Merge branch 'main' of github.com:lifinance/contracts into LF-10403 #360
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Protect Auditors Group | |
| # - makes sure that members of the auditor group cannot be members of a any smart-contract group | |
| # - this ensures that no member can have multiple roles and use this to bypass audit requirements | |
| name: Protect Auditors Group | |
| on: | |
| push: | |
| jobs: | |
| protect-auditors-group: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Compare Group Members | |
| env: | |
| GH_PAT: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| ##### unset the default git token (does not have sufficient rights to get team members) | |
| unset GITHUB_TOKEN | |
| ##### use the Personal Access Token to log into git CLI | |
| echo $GH_PAT | gh auth login --with-token || { echo "GitHub authentication failed"; exit 1; } | |
| # Function to get team members | |
| getTeamMembers() { | |
| local org=$1 | |
| local team=$2 | |
| gh api \ | |
| -H "Accept: application/vnd.github+json" \ | |
| -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| "/orgs/$org/teams/$team/members" | jq -r '.[].login' | |
| } | |
| ORG_NAME="lifinance" | |
| SC_ADMINS="smart-contract-admins" | |
| SC_CORE="smart-contract-core" | |
| AUDITORS="auditors" | |
| ##### Get members of each group | |
| echo "Fetching members of $SC_ADMINS..." | |
| SC_ADMINS_MEMBERS=$(getTeamMembers "$ORG_NAME" "$SC_ADMINS") || { echo "Failed to fetch members of $SC_ADMINS"; exit 1; } | |
| echo "Fetching members of $SC_CORE..." | |
| SC_CORE_MEMBERS=$(getTeamMembers "$ORG_NAME" "$SC_CORE") || { echo "Failed to fetch members of $SC_CORE"; exit 1; } | |
| echo "Fetching members of $AUDITORS..." | |
| AUDITORS_MEMBERS=$(getTeamMembers "$ORG_NAME" "$AUDITORS") || { echo "Failed to fetch members of $AUDITORS"; exit 1; } | |
| # Convert string to sorted lines and remove empty lines | |
| echo "$SC_ADMINS_MEMBERS" | tr ' ' '\n' | sort | uniq > sc_admins_sorted.txt | |
| echo "$SC_CORE_MEMBERS" | tr ' ' '\n' | sort | uniq > sc_core_sorted.txt | |
| echo "$AUDITORS_MEMBERS" | tr ' ' '\n' | sort | uniq > auditors_sorted.txt | |
| # Check if both files exist and are not empty | |
| if [ ! -s sc_admins_sorted.txt ] || [ ! -s auditors_sorted.txt ]; then | |
| echo -e "\033[31mERROR: One of the membership lists is empty or failed to be generated.\033[0m" | |
| exit 1 | |
| fi | |
| echo "Checking for git users that are members of both $SC_ADMINS and $AUDITORS team..." | |
| OVERLAP=$(comm -12 sc_admins_sorted.txt auditors_sorted.txt) | |
| if [ -n "$OVERLAP" ]; then | |
| echo -e "\033[31mERROR: The following git users are members of both $SC_ADMINS and $AUDITORS groups: $OVERLAP\033[0m" | |
| echo -e "\033[31mAuditors must be external personnel and cannot be team members or admins\033[0m" | |
| exit 1 | |
| else | |
| echo -e "\033[32mNo overlap found between $SC_ADMINS and $AUDITORS.\033[0m" | |
| fi | |
| echo "Checking for git users that are members of both $SC_CORE and $AUDITORS team..." | |
| OVERLAP=$(comm -12 sc_admins_sorted.txt auditors_sorted.txt) | |
| if [ -n "$OVERLAP" ]; then | |
| echo -e "\033[31mERROR: The following git users are members of both $SC_CORE and $AUDITORS groups: $OVERLAP\033[0m" | |
| echo -e "\033[31mAuditors must be external personnel and cannot be team members or admins\033[0m" | |
| exit 1 | |
| else | |
| echo -e "\033[32mNo overlap found between $SC_CORE and $AUDITORS.\033[0m" | |
| echo -e "\033[32mAll checks passed\033[0m" | |
| fi |