diff --git a/.github/workflows/evict_caches.yml b/.github/workflows/evict_caches.yml index bf745d2..38a8c43 100644 --- a/.github/workflows/evict_caches.yml +++ b/.github/workflows/evict_caches.yml @@ -13,7 +13,7 @@ jobs: shell: bash steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 @@ -44,16 +44,7 @@ jobs: Dispatch-Trailer: {"type":"')) name: Check we don't have Dispatch-Trailer on a protected branch run: |- - echo "github.event.head_commit.message contains Dispatch-Trailer" - echo "github.event.head_commit.message value" - cat <", so grab the email with sed. + # For now, we require the sorted lists of author and signer emails to match. + # Note that this also fails if a commit isn't signed-off at all. # - # https://github.com/dcoapp/app/issues/201 - # - # Provide a sanity check as part of GitHub workflows that should enforce - # this, e.g. trybot workflows. - # - # We do so by comparing the commit author and "Signed-off-by" trailer for - # strict equality. Whilst this is more strict than Gerrit, it should - # generally be the case, and we can always relax this when presented with - # specific situations where it is is a problem. - - # commit author email address - commitauthor="$(git log -1 --pretty="%ae")" - - # signed-off-by trailer email address. There is no way to parse just the - # email address from the trailer in the same way as git log, so instead - # grab the relevant trailer and then take the last whitespace-delimited - # part as the "<>" contained email address. - # Getting the Signed-off-by trailer in this way causes blank - # lines for some reason. Use awk to remove them. - commitsigner="$(git log -1 --pretty='%(trailers:key=Signed-off-by,valueonly)' | sed -ne 's/.* <\(.*\)>/\1/p')" - - if [[ "$commitauthor" != "$commitsigner" ]]; then - echo "commit author email address does not match signed-off-by trailer" + # In Gerrit we already enable a form of this via https://gerrit-review.googlesource.com/Documentation/project-configuration.html#require-signed-off-by, + # but it does not support co-authors nor can it be used when testing GitHub PRs. + commit_authors="$( + { + git log -1 --pretty='%ae' + git log -1 --pretty='%(trailers:key=Co-authored-by,valueonly)' | sed -ne 's/.* <\(.*\)>/\1/p' + } | sort -u + )" + commit_signers="$( + { + git log -1 --pretty='%(trailers:key=Signed-off-by,valueonly)' | sed -ne 's/.* <\(.*\)>/\1/p' + } | sort -u + )" + if [[ "${commit_authors}" != "${commit_signers}" ]]; then + echo "Error: commit author email addresses do not match signed-off-by trailers" + echo + echo "Authors:" + echo "${commit_authors}" + echo + echo "Signers:" + echo "${commit_signers}" exit 1 fi - name: Generate @@ -157,5 +132,6 @@ jobs: run: go test ./... - name: Check run: go vet ./... - - name: Check that git is clean at the end of the job + - if: always() + name: Check that git is clean at the end of the job run: test -z "$(git status --porcelain)" || (git status; git diff; false) diff --git a/internal/ci/base/base.cue b/internal/ci/base/base.cue index e6db33b..39b9010 100644 --- a/internal/ci/base/base.cue +++ b/internal/ci/base/base.cue @@ -42,11 +42,11 @@ gerritHubRepositoryURL: *("https://\(gerritHubHostname)/a/" + githubRepositoryPa trybotRepositoryPath: *(githubRepositoryPath + "-" + trybot.key) | string trybotRepositoryURL: *("https://github.com/" + trybotRepositoryPath) | string -defaultBranch: *"master" | string -testDefaultBranch: *"ci/test" | _ +defaultBranch: *"master" | string +testDefaultBranch: *"ci/test" | _ protectedBranchPatterns: *[defaultBranch] | [...string] -releaseTagPrefix: *"v" | string -releaseTagPattern: *(releaseTagPrefix + "*") | string +releaseTagPrefix: *"v" | string +releaseTagPattern: *(releaseTagPrefix + "*") | string botGitHubUser: string botGitHubUserTokenSecretsKey: *(strings.ToUpper(botGitHubUser) + "_GITHUB_PAT") | string diff --git a/internal/ci/base/codereview.cue b/internal/ci/base/codereview.cue index 75bf11b..113aab8 100644 --- a/internal/ci/base/codereview.cue +++ b/internal/ci/base/codereview.cue @@ -21,7 +21,7 @@ import ( // the key: value toCodeReviewCfg: { #input: #codeReview - let parts = [ for k, v in #input {k + ": " + v}] + let parts = [for k, v in #input {k + ": " + v}] // Per https://pkg.go.dev/golang.org/x/review/git-codereview#hdr-Configuration strings.Join(parts, "\n") diff --git a/internal/ci/base/gerrithub.cue b/internal/ci/base/gerrithub.cue index 9b0ae9c..0105ee0 100644 --- a/internal/ci/base/gerrithub.cue +++ b/internal/ci/base/gerrithub.cue @@ -45,7 +45,7 @@ trybotDispatchWorkflow: bashWorkflow & { (trybot.key): { "runs-on": linuxMachine - let goodDummyData = [ if encjson.Marshal(#dummyDispatch) != _|_ {true}, false][0] + let goodDummyData = [if encjson.Marshal(#dummyDispatch) != _|_ {true}, false][0] // We set the "on" conditions above, but this would otherwise mean we // run for all dispatch events. diff --git a/internal/ci/base/github.cue b/internal/ci/base/github.cue index 0e8080e..5e0eee1 100644 --- a/internal/ci/base/github.cue +++ b/internal/ci/base/github.cue @@ -17,7 +17,7 @@ bashWorkflow: json.#Workflow & { installGo: json.#step & { name: "Install Go" - uses: "actions/setup-go@v4" + uses: "actions/setup-go@v5" with: { // We do our own caching in setupGoActionsCaches. cache: false @@ -28,7 +28,7 @@ installGo: json.#step & { checkoutCode: { #actionsCheckout: json.#step & { name: "Checkout code" - uses: "actions/checkout@v3" + uses: "actions/checkout@v4" // "pull_request" builds will by default use a merge commit, // testing the PR's HEAD merged on top of the master branch. @@ -91,15 +91,7 @@ checkoutCode: { name: "Check we don't have \(dispatchTrailer) on a protected branch" if: "\(isProtectedBranch) && \(containsDispatchTrailer)" run: """ - echo "\(_dispatchTrailerVariable) contains \(dispatchTrailer)" - echo "\(_dispatchTrailerVariable) value" - cat <", so grab the email with sed. + # For now, we require the sorted lists of author and signer emails to match. + # Note that this also fails if a commit isn't signed-off at all. # - # We do so by comparing the commit author and "Signed-off-by" trailer for - # strict equality. Whilst this is more strict than Gerrit, it should - # generally be the case, and we can always relax this when presented with - # specific situations where it is is a problem. - - # commit author email address - commitauthor="$(git log -1 --pretty="%ae")" - - # signed-off-by trailer email address. There is no way to parse just the - # email address from the trailer in the same way as git log, so instead - # grab the relevant trailer and then take the last whitespace-delimited - # part as the "<>" contained email address. - # Getting the Signed-off-by trailer in this way causes blank - # lines for some reason. Use awk to remove them. - commitsigner="$(git log -1 --pretty='%(trailers:key=Signed-off-by,valueonly)' | sed -ne 's/.* <\(.*\)>/\1/p')" - - if [[ "$commitauthor" != "$commitsigner" ]]; then - echo "commit author email address does not match signed-off-by trailer" + # In Gerrit we already enable a form of this via https://gerrit-review.googlesource.com/Documentation/project-configuration.html#require-signed-off-by, + # but it does not support co-authors nor can it be used when testing GitHub PRs. + commit_authors="$( + { + git log -1 --pretty='%ae' + git log -1 --pretty='%(trailers:key=Co-authored-by,valueonly)' | sed -ne 's/.* <\(.*\)>/\1/p' + } | sort -u + )" + commit_signers="$( + { + git log -1 --pretty='%(trailers:key=Signed-off-by,valueonly)' | sed -ne 's/.* <\(.*\)>/\1/p' + } | sort -u + )" + if [[ "${commit_authors}" != "${commit_signers}" ]]; then + echo "Error: commit author email addresses do not match signed-off-by trailers" + echo + echo "Authors:" + echo "${commit_authors}" + echo + echo "Signers:" + echo "${commit_signers}" exit 1 fi """# @@ -239,7 +215,7 @@ setupGoActionsCaches: { if !#readonly { cacheStep & { if: readWriteCacheExpr - uses: "actions/cache@v3" + uses: "actions/cache@v4" } }, @@ -252,7 +228,7 @@ setupGoActionsCaches: { if: "! \(readWriteCacheExpr)" } - uses: "actions/cache/restore@v3" + uses: "actions/cache/restore@v4" }, if #cleanTestCache { @@ -278,7 +254,7 @@ setupGoActionsCaches: { // but array literals are not yet supported in expressions. isProtectedBranch: { #trailers: [...string] - "((" + strings.Join([ for branch in protectedBranchPatterns { + "((" + strings.Join([for branch in protectedBranchPatterns { (_matchPattern & {variable: "github.ref", pattern: "refs/heads/\(branch)"}).expr }], " || ") + ") && (! \(containsDispatchTrailer)))" } @@ -296,6 +272,7 @@ isReleaseTag: { checkGitClean: json.#step & { name: "Check that git is clean at the end of the job" + if: "always()" run: "test -z \"$(git status --porcelain)\" || (git status; git diff; false)" } @@ -308,7 +285,7 @@ repositoryDispatch: json.#step & { name: string run: #""" - \#(_curlGitHubAPI) -f --request POST --data-binary \#(strconv.Quote(encjson.Marshal(#arg))) https://api.github.com/repos/\#(#githubRepositoryPath)/dispatches + \#(_curlGitHubAPI) --fail --request POST --data-binary \#(strconv.Quote(encjson.Marshal(#arg))) https://api.github.com/repos/\#(#githubRepositoryPath)/dispatches """# } @@ -354,7 +331,7 @@ containsDispatchTrailer: { // // Dispatch-Trailer: {"type:} // - let _typeCheck = [ if #type != _|_ {#type + "\""}, ""][0] + let _typeCheck = [if #type != _|_ {#type + "\""}, ""][0] """ (contains(\(_dispatchTrailerVariable), '\n\(dispatchTrailer): {"type":"\(_typeCheck)')) """