chore(*): add actions to authenticate and fast-forward PR
1 parent
439f602
commit eb04432
Showing
3 changed files
with
99 additions
and
0 deletions.
@@ -0,0 +1,48 @@ | ||
name: Authenticate Commits | ||
on: | ||
pull_request: | ||
types: [opened, reopened, synchronize] | ||
jobs: | ||
validate: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
|
||
- name: Import allowed SSH keys | ||
env: | ||
ALLOWED_SIGNERS: ${{ secrets.MIDDLEWARE_ALLOWED_SIGNERS }} | ||
run: | | ||
mkdir -p ~/.ssh | ||
echo $ALLOWED_SIGNERS > ~/.ssh/allowed_signers | ||
git config --global gpg.ssh.allowedSignersFile "~/.ssh/allowed_signers" | ||
- name: Validate commit signatures | ||
env: | ||
HEAD_SHA: ${{ github.event.pull_request.head.sha }} | ||
BASE_SHA: ${{ github.event.pull_request.base.sha }} | ||
run: | | ||
# Function to verify a commit | ||
verify_commit() { | ||
local commit=$1 | ||
local status=$(git show --pretty="format:%G?" $commit | head -n 1) | ||
if [ "$status" != "G" ]; then | ||
local committer=$(git log -1 --pretty=format:'%cn (%ce)' $commit) | ||
echo "Commit $commit from $committer has an invalid signature or is not signed by an allowed key." | ||
exit 1 | ||
fi | ||
} | ||
# Get all commits in the PR | ||
commits=$(git rev-list $BASE_SHA..$HEAD_SHA) | ||
# Iterate over all commits in the PR and verify each one | ||
for COMMIT in $commits; do | ||
verify_commit $COMMIT | ||
done | ||
echo "All commits are signed with allowed keys." |
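Review bot: The unquoted `echo $ALLOWED_SIGNERS` in the "Import allowed SSH keys" step word-splits the secret, so a multi-line allowed-signers list is written as a single line and entries after the first are unlikely to be recognised; the value is also subject to glob expansion. Write it with `printf '%s\n' "$ALLOWED_SIGNERS" > ~/.ssh/allowed_signers`. In `verify_commit`, `local status=$(...)` discards git's exit status and `$commit` is unquoted; the check still fails closed because an empty status is not `G`, but `git log -1 --format='%G?' "$commit"` with the declaration split from the assignment would be clearer. Secrets are not passed to `pull_request` runs from forks, so for those PRs the signers file will be empty and every commit is rejected; a comment stating that this is intended would help. Because a `pull_request` run uses the workflow file from the PR itself, the check presumably only binds authors who cannot edit this file, which is worth confirming against the branch-protection setup.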
@@ -0,0 +1,27 @@ | ||
name: fast-forward | ||
on: | ||
issue_comment: | ||
types: [created, edited] | ||
jobs: | ||
fast-forward: | ||
# Only run if the comment contains the /fast-forward command. | ||
if: ${{ contains(github.event.comment.body, '/fast-forward') | ||
&& github.event.issue.pull_request }} | ||
runs-on: ubuntu-latest | ||
|
||
permissions: | ||
contents: write | ||
pull-requests: write | ||
issues: write | ||
|
||
steps: | ||
- name: Fast forwarding | ||
uses: sequoia-pgp/fast-forward@v1 | ||
with: | ||
merge: true | ||
# To reduce the workflow's verbosity, use 'on-error' | ||
# to only post a comment when an error occurs, or 'never' to | ||
# never post a comment. (In all cases the information is | ||
# still available in the step's summary.) | ||
comment: on-error | ||
GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} ## This allows to trigger push action from within this workflow. Read more - https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow |
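Review bot: The job hands the `RELEASE_TOKEN` secret to a third-party action referenced by the mutable tag `sequoia-pgp/fast-forward@v1`, and it starts for any created or edited PR comment whose body contains `/fast-forward`. Pin the action to a full commit SHA, `uses: sequoia-pgp/fast-forward@<full-commit-sha>  # v1`, and, unless the action is known to enforce this itself, add `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` to the `if:` so the job only runs for maintainers' comments. Nothing visible here ties the merge to the result of the commit-signature workflow; if `RELEASE_TOKEN` can push past branch protection, that check is presumably advisory only, so confirm it is a required status on the target branch. The page has lost its indentation, but no `env:` key appears before `GITHUB_TOKEN`, so check that the token sits where the action actually reads it.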