-
Notifications
You must be signed in to change notification settings - Fork 1
/
action.yml
127 lines (116 loc) · 4.46 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
# This file's format:
#
# https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions
name: 'Authenticates a Merge Request'
description: >
Authenticates a merge request by checking that the commits are
authorized by the repository's signing policy.
author: 'Sequoia PGP'
inputs:
github_token:
description: 'GITHUB_TOKEN'
default: '${{ github.token }}'
comment:
description: >
Whether to post a comment.
If set to true or always, this posts a comment to the pull
request indicating whether the commits could be authenticated.
If set to on-error (the default), a comment is only posted if
the commits could not be authenticated.
If false or never, no comment is posted. The comment is
still available via the comment output variable, and in the
step's summary.
default: on-error
outputs:
comment:
description: >
The comment.
A comment explaining whether commits could be authenticated.
The comment is a JSON document with a single field, `body`.
value: ${{ steps.authenticate-commits-post.outputs.comment }}
runs:
using: "composite"
steps:
- uses: actions/checkout@v3
with:
# Fetch from the pull request's repository, not the target
# repository, which may not include the commits from the pull
# request.
repository: ${{ github.event.pull_request.head.repo.full_name }}
# But checkout the target, not the pull request.
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
- run: |
# As of now (2023-09), GitHub executes `docker run` with the
# following mount options:
#
# -v "/home/runner/work/_temp/_github_home":"/github/home"
# -v "/home/runner/work/_temp/_github_workflow":"/github/workflow"
# -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands"
# -v "/home/runner/work/authenticate-commits/authenticate-commits":"/github/workspace"
#
# https://github.com/actions/runner/blob/f6e9809/src/Runner.Worker/Handlers/ContainerActionHandler.cs#L194-L197
#
# That is, only a few things are mounted in the docker
# container, and that does not include the action's repository
# (which is checked out at ${{ github.action_path }}, aka,
# /home/runner/work/_actions).
#
# Copy the action repository to the "github home" directory.
# Unfortunately, the "github home" directory is not documented
# and not explicitly named by an environment variable or
# github expression. So, we do the best we can.
set -ex
mkdir -p "$RUNNER_TEMP/_github_home/"
if ! cp -av "${{ github.action_path }}" "$RUNNER_TEMP/_github_home/action"
then
echo Error copying action repository to github_home.
echo ::group::env
env | sort
echo ::endgroup::
echo ::group::RUNNER_TEMP
find "$RUNNER_TEMP"
echo ::endgroup::
exit 1
fi
shell: bash
- uses: docker://registry.gitlab.com/sequoia-pgp/sequoia-git:latest
env:
GITHUB_TOKEN: ${{ inputs.github_token }}
BASE_SHA: ${{ github.event.pull_request.base.sha }}
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
with:
entrypoint: '/bin/bash'
args: |
-c "# Be extra careful with quoting!!!
# Fix the workspace's permissions.
chown -R $(whoami) .
# Execute the script.
S=/github/home/action/src/authenticate-commits.sh
if ! test -e $S
then
# The file doesn't exist or is not executable.
echo $S does not exist or is not executable.
echo ::group::env
env | sort
echo ::endgroup
echo ::group::/github/home
find /github/home
echo ::endgroup
exit 1
else
bash $S
fi
"
# The sq-git image doesn't include curl or jq. So we do the
# processing separately.
- id: authenticate-commits-post
run: ${{ github.action_path }}/src/authenticate-commits-post.sh
env:
GITHUB_TOKEN: ${{ inputs.github_token }}
BASE_SHA: ${{ github.event.pull_request.base.sha }}
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
shell: bash
branding:
icon: 'arrow-up-right'
color: 'green'