cosmos-sdk/.github/workflows/enforce_signed.yml
dependabot[bot] a5e49b5b16
build(deps): Bump actions/github-script from 7 to 8 (#25436)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alex | Cosmos Labs <alex@cosmoslabs.io>
2025-10-10 13:07:38 +00:00



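name: Enforce Signed Commits on PRs
# NOTE(review): on a plain `pull_request` event the workflow token for PRs opened
# from forks is read-only, so the comment/close calls below may be rejected for
# those PRs (the job would still fail, but without the explanatory comment) —
# confirm against the repository's fork policy before relying on this check.
on:  # yamllint disable-line rule:truthy
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
permissions:
  contents: read # needed to read commits
  pull-requests: write # needed to close the PR
  # NOTE(review): `pull-requests: write` is usually sufficient for commenting on a PR
  # through the issues endpoint; verify before dropping `issues: write` to tighten scope.
  issues: write # needed to post a comment
jobs:
  check-signed-commits:
    # Skip drafts to avoid noise while a PR is still being prepared
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    steps:
      - name: Verify all PR commits are signed
        uses: actions/github-script@v8
        with:
          script: |
            const { owner, repo } = context.repo;
            const prNumber = context.payload.pull_request.number;
            // Get all commits in the PR (handles pagination)
            const commits = await github.paginate(
              github.rest.pulls.listCommits,
              { owner, repo, pull_number: prNumber, per_page: 100 }
            );
            // Any commit without a verified signature? Only signatures GitHub itself
            // could verify count; a commit signed with a key not attached to the
            // author's GitHub account is still reported as unverified.
            const unsigned = commits.filter(c => !(c.commit?.verification?.verified));
            if (unsigned.length === 0) {
              core.info("All commits are verified-signed. ✅");
              return;
            }
            // Build a helpful message & list the offending commits, including the
            // verification reason GitHub reports (e.g. unsigned vs. unknown_key) so
            // the author can tell "not signed" from "signed with an unregistered key"
            const list = unsigned
              .map(c => {
                const subject = c.commit.message.split('\n')[0];
                const reason = c.commit?.verification?.reason ?? "unknown";
                return `- ${c.sha.substring(0,7)} — ${subject} (${reason})`;
              })
              .join('\n');
            // Record the offenders in the job log before any write API call, so the
            // information survives even if commenting/closing is rejected
            core.error(`Unsigned commits:\n${list}`);
            const msg = [
              "🔒 **PR closed: unsigned commits detected**",
              "",
              `This pull request contains **${unsigned.length}** commit(s) without a *verified* signature.`,
              "",
              "**How to fix:**",
              "1. Set up commit signing (GPG or SSH).",
              "2. Amend/rebase so **every** commit in this PR is verified-signed.",
              "3. Push the updated branch and open a new PR, or ask a maintainer to reopen once fixed.",
              "",
              "Docs: https://docs.github.com/authentication/managing-commit-signature-verification",
              "",
              "**Unsigned commits:**",
              list
            ].join("\n");
            // Post the explanation as a PR comment (PRs are Issues in the API)
            await github.rest.issues.createComment({
              owner, repo, issue_number: prNumber, body: msg
            });
            // Close the PR
            await github.rest.pulls.update({
              owner, repo, pull_number: prNumber, state: "closed"
            });
            // Mark the job as failed so it's obvious in checks
            core.setFailed(`Closed PR: found ${unsigned.length} unsigned commit(s).`);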