chore(ci): add signed commits check to integration#496
Conversation
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@            Coverage Diff             @@
##           master     #496      +/-   ##
==========================================
+ Coverage   80.93%   80.96%   +0.02%
==========================================
  Files          24       24
  Lines        5482     5489       +7
  Branches      247      247
==========================================
+ Hits         4437     4444       +7
  Misses        968      968
  Partials       77       77
notmandatory
left a comment
ACK eba7f04
Will wait for team feedback before merging.
| fetch-depth: 0 | ||
| persist-credentials: false | ||
| - name: Verify all commits are GPG signed | ||
| run: ./ci/check-signed-commits.sh "${{ github.event.pull_request.base.sha }}" "${{ github.event.pull_request.head.sha }}" |
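Review bot: the run: line interpolates ${{ github.event.pull_request.base.sha }} and ${{ github.event.pull_request.head.sha }} directly into the shell command. Both are hex SHAs taken from the event payload rather than user-controlled text, so there is no injection here, but exposing them through env: (e.g. BASE_SHA / HEAD_SHA) and calling ./ci/check-signed-commits.sh "$BASE_SHA" "$HEAD_SHA" keeps the step in line with the usual guidance for expressions in run: and avoids the pattern being copied for fields such as the PR title. It would also help to comment next to fetch-depth: 0 that the full history is what makes the base.sha..head.sha range resolvable; with a shallow checkout the script would fail on the range rather than on an unsigned commit.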
I'd rather have the bash call here instead of a new file, if it's only being used here, such as:
[ "$(git log --pretty='format:%G?' -1 HEAD)" = "N" ] && \
  printf '\nERROR: unsigned commit: BDK requires that commits be signed.\n' || \
  true
@EliteCoder18 you can see how I did it here: oleonardolima@9748220
If you'd rather keep the simpler version of the file, it could be used in the justfile check command too.
Thanks for the suggestion! The justfile already uses a similar one-liner for local development, but intentionally with || true so it acts as a warning rather than blocking contributors mid-flow.
For CI, I feel the goal is stricter enforcement across the entire PR range (base_sha..head_sha), not just the latest commit. An inline HEAD check could miss cases where only the most recent commit is signed while earlier commits are not.
That said, I like the idea of reusing the same logic in the justfile as well, and I'm happy to wire the script into the local check recipe if you think that would be beneficial.
Also would be best to do a manual test of this in your cloned repo to confirm it works as expected.
deecdf5 to 83ca57f
Description
Part of #410
A new check-signed-commits job is added to the integration workflow. It runs only on pull requests and calls ci/check-signed-commits.sh, which iterates over every commit between the PR base and head, checks the signature status via git log --format="%H %G?", and fails the job if any commit is unsigned (status N). The check is implemented as a standalone bash script in ci/, consistent with the existing bash scripts, so it is easy to run independently of CI.
Notes to the reviewers
The signature check uses git's built-in %G? format specifier, which returns N only for commits that carry no signature at all, as distinct from E (a signature is present but cannot be checked, e.g. the key is not in the local keyring) or U (good signature with unknown key validity). This means the check identifies unsigned commits without needing any GPG keys loaded in the CI environment. Note that it only checks that a signature is present: with no keys loaded, a signed commit reports E rather than G, so signature validity is not verified by this job.
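To make the range check described above concrete, here is an added example (not the project's ci/check-signed-commits.sh) that splits the logic into a parser for git log's "%H %G?" output and a thin wrapper that runs git. The function names check_signature_lines and check_signed_commits, and the sample status lines fed to the parser, are assumptions made for the example; the status letters are git's own %G? values.

```shell
#!/usr/bin/env sh
# Added example, not the project's ci/check-signed-commits.sh.
# Fails when any commit in BASE..HEAD has no signature at all (%G? == N).
set -eu

# Reads "<sha> <status>" lines, as produced by git log --format='%H %G?',
# from stdin. Prints every commit whose status is N (no signature) to stderr
# and returns 1 if there was at least one, 0 otherwise.
# Any other status (G, B, U, X, Y, R, E) means a signature is present; it is
# not validated here because the CI runner has no keys loaded, so signed
# commits typically show up as E (cannot be checked) rather than G.
check_signature_lines() {
  unsigned=0
  sha=""
  status=""
  # The "|| [ -n "$sha" ]" keeps a final line that lacks a trailing newline.
  while read -r sha status || [ -n "$sha" ]; do
    [ -n "$sha" ] || continue
    if [ "$status" = "N" ]; then
      echo "ERROR: unsigned commit $sha" >&2
      unsigned=1
    fi
  done
  return "$unsigned"
}

# CI entry point: BASE and HEAD are the pull request base and head SHAs.
# The checkout needs the full history (fetch-depth: 0) for the range to resolve.
check_signed_commits() {
  base="$1"
  head="$2"
  # Capture first rather than pipe directly, so a bad range aborts under set -e
  # instead of silently producing an empty (and therefore passing) list.
  commits=$(git log --format='%H %G?' "${base}..${head}")
  printf '%s\n' "$commits" | check_signature_lines
}

# Usage: ./check-signed-commits.sh <base-sha> <head-sha>
if [ "$#" -eq 2 ]; then
  check_signed_commits "$1" "$2"
  echo "OK: every commit in $1..$2 carries a signature"
fi
```

Only N fails the check; an empty range (base equal to head) passes, and E or U pass because presence, not validity, is what this job enforces. Keeping the parser separate from the git call lets the failure mode be exercised without a repository, which is also how the expected-results checks for this example are written.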
The job only runs on pull_request events (guarded by if: github.event_name == 'pull_request') so it doesn't affect push-triggered runs on protected branches.
Changelog notice
ci: enforce GPG signed commits on pull requests
Before submitting