From 8816e8c53191c8a7227bf83b66b9d0bef6d3c97b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Oct 2025 19:25:04 +0000 Subject: [PATCH 1/2] Bump actions/dependency-review-action from 4.8.0 to 4.8.1 Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.8.0 to 4.8.1. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/56339e523c0409420f6c2c9a2f4292bbb3c07dd3...40c09b7dc99638e5ddb0bfd91c1673effc064d8a) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-version: 4.8.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 97a31b6..f411468 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -27,4 +27,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: 'Dependency Review' - uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0 + uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a # v4.8.1 From 74020a11b9caabf4dbe1c398a5c04b9ff3cef420 Mon Sep 17 00:00:00 2001 From: Alexander Adam Date: Mon, 13 Oct 2025 22:02:21 +0200 Subject: [PATCH 2/2] Refined compliance checks. Signed-off-by: Alexander Adam --- .github/workflows/compliance.yml | 50 +++++++++++++++++++++----------- 1 file changed, 33 insertions(+), 17 deletions(-) diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml index 7bdbe36..8b58d8d 100644 --- a/.github/workflows/compliance.yml 
+++ b/.github/workflows/compliance.yml @@ -59,11 +59,11 @@ jobs: id: range run: | set -euo pipefail - + # Use GitHub-provided SHAs to build the range for this push BEFORE="${{ github.event.before }}" AFTER="${{ github.sha }}" - + if [ "$BEFORE" = "0000000000000000000000000000000000000000" ] then # New branch or force push without previous SHA @@ -76,34 +76,42 @@ jobs: run: | set -euo pipefail missing="" - + while read -r sha do [ -n "$sha" ] || continue - + # Skip commits from bots committer_name=`git log --format=%cn -n 1 "$sha"` - if echo "$committer_name" | grep -Fq '[bot]' || [ "$committer_name" = "web-flow" ] + committer_email=`git log --format=%ce -n 1 "$sha"` + if echo "$committer_name" | grep -Fq '[bot]' \ + || [ "$committer_name" = "web-flow" ] \ + || echo "$committer_email" | grep -Eqi 'noreply@github\.com$|@users\.noreply\.github\.com$' then - echo "Skipping bot/web-flow commit $sha from $committer_name" + echo "Skipping commit $sha from $committer_name <$committer_email>" continue fi - + msg=`git log --format=%B -n 1 "$sha"` - + if ! printf '%s' "$msg" | grep -Eqi '^[[:space:]]*Signed[- ]off[- ]by:' then echo "Commit $sha missing Signed-off-by" missing="true" + + echo "Committer name: $committer_name" + echo "Committer email: $committer_email" + echo "github.actor: ${{ github.actor }}" + echo "github.event.pusher.name: ${{ github.event.pusher.name }}" fi done < shas.txt - + if [ "$missing" = "true" ] then echo "DCO check failed on push" exit 1 fi - + echo "All pushed commits are signed" CheckSignedOffPullRequest: @@ -130,7 +138,7 @@ jobs: set -euo pipefail gh --version jq --version - + # Fetch all commits of the PR with pagination and extract SHAs gh api -H "Accept: application/vnd.github+json" --paginate \ repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \ 
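Review bot: The new committer-email exemption in the push job (`committer_email=\`git log --format=%ce -n 1 "$sha"\`` feeding `grep -Eqi 'noreply@github\.com$|@users\.noreply\.github\.com$'`) widens a skip that is keyed entirely on commit metadata, which whoever pushes sets locally via `git config`, so a commit can fall outside the Signed-off-by requirement simply by carrying a matching committer address; the identical branch is added in the @@ -144 hunk of the pull-request job. Consider gating the exemption on something the pusher does not control — cross-checking the commit against the event payload's committer login, or requiring a verified signature (`git log --format=%G? -n 1 "$sha"`, if the runner trusts the platform's key) — and at least stating the assumption above the condition: `# NOTE: name/email exemptions are best-effort; committer metadata is self-asserted, not authenticated`. Separately, the added diagnostics interpolate `${{ github.actor }}` and `${{ github.event.pusher.name }}` straight into the `run:` script; GitHub's hardening guidance is to pass expression values through `env:` (e.g. `ACTOR: ${{ github.actor }}` then `echo "github.actor: $ACTOR"`) so the shell never parses their contents, even though usernames have a restricted charset today. The enclosing `run:` step's header lies outside the hunk.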
@@ -144,21 +152,29 @@ jobs: while read -r sha do [ -n "$sha" ] || continue - + # Skip commits from bots committer_name=`git log --format=%cn -n 1 "$sha"` - if echo "$committer_name" | grep -Fq '[bot]' || [ "$committer_name" = "web-flow" ] + committer_email=`git log --format=%ce -n 1 "$sha"` + if echo "$committer_name" | grep -Fq '[bot]' \ + || [ "$committer_name" = "web-flow" ] \ + || echo "$committer_email" | grep -Eqi 'noreply@github\.com$|@users\.noreply\.github\.com$' then - echo "Skipping bot/web-flow commit $sha from $committer_name" + echo "Skipping commit $sha from $committer_name <$committer_email>" continue fi - + msg=`git log --format=%B -n 1 "$sha"` - + if ! printf '%s' "$msg" | grep -Eqi '^[[:space:]]*Signed[- ]off[- ]by:' then echo "Commit $sha missing Signed-off-by" missing="true" + + echo "Committer name: $committer_name" + echo "Committer email: $committer_email" + echo "github.actor: ${{ github.actor }}" + echo "github.event.pusher.name: ${{ github.event.pusher.name }}" fi done < shas.txt @@ -167,4 +183,4 @@ jobs: echo "DCO check failed"; exit 1 fi - echo "All commits are signed" \ No newline at end of file + echo "All commits are signed"
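Review bot: The added `echo "github.event.pusher.name: ${{ github.event.pusher.name }}"` sits in what appears to be the pull-request job (its `shas.txt` comes from `gh api .../pulls/.../commits` in the preceding hunk), and `pull_request` event payloads carry no `pusher` object, so the expression expands to an empty string and this diagnostic always prints a blank value. Either drop the line here or print a field that exists for this event, e.g. `echo "github.event.pull_request.user.login: ${{ github.event.pull_request.user.login }}"`. The enclosing `run:` block begins before this hunk.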