From 5a69e80cacffbf8870124e61e593c8d3b40ff398 Mon Sep 17 00:00:00 2001
From: Michaela Laurencin <35157522+mlaurencin@users.noreply.github.com>
Date: Tue, 31 Mar 2026 04:30:47 -0400
Subject: [PATCH] ci: add functionality for programmatic add/remove needs-signed-commits label (#50316) (#50587)

* remove comment based label removal
* ci: add functionality for programmatic add/remove needs-signed-commits label
* add new line to pull-request-opened-synchronized
---
 .github/workflows/build.yml | 27 ++++++++++++++
 .../pull-request-opened-synchronized.yml | 35 +++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 .github/workflows/pull-request-opened-synchronized.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f4081658cc..03e1443277 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -431,3 +431,30 @@ jobs:
 - name: GitHub Actions Jobs Done
 run: |
 echo "All GitHub Actions Jobs are done"
+
+ check-signed-commits:
+ name: Check signed commits in green PR
+ needs: gha-done
+ if: ${{ contains(github.event.pull_request.labels.*.name, 'needs-signed-commits')}}
+ runs-on: ubuntu-slim
+ permissions:
+ contents: read
+ pull-requests: write
+ steps:
+ - name: Check signed commits in PR
+ uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1
+ with:
+ comment: |
+ ⚠️ This PR contains unsigned commits. This repository enforces [commit signatures](https://docs.github.com/en/authentication/managing-commit-signature-verification)
+ for all incoming PRs. To get your PR merged, please sign those commits
+ (`git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}`) and force push them to this branch
+ (`git push --force-with-lease`)
+
+ For more information on signing commits, see GitHub's documentation on [Telling Git about your signing key](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key).
+
+ - name: Remove needs-signed-commits label
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ run: |
+ gh pr edit $PR_URL --remove-label needs-signed-commits
diff --git a/.github/workflows/pull-request-opened-synchronized.yml b/.github/workflows/pull-request-opened-synchronized.yml
new file mode 100644
index 0000000000..d139817162
--- /dev/null
+++ b/.github/workflows/pull-request-opened-synchronized.yml
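Review bot: Whether the `Remove needs-signed-commits label` step in build.yml can write at all depends on the workflow's trigger, which is outside this hunk. If build.yml runs on `pull_request`, GitHub normally hands fork PRs a read-only `GITHUB_TOKEN` regardless of the `pull-requests: write` declared on the job, so `gh pr edit` would fail for the external contributions this label is aimed at. It is worth confirming the trigger and recording it above the job, for example `# needs a write-scoped token; fork PRs on pull_request get a read-only one`. As a style point, quote the variable in `gh pr edit "$PR_URL" --remove-label needs-signed-commits`; the same applies to the `--add-label` line in pull-request-opened-synchronized.yml.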
@@ -0,0 +1,35 @@
+name: Pull Request Opened/Synchronized
+
+on:
+ pull_request_target:
+ types: [opened, synchronize]
+
+permissions: {}
+
+jobs:
+ check-signed-commits:
+ name: Check signed commits in PR
+ if: ${{ !contains(github.event.pull_request.labels.*.name, 'needs-signed-commits')}}
+ runs-on: ubuntu-slim
+ permissions:
+ contents: read
+ pull-requests: write
+ steps:
+ - name: Check signed commits in PR
+ uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1
+ with:
+ comment: |
+ ⚠️ This PR contains unsigned commits. This repository enforces [commit signatures](https://docs.github.com/en/authentication/managing-commit-signature-verification)
+ for all incoming PRs. To get your PR merged, please sign those commits
+ (`git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}`) and force push them to this branch
+ (`git push --force-with-lease`)
+
+ For more information on signing commits, see GitHub's documentation on [Telling Git about your signing key](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key).
+
+ - name: Add needs-signed-commits label
+ if: ${{ failure() }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ run: |
+ gh pr edit $PR_URL --add-label needs-signed-commits
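Review bot: The new workflow does not record why `pull_request_target` is safe here: the job receives a `pull-requests: write` token in the base repository's context, and that is acceptable only because no step checks out or runs code from the PR head. A comment above `on:` would protect that invariant against later edits, for example `# pull_request_target: write-scoped token; never check out or execute PR head code in this workflow`. Also, `if: ${{ failure() }}` on the label step is true for any failure of the check step, so an action or API error would presumably label the PR as well. Once the label is present this job is skipped by its own `if:`, which leaves removal to the build.yml job.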