fix: gitsigner github workflow #2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Signed-commits gate | |
| on: | |
| pull_request: | |
| push: | |
| branches: [main] | |
| jobs: | |
| verify: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| # Default checkout is shallow, deepen so gitsigner can see history. | |
| fetch-depth: 0 | |
| - name: Install gitsigner | |
| run: | | |
| BASE=https://github.com/deoktr/gitsigner/releases/latest/download | |
| curl -fsSL -O "$BASE/gitsigner-x86_64-unknown-linux-gnu.tar.gz" | |
| curl -fsSL -O "$BASE/gitsigner-x86_64-unknown-linux-gnu.sha256" | |
| sha256sum -c gitsigner-x86_64-unknown-linux-gnu.sha256 | |
| tar -xzf gitsigner-x86_64-unknown-linux-gnu.tar.gz | |
| sudo install -m 0755 gitsigner /usr/local/bin/gitsigner | |
| - name: Verify signatures | |
| run: | | |
| gitsigner --allowed-signers ./.config/allowed_signers \ | |
| --format sarif > findings.sarif | |
| continue-on-error: true # let the upload step run even on findings | |
| - name: Upload findings to Code Scanning | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: findings.sarif | |
| if: always() | |
| - name: Re-fail the job on policy violations | |
| run: gitsigner --allowed-signers ./.config/allowed_signers |