fix(docs): add gpgsign to devcontainer,add GHA sign check, update doc…

…test
microsoft · Oct 16, 2024 · 8491444 · 8491444
1 parent 4239165
commit 8491444
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 16 deletions.
diff --git a/.devcontainer/installMoreTools.sh b/.devcontainer/installMoreTools.sh
@@ -6,3 +6,6 @@ sudo apt-get update && sudo apt-get install -y lsb-release wget software-propert
 # Install LLVM 14
 export LLVM_VERSION=14
 curl -sL https://apt.llvm.org/llvm.sh | sudo bash -s "$LLVM_VERSION"
+
+# Configure Git client to sign commits by default
+git config commit.gpgsign true
diff --git a/.github/workflows/commit-message.yaml → .github/workflows/commit-verifier.yaml b/.github/workflows/commit-message.yaml → .github/workflows/commit-verifier.yaml
@@ -1,4 +1,4 @@
-name: commit-message
+name: commit-verifier
 on:
   merge_group:
   pull_request:
@@ -9,10 +9,13 @@ on:
       - edited
       - reopened
 jobs:
-  commit-message:
+  commit-verifier:
     if: ${{ github.event_name != 'merge_group' }}
     runs-on: ubuntu-20.04
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
       - name: verify_commit_message
         env:
           TITLE: ${{ github.event.pull_request.title }}
@@ -36,3 +39,12 @@ jobs:
             echo "For more details, see .github/workflows/commit-message.yaml"
             exit 1
           }
+
+      - name: Verify GPG Signature
+        run: |
+            LAST_COMMIT=$(git rev-parse HEAD)
+            SIGNATURE=$(git log --show-signature -1 $LAST_COMMIT)
+            echo "$SIGNATURE" | grep 'gpg: Signature made' || {
+            echo "ERROR: The last commit is not GPG signed. Please sign your commit."
+            exit 1
+            }
diff --git a/docs/07-Contributing/developing.md b/docs/07-Contributing/developing.md
@@ -190,23 +190,10 @@ In order to certify the provenance of commits and defend against impersonation,
 Documentation for setting up Git and Github to sign your commits can be found [here](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits).
 Additional information about Git's use of GPG can be found [here](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
 
-This can be accomplished by providing a `-S` flag to `git commit` as documented [here](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--Sltkeyidgt)
+> To configure your Git client to sign commits by default for a local repository, run `git config commit.gpgsign true`.
 
 ### Developers Certificate of Origin (DCO)
 
 Contributions to Retina must contain a Developers Certificate of Origin within their constituent commits.
 This can be accomplished by providing a `-s` flag to `git commit` as documented [here](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s).
 This will add a `Signed-off-by` trailer to your Git commit, affirming your acceptance of the Contributor License Agreement.
-
-### Example commit
-
-Here is an example development flow to add a change made to file `docs/07-Contributing/developing.md`
-
-```sh
-git checkout -b feat-branch-1
-git add docs/07-Contributing/developing.md
-git commit -m "fix(doc): update contributing docs" -sS
-git push origin feat-branch-1 -u
-```
-
-After committing your change, when accessing [retina project's repo](https://github.com/microsoft/retina) you will get a prompt to create a PR from your fork.
diff --git a/test.sh b/test.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+if git log -1 --pretty=%G? | grep -q "G"; 
+then
+	echo "The latest commit is signed."
+else
+	echo "Error: The latest commit is not signed."
+	exit 1;
+fi