From 44cf3624033a2c37d4bdb0815e3ffa97c6b37fa2 Mon Sep 17 00:00:00 2001
From: Justus-at-Tazama
Date: Mon, 6 Apr 2026 14:58:25 +0200
Subject: [PATCH] fix: scorecard dev-push failure and gpg-verify logic bugs

Port of tazama-lf/workflows#46.
scorecard.yml (mirrors tazama-lf/workflows#44):
- Remove 'dev' from push.branches trigger. ossf/scorecard-action@v2.4.3 enforces that it can only run on the default branch regardless of publish_results; triggering on dev fails with 'Only the default branch main is supported'.
gpg-verify.yml (mirrors tazama-lf/workflows#45):
- Add github-actions[bot] to actor exclusion -- automated PRs from the sync workflow use this identity and cannot have GPG-signed commits.
- Fix inverted git log range: origin/${PR_BASE_REF}..origin/${PR_HEAD_REF} (was backwards: listed base-only commits, not PR commits).
- Replace check-runs API call (circular self-reference) with the commit verification endpoint GET /repos/.../commits/:sha and check .commit.verification.verified (boolean).
- Guard against empty commit range (exit 0 cleanly).
---
 .github/workflows/gpg-verify.yml | 34 ++++++++++++++++++++------------
 .github/workflows/scorecard.yml | 5 +----
 2 files changed, 22 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/gpg-verify.yml b/.github/workflows/gpg-verify.yml
index 56b6f3c..09ecd1d 100644
--- a/.github/workflows/gpg-verify.yml
+++ b/.github/workflows/gpg-verify.yml
@@ -10,7 +10,10 @@ on: [pull_request] # Trigger this workflow on pull request events
 jobs:
   gpg-verify:
-    if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
+    if: |
+      github.actor != 'dependabot[bot]' &&
+      github.actor != 'dependabot-preview[bot]' &&
+      github.actor != 'github-actions[bot]'
     runs-on: ubuntu-latest # Use the latest Ubuntu runner for the job
     steps:
       - uses: actions/checkout@v4 # Checkout the repository code using the actions/checkout action
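Review bot: The new exclusion keys on `github.actor`, which is the identity that triggered this `pull_request` run, not the author of the commits being checked; as far as I can tell that means a PR containing unsigned human-authored commits is skipped entirely whenever the most recent push came from `github-actions[bot]`, while a bot-opened PR that a human later pushes to is checked and fails on the bot's commits. If the intent is only to tolerate the sync workflow's own commits, a narrower gate is to keep the job running and decide per commit inside the script (for example on the commit's author login, or by matching `github.event.pull_request.head.ref` against the sync branch) rather than disabling the whole check for an actor. Either way, a comment above the `if:` recording why each identity is excluded would help the next reader, e.g. `# github-actions[bot]: PRs opened by the sync workflow cannot carry signed commits`.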
@@ -26,18 +29,23 @@ jobs:
       - name: Check GPG verification status # Step to check each commit for GPG signature verification
         run: |
-          # Get the list of commits in the pull request
-          commits=$(git log --pretty=format:%H origin/${PR_HEAD_REF}..origin/${PR_BASE_REF})
-
-          # Check the GPG verification status of each commit
+          # Get the list of commits in the pull request (head commits not yet in base)
+          commits=$(git log --pretty=format:%H origin/${PR_BASE_REF}..origin/${PR_HEAD_REF})
+
+          if [[ -z "$commits" ]]; then
+            echo "No commits to verify."
+            exit 0
+          fi
+
+          # Check the GPG verification status of each commit via the GitHub commit API
           for commit in $commits; do
-            status=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \
-              https://api.github.com/repos/$GITHUB_REPOSITORY/commits/$commit/check-runs \
-              | jq -r '.check_runs[] | select(.name == "GPG verify") | .conclusion')
-
-            # If the GPG verification status is not successful, list the commit and exit with a non-zero status
-            if [[ "$status" != "success" ]]; then
-              echo "GPG signature verification failed for commit $commit."
-              exit 1
+            verified=$(curl -s \
+              -H "Authorization: token $GITHUB_TOKEN" \
+              -H "Accept: application/vnd.github+json" \
+              https://api.github.com/repos/$GITHUB_REPOSITORY/commits/$commit \
+              | jq -r '.commit.verification.verified')
+
+            # If the commit is not verified, list it and exit with a non-zero status
+            if [[ "$verified" != "true" ]]; then
             fi
           done
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 3a711fb..d83f30e 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -11,7 +11,6 @@ on:
   push:
     branches:
       - main
-      - dev
 # Scorecard workflow restrictions (enforced when publish_results=true):
 # - No workflow-level env vars or defaults
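Review bot: The new `if [[ "$verified" != "true" ]]; then` is followed directly by `fi`: the `echo` and `exit 1` lines exist only on the removed side and are not re-added, so the then-branch is empty, which bash rejects as a syntax error once it parses the `for` loop (every PR that has commits fails without naming a commit, and the empty-range `exit 0` path never surfaces the error). Restore the body as `echo "GPG signature verification failed for commit $commit."` followed by `exit 1`. Separately, `curl -s` without `--fail` turns an API error response (rate limit, bad token, unknown SHA) into a `null` from jq, which the comparison reports as a signature failure; that fails closed, which is the right direction, but `curl -sS --fail` plus echoing `.commit.verification.reason` next to the SHA would make the real cause visible in the log. Note also that `verified` is true for any signature type GitHub can verify (GPG, SSH, S/MIME), which is broader than the step name suggests and worth stating in the comment above the loop.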
@@ -40,9 +39,7 @@ jobs:
         with:
           results_file: results.sarif
           results_format: sarif
-          # Publish results (badge + REST API) only when running on the default
-          # branch or on a schedule/branch-protection event. Dev-branch runs
-          # still score the repo but do not overwrite the published badge.
+# Publish results (badge + REST API) on main, schedule, and branch_protection_rule events.
           publish_results: ${{ github.ref == 'refs/heads/main' || github.event_name == 'schedule' || github.event_name == 'branch_protection_rule' }}
       - name: "Upload artifact"
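Review bot: The replacement comment on the `+` line sits at column 0 while the `publish_results:` key it describes is indented under `with:`; YAML accepts it, but it reads as detached from the step and yamllint's `comments-indentation` rule flags comments that do not align with the line they precede. Indent it to match, `          # Publish results (badge + REST API) on main, schedule, and branch_protection_rule events.`, keeping the same indentation as the three comment lines it replaces.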