From 7a52620161b5de376befdafee7af2fe9cc37b591 Mon Sep 17 00:00:00 2001
From: Caspar van Leeuwen
Date: Tue, 13 Jan 2026 16:44:59 +0100
Subject: [PATCH 01/20] Add dummy EasyConfig
---
.../test_software_layer_scripts_commit.yml | 87 +++++++++++++++++++
bot/commit_sha | 1 +
.../eessi-2025.06-eb-5.1.2-001-system.yml | 1 +
3 files changed, 89 insertions(+)
create mode 100644 .github/workflows/test_software_layer_scripts_commit.yml
create mode 100644 bot/commit_sha
diff --git a/.github/workflows/test_software_layer_scripts_commit.yml b/.github/workflows/test_software_layer_scripts_commit.yml
new file mode 100644
index 0000000000..f957cdbb02
--- /dev/null
+++ b/.github/workflows/test_software_layer_scripts_commit.yml
@@ -0,0 +1,87 @@
+# documentation: https://help.github.com/en/articles/workflow-syntax-for-github-actions
+# This workflow verifies that the software-layer-scripts commit used in bot/commit_sha is
+# a merge-commit for a merge into the default branch of software-layer-scripts.
+# This guarantees that everything that is associated with that commit was approved by a reviewer
+# (and deployed, if needed)
+name: Verify software-layer-scripts commit
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ workflow_dispatch:
+permissions:
+ contents: read # to fetch code (actions/checkout)
+jobs:
+ check_software_layer_scripts_commit:
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Check out software-layer repository (shallow)
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ fetch-depth: 1 # We only need the current revision to read bot/commit_sha
+ - name: Checkout software-layer-scripts (full history)
+ uses: actions/checkout@v4
+ with:
+ repository: EESSI/software-layer-scripts
+ path: upstream-scripts
+ fetch-depth: 0 # full history → required for ancestry checks
+
+ - name: Read commit SHA
+ id: read_sha
+ run: |
+ SHA=$(cat bot/commit_sha | tr -d '[:space:]')
+ echo "sha=$SHA" >> $GITHUB_OUTPUT
+ echo "Found SHA: $SHA"
+
+ - name: Verify SHA exists in software‑layer‑scripts
+ working-directory: upstream-scripts
+ run: |
+ SHA="${{ steps.read_sha.outputs.sha }}"
+
+ if ! git cat-file -e "${SHA}^{commit}" 2>/dev/null; then
+ echo "Commit $SHA not found in software‑layer‑scripts."
+ exit 1
+ fi
+ echo "Commit $SHA exists in software‑layer‑scripts."
+
+ - name: Check that SHA is merged into the default branch
+ working-directory: upstream-scripts
+ run: |
+ SHA="${{ steps.read_sha.outputs.sha }}"
+
+ # Make sure we have the latest refs for the default branch
+ git remote set-head origin -a
+ git fetch origin main --depth=0
+
+ # git merge‑base --is‑ancestor returns 0 if $SHA is an ancestor of origin/main
+ if git merge-base --is-ancestor "$SHA" origin/main; then
+ echo "Commit $SHA is merged into origin/main."
+ else
+ echo "Commit $SHA is NOT merged into origin/main."
+ exit 1
+ fi
+
+ - name: Verify commit is signed by GitHub’s web‑flow key
+ working-directory: upstream-scripts
+ env:
+ GIT_TRACE: 1 # extra debug output if something goes wrong
+ run: |
+ SHA="${{ steps.read_sha.outputs.sha }}"
+
+ # Import the public key that GitHub uses for UI‑generated merges
+ echo "Importing GitHub web‑flow GPG key…"
+ curl -sSfL https://github.com/web-flow.gpg | gpg --dearmor > web-flow.gpg
+ gpg --import web-flow.gpg
+ # (optional) show the fingerprint for debugging
+ echo "Fingerprint of the web-flow GPG key:"
+ gpg --list-keys --fingerprint | grep -i "web-flow" -A1
+
+ # Verify the commit’s GPG signature
+ echo "Verifying the signature of commit $SHA…"
+ if git verify-commit "$SHA"; then
+ echo "Commit $SHA is signed and the signature validates with the web‑flow key."
+ echo "All verification steps succeeded."
+ else
+ echo "Commit $SHA is either unsigned or not signed by the web‑flow key."
+ exit 1
+ fi
diff --git a/bot/commit_sha b/bot/commit_sha
new file mode 100644
index 0000000000..8712e74038
--- /dev/null
+++ b/bot/commit_sha
@@ -0,0 +1 @@
+f5c45bf7810eb83d2f13e7d94260772cbe5b484d
diff --git a/easystacks/software.eessi.io/2025.06/eessi-2025.06-eb-5.1.2-001-system.yml b/easystacks/software.eessi.io/2025.06/eessi-2025.06-eb-5.1.2-001-system.yml
index 7e2449f9c0..0cda8545d2 100644
--- a/easystacks/software.eessi.io/2025.06/eessi-2025.06-eb-5.1.2-001-system.yml
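Review bot: The value read from `bot/commit_sha` is pasted into three `run:` scripts through `SHA="${{ steps.read_sha.outputs.sha }}"` without being checked; the "Read commit SHA" step only strips whitespace, so whatever a pull request puts in that file becomes shell text in the later steps. I would reject anything that is not a full hex object name in the read step, e.g. `[[ "$SHA" =~ ^[0-9a-f]{40}$ ]] || { echo "bot/commit_sha is not a 40-character commit SHA"; exit 1; }`, and hand the value to the later steps with `env:` / `SHA: ${{ steps.read_sha.outputs.sha }}` instead of interpolating it inside the script. Separately, the second checkout uses the mutable tag `actions/checkout@v4` while the first one is pinned to a commit; pinning both keeps the verification job itself reproducible. In the last step the web-flow key is downloaded at run time and whatever is served gets imported; comparing the imported key's fingerprint with a value stored in the workflow would make `git verify-commit` mean what the step name says.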
+++ b/easystacks/software.eessi.io/2025.06/eessi-2025.06-eb-5.1.2-001-system.yml @@ -8,3 +8,4 @@ easyconfigs: options: # see https://github.com/easybuilders/easybuild-easyconfigs/pull/24974 from-commit: 775394fc355a53422ef7dfffdc72e88c2de8f703 + - cowsay-3.04.eb From 12c2bc7010ddd72cdf802ae510a960dd9794d60a Mon Sep 17 00:00:00 2001 From: Caspar van Leeuwen Date: Tue, 13 Jan 2026 17:20:13 +0100 Subject: [PATCH 02/20] Update bot/build.sh file to checkout commit_sha from software-layer-scripts --- bot/build.sh | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/bot/build.sh b/bot/build.sh index 2884db8de4..dc962d8a9d 100755 --- a/bot/build.sh +++ b/bot/build.sh @@ -3,7 +3,19 @@ # give up as soon as any error occurs set -e -git clone https://github.com/EESSI/software-layer-scripts +TOPDIR=$(dirname $(realpath $0)) + +# Clone a the commit from software-layer-script that corresponds to `bot/commit_sha` +commit_sha=$(cat ${TOPDIR}/commit_sha) + +# Get a shallow clone first +git clone --depth 1 --filter=blob:none --no-checkout https://github.com/EESSI/software-layer-scripts + +# Fetch the relevant commit & check it out +cd software-layer-scripts +git fetch --depth=1 origin ${commit_sha} +git checkout --detach ${commit_sha} +cd .. # symlink everything, except for: # - common files like LICENSE and README.md From dd37ed9a1e828dd83cb4eca4203382ff44526ab4 Mon Sep 17 00:00:00 2001 From: Caspar van Leeuwen Date: Tue, 13 Jan 2026 17:26:43 +0100 Subject: [PATCH 03/20] Fix indent --- .../test_software_layer_scripts_commit.yml | 116 +++++++++--------- 1 file changed, 58 insertions(+), 58 deletions(-) diff --git a/.github/workflows/test_software_layer_scripts_commit.yml b/.github/workflows/test_software_layer_scripts_commit.yml index f957cdbb02..13e1ea5a53 100644 --- a/.github/workflows/test_software_layer_scripts_commit.yml +++ b/.github/workflows/test_software_layer_scripts_commit.yml 
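Review bot: In `bot/build.sh`, `commit_sha=$(cat ${TOPDIR}/commit_sha)` is passed unquoted and unvalidated to `git fetch --depth=1 origin ${commit_sha}` and `git checkout --detach ${commit_sha}`, so a file holding several words or a value starting with `-` changes what those git commands are asked to do. This script is presumably what the build bot executes for a pull request, so I would check the value before using it, `[[ "${commit_sha}" =~ ^[0-9a-f]{40}$ ]] || { echo "bot/commit_sha must be a 40-character commit SHA" >&2; exit 1; }` (bash syntax; the shebang is outside the hunk), and quote every expansion, including `TOPDIR=$(dirname "$(realpath "$0")")`. The same unquoted `${SHA}` is used by the fetch and checkout that [PATCH 07/20] adds to the workflow. The script itself does not confirm that the commit is on the default branch of software-layer-scripts; as far as this series shows, that guarantee comes only from the separate workflow, which is worth stating in the comment above the clone (where "Clone a the commit" also wants fixing).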
@@ -15,73 +15,73 @@ jobs: check_software_layer_scripts_commit: runs-on: ubuntu-24.04 steps: - - name: Check out software-layer repository (shallow) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 1 # We only need the current revision to read bot/commit_sha - - name: Checkout software-layer-scripts (full history) - uses: actions/checkout@v4 - with: - repository: EESSI/software-layer-scripts - path: upstream-scripts - fetch-depth: 0 # full history → required for ancestry checks + - name: Check out software-layer repository (shallow) + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 1 # We only need the current revision to read bot/commit_sha + - name: Checkout software-layer-scripts (full history) + uses: actions/checkout@v4 + with: + repository: EESSI/software-layer-scripts + path: upstream-scripts + fetch-depth: 0 # full history → required for ancestry checks - - name: Read commit SHA - id: read_sha - run: | - SHA=$(cat bot/commit_sha | tr -d '[:space:]') - echo "sha=$SHA" >> $GITHUB_OUTPUT - echo "Found SHA: $SHA" + - name: Read commit SHA + id: read_sha + run: | + SHA=$(cat bot/commit_sha | tr -d '[:space:]') + echo "sha=$SHA" >> $GITHUB_OUTPUT + echo "Found SHA: $SHA" - - name: Verify SHA exists in software‑layer‑scripts - working-directory: upstream-scripts - run: | - SHA="${{ steps.read_sha.outputs.sha }}" - - if ! git cat-file -e "${SHA}^{commit}" 2>/dev/null; then - echo "Commit $SHA not found in software‑layer‑scripts." - exit 1 - fi - echo "Commit $SHA exists in software‑layer‑scripts." 
+ - name: Verify SHA exists in software‑layer‑scripts + working-directory: upstream-scripts + run: | + SHA="${{ steps.read_sha.outputs.sha }}" - - name: Check that SHA is merged into the default branch - working-directory: upstream-scripts - run: | - SHA="${{ steps.read_sha.outputs.sha }}" - - # Make sure we have the latest refs for the default branch - git remote set-head origin -a - git fetch origin main --depth=0 - - # git merge‑base --is‑ancestor returns 0 if $SHA is an ancestor of origin/main - if git merge-base --is-ancestor "$SHA" origin/main; then - echo "Commit $SHA is merged into origin/main." - else - echo "Commit $SHA is NOT merged into origin/main." - exit 1 - fi + if ! git cat-file -e "${SHA}^{commit}" 2>/dev/null; then + echo "Commit $SHA not found in software‑layer‑scripts." + exit 1 + fi + echo "Commit $SHA exists in software‑layer‑scripts." - - name: Verify commit is signed by GitHub’s web‑flow key + - name: Check that SHA is merged into the default branch working-directory: upstream-scripts - env: - GIT_TRACE: 1 # extra debug output if something goes wrong run: | SHA="${{ steps.read_sha.outputs.sha }}" - # Import the public key that GitHub uses for UI‑generated merges - echo "Importing GitHub web‑flow GPG key…" - curl -sSfL https://github.com/web-flow.gpg | gpg --dearmor > web-flow.gpg - gpg --import web-flow.gpg - # (optional) show the fingerprint for debugging - echo "Fingerprint of the web-flow GPG key:" - gpg --list-keys --fingerprint | grep -i "web-flow" -A1 + # Make sure we have the latest refs for the default branch + git remote set-head origin -a + git fetch origin main --depth=0 - # Verify the commit’s GPG signature - echo "Verifying the signature of commit $SHA…" - if git verify-commit "$SHA"; then - echo "Commit $SHA is signed and the signature validates with the web‑flow key." - echo "All verification steps succeeded." 
+ # git merge‑base --is‑ancestor returns 0 if $SHA is an ancestor of origin/main + if git merge-base --is-ancestor "$SHA" origin/main; then + echo "Commit $SHA is merged into origin/main." else - echo "Commit $SHA is either unsigned or not signed by the web‑flow key." + echo "Commit $SHA is NOT merged into origin/main." exit 1 fi + + - name: Verify commit is signed by GitHub’s web‑flow key + working-directory: upstream-scripts + env: + GIT_TRACE: 1 # extra debug output if something goes wrong + run: | + SHA="${{ steps.read_sha.outputs.sha }}" + + # Import the public key that GitHub uses for UI‑generated merges + echo "Importing GitHub web‑flow GPG key…" + curl -sSfL https://github.com/web-flow.gpg | gpg --dearmor > web-flow.gpg + gpg --import web-flow.gpg + # (optional) show the fingerprint for debugging + echo "Fingerprint of the web-flow GPG key:" + gpg --list-keys --fingerprint | grep -i "web-flow" -A1 + + # Verify the commit’s GPG signature + echo "Verifying the signature of commit $SHA…" + if git verify-commit "$SHA"; then + echo "Commit $SHA is signed and the signature validates with the web‑flow key." + echo "All verification steps succeeded." + else + echo "Commit $SHA is either unsigned or not signed by the web‑flow key." + exit 1 + fi From 219bef94d327248fa2414a1ce2e944ec44dfde43 Mon Sep 17 00:00:00 2001 From: Caspar van Leeuwen Date: Tue, 13 Jan 2026 17:33:33 +0100 Subject: [PATCH 04/20] Fix indent again --- .../test_software_layer_scripts_commit.yml | 122 +++++++++--------- 1 file changed, 61 insertions(+), 61 deletions(-) diff --git a/.github/workflows/test_software_layer_scripts_commit.yml b/.github/workflows/test_software_layer_scripts_commit.yml index 13e1ea5a53..edffee9e71 100644 --- a/.github/workflows/test_software_layer_scripts_commit.yml +++ b/.github/workflows/test_software_layer_scripts_commit.yml 
@@ -15,73 +15,73 @@ jobs: check_software_layer_scripts_commit: runs-on: ubuntu-24.04 steps: - - name: Check out software-layer repository (shallow) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 1 # We only need the current revision to read bot/commit_sha - - name: Checkout software-layer-scripts (full history) - uses: actions/checkout@v4 - with: - repository: EESSI/software-layer-scripts - path: upstream-scripts - fetch-depth: 0 # full history → required for ancestry checks + - name: Check out software-layer repository (shallow) + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 1 # We only need the current revision to read bot/commit_sha + - name: Checkout software-layer-scripts (full history) + uses: actions/checkout@v4 + with: + repository: EESSI/software-layer-scripts + path: upstream-scripts + fetch-depth: 0 # full history → required for ancestry checks - - name: Read commit SHA - id: read_sha - run: | - SHA=$(cat bot/commit_sha | tr -d '[:space:]') - echo "sha=$SHA" >> $GITHUB_OUTPUT - echo "Found SHA: $SHA" + - name: Read commit SHA + id: read_sha + run: | + SHA=$(cat bot/commit_sha | tr -d '[:space:]') + echo "sha=$SHA" >> $GITHUB_OUTPUT + echo "Found SHA: $SHA" - - name: Verify SHA exists in software‑layer‑scripts - working-directory: upstream-scripts - run: | - SHA="${{ steps.read_sha.outputs.sha }}" + - name: Verify SHA exists in software‑layer‑scripts + working-directory: upstream-scripts + run: | + SHA="${{ steps.read_sha.outputs.sha }}" - if ! git cat-file -e "${SHA}^{commit}" 2>/dev/null; then - echo "Commit $SHA not found in software‑layer‑scripts." - exit 1 - fi - echo "Commit $SHA exists in software‑layer‑scripts." + if ! git cat-file -e "${SHA}^{commit}" 2>/dev/null; then + echo "Commit $SHA not found in software‑layer‑scripts." + exit 1 + fi + echo "Commit $SHA exists in software‑layer‑scripts." 
- - name: Check that SHA is merged into the default branch - working-directory: upstream-scripts - run: | - SHA="${{ steps.read_sha.outputs.sha }}" + - name: Check that SHA is merged into the default branch + working-directory: upstream-scripts + run: | + SHA="${{ steps.read_sha.outputs.sha }}" - # Make sure we have the latest refs for the default branch - git remote set-head origin -a - git fetch origin main --depth=0 + # Make sure we have the latest refs for the default branch + git remote set-head origin -a + git fetch origin main --depth=0 - # git merge‑base --is‑ancestor returns 0 if $SHA is an ancestor of origin/main - if git merge-base --is-ancestor "$SHA" origin/main; then - echo "Commit $SHA is merged into origin/main." - else - echo "Commit $SHA is NOT merged into origin/main." - exit 1 - fi + # git merge‑base --is‑ancestor returns 0 if $SHA is an ancestor of origin/main + if git merge-base --is-ancestor "$SHA" origin/main; then + echo "Commit $SHA is merged into origin/main." + else + echo "Commit $SHA is NOT merged into origin/main." 
+ exit 1 + fi - - name: Verify commit is signed by GitHub’s web‑flow key - working-directory: upstream-scripts - env: - GIT_TRACE: 1 # extra debug output if something goes wrong - run: | - SHA="${{ steps.read_sha.outputs.sha }}" + - name: Verify commit is signed by GitHub’s web‑flow key + working-directory: upstream-scripts + env: + GIT_TRACE: 1 # extra debug output if something goes wrong + run: | + SHA="${{ steps.read_sha.outputs.sha }}" - # Import the public key that GitHub uses for UI‑generated merges - echo "Importing GitHub web‑flow GPG key…" - curl -sSfL https://github.com/web-flow.gpg | gpg --dearmor > web-flow.gpg - gpg --import web-flow.gpg - # (optional) show the fingerprint for debugging - echo "Fingerprint of the web-flow GPG key:" - gpg --list-keys --fingerprint | grep -i "web-flow" -A1 + # Import the public key that GitHub uses for UI‑generated merges + echo "Importing GitHub web‑flow GPG key…" + curl -sSfL https://github.com/web-flow.gpg | gpg --dearmor > web-flow.gpg + gpg --import web-flow.gpg + # (optional) show the fingerprint for debugging + echo "Fingerprint of the web-flow GPG key:" + gpg --list-keys --fingerprint | grep -i "web-flow" -A1 - # Verify the commit’s GPG signature - echo "Verifying the signature of commit $SHA…" - if git verify-commit "$SHA"; then - echo "Commit $SHA is signed and the signature validates with the web‑flow key." - echo "All verification steps succeeded." - else - echo "Commit $SHA is either unsigned or not signed by the web‑flow key." - exit 1 - fi + # Verify the commit’s GPG signature + echo "Verifying the signature of commit $SHA…" + if git verify-commit "$SHA"; then + echo "Commit $SHA is signed and the signature validates with the web‑flow key." + echo "All verification steps succeeded." + else + echo "Commit $SHA is either unsigned or not signed by the web‑flow key." + exit 1 + fi From 218e75fd3b8993257df6e0ffcc2deb584d9011d8 Mon Sep 17 00:00:00 2001 
From: Caspar van Leeuwen Date: Tue, 13 Jan 2026 17:44:00 +0100 Subject: [PATCH 05/20] Get rid of two unnecessary, and wrong commands --- .github/workflows/test_software_layer_scripts_commit.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/test_software_layer_scripts_commit.yml b/.github/workflows/test_software_layer_scripts_commit.yml index edffee9e71..510d1aa098 100644 --- a/.github/workflows/test_software_layer_scripts_commit.yml +++ b/.github/workflows/test_software_layer_scripts_commit.yml @@ -49,10 +49,6 @@ jobs: run: | SHA="${{ steps.read_sha.outputs.sha }}" - # Make sure we have the latest refs for the default branch - git remote set-head origin -a - git fetch origin main --depth=0 - # git merge‑base --is‑ancestor returns 0 if $SHA is an ancestor of origin/main if git merge-base --is-ancestor "$SHA" origin/main; then echo "Commit $SHA is merged into origin/main." From b8355bb69615a25864cff9b3e1a286b945f10001 Mon Sep 17 00:00:00 2001 From: Caspar van Leeuwen Date: Tue, 13 Jan 2026 17:49:36 +0100 Subject: [PATCH 06/20] Check that changing the commit_sha to an _unmerged_ commit creates a failure --- bot/commit_sha | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bot/commit_sha b/bot/commit_sha index 8712e74038..764609c31f 100644 --- a/bot/commit_sha +++ b/bot/commit_sha @@ -1 +1 @@ -f5c45bf7810eb83d2f13e7d94260772cbe5b484d +c0a3ff09a3a38737af5a922fdf581aa7b2dd6c88 From f9d1b7d1fc718c846a4f61455f0e738b002cddba Mon Sep 17 00:00:00 2001 From: Caspar van Leeuwen Date: Tue, 13 Jan 2026 18:40:36 +0100 Subject: [PATCH 07/20] Checkout the required github --- .github/workflows/test_software_layer_scripts_commit.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/test_software_layer_scripts_commit.yml b/.github/workflows/test_software_layer_scripts_commit.yml index 510d1aa098..c47f2ef0a0 100644 --- a/.github/workflows/test_software_layer_scripts_commit.yml 
+++ b/.github/workflows/test_software_layer_scripts_commit.yml @@ -38,6 +38,10 @@ jobs: run: | SHA="${{ steps.read_sha.outputs.sha }}" + echo "Checking out commit ${SHA} from software-layer-scripts" + git fetch --depth=1 origin ${SHA} + git checkout --detach ${SHA} + if ! git cat-file -e "${SHA}^{commit}" 2>/dev/null; then echo "Commit $SHA not found in software‑layer‑scripts." exit 1 From 2cd6082e626c2ee6f4f4b3c51da0bc0e252b6e95 Mon Sep 17 00:00:00 2001 From: Caspar van Leeuwen Date: Tue, 13 Jan 2026 18:41:04 +0100 Subject: [PATCH 08/20] Add comment --- .github/workflows/test_software_layer_scripts_commit.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test_software_layer_scripts_commit.yml b/.github/workflows/test_software_layer_scripts_commit.yml index c47f2ef0a0..b2130c95a5 100644 --- a/.github/workflows/test_software_layer_scripts_commit.yml +++ b/.github/workflows/test_software_layer_scripts_commit.yml @@ -42,6 +42,7 @@ jobs: git fetch --depth=1 origin ${SHA} git checkout --detach ${SHA} + # Validate that this object is _actually_ a commit if ! git cat-file -e "${SHA}^{commit}" 2>/dev/null; then echo "Commit $SHA not found in software‑layer‑scripts." exit 1 From 6d954c43e664f07d91488c77b1c381b81abde20a Mon Sep 17 00:00:00 2001 From: Caspar van Leeuwen Date: Wed, 14 Jan 2026 16:26:58 +0100 Subject: [PATCH 09/20] Replace commit_sha by an actual signed merge commit to prove that the CI then passes --- bot/commit_sha | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bot/commit_sha b/bot/commit_sha index 764609c31f..8712e74038 100644 --- a/bot/commit_sha +++ b/bot/commit_sha @@ -1 +1 @@ -c0a3ff09a3a38737af5a922fdf581aa7b2dd6c88 +f5c45bf7810eb83d2f13e7d94260772cbe5b484d From 36f7541a75cdbadcfafeed433f7ef6aadf0359bc Mon Sep 17 00:00:00 2001 
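Review bot: The added `git fetch --depth=1 origin ${SHA}` and `git checkout --detach ${SHA}` run before the `git cat-file -e` test, so when the SHA cannot be fetched the step stops at the fetch (GitHub runs `run:` scripts with `bash -e` by default) and the "Commit $SHA not found" message is never printed. Once the fetch has succeeded the object is present by construction, so the existence test no longer distinguishes anything, and a server that hands out objects by SHA may serve commits that sit on no branch of software-layer-scripts; only the later `git merge-base --is-ancestor` step decides whether the commit is acceptable. I would either drop the fetch and test against the full-history clone made by the checkout step, or keep it as `git fetch --depth=1 origin "${SHA}" || { echo "Commit $SHA not found in software-layer-scripts."; exit 1; }` and rename the step so it reads as a fetchability check. The step's `run:` block starts above the hunk.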
From: Caspar van Leeuwen
Date: Mon, 19 Jan 2026 15:09:44 +0100
Subject: [PATCH 10/20] Test that the bot/build.sh script is unchanged
---
.../workflows/test_unchanged_bot_build.yml | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 .github/workflows/test_unchanged_bot_build.yml
diff --git a/.github/workflows/test_unchanged_bot_build.yml b/.github/workflows/test_unchanged_bot_build.yml
new file mode 100644
index 0000000000..4594e3e8fe
--- /dev/null
+++ b/.github/workflows/test_unchanged_bot_build.yml
@@ -0,0 +1,46 @@
+# documentation: https://help.github.com/en/articles/workflow-syntax-for-github-actions
+# This workflow verifies that bot/build.sh was unchanged, as a change could mean a security risk
+# (e.g. if a PR clones an fork of software-layer-scripts instead, anything could happen)
+# If the bot/build.sh _actually_ needs updating, then the reference checksum for that file needs to
+# be updated as well - and that stands out to a reviewer, making it harder to do without a reviewer
+# noticiing.
+name: Verify bot/build.sh was unchanged
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ workflow_dispatch:
+permissions:
+ contents: read # to fetch code (actions/checkout)
+env:
+ # UPDATE THIS CHECKSUM IF AND ONLY IF WE ACTUALLY WANT TO CHANGE bot/build.sh
+ EXPECTED_CHECKSUM: "9d33368cac2e38e10147eeb0aafc321651ebaa5912387ecef97683570906773a"
+jobs:
+ check_software_layer_scripts_commit:
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Check out software-layer repository (shallow)
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ fetch-depth: 1 # We only need the current revision to read bot/commit_sha
+
+ - name: Compute bot/build.sh checksum and verify it
+ run: |
+ # Print clear error if file doesn't exist at all
+ if [[ ! -f bot/build.sh ]]; then
+ echo "ERROR: File bot/build.sh not found!"
+ exit 1
+ fi
+
+ # Compute checksum
+ COMPUTED_CHECKSUM=$(sha256sum bot/build.sh | awk '{print $1}')
+ echo "Computed checksum: $COMPUTED_CHECKSUM"
+ echo "Reference checksum: $EXPECTED_CHECKSUM"
+
+ # Compare checksums
+ if [["$COMPUTED_CHECKSUM" != "$EXPECTED_CHECKSUM" ]]; then
+ echo "ERROR: Checksum mismatch! The file bot/build.sh has been modified."
+ exit 1
+ else
+ echo "Checksum for bot/build.sh matches the reference value"
+ fi
From f1fdcca4f48676bc7dff844811403d8ac5a4c090 Mon Sep 17 00:00:00 2001
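Review bot: The checksum comparison fails open: `if [["$COMPUTED_CHECKSUM" != "$EXPECTED_CHECKSUM" ]]; then` has no space after `[[`, so bash looks for a command of that name, the condition is false, and the `else` branch reports a match for any content of bot/build.sh. [PATCH 12/20] restores the space, but the shape stays fragile because any error in the condition still lands in the success branch; testing for equality and failing otherwise closes that, `if [[ "$COMPUTED_CHECKSUM" == "$EXPECTED_CHECKSUM" ]]; then echo "Checksum for bot/build.sh matches the reference value"; else echo "ERROR: Checksum mismatch!"; exit 1; fi`. The header comment should also say that on `pull_request` the workflow file and the reference checksum come from the same change as bot/build.sh, so the check makes an edit visible to reviewers but does not block one. The `fetch-depth` comment still mentions bot/commit_sha although this job reads bot/build.sh.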
From: Caspar van Leeuwen Date: Mon, 19 Jan 2026 15:12:19 +0100 Subject: [PATCH 11/20] Try to see if CI now fails, as intended --- bot/build.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bot/build.sh b/bot/build.sh index dc962d8a9d..e315998806 100755 --- a/bot/build.sh +++ b/bot/build.sh @@ -31,3 +31,5 @@ done # call out to bot/build.sh script from software-layer-scripts software-layer-scripts/bot/build.sh + +# INSERT BOGUS COMMENT From c4b1f9aea1ff9b8aa3c1ef97d79280860b2867d5 Mon Sep 17 00:00:00 2001 From: Caspar van Leeuwen Date: Mon, 19 Jan 2026 15:15:36 +0100 Subject: [PATCH 12/20] Correct missing space in bash logic - see if the workflow now fails (it should) --- .github/workflows/test_unchanged_bot_build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test_unchanged_bot_build.yml b/.github/workflows/test_unchanged_bot_build.yml index 4594e3e8fe..5905b7ee8f 100644 --- a/.github/workflows/test_unchanged_bot_build.yml +++ b/.github/workflows/test_unchanged_bot_build.yml @@ -38,7 +38,7 @@ jobs: echo "Reference checksum: $EXPECTED_CHECKSUM" # Compare checksums - if [["$COMPUTED_CHECKSUM" != "$EXPECTED_CHECKSUM" ]]; then + if [[ "$COMPUTED_CHECKSUM" != "$EXPECTED_CHECKSUM" ]]; then echo "ERROR: Checksum mismatch! The file bot/build.sh has been modified." exit 1 else From 0494884e3a333db43941d97ec1f3ab95391d78eb Mon Sep 17 00:00:00 2001 From: Caspar van Leeuwen Date: Mon, 19 Jan 2026 15:17:18 +0100 Subject: [PATCH 13/20] Undo dummy change to see if CI passes again --- bot/build.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/bot/build.sh b/bot/build.sh index e315998806..dc962d8a9d 100755 --- a/bot/build.sh +++ b/bot/build.sh @@ -31,5 +31,3 @@ done # call out to bot/build.sh script from software-layer-scripts software-layer-scripts/bot/build.sh - -# INSERT BOGUS COMMENT From 1530fca86ed0b612f05dcb0c9f3ce02b9965c299 Mon Sep 17 00:00:00 2001 
From: Caspar van Leeuwen Date: Mon, 19 Jan 2026 15:22:04 +0100 Subject: [PATCH 14/20] Rename the CI --- .github/workflows/test_unchanged_bot_build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test_unchanged_bot_build.yml b/.github/workflows/test_unchanged_bot_build.yml index 5905b7ee8f..171e65f042 100644 --- a/.github/workflows/test_unchanged_bot_build.yml +++ b/.github/workflows/test_unchanged_bot_build.yml @@ -16,7 +16,7 @@ env: # UPDATE THIS CHECKSUM IF AND ONLY IF WE ACTUALLY WANT TO CHANGE bot/build.sh EXPECTED_CHECKSUM: "9d33368cac2e38e10147eeb0aafc321651ebaa5912387ecef97683570906773a" jobs: - check_software_layer_scripts_commit: + check_bot_build_checksum: runs-on: ubuntu-24.04 steps: - name: Check out software-layer repository (shallow) From cc187336e70b892f80fe469b3e7c050f2757e497 Mon Sep 17 00:00:00 2001 From: Caspar van Leeuwen Date: Mon, 19 Jan 2026 15:30:05 +0100 Subject: [PATCH 15/20] Merge into a single workflow file --- ...it.yml => test_software_layer_scripts.yml} | 0 .../workflows/test_unchanged_bot_build.yml | 46 ------------------- 2 files changed, 46 deletions(-) rename .github/workflows/{test_software_layer_scripts_commit.yml => test_software_layer_scripts.yml} (100%) delete mode 100644 .github/workflows/test_unchanged_bot_build.yml diff --git a/.github/workflows/test_software_layer_scripts_commit.yml b/.github/workflows/test_software_layer_scripts.yml similarity index 100% rename from .github/workflows/test_software_layer_scripts_commit.yml rename to .github/workflows/test_software_layer_scripts.yml diff --git a/.github/workflows/test_unchanged_bot_build.yml b/.github/workflows/test_unchanged_bot_build.yml deleted file mode 100644 index 171e65f042..0000000000 --- a/.github/workflows/test_unchanged_bot_build.yml +++ /dev/null 
@@ -1,46 +0,0 @@ -# documentation: https://help.github.com/en/articles/workflow-syntax-for-github-actions -# This workflow verifies that bot/build.sh was unchanged, as a change could mean a security risk -# (e.g. if a PR clones an fork of software-layer-scripts instead, anything could happen) -# If the bot/build.sh _actually_ needs updating, then the reference checksum for that file needs to -# be updated as well - and that stands out to a reviewer, making it harder to do without a reviewer -# noticiing. -name: Verify bot/build.sh was unchanged -on: - push: - branches: [ "main" ] - pull_request: - workflow_dispatch: -permissions: - contents: read # to fetch code (actions/checkout) -env: - # UPDATE THIS CHECKSUM IF AND ONLY IF WE ACTUALLY WANT TO CHANGE bot/build.sh - EXPECTED_CHECKSUM: "9d33368cac2e38e10147eeb0aafc321651ebaa5912387ecef97683570906773a" -jobs: - check_bot_build_checksum: - runs-on: ubuntu-24.04 - steps: - - name: Check out software-layer repository (shallow) - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 1 # We only need the current revision to read bot/commit_sha - - - name: Compute bot/build.sh checksum and verify it - run: | - # Print clear error if file doesn't exist at all - if [[ ! -f bot/build.sh ]]; then - echo "ERROR: File bot/build.sh not found!" - exit 1 - fi - - # Compute checksum - COMPUTED_CHECKSUM=$(sha256sum bot/build.sh | awk '{print $1}') - echo "Computed checksum: $COMPUTED_CHECKSUM" - echo "Reference checksum: $EXPECTED_CHECKSUM" - - # Compare checksums - if [[ "$COMPUTED_CHECKSUM" != "$EXPECTED_CHECKSUM" ]]; then - echo "ERROR: Checksum mismatch! The file bot/build.sh has been modified." - exit 1 - else - echo "Checksum for bot/build.sh matches the reference value" - fi From 77167ac9121dc04281d0fda77d96ae437d31d11a Mon Sep 17 00:00:00 2001 
From: Caspar van Leeuwen Date: Mon, 19 Jan 2026 15:44:09 +0100 Subject: [PATCH 16/20] See if the bot/build.sh checksum test runs this way... --- .../workflows/test_software_layer_scripts.yml | 167 +++++++++++------- 1 file changed, 103 insertions(+), 64 deletions(-) diff --git a/.github/workflows/test_software_layer_scripts.yml b/.github/workflows/test_software_layer_scripts.yml index b2130c95a5..829f250f7e 100644 --- a/.github/workflows/test_software_layer_scripts.yml +++ b/.github/workflows/test_software_layer_scripts.yml @@ -1,9 +1,16 @@ # documentation: https://help.github.com/en/articles/workflow-syntax-for-github-actions -# This workflow verifies that the software-layer-scripts commit used in bot/commit_sha is -# a merge-commit for a merge into the default branch of software-layer-scripts. -# This guarantees that everything that is associated with that commit was approved by a reviewer -# (and deployed, if needed) -name: Verify software-layer-scripts commit +# +# This workflow verifies that the correct version of software-layer-scripts is used. +# +# First, check_bot_build_checksums checks if the bot/build.sh code that clones software-layer-scripts is untouched, +# as this normally shouldn't change (a change could mean a contributor is trying to inject something +# malicious). Having this CI means that a change in bot/build.sh should at least be accompanied by +# a change in this CI, making it stand out to reviewers and increasing the likelihood of this being caught. +# +# Second, check-software_layer_scripts_commit checks if the commit used in bot/commit_sha is a merge-commit for a +# merge into the default branch of software-layer-scripts. This guarantees that everything that is associated with +# that commit was approved by a reviewer (and deployed, if needed) +name: Verify software-layer-scripts on: push: branches: [ "main" ] 
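Review bot: The new header comment names the jobs as `check_bot_build_checksums` and `check-software_layer_scripts_commit`, but the job id added further down is `check_bot_build_checksum`, and the ids in this file are otherwise written with underscores only. Since the comment is what tells a reviewer which job guards what, I would spell both names exactly as the job ids so they can be found by search. The comment could also state plainly that a change to bot/build.sh requires updating `EXPECTED_CHECKSUM` in this file, which is the mechanism the paragraph describes.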
@@ -12,77 +19,109 @@ on: permissions: contents: read # to fetch code (actions/checkout) jobs: - check_software_layer_scripts_commit: + check_bot_build_checksum: runs-on: ubuntu-24.04 steps: - name: Check out software-layer repository (shallow) uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 1 # We only need the current revision to read bot/commit_sha - - name: Checkout software-layer-scripts (full history) - uses: actions/checkout@v4 - with: - repository: EESSI/software-layer-scripts - path: upstream-scripts - fetch-depth: 0 # full history → required for ancestry checks - - - name: Read commit SHA - id: read_sha - run: | - SHA=$(cat bot/commit_sha | tr -d '[:space:]') - echo "sha=$SHA" >> $GITHUB_OUTPUT - echo "Found SHA: $SHA" - - - name: Verify SHA exists in software‑layer‑scripts - working-directory: upstream-scripts - run: | - SHA="${{ steps.read_sha.outputs.sha }}" - - echo "Checking out commit ${SHA} from software-layer-scripts" - git fetch --depth=1 origin ${SHA} - git checkout --detach ${SHA} - - # Validate that this object is _actually_ a commit - if ! git cat-file -e "${SHA}^{commit}" 2>/dev/null; then - echo "Commit $SHA not found in software‑layer‑scripts." - exit 1 - fi - echo "Commit $SHA exists in software‑layer‑scripts." - - name: Check that SHA is merged into the default branch - working-directory: upstream-scripts + - name: Compute bot/build.sh checksum and verify it run: | - SHA="${{ steps.read_sha.outputs.sha }}" - - # git merge‑base --is‑ancestor returns 0 if $SHA is an ancestor of origin/main - if git merge-base --is-ancestor "$SHA" origin/main; then - echo "Commit $SHA is merged into origin/main." - else - echo "Commit $SHA is NOT merged into origin/main." + # Print clear error if file doesn't exist at all + if [[ ! -f bot/build.sh ]]; then + echo "ERROR: File bot/build.sh not found!" 
exit 1 fi - - name: Verify commit is signed by GitHub’s web‑flow key - working-directory: upstream-scripts - env: - GIT_TRACE: 1 # extra debug output if something goes wrong - run: | - SHA="${{ steps.read_sha.outputs.sha }}" + # Reference checksum + # UPDATE THIS CHECKSUM IF AND ONLY IF WE ACTUALLY WANT TO CHANGE bot/build.sh + EXPECTED_CHECKSUM="9d33368cac2e38e10147eeb0aafc321651ebaa5912387ecef97683570906773a" - # Import the public key that GitHub uses for UI‑generated merges - echo "Importing GitHub web‑flow GPG key…" - curl -sSfL https://github.com/web-flow.gpg | gpg --dearmor > web-flow.gpg - gpg --import web-flow.gpg - # (optional) show the fingerprint for debugging - echo "Fingerprint of the web-flow GPG key:" - gpg --list-keys --fingerprint | grep -i "web-flow" -A1 + # Compute checksum + COMPUTED_CHECKSUM=$(sha256sum bot/build.sh | awk '{print $1}') + echo "Computed checksum: $COMPUTED_CHECKSUM" + echo "Reference checksum: $EXPECTED_CHECKSUM" - # Verify the commit’s GPG signature - echo "Verifying the signature of commit $SHA…" - if git verify-commit "$SHA"; then - echo "Commit $SHA is signed and the signature validates with the web‑flow key." - echo "All verification steps succeeded." - else - echo "Commit $SHA is either unsigned or not signed by the web‑flow key." + # Compare checksums + if [[ "$COMPUTED_CHECKSUM" != "$EXPECTED_CHECKSUM" ]]; then + echo "ERROR: Checksum mismatch! The file bot/build.sh has been modified." 
exit 1 + else + echo "Checksum for bot/build.sh matches the reference value" fi +# check_software_layer_scripts_commit: +# runs-on: ubuntu-24.04 +# steps: +# - name: Check out software-layer repository (shallow) +# uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 +# with: +# fetch-depth: 1 # We only need the current revision to read bot/commit_sha +# - name: Checkout software-layer-scripts (full history) +# uses: actions/checkout@v4 +# with: +# repository: EESSI/software-layer-scripts +# path: upstream-scripts +# fetch-depth: 0 # full history → required for ancestry checks +# +# - name: Read commit SHA +# id: read_sha +# run: | +# SHA=$(cat bot/commit_sha | tr -d '[:space:]') +# echo "sha=$SHA" >> $GITHUB_OUTPUT +# echo "Found SHA: $SHA" +# +# - name: Verify SHA exists in software‑layer‑scripts +# working-directory: upstream-scripts +# run: | +# SHA="${{ steps.read_sha.outputs.sha }}" +# +# echo "Checking out commit ${SHA} from software-layer-scripts" +# git fetch --depth=1 origin ${SHA} +# git checkout --detach ${SHA} +# +# # Validate that this object is _actually_ a commit +# if ! git cat-file -e "${SHA}^{commit}" 2>/dev/null; then +# echo "Commit $SHA not found in software‑layer‑scripts." +# exit 1 +# fi +# echo "Commit $SHA exists in software‑layer‑scripts." +# +# - name: Check that SHA is merged into the default branch +# working-directory: upstream-scripts +# run: | +# SHA="${{ steps.read_sha.outputs.sha }}" +# +# # git merge‑base --is‑ancestor returns 0 if $SHA is an ancestor of origin/main +# if git merge-base --is-ancestor "$SHA" origin/main; then +# echo "Commit $SHA is merged into origin/main." +# else +# echo "Commit $SHA is NOT merged into origin/main." 
+# exit 1 +# fi +# +# - name: Verify commit is signed by GitHub’s web‑flow key +# working-directory: upstream-scripts +# env: +# GIT_TRACE: 1 # extra debug output if something goes wrong +# run: | +# SHA="${{ steps.read_sha.outputs.sha }}" +# +# # Import the public key that GitHub uses for UI‑generated merges +# echo "Importing GitHub web‑flow GPG key…" +# curl -sSfL https://github.com/web-flow.gpg | gpg --dearmor > web-flow.gpg +# gpg --import web-flow.gpg +# # (optional) show the fingerprint for debugging +# echo "Fingerprint of the web-flow GPG key:" +# gpg --list-keys --fingerprint | grep -i "web-flow" -A1 +# +# # Verify the commit’s GPG signature +# echo "Verifying the signature of commit $SHA…" +# if git verify-commit "$SHA"; then +# echo "Commit $SHA is signed and the signature validates with the web‑flow key." +# echo "All verification steps succeeded." +# else +# echo "Commit $SHA is either unsigned or not signed by the web‑flow key." +# exit 1 +# fi From bce9bbc441c22aaf3eefaf4996df8285d649cb0b Mon Sep 17 00:00:00 2001 From: Caspar van Leeuwen Date: Mon, 19 Jan 2026 15:45:02 +0100 Subject: [PATCH 17/20] See if the bot/build.sh checksum test still runs after uncommenting --- .../workflows/test_software_layer_scripts.yml | 148 +++++++++--------- 1 file changed, 74 insertions(+), 74 deletions(-) diff --git a/.github/workflows/test_software_layer_scripts.yml b/.github/workflows/test_software_layer_scripts.yml index 829f250f7e..6d62a892fe 100644 --- a/.github/workflows/test_software_layer_scripts.yml +++ b/.github/workflows/test_software_layer_scripts.yml 
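Review bot: `EXPECTED_CHECKSUM` is now assigned inside the `run:` script of the same workflow file that a pull request can edit, and, assuming the `pull_request:` trigger of the original workflow is still in place, the workflow definition is taken from the pull request's merge ref, so a PR that edits bot/build.sh can update the reference value in the same change and this job passes. The check therefore only protects if edits under `.github/workflows/` are themselves reliably reviewed; I would say so next to the constant, e.g. `# NOTE: this value can be changed in the same PR as bot/build.sh; review any diff touching this line as a change to the build entry point`, and consider requiring code-owner review for this path. The comparison could use the tool's own verifier, `echo "${EXPECTED_CHECKSUM}  bot/build.sh" | sha256sum --check --strict`, instead of parsing the output with awk. The hunk also comments out the whole `check_software_layer_scripts_commit` job; a later patch in this series restores it, but this commit on its own leaves the bot/commit_sha verification disabled.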
@@ -51,77 +51,77 @@ jobs:
 else
 echo "Checksum for bot/build.sh matches the reference value"
 fi
-# check_software_layer_scripts_commit:
-# runs-on: ubuntu-24.04
-# steps:
-# - name: Check out software-layer repository (shallow)
-# uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-# with:
-# fetch-depth: 1 # We only need the current revision to read bot/commit_sha
-# - name: Checkout software-layer-scripts (full history)
-# uses: actions/checkout@v4
-# with:
-# repository: EESSI/software-layer-scripts
-# path: upstream-scripts
-# fetch-depth: 0 # full history → required for ancestry checks
-#
-# - name: Read commit SHA
-# id: read_sha
-# run: |
-# SHA=$(cat bot/commit_sha | tr -d '[:space:]')
-# echo "sha=$SHA" >> $GITHUB_OUTPUT
-# echo "Found SHA: $SHA"
-#
-# - name: Verify SHA exists in software‑layer‑scripts
-# working-directory: upstream-scripts
-# run: |
-# SHA="${{ steps.read_sha.outputs.sha }}"
-#
-# echo "Checking out commit ${SHA} from software-layer-scripts"
-# git fetch --depth=1 origin ${SHA}
-# git checkout --detach ${SHA}
-#
-# # Validate that this object is _actually_ a commit
-# if ! git cat-file -e "${SHA}^{commit}" 2>/dev/null; then
-# echo "Commit $SHA not found in software‑layer‑scripts."
-# exit 1
-# fi
-# echo "Commit $SHA exists in software‑layer‑scripts."
-#
-# - name: Check that SHA is merged into the default branch
-# working-directory: upstream-scripts
-# run: |
-# SHA="${{ steps.read_sha.outputs.sha }}"
-#
-# # git merge‑base --is‑ancestor returns 0 if $SHA is an ancestor of origin/main
-# if git merge-base --is-ancestor "$SHA" origin/main; then
-# echo "Commit $SHA is merged into origin/main."
-# else
-# echo "Commit $SHA is NOT merged into origin/main."
-# exit 1
-# fi
-#
-# - name: Verify commit is signed by GitHub’s web‑flow key
-# working-directory: upstream-scripts
-# env:
-# GIT_TRACE: 1 # extra debug output if something goes wrong
-# run: |
-# SHA="${{ steps.read_sha.outputs.sha }}"
-#
-# # Import the public key that GitHub uses for UI‑generated merges
-# echo "Importing GitHub web‑flow GPG key…"
-# curl -sSfL https://github.com/web-flow.gpg | gpg --dearmor > web-flow.gpg
-# gpg --import web-flow.gpg
-# # (optional) show the fingerprint for debugging
-# echo "Fingerprint of the web-flow GPG key:"
-# gpg --list-keys --fingerprint | grep -i "web-flow" -A1
-#
-# # Verify the commit’s GPG signature
-# echo "Verifying the signature of commit $SHA…"
-# if git verify-commit "$SHA"; then
-# echo "Commit $SHA is signed and the signature validates with the web‑flow key."
-# echo "All verification steps succeeded."
-# else
-# echo "Commit $SHA is either unsigned or not signed by the web‑flow key."
-# exit 1
-# fi
+ check_software_layer_scripts_commit:
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Check out software-layer repository (shallow)
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ fetch-depth: 1 # We only need the current revision to read bot/commit_sha
+ - name: Checkout software-layer-scripts (full history)
+ uses: actions/checkout@v4
+ with:
+ repository: EESSI/software-layer-scripts
+ path: upstream-scripts
+ fetch-depth: 0 # full history → required for ancestry checks
+
+ - name: Read commit SHA
+ id: read_sha
+ run: |
+ SHA=$(cat bot/commit_sha | tr -d '[:space:]')
+ echo "sha=$SHA" >> $GITHUB_OUTPUT
+ echo "Found SHA: $SHA"
+
+ - name: Verify SHA exists in software‑layer‑scripts
+ working-directory: upstream-scripts
+ run: |
+ SHA="${{ steps.read_sha.outputs.sha }}"
+
+ echo "Checking out commit ${SHA} from software-layer-scripts"
+ git fetch --depth=1 origin ${SHA}
+ git checkout --detach ${SHA}
+
+ # Validate that this object is _actually_ a commit
+ if ! git cat-file -e "${SHA}^{commit}" 2>/dev/null; then
+ echo "Commit $SHA not found in software‑layer‑scripts."
+ exit 1
+ fi
+ echo "Commit $SHA exists in software‑layer‑scripts."
+
+ - name: Check that SHA is merged into the default branch
+ working-directory: upstream-scripts
+ run: |
+ SHA="${{ steps.read_sha.outputs.sha }}"
+
+ # git merge‑base --is‑ancestor returns 0 if $SHA is an ancestor of origin/main
+ if git merge-base --is-ancestor "$SHA" origin/main; then
+ echo "Commit $SHA is merged into origin/main."
+ else
+ echo "Commit $SHA is NOT merged into origin/main."
+ exit 1
+ fi
+
+ - name: Verify commit is signed by GitHub’s web‑flow key
+ working-directory: upstream-scripts
+ env:
+ GIT_TRACE: 1 # extra debug output if something goes wrong
+ run: |
+ SHA="${{ steps.read_sha.outputs.sha }}"
+
+ # Import the public key that GitHub uses for UI‑generated merges
+ echo "Importing GitHub web‑flow GPG key…"
+ curl -sSfL https://github.com/web-flow.gpg | gpg --dearmor > web-flow.gpg
+ gpg --import web-flow.gpg
+ # (optional) show the fingerprint for debugging
+ echo "Fingerprint of the web-flow GPG key:"
+ gpg --list-keys --fingerprint | grep -i "web-flow" -A1
+
+ # Verify the commit’s GPG signature
+ echo "Verifying the signature of commit $SHA…"
+ if git verify-commit "$SHA"; then
+ echo "Commit $SHA is signed and the signature validates with the web‑flow key."
+ echo "All verification steps succeeded."
+ else
+ echo "Commit $SHA is either unsigned or not signed by the web‑flow key."
+ exit 1
+ fi
From bee1d296ce80f8ba3a8ae3e94cc304cac09f2879 Mon Sep 17 00:00:00 2001
From: Caspar van Leeuwen
Date: Mon, 19 Jan 2026 15:49:08 +0100
Subject: [PATCH 18/20] Change sha checksum to see if this causes CI to fail (as expected)
---
 bot/commit_sha | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bot/commit_sha b/bot/commit_sha
index 8712e74038..764609c31f 100644
--- a/bot/commit_sha
+++ b/bot/commit_sha
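Review bot: The contents of bot/commit_sha reach three `run:` scripts through `${{ steps.read_sha.outputs.sha }}`, which is expanded into the script text before bash parses it, and the only sanitising in `Read commit SHA` is `tr -d '[:space:]'`; because a pull request controls that file, the value is treated as shell source rather than as data. I would reject anything that is not a 40-character hexadecimal id in the read step, hand the value to the later steps through `env:` instead of expression interpolation, and quote `${SHA}` in `git fetch` and `git checkout`. Separately, the second checkout uses the mutable tag `actions/checkout@v4` while the first is pinned to a commit, so both should be pinned the same way. The web-flow key is downloaded at run time and its fingerprint is only printed; comparing it with a fingerprint recorded in the workflow would tie `git verify-commit` to a known key.

```yaml
      - name: Read commit SHA
        # … unchanged: id: read_sha …
        run: |
          SHA=$(tr -d '[:space:]' < bot/commit_sha)
          # Accept only a full hexadecimal commit id before the value is used anywhere else
          if [[ ! "$SHA" =~ ^[0-9a-f]{40}$ ]]; then
            echo "bot/commit_sha does not contain a 40-character hexadecimal commit id"
            exit 1
          fi
          echo "sha=$SHA" >> "$GITHUB_OUTPUT"
          # … unchanged: "Found SHA" message …

      - name: Verify SHA exists in software‑layer‑scripts
        working-directory: upstream-scripts
        env:
          SHA: ${{ steps.read_sha.outputs.sha }}  # passed as data, not spliced into the script
        run: |
          # … unchanged: "Checking out commit" message …
          git fetch --depth=1 origin "${SHA}"
          git checkout --detach "${SHA}"
          # … unchanged: git cat-file commit check …
      # … the two following steps receive SHA through env: in the same way; their scripts are otherwise unchanged …
```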
@@ -1 +1 @@ -f5c45bf7810eb83d2f13e7d94260772cbe5b484d +c0a3ff09a3a38737af5a922fdf581aa7b2dd6c88 From 2c752d213596987ff56cb2e49834bf63e935c758 Mon Sep 17 00:00:00 2001 From: Caspar van Leeuwen Date: Mon, 19 Jan 2026 15:52:25 +0100 Subject: [PATCH 19/20] Change SHA to an actual merge commit and change bot/build.sh to see if this causes the associated CI job to fail --- bot/build.sh | 2 ++ bot/commit_sha | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/bot/build.sh b/bot/build.sh index dc962d8a9d..1c49c31726 100755 --- a/bot/build.sh +++ b/bot/build.sh @@ -31,3 +31,5 @@ done # call out to bot/build.sh script from software-layer-scripts software-layer-scripts/bot/build.sh + +# BOGUS COMMENT TO TEST CI diff --git a/bot/commit_sha b/bot/commit_sha index 764609c31f..8712e74038 100644 --- a/bot/commit_sha +++ b/bot/commit_sha @@ -1 +1 @@ -c0a3ff09a3a38737af5a922fdf581aa7b2dd6c88 +f5c45bf7810eb83d2f13e7d94260772cbe5b484d From 6d2714e3230fd31e08e13eb8b601d96734029d9b Mon Sep 17 00:00:00 2001 From: Caspar van Leeuwen Date: Mon, 19 Jan 2026 15:54:25 +0100 Subject: [PATCH 20/20] Change bot/build.sh back to the intended content so that all CI should pass again --- bot/build.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/bot/build.sh b/bot/build.sh index 1c49c31726..dc962d8a9d 100755 --- a/bot/build.sh +++ b/bot/build.sh @@ -31,5 +31,3 @@ done # call out to bot/build.sh script from software-layer-scripts software-layer-scripts/bot/build.sh - -# BOGUS COMMENT TO TEST CI