Deduplicate locked down files list

Remove the list of locked down files from locked_down_files.txt and instead use the .github workflow as a single source of truth. This requires some complicated parsing in the verification script as well as a dependency from the verification script to the workflow YAML. These are not ideal design choices however the alternative is to not have a single source of truth for the locked down files as the github workflow can not depend on an external file.
mullvad · Jun 3, 2022 · 093fe5d · 093fe5d
1 parent aff845a
commit 093fe5d
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 8 deletions.
diff --git a/.github/workflows/verify-locked-down-signatures.yml b/.github/workflows/verify-locked-down-signatures.yml
@@ -5,6 +5,8 @@ on:
             - .github/workflows/verify-locked-down-signatures.yml
             - Cargo.lock
             - gui/package-lock.json
+            - ci/keys/
+            - ci/verify-locked-down-signatures.sh
     workflow_dispatch:
 jobs:
     verify-signatures:

diff --git a/ci/locked_down_files.txt b/ci/locked_down_files.txt
diff --git a/ci/verify-locked-down-signatures.sh b/ci/verify-locked-down-signatures.sh
@@ -38,9 +38,17 @@ if [[ "$import_gpg_keys" == "true" ]]; then
     done
 fi
 
+# Parse the locked down files from the github actions workflow file.
+# We need to define them there since github has no way to trigger on filepaths specified in a file.
+# We parse them from there in order to avoid duplicating the locked down files in multiple places.
+#
+# This regexp line is using a regexp to parse the github .yml file for the YAML list that follows the `paths` key.
+# It uses `tr` in order to turn the multi-lined file into a single-line that sed can parse correctly. This is done by replacing all new-lines with a `;`
+SEPARATOR=';'
+locked_down_files=$(cat $SCRIPT_DIR/../.github/workflows/verify-locked-down-signatures.yml | tr '\n' $SEPARATOR | sed "s/.*paths:$SEPARATOR\(\(\s*-\s[a-zA-Z\/\.-]*$SEPARATOR\)*\).*/\1/" | tr $SEPARATOR '\n' | awk '{print $2}')
+
 unsigned_commits_exist=0
-LOCKED_DOWN_FILES=$(cat $SCRIPT_DIR/locked_down_files.txt)
-for locked_file in $LOCKED_DOWN_FILES; do
+for locked_file in $locked_down_files; do
     locked_file_commit_hashes=$(git rev-list --oneline $whitelisted_commit..HEAD $SCRIPT_DIR/../$locked_file | awk '{print $1}')
     for commit in $locked_file_commit_hashes;
     do