Accept and sign CLA #9782
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: All | |
permissions: | |
contents: read | |
on: | |
merge_group: | |
pull_request: | |
push: | |
branches: | |
- develop | |
workflow_dispatch: | |
inputs: | |
commit_sha: | |
description: Git commit sha, on which, to run this workflow | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }} | |
cancel-in-progress: true | |
defaults: | |
run: | |
shell: bash | |
jobs: | |
lint_commits: | |
name: All - lint_commits | |
runs-on: ubuntu-20.04 | |
# We assume that commit 2fd0d36fe6ae0c2d527368683ec3a6352617b381 will be in the history | |
# of all commits based on ockam develop branch | |
# https://github.com/build-trust/ockam/commit/2fd0d36fe6ae0c2d527368683ec3a6352617b381 | |
env: | |
FIRST_COMMIT: 2fd0d36fe6ae0c2d527368683ec3a6352617b381 | |
CONTRIBUTORS_CSV_PATH: .github/CONTRIBUTORS.csv | |
steps: | |
- name: Checkout | |
if: github.event_name != 'pull_request' | |
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 | |
with: | |
fetch-depth: 0 # checkout full tree | |
- name: Checkout (Pull Request) | |
if: github.event_name == 'pull_request' | |
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 | |
with: | |
fetch-depth: 0 # checkout full tree | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: Get commit information from Github (Pull Request) | |
if: github.event_name == 'pull_request' | |
run: gh api repos/build-trust/ockam/pulls/${{ github.event.number }}/commits > commits.json | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Set FIRST_COMMIT To Begin Linting (Pull Request) | |
if: github.event_name == 'pull_request' | |
run: | | |
pull_request_commits_length=$(cat commits.json | jq '. | length') | |
echo "Number of commits in pull requests are $pull_request_commits_length" | |
echo "FIRST_COMMIT=HEAD~${pull_request_commits_length}" >> $GITHUB_ENV | |
- name: Check FIRST_COMMIT is ancestor of HEAD | |
run: | | |
git merge-base --is-ancestor $FIRST_COMMIT HEAD || \ | |
(echo " | |
This workflow checks that all commits follow the Ockam Commit Message Convention | |
https://github.com/build-trust/.github/blob/main/CONTRIBUTING.md#commit-messages | |
We check all commits from HEAD backwards till the commit with commit hash: ${FIRST_COMMIT}. | |
ERROR: | |
For this to work the commit with commit hash: ${FIRST_COMMIT} should be an ancestor of HEAD | |
but it seems this is not the case with the current HEAD. | |
Try rebasing to the develop branch of ockam. | |
https://github.com/build-trust/ockam/tree/develop | |
" && exit 1) | |
- name: Check no merge commits | |
run: | | |
merge_commit_count=$(git rev-list --no-walk --count --merges $FIRST_COMMIT..HEAD) | |
if [ "$merge_commit_count" != "0" ]; then | |
echo " | |
Our develop branch follows a linear history and cannot have merge commits. | |
Please rebase to develop. | |
" && exit 1 | |
fi | |
- name: Install Commitlint | |
run: npm install --location=global @commitlint/[email protected] # TODO: move to ockam-builder docker image. | |
- name: Lint Commit Messages | |
run: | | |
npx commitlint \ | |
--config tools/commitlint/commitlint.config.js \ | |
--from $FIRST_COMMIT \ | |
--to HEAD \ | |
--help-url https://github.com/build-trust/.github/blob/main/CONTRIBUTING.md#commit-messages || \ | |
(echo ' | |
The commit with the above commit message does not follow the Ockam Commit Message Convention | |
https://github.com/build-trust/.github/blob/main/CONTRIBUTING.md#commit-messages | |
Our commits should have the following structure. | |
<type>(<scope>): <subject> | |
<BLANK LINE> | |
<body> | |
<BLANK LINE> | |
<footer> | |
Common errors to avoid: | |
1. The commit header <type>(<scope>): <subject> must be in lower case. | |
2. Allowed type values are: build, chore, ci, docs, feat, fix, refactor, style, test. | |
3. Allowed scope values are: c, elixir, typescript, rust. | |
4. Use the chore type as a last resort, prefer a more meaningful type. | |
5. Only feat, fix, refactor type commits are included in our changelog. | |
The linting rules are defined in: | |
https://github.com/build-trust/ockam/blob/develop/tools/commitlint/commitlint.config.js | |
More about the Ockam Commit Message Convention | |
https://github.com/build-trust/.github/blob/main/CONTRIBUTING.md#commit-messages | |
' && exit 1) | |
- name: Check If PR Author Made Changes Only To CONTRIBUTORS.csv | |
run: | | |
paths_updated=$(git diff --name-only origin/develop..HEAD) | |
if echo "$paths_updated" | grep $CONTRIBUTORS_CSV_PATH; then | |
# user has made changes to the CONTRIBUTORS.md file, we need to ensure that PR | |
# is only accepting the CLA | |
no_paths_updated=$(echo $paths_updated | wc -l) | |
if [[ $no_paths_updated -gt 1 ]]; then | |
echo " | |
We require that all contributors have accepted our Contributor License Agreement (CLA). | |
Please read the CLA and create a new pull request to accept the CLA by adding your Github details in a row at the end of the CONTRIBUTORS.csv file. | |
This new pull request must only change the CONTRIBUTORS.csv file. | |
CONTRIBUTORS.csv file is located at: $CONTRIBUTORS_CSV_PATH. | |
If you have any issues, please feel free to ask questions on this discussion thread https://github.com/build-trust/ockam/discussions/6112 | |
" && exit 1 | |
fi | |
fi | |
- name: Get Contributors List | |
run: | | |
mv $CONTRIBUTORS_CSV_PATH CONTRIBUTORS.csv | |
- name: Split Contributors List | |
shell: python | |
run: | | |
import csv | |
import re | |
import sys | |
contributors_github_usernames = [] | |
contributors_emails = [] | |
email_pattern = re.compile("<([^>]+)>") | |
with open('CONTRIBUTORS.csv', 'r') as f: | |
reader = csv.reader(f) | |
# skip the first row of headers | |
next(reader) | |
for line in reader: | |
contributors_github_usernames = contributors_github_usernames + line[1].split() | |
contributors_emails = contributors_emails + email_pattern.findall(line[3]) | |
with open('CONTRIBUTORS_GITHUB_USERNAMES.txt', 'w') as f: | |
print('\n'.join(contributors_github_usernames), file=f) | |
with open('CONTRIBUTORS_EMAILS.txt', 'w') as f: | |
print('\n'.join(contributors_emails), file=f) | |
- name: Check Pull Request Sender has accepted Ockam CLA. | |
if: github.event_name == 'pull_request' | |
env: | |
PR_SENDER: ${{ github.event.pull_request.user.login }} | |
run: | | |
if grep -q -iF "$PR_SENDER" 'CONTRIBUTORS_GITHUB_USERNAMES.txt'; then | |
echo "[✓] Pull Request Sender $PR_SENDER has accepted the CLA." | |
else | |
echo " | |
$PR_SENDER, welcome to the Ockam community and thank you for sending this pull request ❤️. | |
Before we can merge, please accept our Contributor License Agreement (CLA). | |
1. Read the CLA at: https://github.com/build-trust/.github/blob/main/CLA.md | |
2. To accept the CLA, please create a different pull request indicating | |
that you accept the CLA by adding your Git/Github details in a row at the end of the | |
[CONTRIBUTORS.csv](https://github.com/build-trust/ockam/blob/develop/.github/CONTRIBUTORS.csv) | |
file. | |
We look forward to merging your first contribution! | |
" | |
exit 1 | |
fi | |
- name: Check all commit authors co-authors and committers have accepted Ockam CLA. | |
run: | | |
set -x | |
commits=$(git rev-list --reverse $FIRST_COMMIT..HEAD) | |
commits=($FIRST_COMMIT ${commits[@]}) | |
err=false | |
for commit in "${commits[@]}" | |
do | |
echo -e "\n---\nCommit: $commit" | |
author=$(git show -s --format='%ae' $commit) | |
echo "Author: $author" | |
co_authors=$(git show -s --format='%(trailers:key=Co-authored-by)' | grep -o -E '<[^>]+>' | sed 's/<//;s/>//' | tr '\n' ' ') || echo '' | |
if [ -n "$co_authors" ]; then | |
co_authors=($co_authors) | |
echo "Co-Authors: $co_authors" | |
fi | |
committer=$(git show -s --format='%ce' $commit) | |
echo "Committer: $committer" | |
if grep -q -iF "$author" 'CONTRIBUTORS_EMAILS.txt'; then | |
echo "[✓] $commit author $author has accepted the CLA." | |
else | |
echo -e "$commit commit author $author has not accepted the CLA." | |
err=true | |
fi | |
if [ -n "$co_authors" ]; then | |
for co_author in "${co_authors[@]}" | |
do | |
if grep -q -iF "$co_author" 'CONTRIBUTORS_EMAILS.txt'; then | |
echo "[✓] $commit co-author $co_author has accepted the CLA." | |
else | |
echo -e "$commit commit co-author $co_author has not accepted the CLA." | |
err=true | |
fi | |
done | |
fi | |
if grep -q -iF "$committer" 'CONTRIBUTORS_EMAILS.txt'; then | |
echo "[✓] $commit committer $committer has accepted the CLA." | |
else | |
echo -r "\nERROR:\n$commit committer $committer has not accepted the CLA" | |
err=true | |
fi | |
if [ "$err" = true ]; then | |
echo " | |
Before we can merge, please accept our Contributor License Agreement (CLA). | |
1. Read the CLA at: https://github.com/build-trust/.github/blob/main/CLA.md | |
2. To accept the CLA, please create a different pull request indicating | |
that you accept the CLA by adding your Git/Github details in a row at the end of the | |
[CONTRIBUTORS.csv](https://github.com/build-trust/ockam/blob/develop/.github/CONTRIBUTORS.csv) | |
file. | |
We look forward to merging your contribution! | |
" | |
exit 1 | |
fi | |
done | |
- name: Get Developers List | |
run: | | |
gh api \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
/orgs/build-trust/members | jq -r '.[].login' > DEVELOPERS.csv | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Check all commits in are Verified by Github (Pull Request) | |
if: github.event_name == 'pull_request' | |
env: | |
PR_SENDER: ${{ github.event.pull_request.user.login }} | |
run: | | |
unverified=$(cat commits.json | jq --raw-output '.[] | [.sha, .commit.verification.verified] | @csv' | grep false || echo '') | |
if [ -z "$unverified" ]; then | |
echo '[✓] All commits in this pull request are Verified by Github.' | |
elif grep -q -i ^"$PR_SENDER"$ 'DEVELOPERS.csv'; then | |
echo "::warning:: [!] Some commits are unverified, ignoring them since pull request sender is a developer." | |
echo "$unverified" | |
else | |
echo ' | |
We require that all commits in a pull request are signed and Verified by Github | |
Please read about signing commits at: | |
https://docs.github.com/en/authentication/managing-commit-signature-verification | |
ERROR: The following commits are not Verified by Github. | |
' | |
echo "$unverified" | |
exit 1 | |
fi | |
lint_editorconfig: | |
name: All - lint_editorconfig | |
runs-on: ubuntu-20.04 | |
container: # gitlab.com/greut/eclint | |
image: greut/eclint:v0.3.3@sha256:95e9a3dcbd236bae6569625cd403175cbde3705303774e7baca418b6442b8d77 | |
steps: | |
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 | |
with: | |
ref: ${{ github.event.inputs.commit_sha }} | |
- shell: sh | |
run: eclint -color=always | |
# Semgrep is a static analysis tool to lint code for patterns we want to forbid | |
# https://github.com/returntocorp/semgrep | |
lint_semgrep: | |
name: All - lint_semgrep | |
runs-on: ubuntu-20.04 | |
container: | |
image: returntocorp/semgrep | |
steps: | |
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 | |
with: | |
ref: ${{ github.event.inputs.commit_sha }} | |
- name: Run Semgrep | |
# .semgrepignore is not processed outside of working directory. See https://github.com/returntocorp/semgrep/issues/5669 | |
run: | | |
mv tools/semgrep/.semgrepignore . & \ | |
semgrep --verbose --config="r2c" --config="tools/semgrep/rules/example.yaml" |