fix(workflow): fix DCO check

[derekbit]

Which issue(s) this PR fixes:

Issue longhorn/longhorn#10193

What this PR does / why we need it:

Use head commit's author name and email as committer's information.

Special notes for your reviewer:

Additional documentation or context

[coderabbitai]

Walkthrough

The pull request modifies the GitHub Actions workflow file for creating a pull request in the Longhorn repository. Two new steps are introduced to dynamically retrieve the head commit's author name and email. The "Create Pull Request" step is updated to use these dynamically obtained commit author details instead of hardcoded values, ensuring more accurate representation of the commit's authorship information.

Changes

File	Change Summary
.github/workflows/create-crd-update-pr-in-longhorn-repo.yml	Added two new steps: "Get Head Commit Name" and "Get Head Commit Email" to dynamically retrieve commit author details. Modified "Create Pull Request" step to use these dynamic values for author and committer fields.

Assessment against linked issues

Objective	Addressed	Explanation
Automate CRDs and manifests patching PR creation [#10193]	❌	The PR does not address the automation of patching CRDs and manifests as specified in the issue.

Possibly related PRs

• fix(workflow): fix branch name #3504: Modifies the same workflow file, changing the "Create Pull Request" step.
• fix(workflow): fix create-crd-update-pr-in-longhorn-repo.yml #3509: Updates the workflow file with changes to job structure and committer details.

Suggested reviewers

• innobead

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 947cd35 and 0427098.

📒 Files selected for processing (1)

• .github/workflows/create-crd-update-pr-in-longhorn-repo.yml (2 hunks)

🧰 Additional context used

🪛 actionlint (1.7.4)

.github/workflows/create-crd-update-pr-in-longhorn-repo.yml

42-42: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)

---

46-46: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)

⏰ Context from checks skipped due to timeout of 90000ms (2)

• GitHub Check: Build binaries
• GitHub Check: Summary

🔇 Additional comments (2)

.github/workflows/create-crd-update-pr-in-longhorn-repo.yml (2)

40-47: Update implementation to use current GitHub Actions syntax and handle edge cases.

The implementation needs improvements in the following areas:

1. The set-output command is deprecated
2. The git log commands need proper error handling
3. Repository context needs to be considered

This was previously flagged in an earlier review. Please refer to the existing comment for the detailed fix.

🧰 Tools

🪛 actionlint (1.7.4)

42-42: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)

---

46-46: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)

---

57-58: LGTM! Consider adding email validation.

The change to use the commit author's details for both author and committer fields is a good approach to fix the DCO check. However, consider validating the email format to ensure it's well-formed.

Here's a script to validate the email format:

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fd68c49 and 947cd35.

📒 Files selected for processing (1)

• .github/workflows/create-crd-update-pr-in-longhorn-repo.yml (2 hunks)

🧰 Additional context used

🪛 actionlint (1.7.4)

.github/workflows/create-crd-update-pr-in-longhorn-repo.yml

42-42: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)

---

46-46: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)

⏰ Context from checks skipped due to timeout of 90000ms (2)

• GitHub Check: Build binaries
• GitHub Check: Summary

🔇 Additional comments (2)

.github/workflows/create-crd-update-pr-in-longhorn-repo.yml (2)

57-58: LGTM! The changes correctly implement the DCO requirements.

The implementation properly uses the commit author's details for both author and committer fields, which aligns with the PR objective to fix the DCO check. The combination with sign-commits: true and signoff: true ensures proper commit signing.

---

Line range hint 3-7: Verify the security implications of using pull_request_target.

The workflow uses pull_request_target which runs with repository secrets. While this is necessary for creating PRs with tokens, please ensure that:

1. The workflow doesn't execute any code from the PR
2. The CRDs and manifests are fetched from the master branch of longhorn-manager, not the PR branch

✅ Verification successful

The workflow's security implementation for pull_request_target is correct

The workflow follows security best practices:

• Only runs after PR is merged to master
• Fetches CRDs directly from the master branch of longhorn-manager
• Executes only trusted scripts from the base branch
• Uses PR content only for metadata (PR number, title)
• Properly scopes repository secrets for creating update PRs

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that the workflow only uses trusted sources

# Check if the workflow fetches content from trusted sources
rg -l 'curl.*\$\{.*\}' .github/workflows/
rg -l 'wget.*\$\{.*\}' .github/workflows/

# Check if the workflow executes any potentially untrusted code
rg -l 'eval.*\$\{.*\}' .github/workflows/
rg -l 'source.*\$\{.*\}' .github/workflows/

Length of output: 177

---

Script:

#!/bin/bash
# Get the complete workflow content
cat .github/workflows/create-crd-update-pr-in-longhorn-repo.yml

# Search for actions/checkout usage in the workflow
rg "uses: actions/checkout@" .github/workflows/create-crd-update-pr-in-longhorn-repo.yml -A 5

# Search for any references to PR context or SHA
rg "github\.(event|sha|ref)" .github/workflows/create-crd-update-pr-in-longhorn-repo.yml

Length of output: 3570

🧰 Tools

🪛 actionlint (1.7.4)

42-42: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)

---

46-46: workflow command "set-output" was deprecated. use echo "{name}={value}" >> $GITHUB_OUTPUT instead: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions

(deprecated-commands)

[innobead]

Do we know why the bot account with sign is not valid for DCO check?

[derekbit]

I have no idea for now. Although I set the committer and author to Longhorn bot, the longhorn/longhorn PR will be created by the author of the longhorn/longhorn-manager PR rather than the Longhorn bot when triggering the workflow by pull_request_target. However, using the author of the longhorn/longhorn-manager PR might make sense.