Skip to content

cla: accepted by Lumexralph #9783

cla: accepted by Lumexralph

cla: accepted by Lumexralph #9783

Workflow file for this run

name: All
permissions:
contents: read
on:
merge_group:
pull_request:
push:
branches:
- develop
workflow_dispatch:
inputs:
commit_sha:
description: Git commit sha, on which, to run this workflow
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
cancel-in-progress: true
defaults:
run:
shell: bash
jobs:
lint_commits:
name: All - lint_commits
runs-on: ubuntu-20.04
# We assume that commit 2fd0d36fe6ae0c2d527368683ec3a6352617b381 will be in the history
# of all commits based on ockam develop branch
# https://github.com/build-trust/ockam/commit/2fd0d36fe6ae0c2d527368683ec3a6352617b381
env:
FIRST_COMMIT: 2fd0d36fe6ae0c2d527368683ec3a6352617b381
CONTRIBUTORS_CSV_PATH: .github/CONTRIBUTORS.csv
steps:
- name: Checkout
if: github.event_name != 'pull_request'
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
with:
fetch-depth: 0 # checkout full tree
- name: Checkout (Pull Request)
if: github.event_name == 'pull_request'
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
with:
fetch-depth: 0 # checkout full tree
ref: ${{ github.event.pull_request.head.sha }}
- name: Get commit information from Github (Pull Request)
if: github.event_name == 'pull_request'
run: gh api repos/build-trust/ockam/pulls/${{ github.event.number }}/commits > commits.json
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Set FIRST_COMMIT To Begin Linting (Pull Request)
if: github.event_name == 'pull_request'
run: |
pull_request_commits_length=$(cat commits.json | jq '. | length')
echo "Number of commits in pull requests are $pull_request_commits_length"
echo "FIRST_COMMIT=HEAD~${pull_request_commits_length}" >> $GITHUB_ENV
- name: Check FIRST_COMMIT is ancestor of HEAD
run: |
git merge-base --is-ancestor $FIRST_COMMIT HEAD || \
(echo "
This workflow checks that all commits follow the Ockam Commit Message Convention
https://github.com/build-trust/.github/blob/main/CONTRIBUTING.md#commit-messages
We check all commits from HEAD backwards till the commit with commit hash: ${FIRST_COMMIT}.
ERROR:
For this to work the commit with commit hash: ${FIRST_COMMIT} should be an ancestor of HEAD
but it seems this is not the case with the current HEAD.
Try rebasing to the develop branch of ockam.
https://github.com/build-trust/ockam/tree/develop
" && exit 1)
- name: Check no merge commits
run: |
merge_commit_count=$(git rev-list --no-walk --count --merges $FIRST_COMMIT..HEAD)
if [ "$merge_commit_count" != "0" ]; then
echo "
Our develop branch follows a linear history and cannot have merge commits.
Please rebase to develop.
" && exit 1
fi
- name: Install Commitlint
run: npm install --location=global @commitlint/[email protected] # TODO: move to ockam-builder docker image.
- name: Lint Commit Messages
run: |
npx commitlint \
--config tools/commitlint/commitlint.config.js \
--from $FIRST_COMMIT \
--to HEAD \
--help-url https://github.com/build-trust/.github/blob/main/CONTRIBUTING.md#commit-messages || \
(echo '
The commit with the above commit message does not follow the Ockam Commit Message Convention
https://github.com/build-trust/.github/blob/main/CONTRIBUTING.md#commit-messages
Our commits should have the following structure.
<type>(<scope>): <subject>
<BLANK LINE>
<body>
<BLANK LINE>
<footer>
Common errors to avoid:
1. The commit header <type>(<scope>): <subject> must be in lower case.
2. Allowed type values are: build, chore, ci, docs, feat, fix, refactor, style, test.
3. Allowed scope values are: c, elixir, typescript, rust.
4. Use the chore type as a last resort, prefer a more meaningful type.
5. Only feat, fix, refactor type commits are included in our changelog.
The linting rules are defined in:
https://github.com/build-trust/ockam/blob/develop/tools/commitlint/commitlint.config.js
More about the Ockam Commit Message Convention
https://github.com/build-trust/.github/blob/main/CONTRIBUTING.md#commit-messages
' && exit 1)
- name: Check If PR Author Made Changes Only To CONTRIBUTORS.csv
run: |
paths_updated=$(git diff --name-only origin/develop..HEAD)
if echo "$paths_updated" | grep $CONTRIBUTORS_CSV_PATH; then
# user has made changes to the CONTRIBUTORS.md file, we need to ensure that PR
# is only accepting the CLA
no_paths_updated=$(echo $paths_updated | wc -l)
if [[ $no_paths_updated -gt 1 ]]; then
echo "
We require that all contributors have accepted our Contributor License Agreement (CLA).
Please read the CLA and create a new pull request to accept the CLA by adding your Github details in a row at the end of the CONTRIBUTORS.csv file.
This new pull request must only change the CONTRIBUTORS.csv file.
CONTRIBUTORS.csv file is located at: $CONTRIBUTORS_CSV_PATH.
If you have any issues, please feel free to ask questions on this discussion thread https://github.com/build-trust/ockam/discussions/6112
" && exit 1
fi
fi
- name: Get Contributors List
run: |
mv $CONTRIBUTORS_CSV_PATH CONTRIBUTORS.csv
- name: Split Contributors List
shell: python
run: |
import csv
import re
import sys
contributors_github_usernames = []
contributors_emails = []
email_pattern = re.compile("<([^>]+)>")
with open('CONTRIBUTORS.csv', 'r') as f:
reader = csv.reader(f)
# skip the first row of headers
next(reader)
for line in reader:
contributors_github_usernames = contributors_github_usernames + line[1].split()
contributors_emails = contributors_emails + email_pattern.findall(line[3])
with open('CONTRIBUTORS_GITHUB_USERNAMES.txt', 'w') as f:
print('\n'.join(contributors_github_usernames), file=f)
with open('CONTRIBUTORS_EMAILS.txt', 'w') as f:
print('\n'.join(contributors_emails), file=f)
- name: Check Pull Request Sender has accepted Ockam CLA.
if: github.event_name == 'pull_request'
env:
PR_SENDER: ${{ github.event.pull_request.user.login }}
run: |
if grep -q -iF "$PR_SENDER" 'CONTRIBUTORS_GITHUB_USERNAMES.txt'; then
echo "[✓] Pull Request Sender $PR_SENDER has accepted the CLA."
else
echo "
$PR_SENDER, welcome to the Ockam community and thank you for sending this pull request ❤️.
Before we can merge, please accept our Contributor License Agreement (CLA).
1. Read the CLA at: https://github.com/build-trust/.github/blob/main/CLA.md
2. To accept the CLA, please create a different pull request indicating
that you accept the CLA by adding your Git/Github details in a row at the end of the
[CONTRIBUTORS.csv](https://github.com/build-trust/ockam/blob/develop/.github/CONTRIBUTORS.csv)
file.
We look forward to merging your first contribution!
"
exit 1
fi
- name: Check all commit authors co-authors and committers have accepted Ockam CLA.
run: |
set -x
commits=$(git rev-list --reverse $FIRST_COMMIT..HEAD)
commits=($FIRST_COMMIT ${commits[@]})
err=false
for commit in "${commits[@]}"
do
echo -e "\n---\nCommit: $commit"
author=$(git show -s --format='%ae' $commit)
echo "Author: $author"
co_authors=$(git show -s --format='%(trailers:key=Co-authored-by)' | grep -o -E '<[^>]+>' | sed 's/<//;s/>//' | tr '\n' ' ') || echo ''
if [ -n "$co_authors" ]; then
co_authors=($co_authors)
echo "Co-Authors: $co_authors"
fi
committer=$(git show -s --format='%ce' $commit)
echo "Committer: $committer"
if grep -q -iF "$author" 'CONTRIBUTORS_EMAILS.txt'; then
echo "[✓] $commit author $author has accepted the CLA."
else
echo -e "$commit commit author $author has not accepted the CLA."
err=true
fi
if [ -n "$co_authors" ]; then
for co_author in "${co_authors[@]}"
do
if grep -q -iF "$co_author" 'CONTRIBUTORS_EMAILS.txt'; then
echo "[✓] $commit co-author $co_author has accepted the CLA."
else
echo -e "$commit commit co-author $co_author has not accepted the CLA."
err=true
fi
done
fi
if grep -q -iF "$committer" 'CONTRIBUTORS_EMAILS.txt'; then
echo "[✓] $commit committer $committer has accepted the CLA."
else
echo -r "\nERROR:\n$commit committer $committer has not accepted the CLA"
err=true
fi
if [ "$err" = true ]; then
echo "
Before we can merge, please accept our Contributor License Agreement (CLA).
1. Read the CLA at: https://github.com/build-trust/.github/blob/main/CLA.md
2. To accept the CLA, please create a different pull request indicating
that you accept the CLA by adding your Git/Github details in a row at the end of the
[CONTRIBUTORS.csv](https://github.com/build-trust/ockam/blob/develop/.github/CONTRIBUTORS.csv)
file.
We look forward to merging your contribution!
"
exit 1
fi
done
- name: Get Developers List
run: |
gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/orgs/build-trust/members | jq -r '.[].login' > DEVELOPERS.csv
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Check all commits in are Verified by Github (Pull Request)
if: github.event_name == 'pull_request'
env:
PR_SENDER: ${{ github.event.pull_request.user.login }}
run: |
unverified=$(cat commits.json | jq --raw-output '.[] | [.sha, .commit.verification.verified] | @csv' | grep false || echo '')
if [ -z "$unverified" ]; then
echo '[✓] All commits in this pull request are Verified by Github.'
elif grep -q -i ^"$PR_SENDER"$ 'DEVELOPERS.csv'; then
echo "::warning:: [!] Some commits are unverified, ignoring them since pull request sender is a developer."
echo "$unverified"
else
echo '
We require that all commits in a pull request are signed and Verified by Github
Please read about signing commits at:
https://docs.github.com/en/authentication/managing-commit-signature-verification
ERROR: The following commits are not Verified by Github.
'
echo "$unverified"
exit 1
fi
lint_editorconfig:
name: All - lint_editorconfig
runs-on: ubuntu-20.04
container: # gitlab.com/greut/eclint
image: greut/eclint:v0.3.3@sha256:95e9a3dcbd236bae6569625cd403175cbde3705303774e7baca418b6442b8d77
steps:
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
with:
ref: ${{ github.event.inputs.commit_sha }}
- shell: sh
run: eclint -color=always
# Semgrep is a static analysis tool to lint code for patterns we want to forbid
# https://github.com/returntocorp/semgrep
lint_semgrep:
name: All - lint_semgrep
runs-on: ubuntu-20.04
container:
image: returntocorp/semgrep
steps:
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
with:
ref: ${{ github.event.inputs.commit_sha }}
- name: Run Semgrep
# .semgrepignore is not processed outside of working directory. See https://github.com/returntocorp/semgrep/issues/5669
run: |
mv tools/semgrep/.semgrepignore . & \
semgrep --verbose --config="r2c" --config="tools/semgrep/rules/example.yaml"