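---
# Workflow "All": commit-message linting, CLA enforcement, editorconfig and
# semgrep linting for the ockam repository.
name: All

# Least privilege: every job in this workflow only reads repository contents.
# The GITHUB_TOKEN handed to the `gh api` calls below is scoped accordingly.
permissions:
  contents: read

on:
  merge_group:
  pull_request:
  push:
    branches:
      - develop
  workflow_dispatch:
    inputs:
      commit_sha:
        description: Git commit sha, on which, to run this workflow
        # Optional: on non-dispatch events the jobs that pass this value to
        # `actions/checkout` see an empty string and fall back to the default ref.
        required: false
        type: string

# One run per workflow/ref/event; a newer run cancels the older in-flight one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
  cancel-in-progress: true

# Explicit `shell: bash` makes GitHub run every `run:` step with
# `bash --noprofile --norc -eo pipefail`, so failing pipelines fail the step.
defaults:
  run:
    shell: bash

jobs: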
lint_commits:
name: All - lint_commits
runs-on: ubuntu-20.04
# We assume that commit 2fd0d36fe6ae0c2d527368683ec3a6352617b381 will be in the history
# of all commits based on ockam develop branch
# https://github.com/build-trust/ockam/commit/2fd0d36fe6ae0c2d527368683ec3a6352617b381
env:
FIRST_COMMIT: 2fd0d36fe6ae0c2d527368683ec3a6352617b381
CONTRIBUTORS_CSV_PATH: .github/CONTRIBUTORS.csv
steps:
- name: Checkout
if: github.event_name != 'pull_request'
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
with:
fetch-depth: 0 # checkout full tree
- name: Checkout (Pull Request)
if: github.event_name == 'pull_request'
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
with:
fetch-depth: 0 # checkout full tree
ref: ${{ github.event.pull_request.head.sha }}
- name: Get commit information from Github (Pull Request)
if: github.event_name == 'pull_request'
run: gh api repos/build-trust/ockam/pulls/${{ github.event.number }}/commits > commits.json
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Set FIRST_COMMIT To Begin Linting (Pull Request)
if: github.event_name == 'pull_request'
run: |
pull_request_commits_length=$(cat commits.json | jq '. | length')
echo "Number of commits in pull requests are $pull_request_commits_length"
echo "FIRST_COMMIT=HEAD~${pull_request_commits_length}" >> $GITHUB_ENV
- name: Check FIRST_COMMIT is ancestor of HEAD
run: |
git merge-base --is-ancestor $FIRST_COMMIT HEAD || \
(echo "
This workflow checks that all commits follow the Ockam Commit Message Convention
https://github.com/build-trust/.github/blob/main/CONTRIBUTING.md#commit-messages
We check all commits from HEAD backwards till the commit with commit hash: ${FIRST_COMMIT}.
ERROR:
For this to work the commit with commit hash: ${FIRST_COMMIT} should be an ancestor of HEAD
but it seems this is not the case with the current HEAD.
Try rebasing to the develop branch of ockam.
https://github.com/build-trust/ockam/tree/develop
" && exit 1)
- name: Check no merge commits
run: |
merge_commit_count=$(git rev-list --no-walk --count --merges $FIRST_COMMIT..HEAD)
if [ "$merge_commit_count" != "0" ]; then
echo "
Our develop branch follows a linear history and cannot have merge commits.
Please rebase to develop.
" && exit 1
fi
- name: Install Commitlint
run: npm install --location=global @commitlint/[email protected] # TODO: move to ockam-builder docker image.
- name: Lint Commit Messages
run: |
npx commitlint \
--config tools/commitlint/commitlint.config.js \
--from $FIRST_COMMIT \
--to HEAD \
--help-url https://github.com/build-trust/.github/blob/main/CONTRIBUTING.md#commit-messages || \
(echo '
The commit with the above commit message does not follow the Ockam Commit Message Convention
https://github.com/build-trust/.github/blob/main/CONTRIBUTING.md#commit-messages
Our commits should have the following structure.
<type>(<scope>): <subject>
<BLANK LINE>
<body>
<BLANK LINE>
<footer>
Common errors to avoid:
1. The commit header <type>(<scope>): <subject> must be in lower case.
2. Allowed type values are: build, chore, ci, docs, feat, fix, refactor, style, test.
3. Allowed scope values are: c, elixir, typescript, rust.
4. Use the chore type as a last resort, prefer a more meaningful type.
5. Only feat, fix, refactor type commits are included in our changelog.
The linting rules are defined in:
https://github.com/build-trust/ockam/blob/develop/tools/commitlint/commitlint.config.js
More about the Ockam Commit Message Convention
https://github.com/build-trust/.github/blob/main/CONTRIBUTING.md#commit-messages
' && exit 1)
- name: Check If PR Author Made Changes Only To CONTRIBUTORS.csv
run: |
paths_updated=$(git diff --name-only origin/develop..HEAD)
if echo "$paths_updated" | grep $CONTRIBUTORS_CSV_PATH; then
# user has made changes to the CONTRIBUTORS.md file, we need to ensure that PR
# is only accepting the CLA
no_paths_updated=$(echo $paths_updated | wc -l)
if [[ $no_paths_updated -gt 1 ]]; then
echo "
We require that all contributors have accepted our Contributor License Agreement (CLA).
Please read the CLA and create a new pull request to accept the CLA by adding your Github details in a row at the end of the CONTRIBUTORS.csv file.
This new pull request must only change the CONTRIBUTORS.csv file.
CONTRIBUTORS.csv file is located at: $CONTRIBUTORS_CSV_PATH.
If you have any issues, please feel free to ask questions on this discussion thread https://github.com/build-trust/ockam/discussions/6112
" && exit 1
fi
fi
- name: Get Contributors List
run: |
mv $CONTRIBUTORS_CSV_PATH CONTRIBUTORS.csv
- name: Split Contributors List
shell: python
run: |
import csv
import re
import sys
contributors_github_usernames = []
contributors_emails = []
email_pattern = re.compile("<([^>]+)>")
with open('CONTRIBUTORS.csv', 'r') as f:
reader = csv.reader(f)
# skip the first row of headers
next(reader)
for line in reader:
contributors_github_usernames = contributors_github_usernames + line[1].split()
contributors_emails = contributors_emails + email_pattern.findall(line[3])
with open('CONTRIBUTORS_GITHUB_USERNAMES.txt', 'w') as f:
print('\n'.join(contributors_github_usernames), file=f)
with open('CONTRIBUTORS_EMAILS.txt', 'w') as f:
print('\n'.join(contributors_emails), file=f)
- name: Check Pull Request Sender has accepted Ockam CLA.
if: github.event_name == 'pull_request'
env:
PR_SENDER: ${{ github.event.pull_request.user.login }}
run: |
if grep -q -iF "$PR_SENDER" 'CONTRIBUTORS_GITHUB_USERNAMES.txt'; then
echo "[✓] Pull Request Sender $PR_SENDER has accepted the CLA."
else
echo "
$PR_SENDER, welcome to the Ockam community and thank you for sending this pull request ❤️.
Before we can merge, please accept our Contributor License Agreement (CLA).
1. Read the CLA at: https://github.com/build-trust/.github/blob/main/CLA.md
2. To accept the CLA, please create a different pull request indicating
that you accept the CLA by adding your Git/Github details in a row at the end of the
[CONTRIBUTORS.csv](https://github.com/build-trust/ockam/blob/develop/.github/CONTRIBUTORS.csv)
file.
We look forward to merging your first contribution!
"
exit 1
fi
- name: Check all commit authors co-authors and committers have accepted Ockam CLA.
run: |
set -x
commits=$(git rev-list --reverse $FIRST_COMMIT..HEAD)
commits=($FIRST_COMMIT ${commits[@]})
err=false
for commit in "${commits[@]}"
do
echo -e "\n---\nCommit: $commit"
author=$(git show -s --format='%ae' $commit)
echo "Author: $author"
co_authors=$(git show -s --format='%(trailers:key=Co-authored-by)' | grep -o -E '<[^>]+>' | sed 's/<//;s/>//' | tr '\n' ' ') || echo ''
if [ -n "$co_authors" ]; then
co_authors=($co_authors)
echo "Co-Authors: $co_authors"
fi
committer=$(git show -s --format='%ce' $commit)
echo "Committer: $committer"
if grep -q -iF "$author" 'CONTRIBUTORS_EMAILS.txt'; then
echo "[✓] $commit author $author has accepted the CLA."
else
echo -e "$commit commit author $author has not accepted the CLA."
err=true
fi
if [ -n "$co_authors" ]; then
for co_author in "${co_authors[@]}"
do
if grep -q -iF "$co_author" 'CONTRIBUTORS_EMAILS.txt'; then
echo "[✓] $commit co-author $co_author has accepted the CLA."
else
echo -e "$commit commit co-author $co_author has not accepted the CLA."
err=true
fi
done
fi
if grep -q -iF "$committer" 'CONTRIBUTORS_EMAILS.txt'; then
echo "[✓] $commit committer $committer has accepted the CLA."
else
echo -r "\nERROR:\n$commit committer $committer has not accepted the CLA"
err=true
fi
if [ "$err" = true ]; then
echo "
Before we can merge, please accept our Contributor License Agreement (CLA).
1. Read the CLA at: https://github.com/build-trust/.github/blob/main/CLA.md
2. To accept the CLA, please create a different pull request indicating
that you accept the CLA by adding your Git/Github details in a row at the end of the
[CONTRIBUTORS.csv](https://github.com/build-trust/ockam/blob/develop/.github/CONTRIBUTORS.csv)
file.
We look forward to merging your contribution!
"
exit 1
fi
done
- name: Get Developers List
run: |
gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/orgs/build-trust/members | jq -r '.[].login' > DEVELOPERS.csv
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Check all commits in are Verified by Github (Pull Request)
if: github.event_name == 'pull_request'
env:
PR_SENDER: ${{ github.event.pull_request.user.login }}
run: |
unverified=$(cat commits.json | jq --raw-output '.[] | [.sha, .commit.verification.verified] | @csv' | grep false || echo '')
if [ -z "$unverified" ]; then
echo '[✓] All commits in this pull request are Verified by Github.'
elif grep -q -i ^"$PR_SENDER"$ 'DEVELOPERS.csv'; then
echo "::warning:: [!] Some commits are unverified, ignoring them since pull request sender is a developer."
echo "$unverified"
else
echo '
We require that all commits in a pull request are signed and Verified by Github
Please read about signing commits at:
https://docs.github.com/en/authentication/managing-commit-signature-verification
ERROR: The following commits are not Verified by Github.
'
echo "$unverified"
exit 1
fi
lint_editorconfig:
name: All - lint_editorconfig
runs-on: ubuntu-20.04
container: # gitlab.com/greut/eclint
image: greut/eclint:v0.3.3@sha256:95e9a3dcbd236bae6569625cd403175cbde3705303774e7baca418b6442b8d77
steps:
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
with:
ref: ${{ github.event.inputs.commit_sha }}
- shell: sh
run: eclint -color=always
# Semgrep is a static analysis tool to lint code for patterns we want to forbid
# https://github.com/returntocorp/semgrep
lint_semgrep:
name: All - lint_semgrep
runs-on: ubuntu-20.04
container:
image: returntocorp/semgrep
steps:
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
with:
ref: ${{ github.event.inputs.commit_sha }}
- name: Run Semgrep
# .semgrepignore is not processed outside of working directory. See https://github.com/returntocorp/semgrep/issues/5669
run: |
mv tools/semgrep/.semgrepignore . & \
semgrep --verbose --config="r2c" --config="tools/semgrep/rules/example.yaml"