name: Build containerization permissions: contents: read on: pull_request: types: [opened, reopened, synchronize] push: branches: - main - release/* jobs: verify-signatures: name: Verify commit signatures runs-on: ubuntu-latest if: github.event_name == 'pull_request' steps: - name: Check all commits are signed env: GH_TOKEN: ${{ github.token }} REPO: ${{ github.repository }} PR_NUMBER: ${{ github.event.pull_request.number }} run: | commits=$(gh api "repos/${REPO}/pulls/${PR_NUMBER}/commits" --paginate) unsigned_commits="" while IFS='|' read -r sha author verified; do if [ "$verified" != "true" ]; then unsigned_commits="$unsigned_commits - $sha by $author\n" fi done < <(echo "$commits" | jq -r '.[] | "\(.sha)|\(.commit.author.name)|\(.commit.verification.verified)"') if [ -n "$unsigned_commits" ]; then echo "::error::The following commits are not signed:" echo -e "$unsigned_commits" echo "" echo "Please sign your commits. See:" echo " - https://github.com/apple/containerization/blob/main/CONTRIBUTING.md#pull-requests" echo " - https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits" exit 1 fi echo "All commits are signed!" containerization: permissions: contents: read packages: write pages: write uses: ./.github/workflows/containerization-build-template.yml secrets: inherit