-
Notifications
You must be signed in to change notification settings - Fork 353
33 lines (33 loc) · 1.22 KB
/
verify-locked-down-signatures.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
---
name: Verify lockfile signatures
on:
pull_request:
paths:
- .github/workflows/verify-locked-down-signatures.yml
- Cargo.lock
- gui/package-lock.json
- wireguard/libwg/go.sum
- ci/keys/**
- ci/verify-locked-down-signatures.sh
- ios/MullvadVPN.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved
- android/gradle/verification-metadata.xml
- android/gradle/wrapper/gradle-wrapper.properties
- building/build-and-publish-container-image.sh
- building/mullvad-app-container-signing.asc
- building/linux-container-image.txt
- building/android-container-image.txt
- building/sigstore/**
jobs:
verify-signatures:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Verify signatures
run: |-
base_ref=${{ github.event.pull_request.base.sha }}
head_ref=${{ github.event.pull_request.head.sha }}
git fetch --no-recurse-submodules --shallow-exclude=main origin main $base_ref $head_ref
git fetch --deepen=1
ci/verify-locked-down-signatures.sh --import-gpg-keys --whitelist origin/main