From 2a957d590df68d0759705614954e66cbffd2be2a Mon Sep 17 00:00:00 2001
From: Alex Nelson <alexander.nelson@nist.gov>
Date: Thu, 6 Apr 2023 16:03:57 -0400
Subject: [PATCH] Add supply-chain review target

This patch adds the ability to run a single command to handle checking
all direct-dependencies within `pre-commit` and Git submodules.

While some other CASE repositories run this command nightly, this patch
leaves that as a future decision due to current testing procedures
within the CASE and UCO ontology repositories.

Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
---
 .gitmodules |  4 ++++
 Makefile    | 27 ++++++++++++++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/.gitmodules b/.gitmodules
index 19483787..6922aea9 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,12 +1,16 @@
 [submodule "dependencies/CASE-develop"]
 	path = dependencies/CASE-develop
 	url = https://github.com/casework/CASE.git
+	branch = develop
 [submodule "dependencies/CASE-develop-2.0.0"]
 	path = dependencies/CASE-develop-2.0.0
 	url = https://github.com/casework/CASE.git
+	branch = develop-2.0.0
 [submodule "dependencies/CASE-unstable"]
 	path = dependencies/CASE-unstable
 	url = https://github.com/casework/CASE-Archive.git
+	branch = unstable
 [submodule "dependencies/CASE-unstable-2.0.0"]
 	path = dependencies/CASE-unstable-2.0.0
 	url = https://github.com/casework/CASE-Archive.git
+	branch = unstable-2.0.0
diff --git a/Makefile b/Makefile
index f9f4f97c..3af7cc0a 100644
--- a/Makefile
+++ b/Makefile
@@ -34,7 +34,10 @@ all: \
   all-ontology \
   check-examples \
   check-migration-0.2.0 \
-  check-ontology
+  check-ontology \
+  check-supply-chain \
+  check-supply-chain-pre-commit \
+  check-supply-chain-submodules
 
 .dependencies.done.log: \
   .venv.done.log
@@ -138,6 +141,28 @@ check-ontology: \
 	  --directory ontology \
 	  check
 
+# This target's dependencies potentially modify the working directory's Git state, so it is intentionally not a dependency of check.
+check-supply-chain: \
+  check-supply-chain-pre-commit \
+  check-supply-chain-submodules
+
+check-supply-chain-pre-commit: \
+  .venv-pre-commit/var/.pre-commit-built.log
+	source .venv-pre-commit/bin/activate \
+	  && pre-commit autoupdate
+	git diff \
+	  --exit-code \
+	  .pre-commit-config.yaml
+
+check-supply-chain-submodules: \
+  .git_submodule_init.done.log
+	git submodule update \
+	  --remote
+	git diff \
+	  --exit-code \
+	  --ignore-submodules=dirty \
+	  dependencies
+
 clean:
 	@$(MAKE) \
 	  --directory examples \