mirror of
https://github.com/openclaw/openclaw.git
synced 2026-07-19 19:11:38 +00:00
ci: accept trusted unsigned release merge heads (#104838)
This commit is contained in:
committed by
GitHub
parent
a79554c281
commit
5b29c37137
@@ -320,7 +320,7 @@ jobs:
|
||||
trusted_reason="release-tag"
|
||||
break
|
||||
fi
|
||||
done < <(git -C .candidate for-each-ref --format='%(refname)' refs/tags/v)
|
||||
done < <(git -C .candidate for-each-ref --format='%(refname)' 'refs/tags/v*')
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
@@ -339,18 +339,27 @@ jobs:
|
||||
-f name="$repository_name" \
|
||||
-f oid="$candidate_sha"
|
||||
)"
|
||||
signer="$(
|
||||
signature_status="$(
|
||||
jq -er \
|
||||
--arg sha "$candidate_sha" \
|
||||
'.data.repository.object |
|
||||
select(.oid == $sha and .signature.isValid == true and .signature.state == "VALID") |
|
||||
.signature.signer.login' \
|
||||
select(.oid == $sha) |
|
||||
if .signature == null then "missing"
|
||||
elif .signature.isValid == true and .signature.state == "VALID" and
|
||||
(.signature.signer.login // "") != "" then "valid"
|
||||
else "invalid"
|
||||
end' \
|
||||
<<<"$signature_json"
|
||||
)"
|
||||
if [[ "$signature_status" == "invalid" ]]; then
|
||||
echo "Release candidate ${candidate_sha} has an invalid commit signature." >&2
|
||||
exit 1
|
||||
fi
|
||||
signer="$(jq -r '.data.repository.object.signature.signer.login // ""' <<<"$signature_json")"
|
||||
permission_actor="$signer"
|
||||
if [[ "$signer" == "web-flow" ]]; then
|
||||
if [[ "$signature_status" == "missing" || "$signer" == "web-flow" ]]; then
|
||||
if [[ "$trusted_reason" != "release-branch-head" || -z "$trusted_release_branch" ]]; then
|
||||
echo "GitHub web-flow candidates require an exact release branch head." >&2
|
||||
echo "Unsigned or GitHub web-flow candidates require an exact release branch head." >&2
|
||||
exit 1
|
||||
fi
|
||||
permission_actor="$(
|
||||
@@ -1002,7 +1011,7 @@ jobs:
|
||||
trusted_reason="release-tag"
|
||||
break
|
||||
fi
|
||||
done < <(git for-each-ref --format='%(refname)' refs/tags/v)
|
||||
done < <(git for-each-ref --format='%(refname)' 'refs/tags/v*')
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
@@ -1018,18 +1027,27 @@ jobs:
|
||||
-f name="$repository_name" \
|
||||
-f oid="$candidate_sha"
|
||||
)"
|
||||
signer="$(
|
||||
signature_status="$(
|
||||
jq -er \
|
||||
--arg sha "$candidate_sha" \
|
||||
'.data.repository.object |
|
||||
select(.oid == $sha and .signature.isValid == true and .signature.state == "VALID") |
|
||||
.signature.signer.login' \
|
||||
select(.oid == $sha) |
|
||||
if .signature == null then "missing"
|
||||
elif .signature.isValid == true and .signature.state == "VALID" and
|
||||
(.signature.signer.login // "") != "" then "valid"
|
||||
else "invalid"
|
||||
end' \
|
||||
<<<"$signature_json"
|
||||
)"
|
||||
if [[ "$signature_status" == "invalid" ]]; then
|
||||
echo "Release candidate ${candidate_sha} has an invalid commit signature." >&2
|
||||
exit 1
|
||||
fi
|
||||
signer="$(jq -r '.data.repository.object.signature.signer.login // ""' <<<"$signature_json")"
|
||||
permission_actor="$signer"
|
||||
if [[ "$signer" == "web-flow" ]]; then
|
||||
if [[ "$signature_status" == "missing" || "$signer" == "web-flow" ]]; then
|
||||
if [[ "$trusted_reason" != "release-branch-head" || -z "$trusted_release_branch" ]]; then
|
||||
echo "GitHub web-flow candidates require an exact release branch head." >&2
|
||||
echo "Unsigned or GitHub web-flow candidates require an exact release branch head." >&2
|
||||
exit 1
|
||||
fi
|
||||
permission_actor="$(
|
||||
|
||||
@@ -207,10 +207,18 @@ function runAdvisoryStatus(overrides: Record<string, string> = {}) {
|
||||
}
|
||||
|
||||
describe("release Telegram QA workflow", () => {
|
||||
it("attributes GitHub web-flow release merges to their exact maintainer merger", () => {
|
||||
it("attributes GitHub web-flow and unsigned release merges to their exact maintainer merger", () => {
|
||||
const source = readFileSync(WORKFLOW_PATH, "utf8");
|
||||
|
||||
expect(source.match(/associatedPullRequests\(first:10\)/gu)).toHaveLength(2);
|
||||
expect(source.match(/for-each-ref --format='%\(refname\)' 'refs\/tags\/v\*'/gu)).toHaveLength(
|
||||
2,
|
||||
);
|
||||
expect(source.match(/if \.signature == null then "missing"/gu)).toHaveLength(2);
|
||||
expect(source.match(/\$signature_status" == "invalid"/gu)).toHaveLength(2);
|
||||
expect(
|
||||
source.match(/\$signature_status" == "missing" \|\| "\$signer" == "web-flow"/gu),
|
||||
).toHaveLength(2);
|
||||
expect(source.match(/\.mergeCommit\.oid == \$sha/gu)).toHaveLength(2);
|
||||
expect(source.match(/\.baseRefName == \$base/gu)).toHaveLength(2);
|
||||
expect(source.match(/\.baseRepository\.nameWithOwner == \$repo/gu)).toHaveLength(2);
|
||||
|
||||
Reference in New Issue
Block a user