From 3fa378c7e6c1c9d09a015f4b53ff221ccc33f5d8 Mon Sep 17 00:00:00 2001
From: vimal-java-dev
Date: Wed, 22 Apr 2026 08:33:47 +0530
Subject: [PATCH 1/2] all 3 merge methods (merge, squash, rebase)
Signed-off-by: vimal-java-dev
---
.github/workflows/doc-check-linter.yml | 55 ++++++++++++++++----------
1 file changed, 35 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/doc-check-linter.yml b/.github/workflows/doc-check-linter.yml
index 8693cfa..147ad53 100644
--- a/.github/workflows/doc-check-linter.yml
+++ b/.github/workflows/doc-check-linter.yml
@@ -63,34 +63,49 @@ jobs: fi # ---------- Verify latest commit ---------- - - name: Verify latest commit signature + - name: Verify commit signature run: | if [ "${{ github.event_name }}" = "pull_request" ]; then - LATEST_COMMIT=${{ github.event.pull_request.head.sha }} - else - LATEST_COMMIT=$(git rev-parse HEAD) - fi + echo "🔍 PR mode: verifying ALL commits in PR" - echo "🔍 Verifying commit: $LATEST_COMMIT" + BASE=${{ github.event.pull_request.base.sha }} + HEAD=${{ github.event.pull_request.head.sha }} - if git verify-commit "$LATEST_COMMIT" >/dev/null 2>&1; then - echo "✅ Signature is cryptographically valid" - else - echo "❌ Invalid or missing GPG signature" - exit 1 - fi + # Get all commits in PR + COMMITS=$(git rev-list $BASE..$HEAD) + + for COMMIT in $COMMITS; do + echo "🔎 Checking commit: $COMMIT" - FINGERPRINT=$(git log -1 --pretty=format:'%GF' "$LATEST_COMMIT") - echo "🔑 Signing fingerprint: $FINGERPRINT" + # Step 1: Cryptographic verification + if git verify-commit "$COMMIT" >/dev/null 2>&1; then + echo "✅ Signature valid" + else + echo "❌ Commit not signed properly" + exit 1 + fi - TRUSTED_KEYS="83FB991D930D7177F25456C07F4C7CA953E1C09E D432152833DA3244 4AEE18F83AFDEB23 B5690EEEBB952194" + # Step 2: Fingerprint check + FINGERPRINT=$(git log -1 --pretty=format:'%GF' "$COMMIT") + echo "🔑 Fingerprint: $FINGERPRINT" + + TRUSTED_KEYS="83FB991D930D7177F25456C07F4C7CA953E1C09E D432152833DA3244" + + if echo "$TRUSTED_KEYS" | grep -q "$FINGERPRINT"; then + echo "✅ Trusted key" + else + echo "❌ Untrusted key!" + exit 1 + fi + done + + echo "🎉 All PR commits are valid and trusted" - if echo "$TRUSTED_KEYS" | grep -q "$FINGERPRINT"; then - echo "✅ Trusted signer" else - echo "❌ Untrusted signing key!" - exit 1 - fi + echo "🔍 Push to main detected" + + echo "â„šī¸ Skipping strict GPG verification for merge/rebase/squash commit" + git log -1 --oneline # ---------- Optional status for skipped forked PRs ---------- - name: Skip GPG checks for external PRs 
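Review bot: The allowlist test in Step 2, `echo "$TRUSTED_KEYS" | grep -q "$FINGERPRINT"`, is an unanchored regex substring match, so an empty `%GF` result matches everything and is reported as a trusted key. Assuming `%GF` yields a full-length fingerprint, the 16-character entry in `TRUSTED_KEYS` can also never match, so the list should hold full fingerprints only. Reject an empty value and compare whole entries as fixed strings: `[ -n "$FINGERPRINT" ] || exit 1` followed by `echo "$TRUSTED_KEYS" | tr ' ' '\n' | grep -qxF -- "$FINGERPRINT"`. Separately, when `git rev-list $BASE..$HEAD` returns nothing the loop body never runs and the step still prints the success message; failing on an empty `COMMITS` would keep the check fail-closed.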
From d1814b448b787e5ba842d98b685cfc54c2723ac2 Mon Sep 17 00:00:00 2001 From: vimal-java-dev Date: Wed, 22 Apr 2026 08:43:36 +0530 Subject: [PATCH 2/2] Nested if accidentally duplicated Missing fi Signed-off-by: vimal-java-dev --- .github/workflows/doc-check-linter.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/doc-check-linter.yml b/.github/workflows/doc-check-linter.yml index 147ad53..d4f475c 100644 --- a/.github/workflows/doc-check-linter.yml +++ b/.github/workflows/doc-check-linter.yml @@ -100,12 +100,12 @@ jobs: done echo "🎉 All PR commits are valid and trusted" - + else echo "🔍 Push to main detected" - echo "â„šī¸ Skipping strict GPG verification for merge/rebase/squash commit" git log -1 --oneline + fi # ---------- Optional status for skipped forked PRs ---------- - name: Skip GPG checks for external PRs
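Review bot: With the `else`/`fi` now in place, the non-PR branch of this step only prints a message and runs `git log -1 --oneline`, so a commit pushed straight to the branch passes "Verify commit signature" with no signature or fingerprint check at all. If that is intended because forge-created merge and squash commits are not signed with a contributor key, record the assumption at the branch, e.g. `# No signature check on push: relies on branch protection (PR-only merges; PR commits are verified above)`, and confirm that protection is actually enforced on the repository. Otherwise run the same verify-commit and allowlist check on the pushed commit, with the forge's merge-signing key (placeholder `<MERGE_SIGNING_KEY_FINGERPRINT>`) added to the allowlist. The step's `run:` block starts outside this hunk.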