From 093fe5d73bb237cd2172f430a3043dda1ba2e34e Mon Sep 17 00:00:00 2001
From: user
Date: Fri, 3 Jun 2022 21:20:37 +0200
Subject: [PATCH] Deduplicate locked down files list

Remove the list of locked down files from locked_down_files.txt and instead use the .github workflow as a single source of truth. This requires some complicated parsing in the verification script as well as a dependency from the verification script to the workflow YAML. These are not ideal design choices however the alternative is to not have a single source of truth for the locked down files as the github workflow can not depend on an external file.
---
 .github/workflows/verify-locked-down-signatures.yml | 2 ++
 ci/locked_down_files.txt | 6 ------
 ci/verify-locked-down-signatures.sh | 12 ++++++++++--
 3 files changed, 12 insertions(+), 8 deletions(-)
 delete mode 100644 ci/locked_down_files.txt

diff --git a/.github/workflows/verify-locked-down-signatures.yml b/.github/workflows/verify-locked-down-signatures.yml
index a59e969c4fe4..a487b7d8c667 100644
--- a/.github/workflows/verify-locked-down-signatures.yml
+++ b/.github/workflows/verify-locked-down-signatures.yml
@@ -5,6 +5,8 @@ on:
 - .github/workflows/verify-locked-down-signatures.yml
 - Cargo.lock
 - gui/package-lock.json
+ - ci/keys/
+ - ci/verify-locked-down-signatures.sh
 workflow_dispatch:
 jobs:
 verify-signatures:
diff --git a/ci/locked_down_files.txt b/ci/locked_down_files.txt
deleted file mode 100644
index 3813cf866c2c..000000000000
--- a/ci/locked_down_files.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Cargo.lock
-gui/package-lock.json
-ci/keys/
-ci/locked_down_files.txt
-ci/verify-locked-down-signatures.sh
-.github/workflows/verify-locked-down-signatures.yml
diff --git a/ci/verify-locked-down-signatures.sh b/ci/verify-locked-down-signatures.sh
index 5add8e25389b..c2bae58ff38f 100755
--- a/ci/verify-locked-down-signatures.sh
+++ b/ci/verify-locked-down-signatures.sh
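Review bot: Entries in this `paths` list are now also the input to the sed parser added in `ci/verify-locked-down-signatures.sh`, whose pattern `\(\(\s*-\s[a-zA-Z\/\.-]*;\)*\)` matches zero or more items and only accepts `[a-zA-Z/.-]` characters, so a future entry containing a digit, underscore or glob character would end the match there and silently drop that entry and every one after it from the signature check, with no error. A comment above the list stating that constraint would prevent that, e.g. `# NOTE: this list is parsed by ci/verify-locked-down-signatures.sh; keep one entry per line using only [a-zA-Z/.-]`. It is also worth confirming that `ci/keys/` without a trailing `**` triggers the workflow for files inside that directory, since a key added there by an unsigned commit would otherwise not be verified by this workflow.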
@@ -38,9 +38,17 @@ if [[ "$import_gpg_keys" == "true" ]]; then
 done
 fi
+# Parse the locked down files from the github actions workflow file.
+# We need to define them there since github has no way to trigger on filepaths specified in a file.
+# We parse them from there in order to avoid duplicating the locked down files in multiple places.
+#
+# This regexp line is using a regexp to parse the github .yml file for the YAML list that follows the `paths` key.
+# It uses `tr` in order to turn the multi-lined file into a single-line that sed can parse correctly. This is done by replacing all new-lines with a `;`
+SEPARATOR=';'
+locked_down_files=$(cat $SCRIPT_DIR/../.github/workflows/verify-locked-down-signatures.yml | tr '\n' $SEPARATOR | sed "s/.*paths:$SEPARATOR\(\(\s*-\s[a-zA-Z\/\.-]*$SEPARATOR\)*\).*/\1/" | tr $SEPARATOR '\n' | awk '{print $2}')
+
 unsigned_commits_exist=0
-LOCKED_DOWN_FILES=$(cat $SCRIPT_DIR/locked_down_files.txt)
-for locked_file in $LOCKED_DOWN_FILES; do
+for locked_file in $locked_down_files; do
 locked_file_commit_hashes=$(git rev-list --oneline $whitelisted_commit..HEAD $SCRIPT_DIR/../$locked_file | awk '{print $1}')
 for commit in $locked_file_commit_hashes; do