diff --git a/.devcontainer/installMoreTools.sh b/.devcontainer/installMoreTools.sh
index 8d8fc3b369..c3eadcee99 100755
--- a/.devcontainer/installMoreTools.sh
+++ b/.devcontainer/installMoreTools.sh
@@ -6,3 +6,6 @@ sudo apt-get update && sudo apt-get install -y lsb-release wget software-propert
 # Install LLVM 14
 export LLVM_VERSION=14
 curl -sL https://apt.llvm.org/llvm.sh | sudo bash -s "$LLVM_VERSION"
+
+# Configure Git client to sign commits by default
+git config commit.gpgsign true
diff --git a/.github/workflows/commit-message.yaml b/.github/workflows/commit-verifier.yaml
similarity index 74%
rename from .github/workflows/commit-message.yaml
rename to .github/workflows/commit-verifier.yaml
index de88a7d9e0..ae7735c9c9 100644
--- a/.github/workflows/commit-message.yaml
+++ b/.github/workflows/commit-verifier.yaml
@@ -1,4 +1,4 @@
-name: commit-message
+name: commit-verifier
 on:
 merge_group:
 pull_request:
@@ -9,10 +9,13 @@ on:
 - edited
 - reopened
 jobs:
- commit-message:
+ commit-verifier:
 if: ${{ github.event_name != 'merge_group' }}
 runs-on: ubuntu-20.04
 steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
 - name: verify_commit_message
 env:
 TITLE: ${{ github.event.pull_request.title }}
@@ -36,3 +39,12 @@ jobs:
 echo "For more details, see .github/workflows/commit-message.yaml"
 exit 1
 }
+
+ - name: Verify GPG Signature
+ run: |
+ LAST_COMMIT=$(git rev-parse HEAD)
+ SIGNATURE=$(git log --show-signature -1 $LAST_COMMIT)
+ echo "$SIGNATURE" | grep 'gpg: Signature made' || {
+ echo "ERROR: The last commit is not GPG signed. Please sign your commit."
+ exit 1
+ }
diff --git a/docs/07-Contributing/developing.md b/docs/07-Contributing/developing.md
index 2474ca14b2..fd90a4fa60 100644
--- a/docs/07-Contributing/developing.md
+++ b/docs/07-Contributing/developing.md
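Review bot: The added `git config commit.gpgsign true` turns signing on without checking that a signing key is available, so in a fresh dev container every `git commit` is likely to fail with a gpg error until the developer forwards or imports a key and sets `user.signingkey`. Without `--global` the setting is written to the config of whatever repository the script's working directory is in, and the command fails when run outside a work tree; that dependency is worth a comment, for example `# repo-local setting: run from the repository root; needs user.signingkey and a forwarded GPG agent`. The script starts before this hunk, so whether it changes directory or sets `set -e` earlier is not visible here.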
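Review bot: The new checkout step references `actions/checkout@v2` by a mutable tag, and on `pull_request` events it checks out GitHub's merge ref by default, so `HEAD` in the later signature step is presumably the synthetic merge commit rather than a commit the contributor made. Pin the action to a full commit SHA and check out the PR head explicitly, e.g. `uses: actions/checkout@<full-commit-sha>` with `with: { ref: "${{ github.event.pull_request.head.sha }}", persist-credentials: false }`. `persist-credentials: false` keeps the job token out of the checked-out `.git/config`, which this read-only job does not need.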
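Review bot: The `grep 'gpg: Signature made'` test in the new step passes for any commit that carries a GPG signature block, because the runner has no trusted keys imported and that line is printed before gpg reports whether the signature is good or the key is known; a commit signed with a throwaway key under someone else's name and e-mail satisfies it. It also inspects a single commit, so unsigned commits earlier in the pull request pass, and commits signed with SSH or S/MIME, which GitHub also shows as verified, would presumably be rejected. One option is to ask GitHub for its own verification result for every commit in the pull request, as sketched below; the job token would need read access to pull requests. The error text in the step above still points at `.github/workflows/commit-message.yaml`, which this commit renames.

```yaml
      - name: Verify commit signatures
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # List every PR commit GitHub does not report as verified.
          unverified=$(gh api --paginate \
            "repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}/commits" \
            --jq '.[] | select(.commit.verification.verified != true) | .sha')
          if [ -n "$unverified" ]; then
            echo "ERROR: these commits have no verified signature:"
            echo "$unverified"
            exit 1
          fi
```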
@@ -190,23 +190,10 @@ In order to certify the provenance of commits and defend against impersonation, Documentation for setting up Git and Github to sign your commits can be found [here](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits). Additional information about Git's use of GPG can be found [here](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work) -This can be accomplished by providing a `-S` flag to `git commit` as documented [here](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--Sltkeyidgt) +> To configure your Git client to sign commits by default for a local repository, run `git config commit.gpgsign true`. ### Developers Certificate of Origin (DCO) Contributions to Retina must contain a Developers Certificate of Origin within their constituent commits. This can be accomplished by providing a `-s` flag to `git commit` as documented [here](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt--s). This will add a `Signed-off-by` trailer to your Git commit, affirming your acceptance of the Contributor License Agreement. - -### Example commit - -Here is an example development flow to add a change made to file `docs/07-Contributing/developing.md` - -```sh -git checkout -b feat-branch-1 -git add docs/07-Contributing/developing.md -git commit -m "fix(doc): update contributing docs" -sS -git push origin feat-branch-1 -u -``` - -After committing your change, when accessing [retina project's repo](https://github.com/microsoft/retina) you will get a prompt to create a PR from your fork.
diff --git a/test.sh b/test.sh
new file mode 100755
index 0000000000..19d605956f
--- /dev/null
+++ b/test.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+if git log -1 --pretty=%G? | grep -q "G";
+then
+ echo "The latest commit is signed."
+else
+ echo "Error: The latest commit is not signed."
+ exit 1;
+fi
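Review bot: `grep -q "G"` on the output of `--pretty=%G?` accepts only a signature that gpg rates good and valid, which is a stricter rule than the `grep 'gpg: Signature made'` check the workflow in this commit runs, so the two can disagree on the same commit; a good signature from a key that is not in the local keyring reports `E` here and fails. Nothing in the visible diff calls `test.sh`, and its name at the repository root does not say what it tests, so it looks like a local scratch check; if it is meant to stay, a header comment stating that it checks only `HEAD` against the local keyring would help. An exact comparison such as `if [ "$(git log -1 --pretty=%G?)" = "G" ]; then` avoids the pipeline and makes the accepted status explicit.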