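---
name: Verify Commit Signatures

on:
  pull_request:
    branches:
      - master
      - develop
  push:
    branches:
      - master
      - develop

# The job only reads the repository; drop the default write scopes from
# GITHUB_TOKEN so a compromised step cannot push or alter the repo.
permissions:
  contents: read

jobs:
  verify-commit-signature:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        # Supply-chain hygiene: consider pinning the action to a full commit
        # SHA rather than the mutable "v4" tag.
        uses: actions/checkout@v4
        with:
          # On pull_request the default checkout is GitHub's synthetic merge
          # commit (refs/pull/N/merge), which is never signed by the
          # contributor, so verifying HEAD there cannot succeed. Check out the
          # PR head instead; on push this falls back to the pushed commit.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          # Full history so the base..HEAD range below can be enumerated.
          # A depth of 1 only ever allows the tip commit to be checked.
          fetch-depth: 0

      - name: Import GPG key
        env:
          # Pass the actor name through the environment rather than
          # interpolating ${{ }} directly into the script body.
          ACTOR: ${{ github.actor }}
        run: |
          set -euo pipefail
          # Author address of the checked-out tip; used below to make sure at
          # least one imported key is tied to it.
          AUTHOR_EMAIL=$(git show -s --format='%ae' HEAD)
          mkdir -p ~/.gnupg
          chmod 700 ~/.gnupg
          # Configure GPG to use SHA256
          echo "personal-digest-preferences SHA256" > ~/.gnupg/gpg.conf
          echo "default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed" >> ~/.gnupg/gpg.conf
          # Import the public keys the triggering user has published on GitHub.
          # NOTE: this proves only that a commit was signed by a key the actor
          # chose to upload to their own profile -- it is NOT an allowlist of
          # approved maintainer keys. Restricting to known fingerprints would
          # require a separate allowlist. -f turns an HTTP error (e.g. 404 for
          # a user with no keys) into a step failure instead of piping an error
          # page into gpg.
          curl -fsSL "https://github.com/${ACTOR}.gpg" | gpg --import -
          # No ownertrust is assigned to the imported keys, so git will report
          # signatures as 'U' (good, validity unknown) rather than 'G'.
          # gpg exits non-zero when no imported key carries the author's
          # address, which fails this step under set -e.
          echo "Checking for an imported key matching ${AUTHOR_EMAIL}..."
          gpg --list-keys --keyid-format LONG "$AUTHOR_EMAIL"
          # List all keys for debugging
          echo "Listing all GPG keys:"
          gpg --list-keys

      - name: Verify commit signatures
        env:
          # Start of the commit range introduced by this event: the PR base
          # for pull_request, the previous branch tip for push.
          BASE_SHA: ${{ github.event.pull_request.base.sha || github.event.before }}
        run: |
          set -euo pipefail
          # Verify every commit introduced by the event, not just HEAD: a
          # signed tip does not vouch for unsigned commits beneath it. Fall
          # back to HEAD alone when the base is unknown (new branch, all-zero
          # SHA) or not present in the clone (e.g. after a force-push).
          if [[ -n "${BASE_SHA}" && "${BASE_SHA}" != 0000000000000000000000000000000000000000 ]] \
             && git cat-file -e "${BASE_SHA}^{commit}" 2>/dev/null; then
            commits=$(git rev-list "${BASE_SHA}..HEAD")
          else
            commits=$(git rev-list -n 1 HEAD)
          fi
          # Fail closed: an empty range must not be reported as "verified".
          if [[ -z "${commits}" ]]; then
            echo "No commits found to verify; refusing to pass an empty range."
            exit 1
          fi
          failed=0
          for commit in ${commits}; do
            # %G? values: G = good, U = good but key validity unknown (the
            # expected result here, since no ownertrust was set). Anything
            # else (B bad, N none, E unverifiable, X/Y expired, R revoked)
            # is rejected. Only the keys imported above are in the keyring,
            # so G/U means "signed by a key the actor published".
            status=$(git log -1 --format='%G?' "${commit}")
            echo "== ${commit}: signature status '${status}'"
            git log -1 --show-signature "${commit}"
            if [[ "${status}" != "G" && "${status}" != "U" ]]; then
              echo "Commit ${commit} is not signed by an imported key (status ${status})."
              failed=1
            fi
          done
          if [[ "${failed}" -ne 0 ]]; then
            echo "Commit signature is invalid."
            exit 1
          fi
          echo "All commit signatures are valid."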