-
Notifications
You must be signed in to change notification settings - Fork 10
Added commit signature verification with verified commit #305
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| # SPDX-FileCopyrightText: Chirag Rao <crao@redhat.com> | ||
| # | ||
| # SPDX-License-Identifier: CC0-1.0 | ||
|
|
||
| name: "Commit Verification" | ||
| on: | ||
| pull_request: | ||
| branches: | ||
| - "main" | ||
| workflow_call: | ||
| permissions: | ||
| contents: "read" | ||
|
|
||
| jobs: | ||
| verify-commits: | ||
| name: "Verify commit signatures and authorship" | ||
| runs-on: " ubuntu-slim" | ||
| steps: | ||
| - name: "Verify all PR commits are signed and authored by PR owner" | ||
| env: | ||
| GH_TOKEN: ${{ github.token }} | ||
| PR_AUTHOR: ${{ github.event.pull_request.user.login }} | ||
| run: | | ||
| set -euo pipefail | ||
| errors=$(gh api "repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits" \ | ||
| -q ' | ||
| .[] | .sha[:12] as $s | | ||
| (if .commit.verification.verified != true | ||
| then "::error::Commit \($s) is not signed and/or not verified (\(.commit.verification.reason))" | ||
| else empty end) | ||
| ') | ||
|
sourcery-ai[bot] marked this conversation as resolved.
|
||
| if [ -n "${errors}" ]; then | ||
| echo "${errors}" | ||
| exit 1 | ||
| fi | ||
| echo "All commits are signed and verified." | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I gather you want the verification check to run before other tests, but is there a more unified way to order tests? (e.g. can we design this in a way that we won't forget the same gate when we add another test, or that we don't again need to edit 4 files if we want another test that goes before unit tests) Then again, as long as GHA remains free for public repos, there isn't even a real incentive to do this itfp
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yeah, might not be needed because we aren't the ones paying for the GHA minutes anyways, but generally a good idea to try to preserve compute if we can as a community courtesy. As these workflows are seperate files, GH doesn't yet have a way for like a global pre-check. There seems to be a way with Branch Protection Rules, although I can't comment on that
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm kind of against this, not just because it makes the files fatter, but also because I saw now it runs per flow, so you get
etc. e: so the "less compute time" argument is negated a bit anyhow
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yeah, it does run for each flow, although its relatively lightweight than running the jobs without gating, I think removing it is fine for now. I am also open to closing this issue as the repo owner can configure both options(verify signatures and prevent merging until pipeline succeeds) from the Branch Protection Rules, although it will run on merge, not on a PR.
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @alicefr What do you think? |
Uh oh!
There was an error while loading. Please reload this page.