foster/atmoz-sftp
0
0
Fork 0
mirror of https://github.com/atmoz/sftp.git synced 2024-11-17 12:51:33 -05:00
Code Packages 2 Activity

Use atmoz/git-verify-ref

Browse source
This commit is contained in:
Adrian Dvergsdal 2020-07-18 15:44:46 +02:00
parent 9c1a449561
commit 2da6d177e6
No known key found for this signature in database
GPG key ID: C1E9E2D9552A42D2
5 changed files with 3 additions and 80 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
.github/actions/git-verify-ref/Dockerfile vendored
View file

@ -1,13 +0,0 @@
FROM debian:buster-slim
RUN apt update && \
apt install -y git gnupg && \
rm -rf /var/lib/apt/lists/*
#RUN apk add --no-cache git gnupg
COPY ./public-keys/atmoz.asc /tmp/atmoz.asc
RUN gpg --import /tmp/atmoz.asc
COPY ./entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]

6
.github/actions/git-verify-ref/action.yml vendored
View file

@ -1,6 +0,0 @@
name: 'Verify git ref'
description: 'Verify GPG signed commits or tags'
runs:
using: 'docker'
image: 'Dockerfile'

60
.github/actions/git-verify-ref/entrypoint.sh vendored
View file

@ -1,60 +0,0 @@
#!/bin/bash
set -eo pipefail
# Git reference
ref="${1:-HEAD}"
# Number of required signatures
required="${2:-"1"}"
# Options passed to git
git_options="${*:3}"
# GitHub Actions fix
if [ -e "/github/home/" ]; then
cp -r /root/.gnupg /github/home/
fi
# Show imported public keys
gpg --list-keys --keyid LONG
# Check signatures
raw_gpg_status=$(
# shellcheck disable=SC2086
git $git_options verify-commit --raw "$ref" 2>&1
tags="$(git tag --points-at "$ref")"
if [ -n "$tags" ]; then
# shellcheck disable=SC2046,SC2086
git $git_options verify-tag --raw $tags 2>&1
fi
)
goodsig=0
readarray -t status_line <<<"$raw_gpg_status"
# read -r -a info <<<"$status"
for status in "${status_line[@]}"; do
#readarray -t -d" " info <<<"$status"
read -r -a info <<<"$status"
case "${info[1]}" in
"GOODSIG")
echo "Verified signature from ${info[2]}"
((goodsig++)) || true
;;
"NO_PUBKEY")
echo "WARNING: Missing public key for ${info[2]}"
;;
esac
done
echo "RESULT: Found $goodsig good signatures"
if [ "$goodsig" -lt "$required" ]; then
echo "FAIL: Not enough signatures ($required was required)"
exit 1
else
exit 0
fi

0
.github/actions/git-verify-ref/public-keys/atmoz.asc → .github/public-keys/atmoz.asc vendored
View file

4
.github/workflows/build.yml vendored
View file

@ -63,7 +63,9 @@ jobs:
- name: Verify signature - name: Verify signature
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/master' if: github.event_name != 'pull_request' && github.ref == 'refs/heads/master'
uses: ./.github/actions/git-verify-ref uses: atmoz/git-verify-ref@master
with:
public_key_dir: ./github/public-keys
- name: Push images to Docker Hub registry - name: Push images to Docker Hub registry
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/master' if: github.event_name != 'pull_request' && github.ref == 'refs/heads/master'