Git action test [AllBridgeFacet v3.0.1] [@coderabbit ignore] #30

# - Github Audit Checker
# - checks if an audit is required
# YES, if:
# > contract in src/*.sol (no test or script contracts)
# - checks if an audit was conducted
# > is there at least one complete entry in the audit log for that contract/version
# - checks if all audit-related files are updated accordingly
# > is the audit report uploaded to ./audit/reports/ ?
# - checks if there is one approving review of an auditor (do we really want this?)
# - checks if the logged audit commit hash is part of the commits of this PULL_REQUEST
name: Audit Check
runs-on: ubuntu-latest
auditLogPath: 'audit/auditLog.json'
- name: Checkout repository
uses: actions/checkout@v4
fetch-depth: 0 ##### Fetch all history for all branches
- name: Check modified files for protected contracts
id: check_eligibility
run: |
##### get all files modified by this PR
FILES=$(git diff --name-only origin/main HEAD)
##### make sure that there are modified files
if [[ -z $FILES ]]; then
echo -e "\033[31mNo files found. This should not happen. Please check the code of the Github action. Aborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
##### Initialize empty variables
##### go through all modified file names/paths and identify contracts with path 'src/*'
while IFS= read -r FILE; do
if echo "$FILE" | grep -E '^src/.*\.sol$'; then
# if echo "$FILE" | grep -E '^src/*\.sol$'; then
##### contract found
done <<< "$FILES"
##### if none found, exit here as there is nothing to do
if [[ -z "$PROTECTED_CONTRACTS" ]]; then
echo -e "\033[31mNo protected contracts found in files modified/added by this PR.\033[0m"
echo -e "\033[31mNo further checks are required.\033[0m"
# set action output to false
echo "CONTINUE=false" >> $GITHUB_ENV
exit 0
# set action output to true
echo "CONTINUE=true" >> $GITHUB_ENV
##### Write filenames to temporary files (using variables here was causing issues due to the file names)
echo -e "$PROTECTED_CONTRACTS" > protected_contracts.txt
- name: Check audit log
id: check-audit-log
if: env.CONTINUE == 'true'
run: |
# load list of protected contracts
PROTECTED_CONTRACTS=$(cat protected_contracts.txt)
# create temp files to store commit hashes and auditor handles
##### make sure that there are any protected contracts
if [[ -z $PROTECTED_CONTRACTS ]]; then
echo -e "\033[31mNo protected contracts found. This should not happen (action should stop earlier). Please check the code of the Github action. Aborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
# iterate through all contracts
while IFS= read -r FILE; do
# load contract version
VERSION=$(sed -nE 's/^\/\/\/ @custom:version ([0-9]+\.[0-9]+\.[0-9]+).*/\1/p' "$FILE")
##### make sure that contract version was extracted successfully
if [[ -z $VERSION ]]; then
echo -e "\033[31mCould not find version of contract $FILE. This should not happen. Please check the Github action code. Aborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
# see if audit log contains an entry with those values
FILENAME=$(basename "$FILE" .sol)
LOG_ENTRIES=$(jq -r --arg filename "$FILENAME" --arg version "$VERSION" '.[$filename][$version][]' "$auditLogPath")
##### make sure that audit log entries were found
if [[ -z $LOG_ENTRIES || "${#LOG_ENTRIES}" -eq 0 ]]; then
echo -e "\033[31mCould not find a logged audit for contract $FILENAME in version $VERSION.\033[0m"
echo -e "\033[31mThis github action cannot complete until the audit log contains a logged audit for this file.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
# Iterate through all log entries
echo "$LOG_ENTRIES" | jq -c '.' | while IFS= read -r entry; do
# extract log entry values into variables
AUDIT_COMPLETED_ON=$(echo "$entry" | jq -r '.auditCompletedOn')
AUDITED_BY=$(echo "$entry" | jq -r '.auditedBy')
AUDITOR_GIT_HANDLE=$(echo "$entry" | jq -r '.auditorGitHandle')
AUDIT_REPORT_PATH=$(echo "$entry" | jq -r '.auditReportPath')
AUDIT_COMMIT_HASH=$(echo "$entry" | jq -r '.auditCommitHash')
# make sure that audit log entry contains date
if [ -z "$AUDIT_COMPLETED_ON" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains an invalid or no 'auditCompletedOn' date.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
# make sure that audit log entry contains auditor's (company) name
if [ -z "$AUDITED_BY" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditedBy' information.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
# make sure that audit log entry contains auditor's git handle
if [ -z "$AUDITOR_GIT_HANDLE" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditorGitHandle' information.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
# make sure that audit log entry contains audit report path
if [ -z "$AUDIT_REPORT_PATH" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditReportPath' information.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
# make sure that a file exists at the audit report path
if [ ! -f "$AUDIT_REPORT_PATH" ]; then
echo -e "\033[31mCould not find an audit report in path $AUDIT_REPORT_PATH for contract "$FILENAME".\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit report is uploaded to 'audit/reports/'.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
# make sure that audit log entry contains audit report path
if [ -z "$AUDIT_COMMIT_HASH" ]; then
echo -e "\033[31mThe audit log entry for file $FILE contains invalid or no 'auditCommitHash' information.\033[0m"
echo -e "\033[31mThis github action cannot complete before the audit log is complete.\033[0m"
echo -e "\033[31mAborting now.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 1
# store the commit hash in a temporary file to check its validity in a following step
echo "adding commit hash $AUDIT_COMMIT_HASH"
echo "$AUDIT_COMMIT_HASH" >> commit_hashes.txt
# store the auditor git handle to check it in a following step if this auditor has reviewed the PR
echo "adding auditor handle $AUDITOR_GIT_HANDLE"
echo "$AUDITOR_GIT_HANDLE" >> auditor_handles.txt
echo -e "\033[32mAll audit log entries are complete.\033[0m"
# # read the temp files into variables
# - name: Check if PR is approved by auditor(s)
# id: check-auditor-approval
# uses: actions/github-script@v5
# if: env.CONTINUE == 'true'
# with:
# script: |
# const fs = require('fs');
# const auditorHandlesFile = 'auditor_handles.txt'; // Adjust this if needed
# // Read auditor handles from file
# const auditorHandles = fs.readFileSync(auditorHandlesFile, 'utf-8').split(/\r?\n/).filter(Boolean);
# const { data: reviews } = await github.pulls.listReviews({
# owner: context.repo.owner,
# repo: context.repo.repo,
# pull_number: context.issue.number,
# });
# let allApproved = true;
# auditorHandles.forEach(handle => {
# const approved = reviews.some(review => review.user.login === handle && review.state === 'APPROVED');
# if (!approved) {
# console.log(`PR is not approved by ${handle}`);
# allApproved = false;
# } else {
# console.log(`PR is approved by ${handle}`);
# }
# });
# if (!allApproved) {
# core.setFailed("Not all required auditors have approved the PR.");
# } else {
# core.setOutput('approved', 'true');
# }
- name: Check if all required commits are part of the PR
id: check_commit_hashes
if: env.CONTINUE == 'true'
uses: actions/github-script@v5
script: |
const fs = require('fs');
// Read commit hashes from file
const commitHashesFile = 'commit_hashes.txt'; // Adjust this if needed
const commitHashes = fs.readFileSync(commitHashesFile, 'utf-8').split(/\r?\n/).filter(Boolean);
console.log(`${commitHashes.length} commitHashes found`)
const { data: commits } = await{
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number,
const prCommitHashes = => commit.sha);
let allCommitsFound = true;
console.log(`${prCommitHashes.length} prCommitHashes found`)
commitHashes.forEach(hash => {
console.log(`now checking pr commit hash: ${hash}`)
if (!prCommitHashes.includes(hash)) {
console.log(`Commit ${hash} is not part of the PR`);
allCommitsFound = false;
} else {
console.log(`Commit ${hash} is part of the PR`);
if (!allCommitsFound) {
console.log("CHECK FAILED")
core.setFailed("Not all required commits are part of the PR.");
} else {
console.log("CHECK PASSED")
core.setOutput('all_commits_present', 'true');
# - name: Assign "Ready_For_PROD_Deployment" label
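Review bot: The empty-field guards in the Check audit log step never fire for a missing key, because `jq -r '.auditCompletedOn'` (and the four sibling extractions below it) prints the literal string `null`, which `[ -z ... ]` treats as non-empty; an entry lacking `auditCompletedOn`, `auditedBy` or `auditorGitHandle` therefore passes as complete, and a missing `auditCommitHash` is appended to commit_hashes.txt as `null` and only fails in the later commit check with a misleading message. Use the alternative operator in each extraction, e.g. `AUDIT_COMPLETED_ON=$(echo "$entry" | jq -r '.auditCompletedOn // empty')`, so absent and null fields become empty strings and the existing guards work as written. Separately, the report-path check only tests `-f`, not that the path lies under `audit/reports/` as the header comment and the error message claim, and with the auditor-approval step commented out the audit log, the report file and the contract are all attested by the same PR author, so this workflow on its own does not establish an independent audit — if that is the intended trust model it is worth stating in the header comment, otherwise the `audit/` tree needs a reviewer requirement enforced outside this workflow. The workflow continues past the end of this section, and the github-script body near the end appears garbled in this rendering (`await{`, `= => commit.sha)`), so the commit-hash comparison itself is not reviewed here.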