Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletions .github/workflows/commit-verification.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
# SPDX-FileCopyrightText: Chirag Rao <crao@redhat.com>
#
# SPDX-License-Identifier: CC0-1.0

name: "Commit Verification"
on:
pull_request:
branches:
- "main"
workflow_call:
permissions:
contents: "read"
Comment thread
Jakob-Naucke marked this conversation as resolved.

jobs:
verify-commits:
name: "Verify commit signatures and authorship"
runs-on: " ubuntu-slim"
steps:
- name: "Verify all PR commits are signed and authored by PR owner"
env:
GH_TOKEN: ${{ github.token }}
PR_AUTHOR: ${{ github.event.pull_request.user.login }}
run: |
set -euo pipefail
errors=$(gh api "repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits" \
-q '
.[] | .sha[:12] as $s |
(if .commit.verification.verified != true
then "::error::Commit \($s) is not signed and/or not verified (\(.commit.verification.reason))"
else empty end)
')
Comment thread
sourcery-ai[bot] marked this conversation as resolved.
if [ -n "${errors}" ]; then
echo "${errors}"
exit 1
fi
echo "All commits are signed and verified."
3 changes: 3 additions & 0 deletions .github/workflows/go.yml

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I gather you want the verification check to run before other tests, but is there a more unified way to order tests? (e.g. can we design this in a way that we won't forget the same gate when we add another test, or that we don't again need to edit 4 files if we want another test that goes before unit tests)

Then again, as long as GHA remains free for public repos, there isn't even a real incentive to do this itfp

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, might not be needed because we aren't the ones paying for the GHA minutes anyways, but generally a good idea to try to preserve compute if we can as a community courtesy.

As these workflows are seperate files, GH doesn't yet have a way for like a global pre-check. There seems to be a way with Branch Protection Rules, although I can't comment on that

@Jakob-Naucke Jakob-Naucke Jul 2, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm kind of against this, not just because it makes the files fatter, but also because I saw now it runs per flow, so you get

  • Commit Verification / Verify commit signatures and authorship
  • Go / Build (pull_request)
  • Go / verify-commits / Verify commit signatures and authorship (pull_request)
  • Lint / Lints, pinned toolchain (pull_request)
  • Lint / verify-commits / Verify commit signatures and authorship (pull_request)

etc.

e: so the "less compute time" argument is negated a bit anyhow

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, it does run for each flow, although its relatively lightweight than running the jobs without gating, I think removing it is fine for now.

I am also open to closing this issue as the repo owner can configure both options(verify signatures and prevent merging until pipeline succeeds) from the Branch Protection Rules, although it will run on merge, not on a PR.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alicefr What do you think?

Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,10 @@ concurrency:
cancel-in-progress: true

jobs:
verify-commits:
uses: ./.github/workflows/commit-verification.yml
build:
needs: verify-commits
name: "Build"
runs-on: "ubuntu-24.04"
steps:
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/integration-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,10 @@ env:
REGISTRY: localhost:5000/trusted-execution-clusters

jobs:
verify-commits:
uses: ./.github/workflows/commit-verification.yml
integration-tests:
needs: verify-commits
name: "KubeVirt integration tests"
if: >-
github.event.pull_request.author_association == 'MEMBER' ||
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,10 @@ env:
ACTIONS_LINTS_TOOLCHAIN: 1.88.0

jobs:
verify-commits:
uses: ./.github/workflows/commit-verification.yml
linting:
needs: verify-commits
name: "Lints, pinned toolchain"
runs-on: "ubuntu-24.04"
container: "ghcr.io/trusted-execution-clusters/buildroot:fedora"
Expand Down
6 changes: 6 additions & 0 deletions .github/workflows/rust.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,10 @@ env:
CARGO_TERM_COLOR: always

jobs:
verify-commits:
uses: ./.github/workflows/commit-verification.yml
tests-stable:
needs: verify-commits
name: "Tests, stable toolchain"
runs-on: "ubuntu-24.04"
container: "ghcr.io/trusted-execution-clusters/buildroot:fedora"
Expand All @@ -48,6 +51,7 @@ jobs:
- name: "cargo test"
run: cargo test --bins --lib
tests-release-stable:
needs: verify-commits
name: "Tests (release), stable toolchain"
runs-on: "ubuntu-24.04"
container: "ghcr.io/trusted-execution-clusters/buildroot:fedora"
Expand All @@ -72,6 +76,7 @@ jobs:
- name: "cargo test (release)"
run: cargo test --bins --lib --release
tests-release-msrv:
needs: verify-commits
name: "Tests (release), minimum supported toolchain"
runs-on: "ubuntu-24.04"
container: "ghcr.io/trusted-execution-clusters/buildroot:fedora"
Expand Down Expand Up @@ -102,6 +107,7 @@ jobs:
- name: "cargo test (release)"
run: cargo test --bins --lib --release
tests-other-channels:
needs: verify-commits
name: "Tests, unstable toolchain"
runs-on: "ubuntu-24.04"
container: "ghcr.io/trusted-execution-clusters/buildroot:fedora"
Expand Down
Loading