bookstack-mcp/.github/workflows/dco.yml at main · paradoxbound/bookstack-mcp · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
name: DCO Check

on:
  pull_request:
    branches: [main]

permissions:
  contents: read
  pull-requests: read

jobs:
  dco:
    name: DCO sign-off
    runs-on: ubuntu-latest

    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

      - name: Check all commits for Signed-off-by
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const commits = await github.rest.pulls.listCommits({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.issue.number,
              per_page: 100,
            });

            const unsigned = commits.data.filter(({ commit }) =>
              !commit.message.includes('Signed-off-by:')
            );

            if (unsigned.length > 0) {
              const list = unsigned
                .map(({ sha, commit }) => `  - ${sha.slice(0, 7)}: ${commit.message.split('\n')[0]}`)
                .join('\n');
              core.setFailed(
                `${unsigned.length} commit(s) missing a DCO Signed-off-by line:\n${list}\n\n` +
                `Please add 'Signed-off-by: Your Name <your@email.com>' to each commit.\n` +
                `Use 'git commit -s' to sign off automatically, or 'git rebase --signoff HEAD~N' to fix existing commits.`
              );
            } else {
              console.log(`All ${commits.data.length} commit(s) have a valid DCO sign-off.`);
            }