Bump codecov/codecov-action from 5.5.3 to 6.0.0 #163
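# SPDX-FileCopyrightText: 2026 The midgard contributors.
# SPDX-License-Identifier: MPL-2.0

# Compliance gates for the repository: REUSE licensing metadata on every
# file, and a Developer Certificate of Origin (Signed-off-by trailer) check
# on every commit that reaches master, whether by direct push or by PR.
name: Compliance Checks

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

# One in-flight run per workflow and ref; a newer push cancels the older run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Workflow-wide token scope is read-only; jobs re-declare what they need.
permissions:
  contents: read

jobs:
  REUSE:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # REUSE only inspects the working tree; history is not needed.
          fetch-depth: 1
      - name: REUSE Compliance Check
        uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0

  CheckSignedOffCommit:
    # Direct pushes only. Pushes by GitHub apps ("[bot]" actors) and by the
    # web UI ("web-flow", e.g. squash merges) are exempt, since those
    # commits are not authored through a local git workflow.
    if: >
      github.event_name == 'push' &&
      !contains(github.actor, '[bot]') &&
      !contains(github.event.pusher.name, '[bot]') &&
      github.event.pusher.name != 'web-flow'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history is required so BEFORE..AFTER can be resolved.
          fetch-depth: 0
      - name: Determine pushed commits
        id: range
        env:
          # Use GitHub-provided SHAs to build the range for this push
          BEFORE: ${{ github.event.before }}
          AFTER: ${{ github.sha }}
        run: |
          set -euo pipefail
          # BEFORE is all zeros for a newly created branch. After a force
          # push it is a real SHA that may no longer be reachable from any
          # ref, so the checkout never fetched it and "$BEFORE".."$AFTER"
          # would abort with "bad revision". Both cases fall back to the
          # full non-merge history of AFTER, which is deliberately strict:
          # every reachable commit must carry a sign-off.
          if [ "$BEFORE" = "0000000000000000000000000000000000000000" ] \
            || ! git cat-file -e "$BEFORE^{commit}" 2>/dev/null
          then
            # New branch or force push without a usable previous SHA
            git rev-list --no-merges "$AFTER" > shas.txt
          else
            git rev-list --no-merges "$BEFORE".."$AFTER" > shas.txt
          fi
      - name: Check for Signed-off-by
        env:
          GH_ACTOR: ${{ github.actor }}
          GH_NAME: ${{ github.event.pusher.name }}
        run: |
          set -euo pipefail
          missing=""
          while read -r sha
          do
            [ -n "$sha" ] || continue
            # Skip commits from bots. This keys on committer metadata that
            # lives in the commit itself, which the pusher controls; it is
            # a convenience so that automation which never signs off does
            # not block the branch, not an authorization boundary.
            committer_name=$(git log --format=%cn -n 1 "$sha")
            committer_email=$(git log --format=%ce -n 1 "$sha")
            if printf '%s\n' "$committer_name" | grep -Fq '[bot]' \
              || [ "$committer_name" = "web-flow" ] \
              || printf '%s\n' "$committer_email" | grep -Eqi 'noreply@github\.com$|@users\.noreply\.github\.com$'
            then
              echo "Skipping commit $sha from $committer_name <$committer_email>"
              continue
            fi
            # Accept the trailer anywhere in the body, case-insensitively,
            # with either "-" or " " between the words.
            msg=$(git log --format=%B -n 1 "$sha")
            if ! printf '%s' "$msg" | grep -Eqi '^[[:space:]]*Signed[- ]off[- ]by:'
            then
              echo "Commit $sha missing Signed-off-by"
              missing="true"
              echo "Committer name: $committer_name"
              echo "Committer email: $committer_email"
              echo "github.actor: $GH_ACTOR"
              echo "github.event.pusher.name: $GH_NAME"
            fi
          done < shas.txt
          # Report every offending commit before failing, not just the first.
          if [ "$missing" = "true" ]
          then
            echo "DCO check failed on push"
            exit 1
          fi
          echo "All pushed commits are signed"

  CheckSignedOffPullRequest:
    # The "bypass-dco" label skips this job; only users who can label the
    # repository (triage or above) can apply it.
    if: github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'bypass-dco')
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history so every PR commit SHA can be inspected with git log.
          # Assumes the PR commits are reachable from the checked-out merge
          # ref — TODO confirm for PRs from forks.
          fetch-depth: 0
      - name: Get PR commits
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed through env rather than interpolated into the script so
          # the shell never sees an unquoted expression expansion.
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          set -euo pipefail
          gh --version
          jq --version
          # Fetch all commits of the PR with pagination and extract SHAs
          gh api -H "Accept: application/vnd.github+json" --paginate \
            "repos/$REPO/pulls/$PR_NUMBER/commits" \
            | jq -r '.[].sha' > shas.txt
      - name: Check for Signed-off-by
        env:
          GH_ACTOR: ${{ github.actor }}
          GH_NAME: ${{ github.event.pull_request.user.login }}
        run: |
          set -euo pipefail
          missing=""
          while read -r sha
          do
            [ -n "$sha" ] || continue
            # Skip commits from bots. This keys on committer metadata that
            # lives in the commit itself, which the PR author controls; it
            # is a convenience so that automation which never signs off does
            # not block the PR, not an authorization boundary.
            committer_name=$(git log --format=%cn -n 1 "$sha")
            committer_email=$(git log --format=%ce -n 1 "$sha")
            if printf '%s\n' "$committer_name" | grep -Fq '[bot]' \
              || [ "$committer_name" = "web-flow" ] \
              || printf '%s\n' "$committer_email" | grep -Eqi 'noreply@github\.com$|@users\.noreply\.github\.com$'
            then
              echo "Skipping commit $sha from $committer_name <$committer_email>"
              continue
            fi
            # Accept the trailer anywhere in the body, case-insensitively,
            # with either "-" or " " between the words.
            msg=$(git log --format=%B -n 1 "$sha")
            if ! printf '%s' "$msg" | grep -Eqi '^[[:space:]]*Signed[- ]off[- ]by:'
            then
              echo "Commit $sha missing Signed-off-by"
              missing="true"
              echo "Committer name: $committer_name"
              echo "Committer email: $committer_email"
              echo "github.actor: $GH_ACTOR"
              echo "github.event.pull_request.user.login: $GH_NAME"
            fi
          done < shas.txt
          # Report every offending commit before failing, not just the first.
          if [ "$missing" = "true" ]
          then
            echo "DCO check failed"; exit 1
          fi
          echo "All commits are signed"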