Clone specific software-layer-commit and implement CI to check merged status

.github/workflows/test_software_layer_scripts.yml

@@ -0,0 +1,127 @@
+# documentation: https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+# This workflow verifies that the correct version of software-layer-scripts is used.
+# 
+# First, check_bot_build_checksums checks if the bot/build.sh code that clones software-layer-scripts is untouched,
+# as this normally shouldn't change (a change could mean a contributor is trying to inject something
+# malicious). Having this CI means that a change in bot/build.sh should at least be accompanied by
+# a change in this CI, making it stand out to reviewers and increasing the likelihood of this being caught.
+# 
+# Second, check-software_layer_scripts_commit checks if the commit used in bot/commit_sha is a merge-commit for a
+# merge into the default branch of software-layer-scripts. This guarantees that everything that is associated with
+# that commit was approved by a reviewer (and deployed, if needed)
+name: Verify software-layer-scripts
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+  workflow_dispatch:
+permissions:
+  contents: read # to fetch code (actions/checkout)
+jobs:
+  check_bot_build_checksum:
+    runs-on: ubuntu-24.04
+    steps:
+        - name: Check out software-layer repository (shallow)
+          uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+          with:
+              fetch-depth: 1  # We only need the current revision to read bot/commit_sha
+
+        - name: Compute bot/build.sh checksum and verify it
+          run: |
+            # Print clear error if file doesn't exist at all
+            if [[ ! -f bot/build.sh ]]; then
+              echo "ERROR: File bot/build.sh not found!"
+              exit 1
+            fi
+
+            # Reference checksum
+            # UPDATE THIS CHECKSUM IF AND ONLY IF WE ACTUALLY WANT TO CHANGE bot/build.sh
+            EXPECTED_CHECKSUM="9d33368cac2e38e10147eeb0aafc321651ebaa5912387ecef97683570906773a"
+
+            # Compute checksum
+            COMPUTED_CHECKSUM=$(sha256sum bot/build.sh | awk '{print $1}')
+            echo "Computed checksum: $COMPUTED_CHECKSUM"
+            echo "Reference checksum: $EXPECTED_CHECKSUM"
+
+            # Compare checksums
+            if [[ "$COMPUTED_CHECKSUM" != "$EXPECTED_CHECKSUM" ]]; then
+              echo "ERROR: Checksum mismatch! The file bot/build.sh has been modified."
+              exit 1
+            else
+              echo "Checksum for bot/build.sh matches the reference value"
+            fi
+  check_software_layer_scripts_commit:
+    runs-on: ubuntu-24.04
+    steps:
+        - name: Check out software-layer repository (shallow)
+          uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+          with:
+              fetch-depth: 1  # We only need the current revision to read bot/commit_sha
+        - name: Checkout software-layer-scripts (full history)
+          uses: actions/checkout@v4
+          with:
+            repository: EESSI/software-layer-scripts
+            path: upstream-scripts
+            fetch-depth: 0 # full history → required for ancestry checks
+
+        - name: Read commit SHA
+          id: read_sha
+          run: |
+            SHA=$(cat bot/commit_sha | tr -d '[:space:]')
+            echo "sha=$SHA" >> $GITHUB_OUTPUT
+            echo "Found SHA: $SHA"
+
+        - name: Verify SHA exists in software‑layer‑scripts
+          working-directory: upstream-scripts
+          run: |
+            SHA="${{ steps.read_sha.outputs.sha }}"
+
+            echo "Checking out commit ${SHA} from software-layer-scripts"
+            git fetch --depth=1 origin ${SHA}
+            git checkout --detach ${SHA}
+
+            # Validate that this object is _actually_ a commit
+            if ! git cat-file -e "${SHA}^{commit}" 2>/dev/null; then
+              echo "Commit $SHA not found in software‑layer‑scripts."
+              exit 1
+            fi
+            echo "Commit $SHA exists in software‑layer‑scripts."
+
+        - name: Check that SHA is merged into the default branch
+          working-directory: upstream-scripts
+          run: |
+            SHA="${{ steps.read_sha.outputs.sha }}"
+
+            # git merge‑base --is‑ancestor returns 0 if $SHA is an ancestor of origin/main
+            if git merge-base --is-ancestor "$SHA" origin/main; then
+              echo "Commit $SHA is merged into origin/main."
+            else
+              echo "Commit $SHA is NOT merged into origin/main."
+              exit 1
+            fi
+
+        - name: Verify commit is signed by GitHub’s web‑flow key
+          working-directory: upstream-scripts
+          env:
+            GIT_TRACE: 1   # extra debug output if something goes wrong
+          run: |
+            SHA="${{ steps.read_sha.outputs.sha }}"
+
+            # Import the public key that GitHub uses for UI‑generated merges
+            echo "Importing GitHub web‑flow GPG key…"
+            curl -sSfL https://github.com/web-flow.gpg | gpg --dearmor > web-flow.gpg
+            gpg --import web-flow.gpg
+            # (optional) show the fingerprint for debugging
+            echo "Fingerprint of the web-flow GPG key:"
+            gpg --list-keys --fingerprint | grep -i "web-flow" -A1
+
+            # Verify the commit’s GPG signature
+            echo "Verifying the signature of commit $SHA…"
+            if git verify-commit "$SHA"; then
+              echo "Commit $SHA is signed and the signature validates with the web‑flow key."
+              echo "All verification steps succeeded."
+            else
+              echo "Commit $SHA is either unsigned or not signed by the web‑flow key."
+              exit 1
+            fi

bot/build.sh

@@ -3,7 +3,19 @@
 # give up as soon as any error occurs
 set -e
 
-git clone https://github.com/EESSI/software-layer-scripts
+TOPDIR=$(dirname $(realpath $0))
+
+# Clone a the commit from software-layer-script that corresponds to `bot/commit_sha`
+commit_sha=$(cat ${TOPDIR}/commit_sha)
+
+# Get a shallow clone first
+git clone --depth 1 --filter=blob:none --no-checkout https://github.com/EESSI/software-layer-scripts
+
+# Fetch the relevant commit & check it out
+cd software-layer-scripts
+git fetch --depth=1 origin ${commit_sha}
+git checkout --detach ${commit_sha}
+cd ..
 
 # symlink everything, except for:
 # - common files like LICENSE and README.md

bot/commit_sha

@@ -0,0 +1 @@
+f5c45bf7810eb83d2f13e7d94260772cbe5b484d

easystacks/software.eessi.io/2025.06/eessi-2025.06-eb-5.1.2-001-system.yml

@@ -8,3 +8,4 @@ easyconfigs:
       options:
         # see https://github.com/easybuilders/easybuild-easyconfigs/pull/24974
         from-commit: 775394fc355a53422ef7dfffdc72e88c2de8f703
+  - cowsay-3.04.eb