condorcore-keyring/libkeyringctl/ci.py

46 lines
1.6 KiB
Python
Raw Normal View History

# SPDX-License-Identifier: GPL-3.0-or-later
from os import environ
from pathlib import Path
from typing import List
from .git import git_changed_files
from .util import get_parent_cert_paths
from .verify import verify
def ci(working_dir: Path, keyring_root: Path, project_root: Path) -> None:
"""Verify certificates against modern expectations using `sq keyring lint` and hokey
Currently only newly added certificates will be checked against the expectations as existing
keys are not all fully compatible with those assumptions.
New certificates are determined by using $CI_MERGE_REQUEST_DIFF_BASE_SHA as the base,
Parameters
----------
working_dir: A directory to use for temporary files
keyring_root: The keyring root directory to look up username shorthand sources
project_root: Path to the root of the git repository
"""
ci_merge_request_diff_base = environ.get("CI_MERGE_REQUEST_DIFF_BASE_SHA")
created, deleted, modified = git_changed_files(
git_path=project_root, base=ci_merge_request_diff_base, paths=[Path("keyring")]
)
changed_certificates: List[Path] = list(get_parent_cert_paths(paths=created + deleted + modified))
verify(
working_dir=working_dir,
keyring_root=keyring_root,
sources=changed_certificates,
lint_hokey=False,
lint_sq_keyring=False,
)
added_certificates: List[Path] = [
path for path in changed_certificates if (path / f"{path.name}.asc").relative_to(project_root) in created
]
if added_certificates:
verify(working_dir=working_dir, keyring_root=keyring_root, sources=added_certificates)