ci: sync workflows from central-workflows #3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# SPDX-License-Identifier: Apache-2.0 | |
# This GitHub Actions workflow checks that all commits in a pull request (PR) have a "Signed-off-by" line to ensure Developer Certificate of Origin (DCO) compliance. | |
# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally. | |
name: DCO | |
# Trigger the workflow on pull request events | |
on: [pull_request] | |
jobs: | |
dco: | |
if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' | |
# Define the runner environment | |
runs-on: ubuntu-latest | |
steps: | |
# Step to check out the repository | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # Fetch all history for all branches to ensure complete commit history is available | |
- name: Set up environment variables | |
run: | | |
echo "BASE_BRANCH=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV | |
echo "HEAD_BRANCH=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV | |
# Step to check each commit in the pull request for a Signed-off-by line | |
- name: Check for DCO Sign-off | |
run: | | |
# Get the base branch and head branch of the pull request | |
base_branch=$BASE_BRANCH | |
head_branch=$HEAD_BRANCH | |
# Get the list of commit hashes between the head branch and base branch | |
commits=$(git log --pretty=format:%H origin/${head_branch}..origin/${base_branch}) | |
non_compliant_commits="" | |
# Loop through each commit and check for the Signed-off-by line | |
for commit in $commits; do | |
# Check if the commit message contains the Signed-off-by line | |
if ! git show --quiet --format=%B $commit | grep -q "^Signed-off-by: "; then | |
# If not, add the commit hash to the list of non-compliant commits | |
non_compliant_commits="$non_compliant_commits $commit" | |
fi | |
done | |
# If there are any non-compliant commits, output their hashes and fail the job | |
if [ -n "$non_compliant_commits" ]; then | |
echo "The following commits do not have a Signed-off-by line:" | |
for commit in $non_compliant_commits; do | |
echo "- $commit" | |
done | |
exit 1 | |
fi | |
shell: bash |