Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix audit verifier action (and add variable initializations to other actions) #921

Open
wants to merge 17 commits into
base: main
Choose a base branch
from
1 change: 1 addition & 0 deletions .github/workflows/ensureSCCoreDevApproval.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ jobs:
env:
GH_PAT: ${{ secrets.GIT_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CONTINUE: false # makes sure that variable is correctly initialized in all cases
0xDEnYO marked this conversation as resolved.
Show resolved Hide resolved
run: |
##### unset the default git token (does not have sufficient rights to get team members)
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/protectAuditLabels.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@ on:
jobs:
protect_audit_labels:
runs-on: ubuntu-latest
env:
CONTINUE: false # makes sure that variable is correctly initialized in all cases

steps:
- name: Checkout repository
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/protectSecurityRelevantCode.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@ jobs:
protect-critical-code:
if: ${{ github.event.pull_request.draft == false }}
runs-on: ubuntu-latest
env:
CONTINUE: false # makes sure that variable is correctly initialized in all cases
permissions:
pull-requests: write
steps:
Expand Down
28 changes: 21 additions & 7 deletions .github/workflows/verifyAudit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }}
AUDIT_LOG_PATH: 'audit/auditLog.json'
PR_NUMBER: ${{ github.event.pull_request.number }}
CONTINUE: false # makes sure that variable is correctly initialized in all cases

permissions:
pull-requests: write
Expand All @@ -45,7 +46,8 @@ jobs:
##### Make sure that there are modified files
if [[ -z $FILES ]]; then
echo -e "\033[31mNo files found. This should not happen. Please check the code of the Github action. Aborting now.\033[0m"
echo "CONTINUE=false" >> "$GITHUB_ENV"
echo "CONTINUE=false" >> "$GITHUB_ENV" # explicit assignment, even though already initialized with false
exit 1
fi

##### Initialize empty variables
Expand All @@ -67,14 +69,14 @@ jobs:
echo -e "\033[31mProtected contracts found in this PR.\033[0m"
echo "PROTECTED_CONTRACTS: $PROTECTED_CONTRACTS"
echo "AUDIT_REQUIRED=true" >> "$GITHUB_ENV"
echo "$AUDIT_REQUIRED" > audit_required.txt
echo -e "$PROTECTED_CONTRACTS" > protected_contracts.txt
fi

- name: Assign, update, and verify labels based on check outcome
uses: actions/github-script@v7
env:
AUDIT_REQUIRED: ${{ env.AUDIT_REQUIRED }}
CONTINUE: ${{ env.CONTINUE }}
0xDEnYO marked this conversation as resolved.
Show resolved Hide resolved
with:
script: |
const { execSync } = require('child_process');
Expand Down Expand Up @@ -126,6 +128,12 @@ jobs:
console.log(`${colors.green}Opposite label "${oppositeLabel}" is not assigned. No action needed.${colors.reset}`);
}

// Remove the AuditCompleted label if it is present
if (assignedLabels.includes('AuditCompleted')) {
console.log(`Now removing AuditCompleted label`);
execSync(`gh pr edit ${{ github.event.pull_request.number }} --remove-label "AuditCompleted"`, { stdio: 'inherit' });
}

// fetch all currently assigned labels again
assignedLabels = []
try {
Expand Down Expand Up @@ -154,17 +162,23 @@ jobs:
core.exportVariable('AUDIT_COMPLETED_ASSIGNED', 'true');
}
else
console.log(`Label 'AuditCompleted' is currently not assigned`);
console.log(`${colors.green}Label 'AuditCompleted' is currently not assigned${colors.reset}`);

// set CONTINUE to true to make sure the following steps are executed
core.exportVariable('CONTINUE', 'true');

- name: Check Audit Log
continue-on-error: true
id: check-audit-log
if: env.AUDIT_REQUIRED == 'true'
if: ${{ always() && env.AUDIT_REQUIRED == 'true' && env.CONTINUE == 'true' }} # always() ensures that validation is always executed, even if env variable is not set
run: |

echo "This step will make sure that an audit is logged for each contract modified/added by this PR."
echo "It will also make sure that no information is missing in the audit log and that the information is meaningful."

# set CONTINUE to false to ensure that action fails (correctly) if an error occurs unexpectedly
echo "CONTINUE=false" >> "$GITHUB_ENV"

# load list of protected contracts
PROTECTED_CONTRACTS=$(cat protected_contracts.txt)

Expand Down Expand Up @@ -381,7 +395,7 @@ jobs:
echo "Assigning label 'AuditCompleted' next"

- name: Assign label "AuditCompleted" if all checks passed
if: ${{ env.AUDIT_REQUIRED == 'true' && env.CONTINUE == 'true' }}
if: ${{ always() && env.AUDIT_REQUIRED == 'true' && env.CONTINUE == 'true' }}
uses: actions-ecosystem/action-add-labels@v1
id: assign_label
with:
Expand All @@ -392,14 +406,14 @@ jobs:
- name: Remove label "AuditCompleted" in case check was not successful but label was assigned in earlier checks
continue-on-error: true # This ensures the step will execute even if the job has a failed status.
uses: actions-ecosystem/action-remove-labels@v1
if: ${{ env.AUDIT_COMPLETED_ASSIGNED && (env.CONTINUE == 'false' || (env.CONTINUE == 'true' && env.AUDIT_REQUIRED == 'false'))}}
if: ${{ always() && env.AUDIT_COMPLETED_ASSIGNED && (env.CONTINUE == 'false' || (env.CONTINUE == 'true' && env.AUDIT_REQUIRED == 'false'))}}
with:
github_token: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }} # we use the token of the lifi-action-bot so the label protection check will pass
labels: 'AuditCompleted'
number: ${{ env.PR_NUMBER }}

- name: Fail the git action if any critical step failed
if: env.CONTINUE == 'false' # This step runs only if a failure was recorded
if: always() && env.CONTINUE == 'false' # This step runs only if a failure was recorded
run: |

echo -e "\033[31mError: One or more critical steps failed. Failing the job.\033[0m"
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/versionCheck.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ jobs:
# will only run once the PR is in "Ready for Review" state
if: ${{ github.event.pull_request.draft == false }}
runs-on: ubuntu-latest
env:
CONTINUE: false # makes sure that variable is correctly initialized in all cases
steps:
- name: Checkout repository
uses: actions/checkout@v4
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@ on:
jobs:
protect-security-system:
runs-on: ubuntu-latest
env:
CONTINUE: false # makes sure that variable is correctly initialized in all cases
permissions:
pull-requests: write
steps:
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows_deactivated/ensureSCCoreDevApproval.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ jobs:
core-dev-approval:
if: ${{ github.event.pull_request.draft == false }} # will only run once the PR is in "Ready for Review" state
runs-on: ubuntu-latest
env:
CONTINUE: false # makes sure that variable is correctly initialized in all cases
0xDEnYO marked this conversation as resolved.
Show resolved Hide resolved
steps:
- name: Get smart-contract-core Team Members
env:
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows_deactivated/protectAuditFolder.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@ on:
jobs:
protect-audit-folder:
runs-on: ubuntu-latest
env:
CONTINUE: false # makes sure that variable is correctly initialized in all cases

steps:
- name: Checkout code
Expand Down
Loading
Loading