bugfix/handle-branch-merges-commit-trailers #569
name: "Organisation ruleset: Common CI"

# Triggers.
#   push         - only when this workflow file itself changes, and never on main,
#                  so pipeline edits run on the branch before they are merged.
#   pull_request - every PR into the listed target branches, re-run when the PR
#                  is opened, edited, reopened or receives new commits.
# `pull_request` (not `pull_request_target`) is used deliberately: code from a
# fork PR is checked out with a read-only token and without repository secrets.
on:
  push:
    branches-ignore:
      - main
    paths:
      - .github/workflows/org.common-ci.yml
  pull_request:
    types:
      - opened
      - edited
      - reopened
      - synchronize
    branches:
      - main
      - master
      - dev
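jobs:
  pre-commit-check:
    # Dependabot commits are generated server-side and never carry the trailer.
    if: ${{ github.actor != 'dependabot[bot]' }}
    env:
      SIGNED_OFF_MESSAGE: "Signed-off-by: DBT pre-commit check"
      FAILURE_MESSAGE: "Your PR has commits that are missing the Signed-off-by trailer. This is likely due to the pre-commit hook not being configured on your local machine. The usual fix for this issue is to run `pre-commit install --install-hooks --overwrite -t commit-msg -t pre-commit`, however for more detailed help in setting up the pre-commit hooks, follow the instructions at https://github.com/uktrade/github-standards/blob/main/README.md#usage"
    runs-on: ubuntu-latest
    # Least privilege: read the checkout, write PR comments. On pull_request
    # events from forks the token is downgraded to read-only, so every comment
    # step below is best-effort (continue-on-error) and the check result is
    # still visible through the step outcome.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout current repo
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          # Inspect the PR head rather than the synthetic merge commit, so the
          # trailer we read belongs to the contributor's own commit.
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Check if pre-commit hook ran before push
        id: pre-commit-check
        # Only the head commit is inspected (`-1`); earlier commits in the PR
        # are not checked, even though the failure message talks about
        # "commits". The trailer is a plain string anyone can type into a
        # commit message, so this is a nudge to install the hooks, not an
        # integrity control - do not treat a green result as proof the hook ran.
        # The SHA and expected trailer are passed through the environment
        # instead of being spliced into the script with ${{ }}.
        env:
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # -F: match the trailer as a fixed string, not a regular expression.
          git log "$HEAD_SHA" --format=%B -1 \
            | git interpret-trailers --parse \
            | grep -F -- "$SIGNED_OFF_MESSAGE"
        continue-on-error: true # This is only here while we are testing, it should be removed during the go live process so PRs cannot be merged
      - name: Find failure comment
        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad
        id: find-comment
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body-includes: ${{ env.FAILURE_MESSAGE }}
        continue-on-error: true # Here incase this step breaks, which would break all org PRs. Don't remove
      - name: Create or update failure comment
        # `outcome` (not `conclusion`) sees the failure behind continue-on-error.
        if: failure() || steps.pre-commit-check.outcome == 'failure'
        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9
        with:
          comment-id: ${{ steps.find-comment.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
          body: ${{ env.FAILURE_MESSAGE }}
          edit-mode: replace
        continue-on-error: true # Here incase this step breaks, which would break all org PRs
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
        name: Remove pre-commit comment
        if: success() && steps.pre-commit-check.outcome == 'success' && steps.find-comment.outputs.comment-id
        env:
          COMMENT_ID: ${{ steps.find-comment.outputs.comment-id }}
        with:
          # Read the id from the environment rather than interpolating the
          # expression into the script source; await so a failed API call is
          # reported by this step instead of being dropped.
          script: |
            await github.rest.issues.deleteComment({
              comment_id: Number(process.env.COMMENT_ID),
              owner: context.repo.owner,
              repo: context.repo.repo
            })
        continue-on-error: true # Here incase this step breaks, which would break all org PRs

  secret-scanning:
    env:
      DOCKER_IMAGE: ghcr.io/uktrade/github-standards
      RELEASE_URL: https://api.github.com/repos/uktrade/github-standards/releases/latest
    runs-on: ubuntu-latest
    # Read-only token: this job only reads the checkout and pulls a public image.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          # Full history - presumably so the scanner can walk past commits, not
          # just the tip. Confirm against run_scan if this becomes slow.
          fetch-depth: 0
      # On a push to this workflow file, build the hooks image from the current
      # tree and scan with it, so image changes are exercised before release.
      - name: Build docker image
        if: ${{ github.event_name == 'push' }}
        id: build
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
        with:
          push: false
          build-args: TRUFFLEHOG_VERSION=${{ vars.TRUFFLEHOG_VERSION }}
          tags: github-standards-hooks:common-ci
          target: testing
      - name: Security scanning using the locally built docker image
        if: steps.build.conclusion == 'success'
        run: |
          # Run as the runner's uid/gid so files the scanner writes stay owned
          # by the workspace user.
          docker run --user "$(id -u):$(id -g)" -e FORCE_HOOK_CHECKS=0 --rm -v "$PWD:/src" -w /src \
            github-standards-hooks:common-ci \
            run_scan \
            --github-action \
            /src
      # Resolve the tag of the latest released hooks image. Any failure falls
      # back to `latest` *inside* this step, so the scan step below always runs
      # on pull requests. Previously a failed lookup made the step fail, the
      # scan step (gated on outcome == 'success') was skipped, and an HTTP error
      # body turned into the literal tag "null" via `jq .name`.
      - name: Get latest release
        if: ${{ github.event_name == 'pull_request' }}
        id: get-version
        env:
          # GITHUB_TOKEN can read public repositories; authenticating avoids the
          # low unauthenticated API rate limit shared by runner IP addresses.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # -f: treat HTTP errors (rate limit, 404) as a non-zero exit.
          # -r: raw output, so the tag is not wrapped in JSON quotes.
          # NOTE(review): the release `name` is used as the image tag, as before;
          # confirm this matches how images are tagged (often it is `tag_name`).
          tag=$(curl -fsSL \
              -H "Accept: application/vnd.github+json" \
              -H "Authorization: Bearer $GH_TOKEN" \
              "$RELEASE_URL" | jq -r '.name // empty') || tag=''
          if [[ -z "$tag" || "$tag" == "null" ]]; then
            echo "::warning::Could not resolve the latest release; falling back to the :latest image tag"
            tag='latest'
          fi
          echo "current_release=$tag" >> "$GITHUB_OUTPUT"
        continue-on-error: true # safety net only - the fallback above should keep this step green; the scan step also defaults to :latest when the output is empty
      - name: Security scanning using the latest released docker image
        if: ${{ github.event_name == 'pull_request' }}
        env:
          RELEASE_TAG: ${{ steps.get-version.outputs.current_release }}
        run: |
          # NOTE(review): the image is selected by a mutable tag at run time, so
          # whoever can retag in ghcr.io/uktrade controls what scans every org
          # PR's source tree. Pinning to a digest would close that; it is left
          # as-is here because the tag is the org's own release pointer.
          tag="${RELEASE_TAG:-latest}"
          echo "Using image ${DOCKER_IMAGE}:${tag}"
          docker run --user "$(id -u):$(id -g)" -e FORCE_HOOK_CHECKS=0 --rm -v "$PWD:/src" -w /src \
            "${DOCKER_IMAGE}:${tag}" \
            run_scan \
            --github-action \
            /src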