

test
0xDEnYO committed Sep 5, 2024
1 parent f473107 commit fed0764
Showing 1 changed file with 58 additions and 53 deletions.
111 changes: 58 additions & 53 deletions .github/workflows/verifyAudit.yml
Expand Up @@ -162,7 +162,7 @@ jobs:
while IFS= read -r FILE; do
echo "-----------"
echo "now checking file $FILE"
# load contract version
##### load contract version
VERSION=$(sed -nE 's/^\/\/\/ @custom:version ([0-9]+\.[0-9]+\.[0-9]+).*/\1/p' "$FILE")
##### make sure that contract version was extracted successfully
Expand All @@ -172,21 +172,21 @@ jobs:
exit 1
fi
# see if audit log contains an entry with those values
##### see if audit log contains an entry with those values
FILENAME=$(basename "$FILE" .sol)
# Check if the contract and version exist in the JSON and get the audit IDs
##### Check if the contract and version exist in the JSON and get the audit IDs
AUDIT_IDS=$(jq -r --arg filename "$FILENAME" --arg version "$VERSION" \
'if .auditedContracts[$filename][$version] != null then .auditedContracts[$filename][$version][] else empty end' "$AUDIT_LOG_PATH")
# Count the number of audits found in the log for this contract/version
##### Count the number of audits found in the log for this contract/version
if [[ -z "$AUDIT_IDS" ]]; then
AUDIT_COUNT=0
else
AUDIT_COUNT=$(echo "$AUDIT_IDS" | wc -l)
fi
# Ensure exactly one audit is logged; handle errors if not
##### Ensure exactly one audit is logged; handle errors if not
if [[ $AUDIT_COUNT -ne 1 ]]; then
echo "CONTINUE=false" >> $GITHUB_ENV
Expand All @@ -203,14 +203,14 @@ jobs:
fi
# Extract the single audit ID
##### Extract the single audit ID
AUDIT_ID=$(echo "$AUDIT_IDS" | head -n 1)
echo "Processing audit ID: $AUDIT_ID"
# Extract audit entry details for the single audit ID
##### Extract audit entry details for the single audit ID
AUDIT_ENTRY=$(jq -r --arg audit_id "$AUDIT_ID" '.audits[$audit_id]' "$AUDIT_LOG_PATH")
# Check if AUDIT_ENTRY is valid JSON
##### Check if AUDIT_ENTRY is valid JSON
if [[ -z "$AUDIT_ENTRY" || "$AUDIT_ENTRY" == "null" ]]; then
echo -e "\033[31mError: The logged audit ID ($AUDIT_ID) for contract $FILE seems to be invalid.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
Expand All @@ -220,14 +220,14 @@ jobs:
echo "File $FILE was audited in $AUDIT_ID"
echo "Now checking if all required information is logged for this audit..."
# Extract log entry values into variables
##### Extract log entry values into variables
AUDIT_COMPLETED_ON=$(echo "$AUDIT_ENTRY" | jq -r '.auditCompletedOn')
AUDITED_BY=$(echo "$AUDIT_ENTRY" | jq -r '.auditedBy')
AUDITOR_GIT_HANDLE=$(echo "$AUDIT_ENTRY" | jq -r '.auditorGitHandle')
AUDIT_REPORT_PATH=$(echo "$AUDIT_ENTRY" | jq -r '.auditReportPath')
AUDIT_COMMIT_HASH=$(echo "$AUDIT_ENTRY" | jq -r '.auditCommitHash')
# make sure that audit log entry contains date
##### make sure that audit log entry contains date
if [ -z "$AUDIT_COMPLETED_ON" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains an invalid or no 'auditCompletedOn' date.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
Expand All @@ -238,7 +238,7 @@ jobs:
echo "The audit log contains a date for $AUDIT_ID: $AUDIT_COMPLETED_ON"
fi
# make sure that audit log entry contains auditor's (company) name
##### make sure that audit log entry contains auditor's (company) name
if [ -z "$AUDITED_BY" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditedBy' information.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
Expand All @@ -249,7 +249,7 @@ jobs:
echo "The audit log contains the auditor's name for $AUDIT_ID: $AUDITED_BY"
fi
# make sure that audit log entry contains auditor's git handle
##### make sure that audit log entry contains auditor's git handle
if [ -z "$AUDITOR_GIT_HANDLE" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditorGitHandle' information.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
Expand All @@ -260,7 +260,7 @@ jobs:
echo "The audit log contains the auditor's github handle for $AUDIT_ID: $AUDITOR_GIT_HANDLE"
fi
# make sure that a file exists at the audit report path
##### make sure that a file exists at the audit report path
if [ ! -f "$AUDIT_REPORT_PATH" ]; then
echo -e "\033[31mCould not find an audit report in path $AUDIT_REPORT_PATH for contract "$FILENAME".\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit report is uploaded to 'audit/reports/'.\033[0m"
Expand All @@ -271,7 +271,7 @@ jobs:
echo "The audit report for $AUDIT_ID was found in path $AUDIT_REPORT_PATH"
fi
# make sure that audit log entry contains audit commit hash
##### make sure that audit log entry contains audit commit hash
if [ -z "$AUDIT_COMMIT_HASH" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditCommitHash' information.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
Expand All @@ -284,10 +284,10 @@ jobs:
echo -e "\033[32mThe audit log contains all required information for contract $FILE\033[0m"
echo "now checking if audit commit hash $AUDIT_COMMIT_HASH is associated with PR $PR_NUMBER"
# Fetch the list of commits associated with the PR
##### Fetch the list of commits associated with the PR
COMMIT_LIST=$(gh pr view "$PR_NUMBER" --json commits --jq '.commits[].oid')
# Check if the target commit is in the list
##### Check if the target commit is in the list
if echo "$COMMIT_LIST" | grep -q "$TARGET_COMMIT"; then
echo -e "\033[32mCommit $AUDIT_COMMIT_HASH is associated with PR #$PR_NUMBER.\033[0m"
else
Expand All @@ -296,45 +296,50 @@ jobs:
exit 1
fi
# Fetch PR reviews using the GitHub API via gh cli
echo "now checking if the auditor ($AUDITOR_GIT_HANDLE) approved this PR ($PR_NUMBER)"
REVIEWS=$(gh api repos/lifinance/contracts/pulls/$PR_NUMBER/reviews --jq '.[] | select(.state == "APPROVED") | @json')
# ##### -----------------------------------------------------------------------------
# ##### DISABLED FOR NOW (NEED TO CHECK IF THIS IS COMPATIBLE WITH OUR FLOW)
# ##### Fetch PR reviews using the GitHub API via gh cli
# echo "now checking if the auditor ($AUDITOR_GIT_HANDLE) approved this PR ($PR_NUMBER)"
# REVIEWS=$(gh api repos/lifinance/contracts/pulls/$PR_NUMBER/reviews --jq '.[] | select(.state == "APPROVED") | @json')
# ##### Check if the output is empty or not valid JSON
# if [[ -z "$REVIEWS" ]]; then
# echo "ERROR: No reviews found or failed to fetch reviews for PR #$PR_NUMBER"
# exit 1
# fi
# ##### Flag to track if the review by the specified person is found
# FOUND_REVIEW=false
# ##### Check if the desired reviewer is present among the reviews
# echo "$REVIEWS" | jq -c '.' | while read -r REVIEW; do
# AUTHOR=$(echo "$REVIEW" | jq -r '.user.login // empty')
# STATE=$(echo "$REVIEW" | jq -r '.state // empty')
# echo "found review by $AUTHOR with state $STATE"
# ##### Check if the reviewer is the person we're looking for
# if [ "$AUTHOR" == "$REVIEWER" ]; then
# echo "Approving review found by $REVIEWER"
# FOUND_REVIEW=true
# exit 0
# fi
# done
# ##### If no matching review was found, exit with an error
# if [ "$FOUND_REVIEW" == true ]; then
# echo -e "\033[32mPR $PR_NUMBER has an approving review by $AUDITOR_GIT_HANDLE\033[0m"
# echo -e "\033[32mCheck passed\033[0m"
# exit 0
# else
# echo -e "\033[31mERROR: No review found by git user '$AUDITOR_GIT_HANDLE' (= the auditor)\033[0m"
# echo -e "\033[31mCheck failed\033[0m"
# echo "CONTINUE=false" >> $GITHUB_ENV
# exit 1
# fi
# ##### -----------------------------------------------------------------------------
# Check if the output is empty or not valid JSON
if [[ -z "$REVIEWS" ]]; then
echo "ERROR: No reviews found or failed to fetch reviews for PR #$PR_NUMBER"
exit 1
fi
# Flag to track if the review by the specified person is found
FOUND_REVIEW=false
# Check if the desired reviewer is present among the reviews
echo "$REVIEWS" | jq -c '.' | while read -r REVIEW; do
AUTHOR=$(echo "$REVIEW" | jq -r '.user.login // empty')
STATE=$(echo "$REVIEW" | jq -r '.state // empty')
echo "found review by $AUTHOR with state $STATE"
# Check if the reviewer is the person we're looking for
if [ "$AUTHOR" == "$REVIEWER" ]; then
echo "Approving review found by $REVIEWER"
FOUND_REVIEW=true
exit 0
fi
done
# If no matching review was found, exit with an error
if [ "$FOUND_REVIEW" == true ]; then
echo -e "\033[32mPR $PR_NUMBER has an approving review by $AUDITOR_GIT_HANDLE\033[0m"
echo -e "\033[32mCheck passed\033[0m"
exit 0
else
echo -e "\033[31mERROR: No review found by git user '$AUDITOR_GIT_HANDLE' (= the auditor)\033[0m"
echo -e "\033[31mCheck failed\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
fi
done <<< "$PROTECTED_CONTRACTS"
- name: Assign label "AuditCompleted" if all checks passed
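Review bot: The commit-association check `if echo "$COMMIT_LIST" | grep -q "$TARGET_COMMIT"; then` tests `$TARGET_COMMIT`, while the messages around it and the value read from the audit entry use `$AUDIT_COMMIT_HASH`; `TARGET_COMMIT` is not assigned anywhere visible in this section, and if it is unset elsewhere too, `grep -q ""` matches any non-empty commit list, so the check passes no matter which commit was audited. A substring match would also accept a truncated hash, so I would change the line to `if printf '%s\n' "$COMMIT_LIST" | grep -qFx -- "$AUDIT_COMMIT_HASH"; then`. In the now-disabled reviewer block, `FOUND_REVIEW=true` and `exit 0` run inside the `| while` pipeline subshell, so the outer `if [ "$FOUND_REVIEW" == true ]` would never see the flag, and the comparison uses `$REVIEWER` rather than `$AUDITOR_GIT_HANDLE`; both need fixing before the block is re-enabled, since with it disabled the job no longer verifies that the auditor approved the PR. The enclosing `while IFS= read -r FILE` loop and the step it belongs to start before the first hunk.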
