This repository has been archived by the owner on Nov 7, 2024. It is now read-only.

Support automated publication for trusted SHAs #1

Open
sebbacon opened this issue Nov 13, 2020 · 1 comment

Comments

@sebbacon
Contributor

sebbacon commented Nov 13, 2020

This would be invoked via a pipeline action.

version: "3.0"

expectations:
  population_size: 1000

actions:
  generate_study_population:
    run: cohortextractor:latest generate_cohort --study-definition study_definition
    outputs:
      highly_sensitive:
        cohort: output/input.csv

  run_model:
    run: stata-mp:latest analysis/model.do
    needs: [generate_study_population]
    outputs:
      moderately_sensitive:
        model: models/cox-model.txt
        figure: figures/survival-plot.png

  publish:
    run: publish
    needs: [run_model]
    args:
      files:
         - models/cox-model.txt
         - figures/survival-plot.png
      auto_push: false

The script would then:

  • Look for matching files in the local-only repo
  • Assert they are all medium_security outputs
  • git init a local repo, if necessary, and git add them automatically

auto_push would normally be false; this means users still have to log into the L4 server, review the files, make changes, commit, and publish them via osrelease.

When it is true, the command would check the current SHA is signed by a trusted key, and is marked as trusted in our job server database. If so, the push would be automatic.

@sebbacon
Contributor Author

GPG pub keys available from GitHub, e.g.

cd job-runner
curl https://github.com/evansd.gpg | gpg --import
git verify-commit de8ceb9847004e237fb1e8999c1603fd4f073629

sebbacon changed the title from "Turn into an OS action" to "Support automated publication for trusted SHAs" on Dec 4, 2020
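The auto_push gate described in the issue, sketched as an added example (not code from this repository). `git verify-commit` succeeds for a good signature from any key in the keyring, so this version also pins the signer to an allowlist of fingerprints. The function names, the allowlist and the set standing in for the job server's trusted-SHA lookup are assumptions, and the sample status text is constructed.

```python
import subprocess

PREFIX = "[GNUPG:] "
# GnuPG status keywords that mean the signature must not be relied on.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
# Constructed sample of gpg status output; both fingerprints are made up.
FPR_A = "A" * 40
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Example Dev <dev@example.org>\n"
    f"[GNUPG:] VALIDSIG {'B' * 40} 2020-12-04 1607040000 0 4 0 1 8 00 {FPR_A}\n"
)


def signer_fingerprint(status_text):
    """Return the primary-key fingerprint of a single good signature, else None."""
    good, fingerprints = False, []
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = line[len(PREFIX):].split() or [""]
        keyword, args = fields[0], fields[1:]
        if keyword in REJECT:
            return None
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # Field 10 is the primary key's fingerprint when a subkey signed.
            fingerprints.append((args[9] if len(args) > 9 else args[0]).upper())
    return fingerprints[0] if good and len(fingerprints) == 1 else None


def gpg_status_for(sha, repo="."):
    """Run `git verify-commit --raw`; the gpg status lines arrive on stderr."""
    proc = subprocess.run(["git", "-C", repo, "verify-commit", "--raw", sha],
                          capture_output=True, text=True)
    return proc.stderr if proc.returncode == 0 else ""


def may_auto_push(sha, status_text, trusted_fprs, trusted_shas, auto_push):
    """Push only if auto_push is set, the SHA is marked trusted, and the signer is pinned."""
    if not auto_push or sha not in trusted_shas:
        return False
    return signer_fingerprint(status_text) in trusted_fprs
```

In use, `status_text` would come from `gpg_status_for(sha)` and `trusted_fprs` from fingerprints recorded out of band rather than from whatever keys happen to be imported.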