Commit

Merge branch 'main' into patch-1
florisvdg authored Sep 22, 2023
2 parents ab4922c + 0878d0e commit f26789b
Showing 2 changed files with 25 additions and 16 deletions.
26 changes: 20 additions & 6 deletions README.md
Expand Up @@ -6,20 +6,34 @@ A GitHub Action that checks the commits of the current PR and fails if it contai

```yml
name: Check signed commits in PR
on: pull_request
on: pull_request_target

jobs:
build:
name: Check signed commits in PR
check-signed-commits:
name: Check signed commits in PR
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- name: Check out code
uses: actions/checkout@v4

- name: Check signed commits in PR
uses: 1Password/check-signed-commits-action@v1
```
## `pull_request_target` vs. `pull_request`

Workflows containing this action can be configured to run both on [`pull_request`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request) events as on [`pull_request_target`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target) events.

The reason to prefer `pull_request_target` over `pull_request` is to allow the action to post comments on external PRs created from forks. The GitHub token that comes with the regular `pull_request` event does not support commenting on PRs in the upstream repo.

When using `pull_request_target`, make sure to set the right permissions in the workflow:

```yml
permissions:
contents: read
pull-requests: write
```

## Change PR Comment

The comment that will be placed in the PR upon detecting unsigned commits can be changed using the `comment` field:
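
Review bot: The new "`pull_request_target` vs. `pull_request`" section recommends the trigger without stating its security trade-off. `pull_request_target` runs in the context of the base repository, with a token that here is granted `pull-requests: write`, so the README should say explicitly that a workflow using this trigger must not check out or execute code from the PR head. The usage example above still shows a "Check out code" step (`uses: actions/checkout@v4`) in the rendered hunk; if it is kept, note that under `pull_request_target` it checks out the base branch by default, and since the action only queries the commits API it can be dropped from the example. Minor wording: "both on ... as on" should read "both on ... and on".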
15 changes: 5 additions & 10 deletions action.yml
Expand Up @@ -58,21 +58,16 @@ runs:
GITHUB_TOKEN: ${{ inputs.token }}
COMMENT_TEXT: ${{ inputs.comment }}
COMMENTS_URL: ${{ github.event.pull_request.comments_url }}
COMMITS_URL: ${{ github.event.pull_request.commits_url }}
run: |
# Escape double quotes and newlines
COMMENT_TEXT="$(echo "$COMMENT_TEXT" | sed 's/"/\\"/g' | awk '{printf "%s\\n", $0}')"
GITHUB_PR=$(echo $GITHUB_REF | sed -n 's/refs\/pull\/\([0-9]*\)\/merge/\1/p')
if [[ -z "$GITHUB_PR" ]]; then
echo "No PR found to scan for commits."
exit 0
fi
unsigned_commits="$(curl -s -H "Authorization: token $GITHUB_TOKEN" "${GITHUB_API_URL:-https://api.github.com}/repos/$GITHUB_REPOSITORY/pulls/$GITHUB_PR/commits" | jq '.[] | select(.commit.verification.verified == false) | .commit.message')"
unsigned_commits="$(curl -s -H "Authorization: token $GITHUB_TOKEN" "$COMMITS_URL" | jq '.[] | select(.commit.verification.verified == false) | .commit.message')"
if [[ -n "$unsigned_commits" ]]; then
echo "Found unsigned commits:"
echo "$unsigned_commits"
# Escape double quotes and newlines in comment
COMMENT_TEXT="$(echo "$COMMENT_TEXT" | sed 's/"/\\"/g' | awk '{printf "%s\\n", $0}')"
curl -X POST $COMMENTS_URL \
-H "Content-Type: application/json" \
-H "Authorization: token $GITHUB_TOKEN" \
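
Review bot: The new `curl -s ... "$COMMITS_URL" | jq ...` line has no failure handling, so the check can report success without having inspected any commit. `COMMITS_URL` is empty when the event carries no `pull_request` payload (the case the old `GITHUB_PR` guard covered), and with `-s` and no `--fail` an API error or empty URL leaves `unsigned_commits` empty unless the step's shell aborts on the pipeline error, which is not visible in this hunk. Suggest testing that `COMMITS_URL` is non-empty, adding `--fail` to curl, and exiting non-zero when the response is not a JSON array. The commits endpoint is also paginated (30 entries per page by default), so request `per_page=100` and follow further pages so that larger PRs are checked in full. Separately, `$COMMENTS_URL` in the `curl -X POST` line should be quoted like `"$COMMITS_URL"`.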
