GitHub CI job to verify tags are on expected branches

aws · Feb 5, 2025 · 582d6e8 · 582d6e8
1 parent cc9c9f0
commit 582d6e8
Show file tree

Hide file tree

Showing 3 changed files with 118 additions and 0 deletions.
diff --git a/.github/workflows/misc-tests.yaml b/.github/workflows/misc-tests.yaml
@@ -121,3 +121,15 @@ jobs:
       - if: ${{ matrix.os != 'windows-latest' }}
         name: Run tests
         run: cmake --build "path has spaces/build-fips" --target run_tests
+  git-tag-check:
+    if: github.repository_owner == 'aws'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-tags: true
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+      - name: Check for git tag
+        run: python ./util/git-tag-check/git-tag-check.py
diff --git a/util/git-tag-check/git-tag-check.py b/util/git-tag-check/git-tag-check.py
@@ -0,0 +1,92 @@
+import os
+import subprocess
+import json
+import re
+from typing import List
+
+REMOTE_NAME = "origin"
+TAG_BRANCH_JSON = os.path.abspath(os.path.join(os.path.dirname(__file__), 'tag-branch.json'))
+REPO_PATH = os.path.abspath(os.path.join(__file__, '..', '..'))
+
+
+def get_git_tags(repo_path: str) -> List[str]:
+    try:
+        result = subprocess.run(
+            ['git', '-C', repo_path, 'tag', '--list'],
+            capture_output=True,
+            text=True,
+            check=True
+        )
+
+        tags = result.stdout.strip().split('\n')
+
+        # Remove empty strings from list
+        return [tag for tag in tags if tag]
+
+    except subprocess.CalledProcessError as e:
+        print(f"Error getting tags: {e}")
+        return []
+
+def is_same_commit(tag: str, branch: str) -> bool:
+    tag_result = subprocess.run(
+        ['git', '-C', REPO_PATH, 'rev-parse', tag],
+        capture_output=True,
+        text=True,
+        check=True
+    )
+    tag_sha = tag_result.stdout.strip()
+
+    branch_result = subprocess.run(
+        ['git', '-C', REPO_PATH, 'rev-parse', branch],
+        capture_output=True,
+        text=True,
+        check=True
+    )
+    branch_sha = branch_result.stdout.strip()
+
+    #print(f"Comparing {tag_sha} and {branch_sha}")
+    return tag_sha == branch_sha
+
+def is_tag_reachable(tag: str, branch: str):
+    # Sanity check - Verify the tag exists
+    subprocess.run(
+        ['git', '-C', REPO_PATH, 'rev-parse', '--verify', tag],
+        capture_output=True,
+        check=True
+    )
+
+    # Sanity check - Verify the branch exists
+    subprocess.run(
+        ['git', '-C', REPO_PATH, 'rev-parse', '--verify', branch],
+        capture_output=True,
+        check=True
+    )
+
+    result = subprocess.run(
+        ['git', '-C', REPO_PATH, 'merge-base', '--is-ancestor', tag, branch],
+        capture_output=True,
+        text=True
+    )
+
+    return result.returncode == 0 or is_same_commit(tag, branch)
+
+def main():
+    with open(TAG_BRANCH_JSON, 'r') as file:
+        branch_tag_patterns = json.load(file)
+
+    if len(branch_tag_patterns) == 0:
+        raise Exception("Empty JSON file?")
+
+    for item in branch_tag_patterns:
+        branch = item['branch']
+        tag_pattern = item['tag_pattern']
+        print(f"Processing branch: '{branch}', pattern: '{tag_pattern}'")
+        for tag in get_git_tags(REPO_PATH):
+            if re.match(tag_pattern, tag):
+                if is_tag_reachable(tag, '/'.join([REMOTE_NAME, branch])):
+                    print(f"Tag found: {tag} on branch: {branch}")
+                else:
+                    raise Exception(f"Tag NOT found: {tag} on branch: {branch}")
+
+if __name__ == '__main__':
+    main()
diff --git a/util/git-tag-check/tag-branch.json b/util/git-tag-check/tag-branch.json
@@ -0,0 +1,14 @@
+[
+  {
+    "tag_pattern": "AWS-LC-FIPS-2\\..*",
+    "branch": "fips-2022-11-02"
+  },
+  {
+    "tag_pattern": "AWS-LC-FIPS-3\\..*",
+    "branch": "fips-2024-09-27"
+  },
+  {
+    "tag_pattern": "v1\\..*",
+    "branch": "main"
+  }
+]