mirror of
https://github.com/electron/electron.git
synced 2026-04-10 03:01:51 -04:00
The needs-signed-commits label was previously added by the lightweight synchronize workflow but only removed by a job in build.yml gated on `gha-done`, which requires every macOS/Linux/Windows build to finish green. That made label removal both slow (waits on the full pipeline) and fragile (any unrelated build failure leaves the label pinned even after commits are properly signed). Drop the `if` guard on the synchronize job so it re-evaluates signing on every push, and add a removal step that runs on success when the label is present. Force-pushing signed commits now clears the label as soon as the check completes, with no dependency on the build pipeline.
47 lines
2.0 KiB
YAML
name: Pull Request Opened/Synchronized

on:
  pull_request_target:
    types: [opened, synchronize]

# SECURITY: This workflow uses pull_request_target and has access to secrets.
# Do NOT checkout or run code from the PR head. All code execution must use
# the base branch only. Adding a ref to PR head would expose secrets to
# untrusted code.
permissions: {}

jobs:
  check-signed-commits:
    name: Check signed commits in PR
    runs-on: ubuntu-slim
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Check signed commits in PR
        uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1
        with:
          comment: |
            ⚠️ This PR contains unsigned commits. This repository enforces [commit signatures](https://docs.github.com/en/authentication/managing-commit-signature-verification)
            for all incoming PRs. To get your PR merged, please sign those commits
            (`git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}`) and force push them to this branch
            (`git push --force-with-lease`)

            For more information on signing commits, see GitHub's documentation on [Telling Git about your signing key](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key).

      - name: Add needs-signed-commits label
        if: ${{ failure() }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          gh pr edit $PR_URL --add-label needs-signed-commits

      - name: Remove needs-signed-commits label
        if: ${{ success() && contains(github.event.pull_request.labels.*.name, 'needs-signed-commits') }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          gh pr edit $PR_URL --remove-label needs-signed-commits
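
The SECURITY comment in this workflow states an invariant that a review-time lint can enforce. The following is an added example, not part of the Electron repository: `lint_workflow`, `SAFE` and `UNSAFE` are hypothetical names, the `actions/checkout@v4` step is constructed for illustration, and the scan is a line-based heuristic that assumes `uses:` appears before `ref:` within a step.

```python
import re

# Refs that resolve to untrusted PR head (or merge) code.
HEAD_REF = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref|refs/pull/")
CHECKOUT = re.compile(r"^\s*(-\s*)?uses:\s*actions/checkout@")
REF_KEY = re.compile(r"^\s*ref:\s*(.+)$")
TRIGGER = re.compile(r"^\s*(on:.*|-\s*)?pull_request_target\b")

def strip_comment(line):
    # Naive: treats '#' at line start or after whitespace as a comment.
    return re.sub(r"(^|\s)#.*$", "", line)

def lint_workflow(text):
    """Return [(line_no, text)] for checkout steps that pin ref to the PR head."""
    lines = [strip_comment(l) for l in text.splitlines()]
    if not any(TRIGGER.match(l) for l in lines):
        return []  # not a pull_request_target workflow
    findings, in_checkout = [], False
    for no, line in enumerate(lines, 1):
        if line.strip().startswith("- "):
            in_checkout = False  # a new step begins
        if CHECKOUT.match(line):
            in_checkout = True
        m = REF_KEY.match(line)
        if in_checkout and m and HEAD_REF.search(m.group(1)):
            findings.append((no, line.strip()))
    return findings

# Constructed samples. SAFE follows the shape of the workflow on this page.
SAFE = """\
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: {}
jobs:
  check-signed-commits:
    steps:
      - name: Check signed commits in PR
        uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1
"""
UNSAFE = SAFE + """\
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""

if __name__ == "__main__":
    print(lint_workflow(SAFE), lint_workflow(UNSAFE))
```

The same steps under a plain `pull_request` trigger are not flagged, because that trigger does not grant the secrets access the SECURITY comment refers to.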