wip: test tag verification

Enforce commit being associated to a tag.
The tag must be committed by a member of the release team.
In addition, the tag needs to be verified. Finally, triggering
actor must also be a member of the release team.

.github/workflows/make_release.yml

@@ -30,8 +30,15 @@ env:
   NPM_TAG: ""
 
 jobs:
+  verify_tag:
+    uses: ./.github/workflows/verify_tagged_commit.yml
+    secrets:
+      RELEASE_TEAM: ${{ secrets.RELEASE_TEAM }}
+      READ_ORG_TOKEN: ${{ secrets.READ_ORG_TOKEN }}
+
   package:
     runs-on: ubuntu-latest
+    needs: verify_tag
     outputs:
       hash: ${{ steps.hash.outputs.hash }}
     steps:

.github/workflows/make_release_concrete_csprng.yml

@@ -12,8 +12,15 @@ env:
   ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
 
 jobs:
+  verify_tag:
+    uses: ./.github/workflows/verify_tagged_commit.yml
+    secrets:
+      RELEASE_TEAM: ${{ secrets.RELEASE_TEAM }}
+      READ_ORG_TOKEN: ${{ secrets.READ_ORG_TOKEN }}
+
   publish_release:
     name: Publish concrete-csprng Release
+    needs: verify_tag
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

.github/workflows/make_release_cuda.yml

@@ -21,8 +21,15 @@ env:
   SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
 
 jobs:
+  verify_tag:
+    uses: ./.github/workflows/verify_tagged_commit.yml
+    secrets:
+      RELEASE_TEAM: ${{ secrets.RELEASE_TEAM }}
+      READ_ORG_TOKEN: ${{ secrets.READ_ORG_TOKEN }}
+
   setup-instance:
     name: Setup instance (publish-cuda-release)
+    needs: verify_tag
     runs-on: ubuntu-latest
     outputs:
       runner-name: ${{ steps.start-instance.outputs.label }}

.github/workflows/make_release_tfhe_versionable.yml

@@ -12,8 +12,15 @@ env:
   ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
 
 jobs:
+  verify_tag:
+    uses: ./.github/workflows/verify_tagged_commit.yml
+    secrets:
+      RELEASE_TEAM: ${{ secrets.RELEASE_TEAM }}
+      READ_ORG_TOKEN: ${{ secrets.READ_ORG_TOKEN }}
+
   publish_release:
     name: Publish tfhe-versionable Release
+    needs: verify_tag
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

.github/workflows/make_release_zk_pok.yml

@@ -13,8 +13,15 @@ env:
   ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
 
 jobs:
+  verify_tag:
+    uses: ./.github/workflows/verify_tagged_commit.yml
+    secrets:
+      RELEASE_TEAM: ${{ secrets.RELEASE_TEAM }}
+      READ_ORG_TOKEN: ${{ secrets.READ_ORG_TOKEN }}
+
   publish_release:
     name: Publish tfhe-zk-pok Release
+    needs: verify_tag
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

.github/workflows/verify_tagged_commit.yml

@@ -0,0 +1,75 @@
+# Verify a tagged commit
+name: Verify tagged commit
+
+on:
+  workflow_call:
+    secrets:
+      RELEASE_TEAM:
+        required: true
+      READ_ORG_TOKEN:
+        required: true
+
+jobs:
+  checks:
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Checkout tfhe-rs
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
+        with:
+          persist-credentials: 'false'
+          fetch-depth: 0
+
+      - name: Get tag SHA
+        run: |
+          git show-ref -s ${{ github.ref_name }}
+          echo "TAG_SHA=$(git show-ref -s ${{ github.ref_name }})" >> "${GITHUB_ENV}"
+
+      - name: Get commit details
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "SHAAAAA: ${{ github.sha }}"
+          echo "TAG SHA: ${{ env.TAG_SHA }}"
+          {
+            echo "COMMITTER_LOGIN=$(gh api repos/${{ github.repository }}/commits/${{ github.sha }} --jq '.committer.login')";
+            echo "VERIFICATION_STATUS=$(gh api repos/${{ github.repository }}/git/tags/${{ env.TAG_SHA }} --jq '.verification.verified')";
+          } >> "${GITHUB_ENV}"
+
+      # Check author of the tag membership
+      - name: Author verification
+        id: author_check
+        uses: morfien101/actions-authorized-user@4a3cfbf0bcb3cafe4a71710a278920c5d94bb38b
+        with:
+          username: ${{ env.COMMITTER_LOGIN }}
+          org: ${{ github.repository_owner }}
+          team: ${{ secrets.RELEASE_TEAM }}
+          github_token: ${{ secrets.READ_ORG_TOKEN }}
+
+      # Check triggering actor membership
+      - name: Actor verification
+        id: actor_check
+        uses: morfien101/actions-authorized-user@4a3cfbf0bcb3cafe4a71710a278920c5d94bb38b
+        with:
+          #username: ${{ github.actor }}
+          username: ${{ github.triggering_actor }}
+          org: ${{ github.repository_owner }}
+          team: ${{ secrets.RELEASE_TEAM }}
+          github_token: ${{ secrets.READ_ORG_TOKEN }}
+
+      - name: Commit verification
+        run: |
+          if [ "${{ steps.author_check.outputs.authorized }}" == "false" ]; then
+            echo "Author '${{ env.COMMITTER_LOGIN }}' is not part of authorized team"
+            exit 1
+          fi
+          
+          if [ "${{ steps.actor_check.outputs.authorized }}" == "false" ]; then
+            echo "Actor '${{ github.actor }}' is not authorized to perform release"
+            exit 1
+          fi
+
+          if [ "${{ env.VERIFICATION_STATUS }}" == "false" ]; then
+            echo "Commit is not verified"
+            exit 1
+          fi