-
Notifications
You must be signed in to change notification settings - Fork 0
413 lines (372 loc) · 16.6 KB
/
sign-modules.yml
File metadata and controls
413 lines (372 loc) · 16.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
# Auto-sign changed module manifests on push to dev/main, then strict-verify. PRs use full payload
# checksum + version bump without `--require-signature` until `main`.
name: Module Signature Hardening
on:
workflow_dispatch:
inputs:
base_branch:
description: Remote branch to compare for --changed-only (fetches origin/<branch>)
type: choice
options:
- dev
- main
default: dev
version_bump:
description: Auto-bump when module version is still unchanged from the base ref
type: choice
options:
- patch
- minor
- major
default: patch
resign_all_manifests:
description: Sign every packages/*/module-package.yaml (not only --changed-only vs base). Use when manifests match the base but lack signatures.
type: boolean
default: false
push:
branches: [dev, main]
paths:
- "packages/**"
# Registry-only publish merges do not touch packages/**; still run signing so git manifests
# stay aligned with dev→main --require-signature checks.
- "registry/**"
- "scripts/sign-modules.py"
- "scripts/verify-modules-signature.py"
- ".github/workflows/sign-modules.yml"
- ".github/workflows/sign-modules-on-approval.yml"
pull_request:
branches: [dev, main]
paths:
- "packages/**"
- "registry/**"
- "scripts/sign-modules.py"
- "scripts/verify-modules-signature.py"
- ".github/workflows/sign-modules.yml"
- ".github/workflows/sign-modules-on-approval.yml"
concurrency:
group: sign-modules-${{ github.ref }}
cancel-in-progress: false
jobs:
verify:
name: Verify Module Signatures
runs-on: ubuntu-latest
outputs:
# Skip reproducibility when we only opened a PR: origin/main is still unsigned until merge.
opened_sign_pr: ${{ steps.commit_auto_sign.outputs.opened_sign_pr }}
permissions:
contents: write
pull-requests: write
# Same public-key env as pr-orchestrator so strict verify can check signatures against the
# configured release key (not only resources/keys/module-signing-public.pem in the checkout).
env:
SPECFACT_MODULE_PUBLIC_SIGN_KEY: ${{ secrets.SPECFACT_MODULE_PUBLIC_SIGN_KEY }}
SPECFACT_MODULE_SIGNING_PUBLIC_KEY_PEM: ${{ secrets.SPECFACT_MODULE_SIGNING_PUBLIC_KEY_PEM }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
- name: Fetch workflow_dispatch comparison base
if: github.event_name == 'workflow_dispatch'
run: git fetch --no-tags origin "${{ github.event.inputs.base_branch }}"
- name: Fetch pull_request comparison base
if: github.event_name == 'pull_request'
run: git fetch --no-tags origin "${{ github.event.pull_request.base.ref }}"
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install signer dependencies
run: |
python -m pip install --upgrade pip
python -m pip install pyyaml beartype icontract cryptography cffi
- name: Auto-sign changed module manifests (push to dev/main, non-bot actors)
if: >-
github.event_name == 'push' &&
(github.ref_name == 'dev' || github.ref_name == 'main') &&
github.actor != 'github-actions[bot]'
env:
SPECFACT_MODULE_PRIVATE_SIGN_KEY: ${{ secrets.SPECFACT_MODULE_PRIVATE_SIGN_KEY }}
SPECFACT_MODULE_PRIVATE_SIGN_KEY_PASSPHRASE: ${{ secrets.SPECFACT_MODULE_PRIVATE_SIGN_KEY_PASSPHRASE }}
run: |
set -euo pipefail
if [ -z "${SPECFACT_MODULE_PRIVATE_SIGN_KEY}" ]; then
echo "::error::Missing SPECFACT_MODULE_PRIVATE_SIGN_KEY. Configure the secret so pushes to ${GITHUB_REF_NAME} can auto-sign module manifests."
exit 1
fi
BEFORE="${{ github.event.before }}"
if [ "$BEFORE" = "0000000000000000000000000000000000000000" ]; then
BEFORE="$(git rev-parse HEAD~1 2>/dev/null || true)"
fi
if [ -z "$BEFORE" ]; then
echo "::error::Unable to resolve parent commit for --changed-only signing."
exit 1
fi
python scripts/sign-modules.py \
--changed-only \
--base-ref "$BEFORE" \
--bump-version patch \
--payload-from-filesystem
# Registry-only merges leave packages/** unchanged, so --changed-only signs nothing.
# Sign any manifest still missing integrity.signature (same CI key as publish-modules).
python - <<'PY'
import os
import subprocess
import sys
from pathlib import Path
import yaml
if not os.environ.get("SPECFACT_MODULE_PRIVATE_SIGN_KEY", "").strip():
raise SystemExit(0)
def manifest_has_signature(data: dict) -> bool:
integrity_obj = data.get("integrity")
if not isinstance(integrity_obj, dict):
return False
return bool(str(integrity_obj.get("signature") or "").strip())
root = Path(".").resolve()
for manifest in sorted((root / "packages").glob("*/module-package.yaml")):
raw = yaml.safe_load(manifest.read_text(encoding="utf-8"))
if not isinstance(raw, dict) or manifest_has_signature(raw):
continue
print(f"Signing unsigned manifest {manifest} (post --changed-only sweep).", flush=True)
subprocess.run(
[
sys.executable,
"scripts/sign-modules.py",
"--payload-from-filesystem",
"--allow-same-version",
str(manifest),
],
cwd=str(root),
check=True,
)
PY
- name: Auto-sign changed module manifests (same-repo PRs, non-bot actors)
if: >-
github.event_name == 'pull_request' &&
github.event.pull_request.head.repo.full_name == github.repository &&
github.actor != 'github-actions[bot]'
env:
PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
SPECFACT_MODULE_PRIVATE_SIGN_KEY: ${{ secrets.SPECFACT_MODULE_PRIVATE_SIGN_KEY }}
SPECFACT_MODULE_PRIVATE_SIGN_KEY_PASSPHRASE: ${{ secrets.SPECFACT_MODULE_PRIVATE_SIGN_KEY_PASSPHRASE }}
run: |
set -euo pipefail
if [ -z "${SPECFACT_MODULE_PRIVATE_SIGN_KEY}" ]; then
echo "::error::Missing SPECFACT_MODULE_PRIVATE_SIGN_KEY. Configure the secret so same-repo PRs can auto-sign module manifests."
exit 1
fi
MERGE_BASE="$(git merge-base HEAD "origin/${{ github.event.pull_request.base.ref }}")"
python scripts/sign-modules.py \
--changed-only \
--base-ref "$MERGE_BASE" \
--bump-version patch \
--payload-from-filesystem
if [ -z "$(git status --porcelain -- packages/)" ]; then
echo "No manifest signing changes to commit."
exit 0
fi
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git add -u -- packages/
git commit -m "chore(modules): ci sign changed modules"
git push origin "HEAD:${PR_HEAD_REF}"
- name: Strict verify module manifests (push to dev/main)
if: github.event_name == 'push' && (github.ref_name == 'dev' || github.ref_name == 'main')
run: |
set -euo pipefail
BEFORE="${{ github.event.before }}"
if [ "$BEFORE" = "0000000000000000000000000000000000000000" ]; then
BEFORE="HEAD~1"
fi
python scripts/verify-modules-signature.py \
--require-signature \
--payload-from-filesystem \
--enforce-version-bump \
--version-check-base "$BEFORE"
- name: PR or dispatch verify (checksum-only, no signature required on head)
if: github.event_name != 'push'
run: |
set -euo pipefail
BASE_REF=""
if [ "${{ github.event_name }}" = "pull_request" ]; then
BASE_REF="origin/${{ github.event.pull_request.base.ref }}"
elif [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
BASE_REF="origin/${{ github.event.inputs.base_branch }}"
fi
if [ -z "$BASE_REF" ]; then
echo "::error::Missing comparison base for module verification."
exit 1
fi
python scripts/verify-modules-signature.py \
--payload-from-filesystem \
--enforce-version-bump \
--version-check-base "$BASE_REF"
- name: Commit auto-signed manifests (push to dev/main, non-bot actors)
id: commit_auto_sign
if: >-
github.event_name == 'push' &&
(github.ref_name == 'dev' || github.ref_name == 'main') &&
github.actor != 'github-actions[bot]'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
echo "opened_sign_pr=false" >> "$GITHUB_OUTPUT"
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git add -u -- packages/
if git diff --cached --quiet; then
echo "No manifest signing changes to commit."
exit 0
fi
git commit -m "chore(modules): auto-sign module manifests"
TARGET_BRANCH="${GITHUB_REF_NAME}"
SIGN_BRANCH="auto/sign-${TARGET_BRANCH}-${GITHUB_RUN_ID}"
git push origin "HEAD:refs/heads/${SIGN_BRANCH}"
gh pr create \
--base "${TARGET_BRANCH}" \
--head "${SIGN_BRANCH}" \
--title "chore(modules): auto-sign module manifests" \
--body "Automated signing from [workflow run ${GITHUB_RUN_ID}](${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}).
Branch \`${TARGET_BRANCH}\` is protected; merge this PR to land signed \`packages/**/module-package.yaml\` updates."
echo "opened_sign_pr=true" >> "$GITHUB_OUTPUT"
echo "::notice::Opened a pull request to merge signed manifests into ${TARGET_BRANCH}."
reproducibility:
name: Assert signing reproducibility
if: >-
github.event_name == 'push' &&
github.ref_name == 'main' &&
needs.verify.outputs.opened_sign_pr != 'true'
runs-on: ubuntu-latest
needs: [verify]
permissions:
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Sync to remote branch tip (after verify job; merge sign PR before expecting new signatures on main)
run: |
set -euo pipefail
git fetch origin "${GITHUB_REF_NAME}"
git reset --hard "origin/${GITHUB_REF_NAME}"
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install signer dependencies
run: |
python -m pip install --upgrade pip
python -m pip install pyyaml beartype icontract cryptography cffi
- name: Re-sign manifests and assert no diff
env:
SPECFACT_MODULE_PRIVATE_SIGN_KEY: ${{ secrets.SPECFACT_MODULE_PRIVATE_SIGN_KEY }}
SPECFACT_MODULE_PRIVATE_SIGN_KEY_PASSPHRASE: ${{ secrets.SPECFACT_MODULE_PRIVATE_SIGN_KEY_PASSPHRASE }}
run: |
if [ -z "${SPECFACT_MODULE_PRIVATE_SIGN_KEY}" ]; then
echo "::notice::Skipping reproducibility check because SPECFACT_MODULE_PRIVATE_SIGN_KEY is not configured."
exit 0
fi
mapfile -t MANIFESTS < <(find packages -name 'module-package.yaml' -type f | sort)
if [ "${#MANIFESTS[@]}" -eq 0 ]; then
echo "No module manifests found"
exit 0
fi
python scripts/sign-modules.py --payload-from-filesystem "${MANIFESTS[@]}"
if ! git diff --exit-code -- packages/; then
echo "::error::Module signatures are stale for the configured signing key. Re-sign and commit manifest updates."
git --no-pager diff --name-only -- packages/
exit 1
fi
sign-and-push:
name: Sign changed modules (manual dispatch)
if: github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
needs: [verify]
permissions:
contents: write
pull-requests: write
steps:
- name: Require module signing key secret
env:
SPECFACT_MODULE_PRIVATE_SIGN_KEY: ${{ secrets.SPECFACT_MODULE_PRIVATE_SIGN_KEY }}
run: |
if [ -z "${SPECFACT_MODULE_PRIVATE_SIGN_KEY}" ]; then
echo "::error::Missing or empty repository secret SPECFACT_MODULE_PRIVATE_SIGN_KEY."
exit 1
fi
- name: Checkout branch
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.ref }}
persist-credentials: true
- name: Fetch comparison base
run: git fetch --no-tags origin "${{ github.event.inputs.base_branch }}"
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install signer dependencies
run: |
python -m pip install --upgrade pip
python -m pip install pyyaml beartype icontract cryptography cffi
- name: Sign module manifests
env:
SPECFACT_MODULE_PRIVATE_SIGN_KEY: ${{ secrets.SPECFACT_MODULE_PRIVATE_SIGN_KEY }}
SPECFACT_MODULE_PRIVATE_SIGN_KEY_PASSPHRASE: ${{ secrets.SPECFACT_MODULE_PRIVATE_SIGN_KEY_PASSPHRASE }}
run: |
set -euo pipefail
MERGE_BASE="$(git merge-base HEAD "origin/${{ github.event.inputs.base_branch }}")"
BUMP="${{ github.event.inputs.version_bump }}"
if [ "${{ github.event.inputs.resign_all_manifests }}" = "true" ]; then
mapfile -t MANIFESTS < <(find packages -name 'module-package.yaml' -type f | sort)
if [ "${#MANIFESTS[@]}" -eq 0 ]; then
echo "No module manifests found"
exit 0
fi
python scripts/sign-modules.py --payload-from-filesystem "${MANIFESTS[@]}"
else
python scripts/sign-modules.py \
--changed-only \
--base-ref "$MERGE_BASE" \
--bump-version "${BUMP}" \
--payload-from-filesystem
fi
- name: Commit and push signed manifests
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
if git diff --quiet; then
echo "No manifest changes to commit."
echo "## No signing changes" >> "${GITHUB_STEP_SUMMARY}"
exit 0
fi
git add -u -- packages/
if git diff --cached --quiet; then
echo "No staged module manifest updates."
exit 0
fi
git commit -m "chore(modules): manual workflow_dispatch sign changed modules"
TARGET_BRANCH="${GITHUB_REF_NAME}"
if [ "${TARGET_BRANCH}" = "dev" ] || [ "${TARGET_BRANCH}" = "main" ]; then
SIGN_BRANCH="auto/sign-dispatch-${TARGET_BRANCH}-${GITHUB_RUN_ID}"
git push origin "HEAD:refs/heads/${SIGN_BRANCH}"
gh pr create \
--base "${TARGET_BRANCH}" \
--head "${SIGN_BRANCH}" \
--title "chore(modules): manual sign changed modules" \
--body "Manual signing from [workflow run ${GITHUB_RUN_ID}](${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}).
Protected branch \`${TARGET_BRANCH}\`: merge this PR to land updates (base compare: \`origin/${{ github.event.inputs.base_branch }}\`)."
echo "## Opened pull request" >> "${GITHUB_STEP_SUMMARY}"
else
git push origin "HEAD:${TARGET_BRANCH}"
echo "## Signed manifests pushed" >> "${GITHUB_STEP_SUMMARY}"
fi
echo "Branch: \`${GITHUB_REF_NAME}\` (base: \`origin/${{ github.event.inputs.base_branch }}\`, bump: \`${{ github.event.inputs.version_bump }}\`, resign_all: \`${{ github.event.inputs.resign_all_manifests }}\`)." >> "${GITHUB_STEP_SUMMARY}"