHUB_ENV