Skip to content

Operator attestation policy #22417

Operator attestation policy

Operator attestation policy #22417

Workflow file for this run

name: Pre-merge checks
on:
pull_request:
types:
- opened
- reopened
- synchronize
- converted_to_draft
- ready_for_review
- labeled
- unlabeled
- auto_merge_enabled
- auto_merge_disabled
merge_group:
jobs:
wait-integration-pre-checks:
runs-on: ubuntu-latest
steps:
- shell: bash
run: echo "TODO remove this vestigial job"
merge-strategy:
runs-on: ubuntu-latest
if: >-
github.event_name != 'pull_request' ||
github.event.pull_request.draft == true ||
github.event.pull_request.base.ref != 'master' || (
contains(github.event.pull_request.labels.*.name, 'automerge:squash') ||
contains(github.event.pull_request.labels.*.name, 'automerge:no-update') ||
contains(github.event.pull_request.labels.*.name, 'automerge:rebase') ||
contains(github.event.pull_request.labels.*.name, 'bypass:automerge') ||
github.event.pull_request.auto_merge != null
)
strategy:
# abuse the matrix feature to create a check which stays pending until
# a merge strategy is chosen
matrix:
merge: [chosen]
steps:
- shell: bash
run: echo "Merge strategy chosen"
linear-history:
runs-on: ubuntu-latest
if: >-
github.event_name == 'pull_request' &&
github.event.pull_request.draft == false &&
github.event.pull_request.base.ref == 'master' && (
contains(github.event.pull_request.labels.*.name, 'automerge:no-update') ||
contains(github.event.pull_request.labels.*.name, 'bypass:automerge')
) &&
!contains(github.event.pull_request.labels.*.name, 'bypass:linear-history')
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- shell: bash
env:
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
HEAD_LABEL: ${{ github.event.pull_request.head.label }}
BASE_SHA: ${{ github.event.pull_request.base.sha }}
BASE_LABEL: ${{ github.event.pull_request.base.label }}
run: |
merge_commits=$(git rev-list --merges "$BASE_SHA".."$HEAD_SHA")
if [ -n "$merge_commits" ]; then
echo "Error: merge commits found in $BASE_LABEL..$HEAD_LABEL"
for merge_commit in $merge_commits; do
echo "$merge_commit"
done
exit 1
fi
fixup_commits=
for commit in $(git rev-list $BASE_SHA..$HEAD_SHA); do
case $(git show --pretty=format:%s -s $commit) in fixup\!*|squash\!*|amend\!*)
fixup_commits="$fixup_commits\n$commit"
;;
esac
done
if [ -n "$fixup_commits" ]; then
echo "Error: fixup/squash/amend commits found in $BASE_LABEL..$HEAD_LABEL"
echo -e "$fixup_commits"
exit 1
fi
no-fixup-commits:
runs-on: ubuntu-latest
if: >-
github.event_name == 'pull_request' &&
github.event.pull_request.draft == false &&
github.event.pull_request.base.ref == 'master' &&
contains(github.event.pull_request.labels.*.name, 'automerge:rebase') &&
!contains(github.event.pull_request.labels.*.name, 'bypass:linear-history')
env:
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
BASE_SHA: ${{ github.event.pull_request.base.sha }}
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Check for fixup commits
id: fixup-commits
run: |
if ! git merge-base --is-ancestor "$BASE_SHA" "$HEAD_SHA"; then
echo "PR is not up to date with target branch, skipping fixup commit check"
elif [[ $(git rev-list "$BASE_SHA".."$HEAD_SHA" --grep="^\(fixup\|amend\|squash\)! " | wc -l) -eq 0 ]]; then
echo "No fixup/amend/squash commits found in commit history"
else
echo "fixup/amend/squash commits found in commit history"
exit 1
fi