chore(ci): verify commit on release

Enforce commit being associated to a tag. The tag must be committed by a member of the release team. In addition, the tag needs to be verified. Finally, triggering actor must also be a member of the release team.
zama-ai · Oct 28, 2024 · a13fa00 · a13fa00
1 parent 776c95c
commit a13fa00
Show file tree

Hide file tree

Showing 6 changed files with 96 additions and 0 deletions.
diff --git a/.github/workflows/make_release.yml b/.github/workflows/make_release.yml
@@ -30,8 +30,15 @@ env:
   NPM_TAG: ""
 
 jobs:
+  verify_tag:
+    uses: ./.github/workflows/verify_tagged_commit.yml
+    secrets:
+      RELEASE_TEAM: ${{ secrets.RELEASE_TEAM }}
+      READ_ORG_TOKEN: ${{ secrets.READ_ORG_TOKEN }}
+
   package:
     runs-on: ubuntu-latest
+    needs: verify_tag
     outputs:
       hash: ${{ steps.hash.outputs.hash }}
     steps:

diff --git a/.github/workflows/make_release_concrete_csprng.yml b/.github/workflows/make_release_concrete_csprng.yml
@@ -12,8 +12,15 @@ env:
   ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
 
 jobs:
+  verify_tag:
+    uses: ./.github/workflows/verify_tagged_commit.yml
+    secrets:
+      RELEASE_TEAM: ${{ secrets.RELEASE_TEAM }}
+      READ_ORG_TOKEN: ${{ secrets.READ_ORG_TOKEN }}
+
   publish_release:
     name: Publish concrete-csprng Release
+    needs: verify_tag
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

diff --git a/.github/workflows/make_release_cuda.yml b/.github/workflows/make_release_cuda.yml
@@ -21,8 +21,15 @@ env:
   SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
 
 jobs:
+  verify_tag:
+    uses: ./.github/workflows/verify_tagged_commit.yml
+    secrets:
+      RELEASE_TEAM: ${{ secrets.RELEASE_TEAM }}
+      READ_ORG_TOKEN: ${{ secrets.READ_ORG_TOKEN }}
+
   setup-instance:
     name: Setup instance (publish-cuda-release)
+    needs: verify_tag
     runs-on: ubuntu-latest
     outputs:
       runner-name: ${{ steps.start-instance.outputs.label }}

diff --git a/.github/workflows/make_release_tfhe_versionable.yml b/.github/workflows/make_release_tfhe_versionable.yml
@@ -12,8 +12,15 @@ env:
   ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
 
 jobs:
+  verify_tag:
+    uses: ./.github/workflows/verify_tagged_commit.yml
+    secrets:
+      RELEASE_TEAM: ${{ secrets.RELEASE_TEAM }}
+      READ_ORG_TOKEN: ${{ secrets.READ_ORG_TOKEN }}
+
   publish_release:
     name: Publish tfhe-versionable Release
+    needs: verify_tag
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

diff --git a/.github/workflows/make_release_zk_pok.yml b/.github/workflows/make_release_zk_pok.yml
@@ -13,8 +13,15 @@ env:
   ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
 
 jobs:
+  verify_tag:
+    uses: ./.github/workflows/verify_tagged_commit.yml
+    secrets:
+      RELEASE_TEAM: ${{ secrets.RELEASE_TEAM }}
+      READ_ORG_TOKEN: ${{ secrets.READ_ORG_TOKEN }}
+
   publish_release:
     name: Publish tfhe-zk-pok Release
+    needs: verify_tag
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

diff --git a/.github/workflows/verify_tagged_commit.yml b/.github/workflows/verify_tagged_commit.yml
@@ -0,0 +1,61 @@
+# Verify a tagged commit
+name: Verify tagged commit
+
+on:
+  workflow_call:
+    secrets:
+      RELEASE_TEAM:
+        required: true
+      READ_ORG_TOKEN:
+        required: true
+
+jobs:
+  checks:
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Get commit details
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          {
+            echo "COMMITTER_LOGIN=$(gh api repos/${{ github.repository }}/commits/${{ github.sha }} --jq '.committer.login')";
+            echo "VERIFICATION_STATUS=$(gh api repos/${{ github.repository }}/commits/${{ github.sha }} --jq '.commit.verification.verified')";
+          } >> "${GITHUB_ENV}"
+
+      # Check author of the tag membership
+      - name: Author verification
+        id: author_check
+        uses: morfien101/actions-authorized-user@4a3cfbf0bcb3cafe4a71710a278920c5d94bb38b
+        with:
+          username: ${{ env.COMMITTER_LOGIN }}
+          org: ${{ github.repository_owner }}
+          team: ${{ secrets.RELEASE_TEAM }}
+          github_token: ${{ secrets.READ_ORG_TOKEN }}
+
+      # Check triggering actor membership
+      - name: Actor verification
+        id: actor_check
+        uses: morfien101/actions-authorized-user@4a3cfbf0bcb3cafe4a71710a278920c5d94bb38b
+        with:
+          username: ${{ github.actor }}
+          org: ${{ github.repository_owner }}
+          team: ${{ secrets.RELEASE_TEAM }}
+          github_token: ${{ secrets.READ_ORG_TOKEN }}
+
+      - name: Commit verification
+        run: |
+          if [ "${{ steps.author_check.outputs.authorized }}" == "false" ]; then
+            echo "Author '${{ env.COMMITTER_LOGIN }}' is not part of authorized team"
+            exit 1
+          fi
+          
+          if [ "${{ steps.actor_check.outputs.authorized }}" == "false" ]; then
+            echo "Actor '${{ github.actor }}' is not authorized to perform release"
+            exit 1
+          fi
+
+          if [ "${{ env.VERIFICATION_STATUS }}" == "false" ]; then
+            echo "Commit is not verified"
+            exit 1
+          fi