
Commit 0591eef

committed
Standardize YAML formatting across configuration files.
Signed-off-by: Alexander Adam <alphaone23@gmail.com>
1 parent 1b4e35b commit 0591eef

4 files changed

Lines changed: 199 additions & 197 deletions


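--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -16,9 +16,11 @@ name: "CodeQL"
 
 on:
 push:
-branches: [ "master" ]
+branches:
+- master
 pull_request:
-branches: [ "master" ]
+branches:
+- master
 schedule:
 - cron: '28 4 * * 2'
 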
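--- a/.github/workflows/compliance.yml
+++ b/.github/workflows/compliance.yml
@@ -6,10 +6,10 @@ name: Compliance Checks
 on:
 push:
 branches:
-- master
+- master
 pull_request:
 branches:
-- master
+- master
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -37,82 +37,82 @@ jobs:
 
 CheckSignedOffCommit:
 if: >
-github.event_name == 'push' &&
-!contains(github.actor, '[bot]') &&
-!contains(github.event.pusher.name, '[bot]') &&
-github.event.pusher.name != 'web-flow'
+github.event_name == 'push' &&
+!contains(github.actor, '[bot]') &&
+!contains(github.event.pusher.name, '[bot]') &&
+github.event.pusher.name != 'web-flow'
 runs-on: ubuntu-latest
 permissions:
 contents: read
 steps:
-- name: Harden Runner
-uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
-with:
-egress-policy: audit
-
-- name: Checkout
-uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-with:
-fetch-depth: 0
-
-- name: Determine pushed commits
-id: range
-run: |
-set -euo pipefail
-
-# Use GitHub-provided SHAs to build the range for this push
-BEFORE="${{ github.event.before }}"
-AFTER="${{ github.sha }}"
-
-if [ "$BEFORE" = "0000000000000000000000000000000000000000" ]
-then
-# New branch or force push without previous SHA
-git rev-list --no-merges "$AFTER" > shas.txt
-else
-git rev-list --no-merges "$BEFORE".."$AFTER" > shas.txt
-fi
-
-- name: Check for Signed-off-by
-run: |
-set -euo pipefail
-missing=""
-
-while read -r sha
-do
-[ -n "$sha" ] || continue
-
-# Skip commits from bots
-committer_name=`git log --format=%cn -n 1 "$sha"`
-committer_email=`git log --format=%ce -n 1 "$sha"`
-if echo "$committer_name" | grep -Fq '[bot]' \
-|| [ "$committer_name" = "web-flow" ] \
-|| echo "$committer_email" | grep -Eqi 'noreply@github\.com$|@users\.noreply\.github\.com$'
-then
-echo "Skipping commit $sha from $committer_name <$committer_email>"
-continue
-fi
-
-msg=`git log --format=%B -n 1 "$sha"`
-
-if ! printf '%s' "$msg" | grep -Eqi '^[[:space:]]*Signed[- ]off[- ]by:'
-then
-echo "Commit $sha missing Signed-off-by"
-missing="true"
-
-echo "Committer name: $committer_name"
-echo "Committer email: $committer_email"
-echo "github.actor: ${{ github.actor }}"
-echo "github.event.pusher.name: ${{ github.event.pusher.name }}"
-fi
-done < shas.txt
-
-if [ "$missing" = "true" ]
-then
-echo "DCO check failed on push"
-exit 1
-fi
-
-echo "All pushed commits are signed"
+- name: Harden Runner
+uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+with:
+egress-policy: audit
+
+- name: Checkout
+uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+with:
+fetch-depth: 0
+
+- name: Determine pushed commits
+id: range
+run: |
+set -euo pipefail
+
+# Use GitHub-provided SHAs to build the range for this push
+BEFORE="${{ github.event.before }}"
+AFTER="${{ github.sha }}"
+
+if [ "$BEFORE" = "0000000000000000000000000000000000000000" ]
+then
+# New branch or force push without previous SHA
+git rev-list --no-merges "$AFTER" > shas.txt
+else
+git rev-list --no-merges "$BEFORE".."$AFTER" > shas.txt
+fi
+
+- name: Check for Signed-off-by
+run: |
+set -euo pipefail
+missing=""
+
+while read -r sha
+do
+[ -n "$sha" ] || continue
+
+# Skip commits from bots
+committer_name=`git log --format=%cn -n 1 "$sha"`
+committer_email=`git log --format=%ce -n 1 "$sha"`
+if echo "$committer_name" | grep -Fq '[bot]' \
+|| [ "$committer_name" = "web-flow" ] \
+|| echo "$committer_email" | grep -Eqi 'noreply@github\.com$|@users\.noreply\.github\.com$'
+then
+echo "Skipping commit $sha from $committer_name <$committer_email>"
+continue
+fi
+
+msg=`git log --format=%B -n 1 "$sha"`
+
+if ! printf '%s' "$msg" | grep -Eqi '^[[:space:]]*Signed[- ]off[- ]by:'
+then
+echo "Commit $sha missing Signed-off-by"
+missing="true"
+
+echo "Committer name: $committer_name"
+echo "Committer email: $committer_email"
+echo "github.actor: ${{ github.actor }}"
+echo "github.event.pusher.name: ${{ github.event.pusher.name }}"
+fi
+done < shas.txt
+
+if [ "$missing" = "true" ]
+then
+echo "DCO check failed on push"
+exit 1
+fi
+
+echo "All pushed commits are signed"
 
 CheckSignedOffPullRequest:
 if: github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'bypass-dco')
@@ -124,25 +124,25 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
-egress-policy: audit
+egress-policy: audit
 
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
-fetch-depth: 0
+fetch-depth: 0
 
 - name: Get PR commits
 env:
-GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
-set -euo pipefail
-gh --version
-jq --version
-
-# Fetch all commits of the PR with pagination and extract SHAs
-gh api -H "Accept: application/vnd.github+json" --paginate \
-repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \
-| jq -r '.[].sha' > shas.txt
+set -euo pipefail
+gh --version
+jq --version
+
+# Fetch all commits of the PR with pagination and extract SHAs
+gh api -H "Accept: application/vnd.github+json" --paginate \
+repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \
+| jq -r '.[].sha' > shas.txt
 
 - name: Check for Signed-off-by
 run: |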

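--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,7 +6,7 @@ name: Release
 on:
 release:
 types:
-- published
+- published
 
 permissions: read-all
 
@@ -20,36 +20,36 @@ jobs:
 contents: write
 runs-on: ubuntu-latest
 steps:
-- name: Harden Runner
-uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
-with:
-egress-policy: audit
-
-- name: Checkout
-uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-with:
-fetch-depth: 0
-ref: ${{ github.event.release.tag_name }}
-
-- name: Generate source archive
-shell: bash
-run: |
-set -euo pipefail
-
-TAG=`echo "${{ github.event.release.tag_name }}" | sed 's/\//-/g'`
-git archive \
---format=tar.gz \
---prefix="geany-src-${TAG}/" \
---output="geany-src-${TAG}.tar.gz" \
-"${{ github.event.release.tag_name }}"
-
-- name: Upload Release (via GitHub CLI)
-env:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-shell: bash
-run: |
-set -euo pipefail
-gh release upload "${{ github.event.release.tag_name }}" geany-src-*.tar.gz --clobber
+- name: Harden Runner
+uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+with:
+egress-policy: audit
+
+- name: Checkout
+uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+with:
+fetch-depth: 0
+ref: ${{ github.event.release.tag_name }}
+
+- name: Generate source archive
+shell: bash
+run: |
+set -euo pipefail
+
+TAG=`echo "${{ github.event.release.tag_name }}" | sed 's/\//-/g'`
+git archive \
+--format=tar.gz \
+--prefix="geany-src-${TAG}/" \
+--output="geany-src-${TAG}.tar.gz" \
+"${{ github.event.release.tag_name }}"
+
+- name: Upload Release (via GitHub CLI)
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+shell: bash
+run: |
+set -euo pipefail
+gh release upload "${{ github.event.release.tag_name }}" geany-src-*.tar.gz --clobber
 
 ChecksumReleaseAssets:
 needs: Build
@@ -58,46 +58,46 @@ jobs:
 outputs:
 hashBase64File: ${{ steps.hashes.outputs.handle }}
 steps:
-- name: Harden Runner
-uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
-with:
-egress-policy: audit
-
-- name: Checkout
-uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-with:
-fetch-depth: 1
-
-- name: Download all release assets via GitHub CLI
-env:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-run: |
-set -euo pipefail
-
-mkdir -p release-assets
-cd release-assets
-# gets all assets of the release
-gh release download "${{ github.event.release.tag_name }}" --clobber
-echo "Downloaded assets:"
-ls -lah
-
-- name: Generate Checksums
-working-directory: release-assets
-run: |
-set -euo pipefail
-
-# Robustly hash all regular files in this directory, then base64 and write via tee.
-LC_ALL=C find . -maxdepth 1 -type f -printf '%P\0' \
-| sort -z \
-| xargs -0 sha256sum -- \
-| base64 -w0 \
-> check.sha256
-
-- name: Upload Checksums
-id: hashes
-uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # 2.1.0
-with:
-path: release-assets/check.sha256
+- name: Harden Runner
+uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+with:
+egress-policy: audit
+
+- name: Checkout
+uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+with:
+fetch-depth: 1
+
+- name: Download all release assets via GitHub CLI
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: |
+set -euo pipefail
+
+mkdir -p release-assets
+cd release-assets
+# gets all assets of the release
+gh release download "${{ github.event.release.tag_name }}" --clobber
+echo "Downloaded assets:"
+ls -lah
+
+- name: Generate Checksums
+working-directory: release-assets
+run: |
+set -euo pipefail
+
+# Robustly hash all regular files in this directory, then base64 and write via tee.
+LC_ALL=C find . -maxdepth 1 -type f -printf '%P\0' \
+| sort -z \
+| xargs -0 sha256sum -- \
+| base64 -w0 \
+> check.sha256
+
+- name: Upload Checksums
+id: hashes
+uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # 2.1.0
+with:
+path: release-assets/check.sha256
 
 AssetProvenance:
 permissions: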
