46 lines
1.6 KiB
Python
46 lines
1.6 KiB
Python
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
from os import environ
|
|
from pathlib import Path
|
|
from typing import List
|
|
|
|
from .git import git_changed_files
|
|
from .util import get_parent_cert_paths
|
|
from .verify import verify
|
|
|
|
|
|
def ci(working_dir: Path, keyring_root: Path, project_root: Path) -> None:
|
|
"""Verify certificates against modern expectations using `sq keyring lint` and hokey
|
|
|
|
Currently only newly added certificates will be checked against the expectations as existing
|
|
keys are not all fully compatible with those assumptions.
|
|
New certificates are determined by using $CI_MERGE_REQUEST_DIFF_BASE_SHA as the base,
|
|
|
|
Parameters
|
|
----------
|
|
working_dir: A directory to use for temporary files
|
|
keyring_root: The keyring root directory to look up username shorthand sources
|
|
project_root: Path to the root of the git repository
|
|
"""
|
|
|
|
ci_merge_request_diff_base = environ.get("CI_MERGE_REQUEST_DIFF_BASE_SHA")
|
|
created, deleted, modified = git_changed_files(
|
|
git_path=project_root, base=ci_merge_request_diff_base, paths=[Path("keyring")]
|
|
)
|
|
|
|
changed_certificates: List[Path] = list(get_parent_cert_paths(paths=created + deleted + modified))
|
|
|
|
verify(
|
|
working_dir=working_dir,
|
|
keyring_root=keyring_root,
|
|
sources=changed_certificates,
|
|
lint_hokey=False,
|
|
lint_sq_keyring=False,
|
|
)
|
|
|
|
added_certificates: List[Path] = [
|
|
path for path in changed_certificates if (path / f"{path.name}.asc").relative_to(project_root) in created
|
|
]
|
|
if added_certificates:
|
|
verify(working_dir=working_dir, keyring_root=keyring_root, sources=added_certificates)
|