From c32e574b621ec34c23876101f6ec55c3fe5312b8 Mon Sep 17 00:00:00 2001
From: "Neal H. Walfield" <neal@pep.foundation>
Date: Thu, 26 Oct 2023 10:16:41 +0200
Subject: ci: Add a job to authenticate the commits

  - Add a job to authenticate the commits using sequoia-git.
---
 .gitlab-ci.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 2a05b371..87f99737 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -270,6 +270,26 @@ windows-msvc32-cng:
   variables:
     CFLAGS: "" # Silence some C warnings when compiling with MSVC
 
+authenticate-commits:
+  stage: test
+  interruptible: true
+  image: registry.gitlab.com/sequoia-pgp/sequoia-git:latest
+  before_script: []
+  script:
+    - sq-git policy describe
+    - /usr/sbin/gitlab.sh # Script baked-in to image
+  after_script: []
+  rules:
+    # Run whenever the non-default branch is updated.  Note, we only
+    # run for "push" events otherwise the job would also be triggered
+    # for merge requests, which would result in the job running twice.
+    #
+    # TODO: We currently only authenticate the changes on non-merged
+    # branches where we use the default branch as the trust root.  For
+    # the default branch, the project needs to set an explicit trust
+    # root.
+    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
+
 variables:
   DEBIAN_FRONTEND: noninteractive
   CARGO_HOME: $CI_PROJECT_DIR/../cargo
-- 
cgit v1.2.3