mirror of
https://github.com/VictoriaMetrics/VictoriaMetrics.git
synced 2026-06-05 01:52:47 +03:00
2b9973b970
Scope permissions to jobs and set `permissions: {}` at workflow level.
Note: I added and removed permissions in some workflows. The added
permissions make previously implicit defaults explicit.
Signed-off-by: Rudransh Shrivastava <rudransh@victoriametrics.com>
51 lines
1.7 KiB
YAML
51 lines
1.7 KiB
YAML
name: check-commit-signed
|
|
|
|
on:
|
|
pull_request:
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
check-commit-signed:
|
|
permissions:
|
|
contents: read
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
fetch-depth: 0 # we need full history for commit verification
|
|
|
|
- name: Check commit signatures
|
|
run: |
|
|
if [ "${{ github.event_name }}" != "pull_request" ]; then
|
|
echo "Not a PR event, skipping signature check"
|
|
exit 0
|
|
fi
|
|
|
|
RANGE="${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}"
|
|
echo "Checking commits in PR range: $RANGE"
|
|
|
|
if [ -z "$(git rev-list $RANGE)" ]; then
|
|
echo "No new commits in this PR, skipping signature check"
|
|
exit 0
|
|
fi
|
|
|
|
# Check raw commit objects for a "gpgsig" header as a fast early signal for
|
|
# contributors. Both GPG and SSH signatures use this header.
|
|
# This avoids relying on %G? which returns N for SSH commits.
|
|
# This check is not a security enforcement — unsigned commits cannot be merged
|
|
# anyway due to the GitHub repository merge policy.
|
|
unsigned=""
|
|
for sha in $(git rev-list $RANGE); do
|
|
if ! git cat-file commit "$sha" | grep -q "^gpgsig"; then
|
|
unsigned="$unsigned $sha"
|
|
fi
|
|
done
|
|
if [ -n "$unsigned" ]; then
|
|
echo "Found unsigned commits:"
|
|
echo "$unsigned"
|
|
exit 1
|
|
fi
|
|
|
|
echo "All commits in PR are signed (GPG or SSH)" |