Operator attestation policy #22417
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Pre-merge checks | |
on: | |
pull_request: | |
types: | |
- opened | |
- reopened | |
- synchronize | |
- converted_to_draft | |
- ready_for_review | |
- labeled | |
- unlabeled | |
- auto_merge_enabled | |
- auto_merge_disabled | |
merge_group: | |
jobs: | |
wait-integration-pre-checks: | |
runs-on: ubuntu-latest | |
steps: | |
- shell: bash | |
run: echo "TODO remove this vestigial job" | |
merge-strategy: | |
runs-on: ubuntu-latest | |
if: >- | |
github.event_name != 'pull_request' || | |
github.event.pull_request.draft == true || | |
github.event.pull_request.base.ref != 'master' || ( | |
contains(github.event.pull_request.labels.*.name, 'automerge:squash') || | |
contains(github.event.pull_request.labels.*.name, 'automerge:no-update') || | |
contains(github.event.pull_request.labels.*.name, 'automerge:rebase') || | |
contains(github.event.pull_request.labels.*.name, 'bypass:automerge') || | |
github.event.pull_request.auto_merge != null | |
) | |
strategy: | |
# abuse the matrix feature to create a check which stays pending until | |
# a merge strategy is chosen | |
matrix: | |
merge: [chosen] | |
steps: | |
- shell: bash | |
run: echo "Merge strategy chosen" | |
linear-history: | |
runs-on: ubuntu-latest | |
if: >- | |
github.event_name == 'pull_request' && | |
github.event.pull_request.draft == false && | |
github.event.pull_request.base.ref == 'master' && ( | |
contains(github.event.pull_request.labels.*.name, 'automerge:no-update') || | |
contains(github.event.pull_request.labels.*.name, 'bypass:automerge') | |
) && | |
!contains(github.event.pull_request.labels.*.name, 'bypass:linear-history') | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- shell: bash | |
env: | |
HEAD_SHA: ${{ github.event.pull_request.head.sha }} | |
HEAD_LABEL: ${{ github.event.pull_request.head.label }} | |
BASE_SHA: ${{ github.event.pull_request.base.sha }} | |
BASE_LABEL: ${{ github.event.pull_request.base.label }} | |
run: | | |
merge_commits=$(git rev-list --merges "$BASE_SHA".."$HEAD_SHA") | |
if [ -n "$merge_commits" ]; then | |
echo "Error: merge commits found in $BASE_LABEL..$HEAD_LABEL" | |
for merge_commit in $merge_commits; do | |
echo "$merge_commit" | |
done | |
exit 1 | |
fi | |
fixup_commits= | |
for commit in $(git rev-list $BASE_SHA..$HEAD_SHA); do | |
case $(git show --pretty=format:%s -s $commit) in fixup\!*|squash\!*|amend\!*) | |
fixup_commits="$fixup_commits\n$commit" | |
;; | |
esac | |
done | |
if [ -n "$fixup_commits" ]; then | |
echo "Error: fixup/squash/amend commits found in $BASE_LABEL..$HEAD_LABEL" | |
echo -e "$fixup_commits" | |
exit 1 | |
fi | |
no-fixup-commits: | |
runs-on: ubuntu-latest | |
if: >- | |
github.event_name == 'pull_request' && | |
github.event.pull_request.draft == false && | |
github.event.pull_request.base.ref == 'master' && | |
contains(github.event.pull_request.labels.*.name, 'automerge:rebase') && | |
!contains(github.event.pull_request.labels.*.name, 'bypass:linear-history') | |
env: | |
HEAD_SHA: ${{ github.event.pull_request.head.sha }} | |
BASE_SHA: ${{ github.event.pull_request.base.sha }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Check for fixup commits | |
id: fixup-commits | |
run: | | |
if ! git merge-base --is-ancestor "$BASE_SHA" "$HEAD_SHA"; then | |
echo "PR is not up to date with target branch, skipping fixup commit check" | |
elif [[ $(git rev-list "$BASE_SHA".."$HEAD_SHA" --grep="^\(fixup\|amend\|squash\)! " | wc -l) -eq 0 ]]; then | |
echo "No fixup/amend/squash commits found in commit history" | |
else | |
echo "fixup/amend/squash commits found in commit history" | |
exit 1 | |
fi |