mirror of
https://gitlab.eurecom.fr/oai/openairinterface5g.git
synced 2026-07-13 04:30:28 +00:00
Merge remote-tracking branch 'origin/ci-duranta-fixes' into integration_2026_w27
CI: Add label check and signature verification in GitHub Actions (#203) - Update contributing guidelines for signing of commits - Check for unsigned commits in the github actions workflow - Skip CI when no mandatory CI label present on the PR - Always remove retrigger-ci label when present - Like post-always or post-cleanup Reviewed-by: Robert Schmidt <robert.schmidt@openairinterface.org> Reviewed-by: Sagar Arora <sagar.arora@openairinterface.org> Reviewed-by: Shubhika Garg <shubhika.garg@openairinterface.org>
This commit is contained in:
86
.github/workflows/jenkins-dispatch.yml
vendored
86
.github/workflows/jenkins-dispatch.yml
vendored
@@ -17,12 +17,72 @@ permissions:
|
|||||||
pull-requests: write
|
pull-requests: write
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
|
verify-signed-commits:
|
||||||
|
runs-on: ubuntu-24.04
|
||||||
|
|
||||||
|
if: github.event_name == 'pull_request_target'
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Check all commits are signed
|
||||||
|
env:
|
||||||
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
run: |
|
||||||
|
UNSIGNED=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \
|
||||||
|
--paginate --jq '[.[] | select(.commit.verification.verified == false) | .sha[:7]] | join(", ")')
|
||||||
|
|
||||||
|
if [ -n "$UNSIGNED" ]; then
|
||||||
|
echo -e "$UNSIGNED commits are missing signature"
|
||||||
|
gh pr comment ${{ github.event.pull_request.number }} --repo ${{ github.repository }} --body "$(cat <<EOF
|
||||||
|
**Validation:**
|
||||||
|
The following commit(s) are missing signature:
|
||||||
|
|
||||||
|
$UNSIGNED
|
||||||
|
|
||||||
|
Please use 'git commit -S' to sign your commits.
|
||||||
|
For detailed instructions, refer to the [CONTRIBUTING.md](https://github.com/duranta-project/openairinterface5g/blob/develop/CONTRIBUTING.md) file at the root of this repository or [GitHub Docs](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)
|
||||||
|
EOF
|
||||||
|
)"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
check-labels:
|
||||||
|
needs: verify-signed-commits
|
||||||
|
runs-on: ubuntu-24.04
|
||||||
|
|
||||||
|
if: github.event_name == 'pull_request_target'
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: Check for mandatory CI label
|
||||||
|
run: |
|
||||||
|
PR_LABELS=$(echo '${{ toJson(github.event.pull_request.labels) }}' | jq -r '.[].name')
|
||||||
|
|
||||||
|
for label in \
|
||||||
|
"${{ vars.BUILD_ONLY_LABEL }}" \
|
||||||
|
"${{ vars.DOC_LABEL }}" \
|
||||||
|
"${{ vars.NR_LABEL }}" \
|
||||||
|
"${{ vars.NRUE_LABEL }}" \
|
||||||
|
"${{ vars.LTE_LABEL }}" \
|
||||||
|
"${{ vars.CI_LABEL }}" \
|
||||||
|
"${{ vars.RETRIGGER_CI_LABEL }}"; do
|
||||||
|
if echo "$PR_LABELS" | grep -qxF "$label"; then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
exit 1
|
||||||
|
|
||||||
detect-changes:
|
detect-changes:
|
||||||
|
needs: check-labels
|
||||||
runs-on: ubuntu-24.04
|
runs-on: ubuntu-24.04
|
||||||
|
|
||||||
if: |
|
if: |
|
||||||
|
always() && (
|
||||||
|
github.event_name == 'push' ||
|
||||||
|
needs.check-labels.result == 'success'
|
||||||
|
) && (
|
||||||
github.event.action != 'labeled' ||
|
github.event.action != 'labeled' ||
|
||||||
github.event.label.name == vars.RETRIGGER_CI_LABEL
|
github.event.label.name == vars.RETRIGGER_CI_LABEL
|
||||||
|
)
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
protected_files_changed: ${{ steps.filter.outputs.protected }}
|
protected_files_changed: ${{ steps.filter.outputs.protected }}
|
||||||
@@ -49,8 +109,9 @@ jobs:
|
|||||||
require-maintainer-approval:
|
require-maintainer-approval:
|
||||||
needs: detect-changes
|
needs: detect-changes
|
||||||
|
|
||||||
if: needs.detect-changes.outputs.protected_files_changed == 'true'
|
if: |
|
||||||
|
always() &&
|
||||||
|
needs.detect-changes.outputs.protected_files_changed == 'true'
|
||||||
runs-on: ubuntu-24.04
|
runs-on: ubuntu-24.04
|
||||||
|
|
||||||
environment:
|
environment:
|
||||||
@@ -61,6 +122,7 @@ jobs:
|
|||||||
|
|
||||||
trigger-jenkins:
|
trigger-jenkins:
|
||||||
needs:
|
needs:
|
||||||
|
- check-labels
|
||||||
- detect-changes
|
- detect-changes
|
||||||
- require-maintainer-approval
|
- require-maintainer-approval
|
||||||
|
|
||||||
@@ -105,8 +167,24 @@ jobs:
|
|||||||
-H "X-Github-Hook-Installation-Target-Type: repository" \
|
-H "X-Github-Hook-Installation-Target-Type: repository" \
|
||||||
--data @/tmp/filtered_payload.json
|
--data @/tmp/filtered_payload.json
|
||||||
|
|
||||||
|
cleanup:
|
||||||
|
needs:
|
||||||
|
- verify-signed-commits
|
||||||
|
- check-labels
|
||||||
|
- detect-changes
|
||||||
|
- require-maintainer-approval
|
||||||
|
- trigger-jenkins
|
||||||
|
|
||||||
|
if: always() && github.event_name == 'pull_request_target'
|
||||||
|
|
||||||
|
runs-on: ubuntu-24.04
|
||||||
|
|
||||||
|
steps:
|
||||||
- name: Remove retrigger-ci label
|
- name: Remove retrigger-ci label
|
||||||
if: always() && github.event.action == 'labeled' && github.event.label.name == vars.RETRIGGER_CI_LABEL
|
run: |
|
||||||
run: gh pr edit ${{ github.event.pull_request.number }} --remove-label "${{ vars.RETRIGGER_CI_LABEL }}"
|
PR_LABELS=$(echo '${{ toJson(github.event.pull_request.labels) }}' | jq -r '.[].name')
|
||||||
|
if echo "$PR_LABELS" | grep -qxF "${{ vars.RETRIGGER_CI_LABEL }}"; then
|
||||||
|
gh pr edit ${{ github.event.pull_request.number }} --remove-label "${{ vars.RETRIGGER_CI_LABEL }}" --repo ${{ github.repository }}
|
||||||
|
fi
|
||||||
env:
|
env:
|
||||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|||||||
125
CONTRIBUTING.md
125
CONTRIBUTING.md
@@ -1,6 +1,6 @@
|
|||||||
<!-- SPDX-License-Identifier: CC-BY-4.0 -->
|
<!-- SPDX-License-Identifier: CC-BY-4.0 -->
|
||||||
|
|
||||||
# Contributing to OpenAirInterface
|
# Contributing to Duranta
|
||||||
|
|
||||||
We want to make contributing to this project as easy and transparent as possible.
|
We want to make contributing to this project as easy and transparent as possible.
|
||||||
|
|
||||||
@@ -18,41 +18,134 @@ We want to make contributing to this project as easy and transparent as possible
|
|||||||
|
|
||||||
## Commit Guidelines
|
## Commit Guidelines
|
||||||
|
|
||||||
|
Every pull request must pass two CI checks before it can be merged:
|
||||||
|
|
||||||
|
1. **[Developer Certificate of Origin (DCO)](https://en.wikipedia.org/wiki/Developer_Certificate_of_Origin)**:
|
||||||
|
Each commit must include a `Signed-off-by:` trailer in the commit message.
|
||||||
|
Use `git commit -s` (or `--signoff`).
|
||||||
|
|
||||||
|
2. **[Verified commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)**:
|
||||||
|
Each commit must be cryptographically signed using SSH or GPG keys to confirm
|
||||||
|
its origin.
|
||||||
|
|
||||||
### Signing Commits
|
### Signing Commits
|
||||||
|
|
||||||
To sign commits:
|
GitHub supports commit signing using either SSH keys or GPG keys.
|
||||||
|
For more information, see the
|
||||||
|
[GitHub documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits).
|
||||||
|
|
||||||
You can also get the verified label on your commits via using [SSH keys or GPG
|
Before configuring commit signing:
|
||||||
keys](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits)
|
|
||||||
|
- Generate an SSH key pair or GPG key pair.
|
||||||
|
- Add your public key to your GitHub account.
|
||||||
|
- Verify your GitHub email address (required for “Verified” commits to work).
|
||||||
|
- If using SSH signing, ensure the key is registered in GitHub for:
|
||||||
|
- Authentication (SSH and GPG keys)
|
||||||
|
- Signing commits (Signing Keys)
|
||||||
|
|
||||||
|
> **NOTE:**
|
||||||
|
> Adding an SSH key for repo access does not automatically enable commit signing.
|
||||||
|
> The key must also be added under GitHub's Signing Keys settings.
|
||||||
|
|
||||||
|
|
||||||
|
To ensure commits show as Verified on GitHub:
|
||||||
|
|
||||||
|
- Your `git config user.email` must match a GitHub email
|
||||||
|
- That email must be verified in your GitHub account
|
||||||
|
|
||||||
|
For more information, see the
|
||||||
|
[GitHub Docs](https://docs.github.com/en/account-and-profile/how-tos/email-preferences/verifying-your-email-address)
|
||||||
|
|
||||||
|
Configure your repository's `.git/config`:
|
||||||
|
|
||||||
|
```ini
|
||||||
|
# Edit the git configuration
|
||||||
|
|
||||||
```
|
|
||||||
# Edit .git/config in the git repository you are working on
|
|
||||||
# Add the user section
|
|
||||||
[user]
|
[user]
|
||||||
name = YOUR NAME
|
name = YOUR NAME
|
||||||
email = YOUR EMAIL ADDRESS
|
email = YOUR VERIFIED EMAIL ADDRESS
|
||||||
|
|
||||||
# If you use a signing key, use the below configuration instead
|
# REQUIRED for commit signing
|
||||||
[user]
|
# Use ONE signing method (SSH or GPG)
|
||||||
name = YOUR NAME
|
|
||||||
email = YOUR EMAIL ADDRESS
|
signingkey = YOUR_SIGNING_KEY
|
||||||
signingkey = LOCATION OF SSH KEYS or GPG KEY
|
|
||||||
|
# Examples:
|
||||||
|
# SSH signing:
|
||||||
|
# signingkey = ~/.ssh/id_ed25519.pub
|
||||||
|
|
||||||
|
# GPG signing:
|
||||||
|
# signingkey = YOUR_GPG_KEY_ID
|
||||||
|
|
||||||
[gpg]
|
[gpg]
|
||||||
format = ssh
|
# REQUIRED: defines signing method (SSH or GPG)
|
||||||
|
|
||||||
|
format = YOUR_SIGNING_FORMAT
|
||||||
|
|
||||||
|
# Examples:
|
||||||
|
# SSH signing:
|
||||||
|
# format = ssh
|
||||||
|
|
||||||
|
# GPG signing:
|
||||||
|
# format = openpgp
|
||||||
|
|
||||||
[commit]
|
[commit]
|
||||||
gpgsign = true
|
gpgsign = true
|
||||||
```
|
```
|
||||||
|
|
||||||
> **NOTE:** If your commits are not signed the CI framework will not accept the PR.
|
> The private key is used automatically by SSH/Git when signing commits (SSH only).
|
||||||
|
|
||||||
|
#### Verifying Signed Commits
|
||||||
|
|
||||||
|
You can verify that commits are properly signed locally using:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git log --show-signature
|
||||||
|
```
|
||||||
|
|
||||||
|
GitHub should also display a Verified badge next to signed commits once the
|
||||||
|
signing key has been correctly configured in your account.
|
||||||
|
|
||||||
|
##### SSH Signature Verification (`allowed_signers`)
|
||||||
|
|
||||||
|
For SSH commit signing, local Git verification may require an `allowed_signers`
|
||||||
|
file. This is only used for local verification in Git and is not required
|
||||||
|
by GitHub.
|
||||||
|
|
||||||
|
If you see errors such as:
|
||||||
|
|
||||||
|
```text
|
||||||
|
No principal matched
|
||||||
|
Can't check signature
|
||||||
|
error: gpg.ssh.allowedSignersFile needs to be configured
|
||||||
|
```
|
||||||
|
you may need to configure it.
|
||||||
|
|
||||||
|
Create the file and add your signing identity:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
mkdir -p ~/.config/git
|
||||||
|
touch ~/.config/git/allowed_signers
|
||||||
|
echo "user@example.com ssh-ed25519 AAAACexamplekeystringhere" > ~/.config/git/allowed_signers
|
||||||
|
```
|
||||||
|
|
||||||
|
Enable it in local repository Git config:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git config gpg.ssh.allowedSignersFile ~/.config/git/allowed_signers
|
||||||
|
```
|
||||||
|
|
||||||
|
> **NOTE:**
|
||||||
|
> This is only for local Git signature verification and does not affect GitHub,
|
||||||
|
> or remote repository behavior.
|
||||||
|
|
||||||
|
> **NOTE:** If your commits are not signed, the CI framework will not accept the PR.
|
||||||
For more information regarding contribution guidelines
|
For more information regarding contribution guidelines
|
||||||
please check [this document](doc/code-style-contrib.md)
|
please check [this document](doc/code-style-contrib.md)
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
By contributing to OpenAirInterface, you agree that your contributions will be
|
By contributing to Duranta, you agree that your contributions will be
|
||||||
licensed under
|
licensed under
|
||||||
|
|
||||||
1. [CSSL v1.0 license](LICENSES/preferred/CSSL-v1.0.txt): for RAN and UE
|
1. [CSSL v1.0 license](LICENSES/preferred/CSSL-v1.0.txt): for RAN and UE
|
||||||
|
|||||||
Reference in New Issue
Block a user