verify-locked-down-signatures.yml
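---
# Runs ci/verify-locked-down-signatures.sh whenever a pull request touches one
# of the locked-down paths below: dependency lockfiles, verification metadata,
# key material, container image references, or the verification tooling itself.
name: Verify lockfile signatures
on:
  pull_request:
    # Only changes to these paths (or to this workflow) trigger the check.
    paths:
      - .github/workflows/verify-locked-down-signatures.yml
      - Cargo.lock
      - gui/package-lock.json
      - wireguard/libwg/go.sum
      - ci/keys/**
      - ci/verify-locked-down-signatures.sh
      - ios/MullvadVPN.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved
      - android/gradle/verification-metadata.xml
      - android/gradle/wrapper/gradle-wrapper.properties
      - building/build-and-publish-container-image.sh
      - building/mullvad-app-container-signing.asc
      - building/linux-container-image.txt
      - building/android-container-image.txt
      - building/sigstore/**

# Least privilege: the job only checks out and fetches repository contents,
# so the workflow token is restricted to read access.
permissions:
  contents: read

jobs:
  verify-signatures:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): `v3` is a mutable tag. Pinning the action to a full
      # commit SHA would protect this step against a retagged release.
      - uses: actions/checkout@v3
        with:
          # Check out the PR head commit itself rather than the synthetic
          # merge commit, so the commits under review are the ones inspected.
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Verify signatures
        # Event data is handed to the script through the environment instead
        # of being expanded into the script text, so it is never parsed as
        # shell syntax.
        env:
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |-
          base_ref="$PR_BASE_SHA"
          head_ref="$PR_HEAD_SHA"
          # Fetch main and both PR endpoints, leaving out history already
          # reachable from main, then deepen by one commit.
          git fetch --no-recurse-submodules --shallow-exclude=main origin main "$base_ref" "$head_ref"
          git fetch --deepen=1
          # NOTE(review): the script and ci/keys are taken from the PR head
          # checkout, so the verifier is part of what is being verified.
          # Presumably --whitelist origin/main treats commits on main as
          # trusted and the script requires signed changes to itself; confirm
          # against the script, or run the base-branch copy instead.
          ci/verify-locked-down-signatures.sh --import-gpg-keys --whitelist origin/main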