Merge pull request #2 from cashapp/yoav.checkout-all-git-history

Fetch tags to verify the current release
cashapp · Oct 11, 2022 · 4af6119 · 4af6119
2 parents c7a9b72 + 9f06bc1
commit 4af6119
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 2 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -21,13 +21,18 @@ jobs:
         run: |
           sudo apt update
           sudo apt install -y libpcsclite-dev
+      - if: ${{ matrix.os == 'macos-latest' }}
+        name: "Install dependencies (MacOS)"
+        run: |
+          brew install openssh
       - name: "Checkout code"
         uses: actions/checkout@v2
       - name: "Verify release tag"
         run: |
           set -euxo pipefail
           cd ${{ github.workspace }}
           git config gpg.ssh.allowedSignersFile ./config/allowed_release_signers
+          git fetch --tags
           git tag -v ${{ github.ref_name }}
       - name: "Build"
         run: |

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -11,5 +11,18 @@ sure your code compiles by running `make build`.
 Before your code can be accepted into the project you must also sign the
 [Individual Contributor License Agreement (CLA)][1].
 
+Verified commits and releases
+=============================
 
-[1]: https://spreadsheets.google.com/spreadsheet/viewform?formkey=dDViT2xzUHAwRkI3X3k5Z0lQM091OGc6MQ&ndplr=1
+Pivit is a command line tool that deals with security, and as such, we require that 
+every code change in it will be [signed as well][2].
+
+These signatures help us attest that code changes were made by real people, and provide
+and additional layer of security.
+
+In addition to only allowing verified commits, we also require signing every Pivit release tag
+with key that matches one of the allowed signers listed in `config/allowed_release_signers`.  
+Release tags are verified during the release workflow in `.github/workflows/release.yaml`.
+
+[1]: https://spreadsheets.google.com/spreadsheet/viewform?formkey=dDViT2xzUHAwRkI3X3k5Z0lQM091OGc6MQ&ndplr=1
+[2]: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits
diff --git a/config/allowed_release_signers b/config/allowed_release_signers
@@ -1 +1 @@
-#[email protected] [email protected] AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBBlLyEqGb3PVFxch6JQT20zKb/FAbrtn/yDL21tUxEQcbuxF3BiURyjx2dw6iZbHYEeEK83x4WBO7R7Hlra1iqQAAAAEc3NoOg==
+[email protected] [email protected] AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBBlLyEqGb3PVFxch6JQT20zKb/FAbrtn/yDL21tUxEQcbuxF3BiURyjx2dw6iZbHYEeEK83x4WBO7R7Hlra1iqQAAAAEc3NoOg==
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		#[email protected] [email protected] AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBBlLyEqGb3PVFxch6JQT20zKb/FAbrtn/yDL21tUxEQcbuxF3BiURyjx2dw6iZbHYEeEK83x4WBO7R7Hlra1iqQAAAAEc3NoOg==
		[email protected] [email protected] AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBBlLyEqGb3PVFxch6JQT20zKb/FAbrtn/yDL21tUxEQcbuxF3BiURyjx2dw6iZbHYEeEK83x4WBO7R7Hlra1iqQAAAAEc3NoOg==