diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml index 7bdbe36..8b58d8d 100644 --- a/.github/workflows/compliance.yml +++ b/.github/workflows/compliance.yml @@ -59,11 +59,11 @@ jobs: id: range run: | set -euo pipefail - + # Use GitHub-provided SHAs to build the range for this push BEFORE="${{ github.event.before }}" AFTER="${{ github.sha }}" - + if [ "$BEFORE" = "0000000000000000000000000000000000000000" ] then # New branch or force push without previous SHA @@ -76,34 +76,42 @@ jobs: run: | set -euo pipefail missing="" - + while read -r sha do [ -n "$sha" ] || continue - + # Skip commits from bots committer_name=`git log --format=%cn -n 1 "$sha"` - if echo "$committer_name" | grep -Fq '[bot]' || [ "$committer_name" = "web-flow" ] + committer_email=`git log --format=%ce -n 1 "$sha"` + if echo "$committer_name" | grep -Fq '[bot]' \ + || [ "$committer_name" = "web-flow" ] \ + || echo "$committer_email" | grep -Eqi 'noreply@github\.com$|@users\.noreply\.github\.com$' then - echo "Skipping bot/web-flow commit $sha from $committer_name" + echo "Skipping commit $sha from $committer_name <$committer_email>" continue fi - + msg=`git log --format=%B -n 1 "$sha"` - + if ! printf '%s' "$msg" | grep -Eqi '^[[:space:]]*Signed[- ]off[- ]by:' then echo "Commit $sha missing Signed-off-by" missing="true" + + echo "Committer name: $committer_name" + echo "Committer email: $committer_email" + echo "github.actor: ${{ github.actor }}" + echo "github.event.pusher.name: ${{ github.event.pusher.name }}" fi done < shas.txt - + if [ "$missing" = "true" ] then echo "DCO check failed on push" exit 1 fi - + echo "All pushed commits are signed" CheckSignedOffPullRequest: @@ -130,7 +138,7 @@ jobs: set -euo pipefail gh --version jq --version - + # Fetch all commits of the PR with pagination and extract SHAs gh api -H "Accept: application/vnd.github+json" --paginate \ repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \ 
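Review bot: The new `@users\.noreply\.github\.com$` alternative in the skip condition of the push job (hunk `@@ -76,34 +76,42 @@`) matches the privacy address GitHub assigns to any account that hides its email, so commits from ordinary contributors using that address would hit `continue` and never reach the Signed-off-by test. The same condition is added to the pull-request job at `@@ -144,21 +152,29 @@`. If the intent is to exempt only bot accounts and GitHub's own web commits, narrow and anchor the pattern, for example `grep -Eqi '^noreply@github\.com$|\[bot\]@users\.noreply\.github\.com$'`. Committer name and email are free-form fields written by whoever creates the commit, so even the narrowed match is a convention rather than proof of origin; GitHub's signature verification status for the commit would be a stronger signal than a string match. The enclosing `run:` script starts before the hunk.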
@@ -144,21 +152,29 @@ jobs: while read -r sha do [ -n "$sha" ] || continue - + # Skip commits from bots committer_name=`git log --format=%cn -n 1 "$sha"` - if echo "$committer_name" | grep -Fq '[bot]' || [ "$committer_name" = "web-flow" ] + committer_email=`git log --format=%ce -n 1 "$sha"` + if echo "$committer_name" | grep -Fq '[bot]' \ + || [ "$committer_name" = "web-flow" ] \ + || echo "$committer_email" | grep -Eqi 'noreply@github\.com$|@users\.noreply\.github\.com$' then - echo "Skipping bot/web-flow commit $sha from $committer_name" + echo "Skipping commit $sha from $committer_name <$committer_email>" continue fi - + msg=`git log --format=%B -n 1 "$sha"` - + if ! printf '%s' "$msg" | grep -Eqi '^[[:space:]]*Signed[- ]off[- ]by:' then echo "Commit $sha missing Signed-off-by" missing="true" + + echo "Committer name: $committer_name" + echo "Committer email: $committer_email" + echo "github.actor: ${{ github.actor }}" + echo "github.event.pusher.name: ${{ github.event.pusher.name }}" fi done < shas.txt @@ -167,4 +183,4 @@ jobs: echo "DCO check failed"; exit 1 fi - echo "All commits are signed" \ No newline at end of file + echo "All commits are signed" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 97a31b6..f411468 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -27,4 +27,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: 'Dependency Review' - uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0 + uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a # v4.8.1
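Review bot: The diagnostic echoes added under `missing="true"` in the pull-request job (hunk `@@ -144,21 +152,29 @@`) splice `${{ github.actor }}` and `${{ github.event.pusher.name }}` directly into the shell script text instead of passing them in as environment variables. Setting them in the step's `env:` (for example `GH_ACTOR: ${{ github.actor }}`) and printing `echo "github.actor: $GH_ACTOR"` keeps event data out of the script source; the same applies to the identical echoes in the push job at `@@ -76,34 +76,42 @@`. In addition, `github.event.pusher` is part of the push payload, and this job appears to run on pull-request events (it reads `github.event.pull_request.number`), so the last echo would most likely print an empty value here. `github.event.pull_request.user.login` is the field that names who opened the PR. The step header that would carry `env:` lies outside the hunk.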