Merge remote-tracking branch 'origin/ci-duranta-fixes' into integration_2026_w27

CI: Add label check and signature verification in GitHub Actions (#203)

- Update contributing guidelines for signing of commits
- Check for unsigned commits in the github actions workflow
- Skip CI when no mandatory CI label present on the PR
- Always remove retrigger-ci label when present - Like post-always or
  post-cleanup

Reviewed-by: Robert Schmidt <robert.schmidt@openairinterface.org>
Reviewed-by: Sagar Arora <sagar.arora@openairinterface.org>
Reviewed-by: Shubhika Garg <shubhika.garg@openairinterface.org>
This commit is contained in:
Robert Schmidt
2026-07-03 15:56:17 +02:00
2 changed files with 193 additions and 22 deletions

View File

@@ -17,12 +17,72 @@ permissions:
pull-requests: write pull-requests: write
jobs: jobs:
verify-signed-commits:
runs-on: ubuntu-24.04
if: github.event_name == 'pull_request_target'
steps:
- name: Check all commits are signed
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
UNSIGNED=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \
--paginate --jq '[.[] | select(.commit.verification.verified == false) | .sha[:7]] | join(", ")')
if [ -n "$UNSIGNED" ]; then
echo -e "$UNSIGNED commits are missing signature"
gh pr comment ${{ github.event.pull_request.number }} --repo ${{ github.repository }} --body "$(cat <<EOF
**Validation:**
The following commit(s) are missing signature:
$UNSIGNED
Please use 'git commit -S' to sign your commits.
For detailed instructions, refer to the [CONTRIBUTING.md](https://github.com/duranta-project/openairinterface5g/blob/develop/CONTRIBUTING.md) file at the root of this repository or [GitHub Docs](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)
EOF
)"
exit 1
fi
check-labels:
needs: verify-signed-commits
runs-on: ubuntu-24.04
if: github.event_name == 'pull_request_target'
steps:
- name: Check for mandatory CI label
run: |
PR_LABELS=$(echo '${{ toJson(github.event.pull_request.labels) }}' | jq -r '.[].name')
for label in \
"${{ vars.BUILD_ONLY_LABEL }}" \
"${{ vars.DOC_LABEL }}" \
"${{ vars.NR_LABEL }}" \
"${{ vars.NRUE_LABEL }}" \
"${{ vars.LTE_LABEL }}" \
"${{ vars.CI_LABEL }}" \
"${{ vars.RETRIGGER_CI_LABEL }}"; do
if echo "$PR_LABELS" | grep -qxF "$label"; then
exit 0
fi
done
exit 1
detect-changes: detect-changes:
needs: check-labels
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
if: | if: |
always() && (
github.event_name == 'push' ||
needs.check-labels.result == 'success'
) && (
github.event.action != 'labeled' || github.event.action != 'labeled' ||
github.event.label.name == vars.RETRIGGER_CI_LABEL github.event.label.name == vars.RETRIGGER_CI_LABEL
)
outputs: outputs:
protected_files_changed: ${{ steps.filter.outputs.protected }} protected_files_changed: ${{ steps.filter.outputs.protected }}
@@ -49,8 +109,9 @@ jobs:
require-maintainer-approval: require-maintainer-approval:
needs: detect-changes needs: detect-changes
if: needs.detect-changes.outputs.protected_files_changed == 'true' if: |
always() &&
needs.detect-changes.outputs.protected_files_changed == 'true'
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
environment: environment:
@@ -61,6 +122,7 @@ jobs:
trigger-jenkins: trigger-jenkins:
needs: needs:
- check-labels
- detect-changes - detect-changes
- require-maintainer-approval - require-maintainer-approval
@@ -105,8 +167,24 @@ jobs:
-H "X-Github-Hook-Installation-Target-Type: repository" \ -H "X-Github-Hook-Installation-Target-Type: repository" \
--data @/tmp/filtered_payload.json --data @/tmp/filtered_payload.json
cleanup:
needs:
- verify-signed-commits
- check-labels
- detect-changes
- require-maintainer-approval
- trigger-jenkins
if: always() && github.event_name == 'pull_request_target'
runs-on: ubuntu-24.04
steps:
- name: Remove retrigger-ci label - name: Remove retrigger-ci label
if: always() && github.event.action == 'labeled' && github.event.label.name == vars.RETRIGGER_CI_LABEL run: |
run: gh pr edit ${{ github.event.pull_request.number }} --remove-label "${{ vars.RETRIGGER_CI_LABEL }}" PR_LABELS=$(echo '${{ toJson(github.event.pull_request.labels) }}' | jq -r '.[].name')
if echo "$PR_LABELS" | grep -qxF "${{ vars.RETRIGGER_CI_LABEL }}"; then
gh pr edit ${{ github.event.pull_request.number }} --remove-label "${{ vars.RETRIGGER_CI_LABEL }}" --repo ${{ github.repository }}
fi
env: env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

View File

@@ -1,6 +1,6 @@
<!-- SPDX-License-Identifier: CC-BY-4.0 --> <!-- SPDX-License-Identifier: CC-BY-4.0 -->
# Contributing to OpenAirInterface # Contributing to Duranta
We want to make contributing to this project as easy and transparent as possible. We want to make contributing to this project as easy and transparent as possible.
@@ -18,41 +18,134 @@ We want to make contributing to this project as easy and transparent as possible
## Commit Guidelines ## Commit Guidelines
Every pull request must pass two CI checks before it can be merged:
1. **[Developer Certificate of Origin (DCO)](https://en.wikipedia.org/wiki/Developer_Certificate_of_Origin)**:
Each commit must include a `Signed-off-by:` trailer in the commit message.
Use `git commit -s` (or `--signoff`).
2. **[Verified commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)**:
Each commit must be cryptographically signed using SSH or GPG keys to confirm
its origin.
### Signing Commits ### Signing Commits
To sign commits: GitHub supports commit signing using either SSH keys or GPG keys.
For more information, see the
[GitHub documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits).
You can also get the verified label on your commits via using [SSH keys or GPG Before configuring commit signing:
keys](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits)
- Generate an SSH key pair or GPG key pair.
- Add your public key to your GitHub account.
- Verify your GitHub email address (required for “Verified” commits to work).
- If using SSH signing, ensure the key is registered in GitHub for:
- Authentication (SSH and GPG keys)
- Signing commits (Signing Keys)
> **NOTE:**
> Adding an SSH key for repo access does not automatically enable commit signing.
> The key must also be added under GitHub's Signing Keys settings.
To ensure commits show as Verified on GitHub:
- Your `git config user.email` must match a GitHub email
- That email must be verified in your GitHub account
For more information, see the
[GitHub Docs](https://docs.github.com/en/account-and-profile/how-tos/email-preferences/verifying-your-email-address)
Configure your repository's `.git/config`:
```ini
# Edit the git configuration
```
# Edit .git/config in the git repository you are working on
# Add the user section
[user] [user]
name = YOUR NAME name = YOUR NAME
email = YOUR EMAIL ADDRESS email = YOUR VERIFIED EMAIL ADDRESS
# If you use a signing key, use the below configuration instead # REQUIRED for commit signing
[user] # Use ONE signing method (SSH or GPG)
name = YOUR NAME
email = YOUR EMAIL ADDRESS signingkey = YOUR_SIGNING_KEY
signingkey = LOCATION OF SSH KEYS or GPG KEY
# Examples:
# SSH signing:
# signingkey = ~/.ssh/id_ed25519.pub
# GPG signing:
# signingkey = YOUR_GPG_KEY_ID
[gpg] [gpg]
format = ssh # REQUIRED: defines signing method (SSH or GPG)
format = YOUR_SIGNING_FORMAT
# Examples:
# SSH signing:
# format = ssh
# GPG signing:
# format = openpgp
[commit] [commit]
gpgsign = true gpgsign = true
``` ```
> **NOTE:** If your commits are not signed the CI framework will not accept the PR. > The private key is used automatically by SSH/Git when signing commits (SSH only).
#### Verifying Signed Commits
You can verify that commits are properly signed locally using:
```bash
git log --show-signature
```
GitHub should also display a Verified badge next to signed commits once the
signing key has been correctly configured in your account.
##### SSH Signature Verification (`allowed_signers`)
For SSH commit signing, local Git verification may require an `allowed_signers`
file. This is only used for local verification in Git and is not required
by GitHub.
If you see errors such as:
```text
No principal matched
Can't check signature
error: gpg.ssh.allowedSignersFile needs to be configured
```
you may need to configure it.
Create the file and add your signing identity:
```bash
mkdir -p ~/.config/git
touch ~/.config/git/allowed_signers
echo "user@example.com ssh-ed25519 AAAACexamplekeystringhere" > ~/.config/git/allowed_signers
```
Enable it in local repository Git config:
```bash
git config gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers
```
> **NOTE:**
> This is only for local Git signature verification and does not affect GitHub,
> or remote repository behavior.
> **NOTE:** If your commits are not signed, the CI framework will not accept the PR.
For more information regarding contribution guidelines For more information regarding contribution guidelines
please check [this document](doc/code-style-contrib.md) please check [this document](doc/code-style-contrib.md)
## License ## License
By contributing to OpenAirInterface, you agree that your contributions will be By contributing to Duranta, you agree that your contributions will be
licensed under licensed under
1. [CSSL v1.0 license](LICENSES/preferred/CSSL-v1.0.txt): for RAN and UE 1. [CSSL v1.0 license](LICENSES/preferred/CSSL-v1.0.txt): for RAN and UE