mmulholla · mmulholla · Dec 1, 2022
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -77,9 +77,11 @@ jobs:
         run: |
           #set environemnt based on repository
           if [ $GITHUB_REPOSITORY == "openshift-helm-charts/charts" ]; then
+            echo "Use latest verifier image"
             echo "::set-output name=insecure_skip_tls_verify::false"
             echo "::set-output name=verifier-action-image::latest"
           else
+            echo "Use dev verifier image"
             echo "::set-output name=insecure_skip_tls_verify::true"
             echo "::set-output name=verifier-action-image::0.1.0"
           fi
@@ -155,6 +157,7 @@ jobs:
         uses: redhat-actions/openshift-tools-installer@v1
         with:
           source: github
+          skip_cache: true
           chart-verifier: ${{ steps.set-env.outputs.verifier-action-image }}
 
       - name: determine verify requirements
@@ -205,6 +208,13 @@ jobs:
             report_type: all
             fail: false
 
+      - name: check-verifier-result
+        id: check-verifier-result
+        if: ${{ always() && steps.run-verifier.outcome == 'failure' }}
+        run: |
+          error_message="The chart verifier returned an error when trying to obtain a verification report for the chart."
+          echo "::set-output name=verifier_error_message::$error_message"
+
       - name: Check Report
         id: check_report
         if: ${{ steps.check_build_required.outputs.run-build == 'true' }}
@@ -214,6 +224,7 @@ jobs:
           REPORT_GENERATED: ${{ steps.verify_requires.outputs.report_needed }}
           GENERATED_REPORT_PATH: ${{ steps.run-verifier.outputs.report_file }}
           REPORT_SUMMARY_PATH: ${{ steps.run-verifier.outputs.report_info_file }}
+          WORKFLOW_WORKING_DIRECTORY: "../pr"
         run: |
           cd pr-branch
           ../ve1/bin/chart-pr-review --directory=../pr --verify-user=${{ github.event.pull_request.user.login }} --api-url=${{ github.event.pull_request._links.self.href }}
@@ -241,8 +252,9 @@ jobs:
           OWNERS_ERROR_MESSAGE: ${{ steps.check_pr_content.outputs.owners-error-message }}
           COMMUNITY_MANUAL_REVIEW: ${{ steps.check_report.outputs.community_manual_review_required }}
           OC_INSTALL_RESULT: ${{ steps.install-oc.conclusion }}
+          VERIFIER_ERROR_MESSAGE: ${{ steps.check-verifier-result.outputs.verifier_error_message }}
         run: |
-          ve1/bin/pr-comment ${{ steps.check_pr_content.outcome }} ${{ steps.check_report.conclusion }} ${{ github.repository }}
+          ve1/bin/pr-comment ${{ steps.check_pr_content.outcome }} ${{ steps.run-verifier.outcome }} ${{ steps.check_report.conclusion }}
 
       - name: Comment on PR
         if: ${{ always() && steps.check_build_required.outputs.run-build == 'true' }}
@@ -261,7 +273,7 @@ jobs:
             });
 
       - name: Add 'authorized-request' label to PR
-        if: ${{ always() && steps.check_pr_content.outcome == 'success' && steps.check_build_required.outputs.run-build == 'true' }}
+        if: ${{ always() && steps.check_pr_content.outcome == 'success' && steps.run-verifier.outcome != 'failure' && steps.check_build_required.outputs.run-build == 'true' }}
         uses: actions/github-script@v3
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -337,7 +349,9 @@ jobs:
         continue-on-error: true
         with:
           tag_name: ${{ steps.release-charts.outputs.tag }}
-          files: pr-branch/report.yaml
+          files: |
+              ${{ steps.release-charts.outputs.report_file }}
+              ${{ steps.release-charts.outputs.public_key_file }}
           fail_on_unmatched_files: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -349,9 +363,11 @@ jobs:
         run: |
           if [ $GITHUB_REPOSITORY == "openshift-helm-charts/charts" ]; then
               WRITE_KEY=${{ secrets.SEGMENT_WRITE_KEY }}
+              ID_PREFIX="helm-metric-pr"
               echo "Use segment production write key"
           else
               WRITE_KEY=${{ secrets.SEGMENT_TEST_WRITE_KEY }}
+              ID_PREFIX="helm-test-metric-pr"
               echo "Use segment test write key"
           fi
 
@@ -362,7 +378,9 @@ jobs:
                               --message-file="${{ steps.pr_comment.outputs.message-file }}" \
                               --pr-number="${{ github.event.number }}" \
                               --pr-action="${{ github.event.action }}" \
-                              --repository="${GITHUB_REPOSITORY}"
+                              --repository="${GITHUB_REPOSITORY}" \
+                              --prefix="${ID_PREFIX}" \
+                              --pr_dir="./pr-branch"
           else
               echo "Do not collect metrics, required segment write key is not set"
           fi
diff --git a/.github/workflows/owners.yml b/.github/workflows/owners.yml
@@ -0,0 +1,86 @@
+name: Metrics for owners file
+
+on:
+  push:
+    branches: [ main ]
+
+jobs:
+  owners-metrics:
+    name: Send Owner Metrics
+    runs-on: ubuntu-20.04
+    env:
+      SEGMENT_WRITE_KEY: ${{ secrets.SEGMENT_WRITE_KEY }}
+      SEGMENT_TEST_WRITE_KEY: ${{ secrets.SEGMENT_TEST_WRITE_KEY }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Exit if push is not from redhat-mercury-bot
+        id: check_push_by_bot
+        run: |
+          echo "${{ github.event.pusher.name}}"
+          if [ "${{ github.event.pusher.name}}" != "redhat-mercury-bot" ]; then
+            echo "The push is not from redhat mercury bot - do not continue."
+            exit 0
+          fi
+
+      - name: Set up Python 3.x Part 1
+        uses: actions/setup-python@v2
+        with:
+          python-version: "3.9"
+
+      - name: Set up Python 3.x Part 2
+        run: |
+          # set up python
+          python3 -m venv ve1
+          cd scripts && ../ve1/bin/pip3 install -r requirements.txt && cd ..
+          cd scripts && ../ve1/bin/python3 setup.py install && cd ..
+
+      - uses: jitterbit/get-changed-files@v1
+        id: filesChangedOrModified
+        with:
+          format: space-delimited
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Printing changes made
+        run: |
+          echo "Added:"
+          echo "${{ steps.filesChangedOrModified.outputs.added }}"
+          echo "Modified:"
+          echo "${{ steps.filesChangedOrModified.outputs.modified }}"
+
+      - name: Quit if owners files pushed are not
+        run: |
+          SUB="/OWNERS"
+          if [ "${{ steps.filesChangedOrModified.outputs.added[0] }}" == *"$SUB"* ] || [ "${{ steps.filesChangedOrModified.outputs.modified[0] }}" == *"$SUB"* ] ; then
+          echo "OWNERS files have been modified or added"
+          else
+          echo "OWNERS files not pushed"
+          exit 0
+          fi
+
+      - name: Add owner metrics
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [ $GITHUB_REPOSITORY == "openshift-helm-charts/charts" ]; then
+              WRITE_KEY=${{ secrets.SEGMENT_WRITE_KEY }}
+              ID_PREFIX="helm-metric-pr"
+              echo "Use segment production write key"
+          else
+              WRITE_KEY=${{ secrets.SEGMENT_TEST_WRITE_KEY }}
+              ID_PREFIX="helm-test-metric-pr"
+              echo "Use segment test write key"
+          fi
+
+          if [ "${WRITE_KEY}" != "" ]; then
+              echo "add owner metric"
+              ve1/bin/pushowners --write-key="${WRITE_KEY}" \
+                                --metric-type="push_request" \
+                                --repository="${GITHUB_REPOSITORY}" \
+                                --added="${{ steps.filesChangedOrModified.outputs.added }}" \
+                                --modified="${{ steps.filesChangedOrModified.outputs.modified }}" \
+                                --prefix="${ID_PREFIX}"
+          else
+              echo "Do not collect metrics, required segment write key is not set"
+          fi
diff --git a/docs/README.md b/docs/README.md
@@ -42,6 +42,7 @@ submit a chart and the report together.
       * [Error with the chart URL when submitting report](#error-with-the-chart-url-when-submitting-report)
       * [Chart name and version mismatch errors](#chart-name-and-version-mismatch-errors)
       * [Report failures](#report-failures)
+      * [Signed chart failures](#signed-chart-failures)
    * [Frequently Asked Questions](#frequently-asked-questions)
       * [Can I test the pull request in my fork before submitting?](#can-i-test-the-pull-request-in-my-fork-before-submitting)
       * [Can I use any command-line interface to create pull request?](#can-i-use-any-command-line-interface-to-create-pull-request)
@@ -55,17 +56,20 @@ submit a chart and the report together.
 
 In a nutshell, these are the actions that are performed when you submit a chart.
 The pull request is checked for non-chart-related changes and fails the job if
-found.  A check performs the chart is added to a correct directory path.  If a
-report is provided, confirm all mandatory checks are present and have passed.
+found.  A check confirms the chart is added to a correct directory path.  If a
+report is provided, confirm the report has not been modified after generation, all mandatory checks are present and have passed.
 If a chart is provided, check the digest in the report to match the digest
 calculated for the submitted chart.  If a report is not provided, run the
 chart-verifier and confirm all mandatory checks pass.
 
+Additionally, for signed charts, if a pgp public key is included in the OWNERS file a check will be made to ensure the key can be used to verify the chart. 
+
 You can submit chart related changes in three methods:
 
 1. Submit a chart without Chart Verification Report
 
    - Chart as a tarball
+     - For signed chart also include the providence file.
    - Chart in a directory
 
 2. Submit a Chart Verification Report without the Chart
@@ -94,6 +98,7 @@ chart:
   name: awesome
   shortDescription: A Helm chart for Awesomeness
 publicPgpKey: null
+providerDelivery: False
 users:
   - githubUsername: <username-one>
   - githubUsername: <username-two>
@@ -132,13 +137,25 @@ Notice that in this case your organization will also be redhat.
 ### Submitting a Chart without Chart Verification Report
 
 The chart could be a tarball created using the `helm package` command or a
-directory with the chart source.  If it is a tarball, it can be placed directly
-under the `0.1.0` directory.
+directory with the chart source.  If it is a tarball, it is placed directly
+under the `0.1.0` directory, further if the chart is signed, the providence file is added to the same directory.
 
 ```
 charts/partners/acme/awesome/0.1.0/awesome-0.1.0.tgz
+charts/partners/acme/awesome/0.1.0/awesome-0.1.0.tgz.prov
+```
+
+For a signed chart the OWNERS file can include a base64 encoded public key for the chart. If this is present the key will be decoded and specified when the chart-verifier is used to create a report for the chart. If the public key does not match the chart the verifier report will include a check failure and, the PR will end with an error. If the public key does match the chart, and there are no other failures, a release will be created which will include the tarball, the providence file, the public key file, and the generated report.
+
+```
+awesome-0.1.0.tgz
+awesome-0.1.0.tgz.prov
+awesome-0.1.0.tgz.key
+report.yaml
 ```
 
+If the OWNERS file does not include the public key the chart verifier check is skipped and will not affect the pull request outcome. Further the public key file will not be included in the release.
+
 If the chart is a directory with the chart source, create an `src` directory to
 place the chart source.
 
@@ -174,6 +191,8 @@ The file structure looks like this:
 [Generate the report][chart-verifier] and save it under `0.1.0` with a given
 file name as `report.yaml`.
 
+#### Signed Report
+
 When you follow the [partner connect documentation][partners], you could see
 details about adding a PGP public key.  Adding PGP public key is optional.  But
 if you have added that, you should see your public key in the _OWNERS_ file
@@ -191,6 +210,16 @@ gpg --sign --armor --detach-sign --output report.yaml.asc report.yaml
 There will be `[WARNING]` message in the console if the signature verification
 fails.
 
+#### Report for a Signed chart
+
+For a signed chart, if a pgp public key was provided to the chart verifier when generating the report, a digest of the key is included in the report. If a base64 encoded pgp public key is then included in the OWNERS file a check is made to confirm the digest of the decoded key in the OWNERS file matches the key digest in the report, and if the match fails the PR will fail. However, if the key digests match, and there are no other errors when processing the PR, a release is generated containing the public key and the report:
+
+```
+awesome-0.1.0.tgz.key
+report.yaml
+```
+Note: A release is not generated if provider control delivery is enabled.
+
 ### Submitting a Chart Verification Report with the Chart
 
 You can also submit a chart and the report together.  As mentioned in the
@@ -199,10 +228,15 @@ or tarball under the version numbered directory.  Similarly, as mentioned in the
 "Submitting a Chart Verification Report without the Chart" section, place
 `report.yaml` also under the save under the version numbered directory.
 
+#### Signed Report
 As mentioned in the previous section, optionally, you can sign the report.
 There will be `[WARNING]` message in the console if the signature verification
 fails.
 
+#### Signed Chart
+For a signed chart the submission must include a tarball and a providence file in addition to the report file. In this case, for checking purpose the PR is treated similarly to a [report only submission](#report-for-a-signed-chart). 
+
+
 ## Post Submission Manual Review
 
 After submitting the pull request, it will take a few minutes to run all the
@@ -437,6 +471,29 @@ Error message: ..
 To fix the above failure, you need to modify the chart as per the failure
 messages.
 
+## Signed chart failures
+
+Signed chart failures can occur when a base64 encoded pgp public key is included in the OWNERS file.
+
+If the pull request includes a chart verifier report you may see a failure for example:
+
+```PGP key in OWNERS file does not match with key digest in report.```
+
+This can be caused by:
+- the PGP key in the OWNERS file is not base64 encoded.
+- the PGP key in the OWNERS file does not match to the PGP public key specified to the chart verifier when the report was generated.
+
+If the pull request includes a chart tarball and providence file, but no chart verifier report, you may see a failure for example:
+```
+[ERROR] Chart verifier report includes failures:
+
+Number of checks passed: 12
+Number of checks failed: 1
+Error message(s):
+Chart is signed : Signature verification failed : openpgp: signature made by unknown entity
+```
+This is because the key generated from the PGP key in the OWNERS file does not correspond to the secret key used to sign the chart. 
+
 ## Frequently Asked Questions
 
 ### Can I test the pull request in my fork before submitting?

diff --git a/scripts/requirements.txt b/scripts/requirements.txt
@@ -9,7 +9,7 @@ GitPython==3.1.18
 glob2==0.7
 idna==2.10
 iniconfig==1.1.1
-Mako==1.1.4
+mako==1.2.3
 MarkupSafe==2.0.1
 packaging==21.0
 parse==1.19.0

diff --git a/scripts/setup.cfg b/scripts/setup.cfg
@@ -48,4 +48,5 @@ console_scripts =
     check-user = owners.checkuser:main
     metrics = metrics.metrics:main
     get-verify-params = report.get_verify_params:main
+    pushowners=metrics.pushowners:main