Check that dependencies don't include unmerged commits

This ensures that the project doesn't end up depending on commits that aren't present in the corresponding branch of the dependency. This is useful to prevent merging with pre-rebase commits from cross-project changes; it also ensures that malicious commits from forks can't end up references in the main projects. Signed-off-by: Stephen Kitt <[email protected]>
submariner-io · Oct 15, 2024 · 71724bd · 71724bd
1 parent 393ed87
commit 71724bd
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 3 deletions.
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -42,6 +42,15 @@ jobs:
       - name: Create the bundle and validate it
         run: make bundle
 
+  check-branch-dependencies:
+    name: Check branch dependencies
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+      - name: Check that no dependencies include unmerged commits
+        run: make check-non-release-versions
+
   crds:
     name: CRDs up-to-date
     runs-on: ubuntu-latest

diff --git a/Makefile b/Makefile
@@ -253,6 +253,9 @@ $(OPERATOR_SDK):
 
 operator-sdk: $(OPERATOR_SDK)
 
+check-non-release-versions:
+	$(SCRIPTS_DIR)/check-non-release-versions.sh
+
 .PHONY: build ci clean bundle kustomization is-semantic-version olm scorecard system-test controller-gen kustomize operator-sdk
 
 else

diff --git a/go.mod b/go.mod
@@ -15,7 +15,7 @@ require (
 	github.com/prometheus/client_golang v1.20.2
 	github.com/submariner-io/admiral v0.19.0-m3
 	github.com/submariner-io/shipyard v0.19.0-m3
-	github.com/submariner-io/submariner v0.19.0-m3
+	github.com/submariner-io/submariner v0.19.0-m3.0.20241015171239-de0f8cc15a25
 	golang.org/x/net v0.30.0
 	golang.org/x/text v0.19.0
 	k8s.io/api v0.31.1

diff --git a/go.sum b/go.sum
@@ -399,8 +399,8 @@ github.com/submariner-io/admiral v0.19.0-m3 h1:LTkYxCvB8S1210P2FZtCb6dzjaPpIgBrR
 github.com/submariner-io/admiral v0.19.0-m3/go.mod h1:xRpP1rDOblEdPHr0qrC+plcTNfShYJAOH2fexqOmI1A=
 github.com/submariner-io/shipyard v0.19.0-m3 h1:NliwAktRPF4OsLj1TDgpaOJD/bmmZW/FH9+mJmWgxbk=
 github.com/submariner-io/shipyard v0.19.0-m3/go.mod h1:BY1ceSnPz1/hN5F9uljcSzy5n5qgAOENsIvZpJ+XPOU=
-github.com/submariner-io/submariner v0.19.0-m3 h1:UHfG15WNOFH05WF6keLtj4+y1nxL7HiDmQqG6uk+EEI=
-github.com/submariner-io/submariner v0.19.0-m3/go.mod h1:0Am9/udIvtZO8hM7YvRTbIsEWGD8YrCR2JHzNmTGyHg=
+github.com/submariner-io/submariner v0.19.0-m3.0.20241015171239-de0f8cc15a25 h1:GxlcmMmZwQvt2izEhUQ5Jxv14MfdFWEI0hPFKhM6YmQ=
+github.com/submariner-io/submariner v0.19.0-m3.0.20241015171239-de0f8cc15a25/go.mod h1:DahH+rmwHFmQfkxxlLIZ/MqD7ZMEuA0jclLac82i5X8=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=