-
-
Notifications
You must be signed in to change notification settings - Fork 126
74 lines (68 loc) · 2.6 KB
/
verify_cla_signature_pr.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
name: Checking CLA Signature
# https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context
# The pull request target event provides RW token to github
# https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/
# But `on: pull_request_target` should be avoided due to security
# reasons. Read more: [SEC_ADV_1] https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
#
# We will use a mix of github pull_request that does not provide any write access to pull requests on forks
# and workflow event, as discussed in [SEC_ADV_1]
on:
pull_request:
branches:
- main
jobs:
one:
runs-on: ubuntu-22.04
strategy:
matrix:
python-version: [3.8]
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 100
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v2
with:
python-version: ${{ matrix.python-version }}
- name: Setting up prerequisites
run: |
mkdir ./.tmp
pip3 install requests
- name: Getting commit details
uses: wei/wget@v1
with:
args: -O ./.tmp/commitDetails.json ${{ toJSON(github.event.pull_request._links.commits.href) }}
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJSON(github) }}
run: |
echo "$GITHUB_CONTEXT" > ./.tmp/github.json
echo ${{ github.event.number }} > ./.tmp/PRNumber
cat ./.tmp/github.json
echo "commit details: "
cat ./.tmp/commitDetails.json
- name: Review pull request
run: |
which git
if ! python ./.github/workflows/python/verify_cla_signature_pr.py $PERSONAL_CLA_LINK $EMPLOYER_CLA_LINK; then
echo "Pull request details could not be extracted"
exit 1
else
echo "all good"
fi
env:
EMPLOYER_CLA_LINK: https://raw.githubusercontent.com/phcode-dev/contributor-license-agreement/main/employer_contributor_license_agreement.md
PERSONAL_CLA_LINK: https://raw.githubusercontent.com/phcode-dev/contributor-license-agreement/main/personal_contributor_licence_agreement.md
- uses: actions/upload-artifact@v4
with:
name: prcontext
path: .tmp/
- name: Fail on validation errors
run: |
FILE=./.tmp/failed
if test -f "$FILE"; then
echo "Validation failed. Reason:"
cat ./.tmp/failed
exit 1
fi