authorNeal H. Walfield <neal@pep.foundation>2023-10-26 10:16:41 +0200
committerNeal H. Walfield <neal@pep.foundation>2023-10-26 11:36:11 +0200
commitc32e574b621ec34c23876101f6ec55c3fe5312b8 (patch)
tree1fd8da79af8b5a6821968261a77621cdca59c460
parent18dd64b9548ad151fdfa0ec8f67927549a08f281 (diff)
ci: Add a job to authenticate the commits
- Add a job to authenticate the commits using sequoia-git.
-rw-r--r--.gitlab-ci.yml20
1 files changed, 20 insertions, 0 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 2a05b371..87f99737 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -270,6 +270,26 @@ windows-msvc32-cng:
variables:
CFLAGS: "" # Silence some C warnings when compiling with MSVC
+authenticate-commits:
+ stage: test
+ interruptible: true
+ image: registry.gitlab.com/sequoia-pgp/sequoia-git:latest
+ before_script: []
+ script:
+ - sq-git policy describe
+ - /usr/sbin/gitlab.sh # Script baked-in to image
+ after_script: []
+ rules:
+ # Run whenever the non-default branch is updated. Note, we only
+ # run for "push" events otherwise the job would also be triggered
+ # for merge requests, which would result in the job running twice.
+ #
+ # TODO: We currently only authenticate the changes on non-merged
+ # branches where we use the default branch as the trust root. For
+ # the default branch, the project needs to set an explicit trust
+ # root.
+ - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
+
variables:
DEBIAN_FRONTEND: noninteractive
CARGO_HOME: $CI_PROJECT_DIR/../cargo
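Review bot: The `image:` line of the new `authenticate-commits` job pulls `registry.gitlab.com/sequoia-pgp/sequoia-git:latest`, a mutable tag, so the `sq-git` binary and the baked-in `/usr/sbin/gitlab.sh` that decide whether commits are authentic can change without any change in this repository. Because this job is itself an integrity gate, pin the image by digest and bump it deliberately, e.g. `image: registry.gitlab.com/sequoia-pgp/sequoia-git@sha256:<IMAGE_DIGEST_PLACEHOLDER>`. Separately, the check needs history back to the default-branch trust root, and what `gitlab.sh` fetches is not visible here; if the runner uses a shallow clone, the job may need a `variables:` entry with `GIT_DEPTH: 0`. A short comment above `script:` saying that the job must fail closed (no `allow_failure`) would guard against later edits weakening it.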