diff --git a/.github/workflows/attestations.yml b/.github/workflows/attestations.yml new file mode 100644 index 0000000000..a865f5333b --- /dev/null +++ b/.github/workflows/attestations.yml @@ -0,0 +1,62 @@ +name: Attestations + +on: + push: + branches: + - main + pull_request: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + verify-attestations: + name: Verify attestation signatures + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v7 + + - name: Import builder keys + run: gpg --import builder-keys/*.gpg + + - name: Verify attestations + run: ./asmap-verify + + verify-shasums: + name: Verify attested hashes match committed files + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v7 + + - name: Check committed ASMap files against attested SHA256SUMS + run: | + set -euo pipefail + shopt -s nullglob + + manifests=( attestations/*/*/*/SHA256SUMS ) + if (( ${#manifests[@]} == 0 )); then + echo "Error: No SHA256SUMS manifests found under attestations/." + exit 1 + fi + + failure=0 + for manifest in "${manifests[@]}"; do + year="$(cut -d/ -f2 <<< "$manifest")" + echo "==> ${manifest}" + + if ! grep -E '\.dat$' "$manifest" \ + | (cd "$year" && sha256sum --check --strict); then + failure=1 + fi + echo "" + done + + if (( failure )); then + echo "FAIL: One or more committed ASMap files are missing or do not match their attested hashes." + exit 1 + fi + + echo "OK: All committed ASMap files match their attested hashes." diff --git a/.github/workflows/latest_asmap.yml b/.github/workflows/latest_asmap.yml index 0396a9232d..70b7f5906a 100644 --- a/.github/workflows/latest_asmap.yml +++ b/.github/workflows/latest_asmap.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v7 - name: Find latest ASMap file by timestamp id: find_latest