forked from snowdreamtech/base
-
Notifications
You must be signed in to change notification settings - Fork 0
123 lines (117 loc) · 4.42 KB
/
Copy pathdco.yml
File metadata and controls
123 lines (117 loc) · 4.42 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
# Copyright (c) 2026 SnowdreamTech. All rights reserved.
# Licensed under the MIT License. See LICENSE file in the project root for full license information.
---
# DCO Check
# Purpose: Enforces the Developer Certificate of Origin (DCO) by verifying commits include 'Signed-off-by'.
# Standards: Rule 07 (Git), Industry Best Practices for OSS Governance.
name: "✍️ DCO"
"on":
pull_request:
branches: [main, dev]
permissions: {}
env:
UNIRTM_LOCKED: 1
jobs:
dco:
name: "🛡️ Verify Signed-off-by"
runs-on: ubuntu-latest
# Skip DCO check for bot-created PRs and repository maintainer
# When release-please uses GITHUB_TOKEN, it creates PRs as user 'snowdream' (not the org 'snowdreamtech')
# Security: github.event.pull_request.user.login cannot be forged by external contributors
# Note: github.repository_owner = 'snowdreamtech' (org), but PR user = 'snowdream' (user)
if: |
github.event.pull_request.user.login != 'dependabot[bot]' &&
github.event.pull_request.user.login != 'github-actions[bot]' &&
github.event.pull_request.user.login != 'release-please[bot]' &&
github.event.pull_request.user.login != 'snowdream'
concurrency:
group: dco-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
timeout-minutes: 30
steps:
- name: "🔒 Harden Runner"
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
raw.githubusercontent.com:443
objects.githubusercontent.com:443
pkg-containers.githubusercontent.com:443
avatars.githubusercontent.com:443
github.com:443
packages.microsoft.com:443
archive.ubuntu.com:80
archive.ubuntu.com:443
security.ubuntu.com:80
security.ubuntu.com:443
ports.ubuntu.com:80
ports.ubuntu.com:443
keyserver.ubuntu.com:80
keyserver.ubuntu.com:443
changelogs.ubuntu.com:80
changelogs.ubuntu.com:443
deb.debian.org:80
deb.debian.org:443
security.debian.org:80
security.debian.org:443
snapshot.debian.org:80
snapshot.debian.org:443
dl.rockylinux.org:443
mirrors.rockylinux.org:443
mirror.centos.org:443
vault.centos.org:443
isv-data.centos.org:443
mirrorlist.centos.org:80
mirrorlist.centos.org:443
cdn.redhat.com:443
cdn-ubi.redhat.com:443
access.redhat.com:443
sso.redhat.com:443
dl-cdn.alpinelinux.org:443
registry.npmjs.org:443
registry.yarnpkg.com:443
pypi.org:443
files.pythonhosted.org:443
proxy.golang.org:443
sum.golang.org:443
index.crates.io:443
static.rust-lang.org:443
packagist.org:443
repo.maven.apache.org:443
golang.org:443
pkg.go.dev:443
dl.google.com:443
rubygems.org:443
registry.terraform.io:443
formulae.brew.sh:443
repo.yarnpkg.com:443
ghcr.io:443
production.cloudflare.docker.com:80
production.cloudflare.docker.com:443
registry-1.docker.io:443
auth.docker.io:443
docker.io:443
quay.io:443
cdn.quay.io:443
docker-images-prod.s3.us-west-2.amazonaws.com:443
docker-images-prod.s3.us-east-1.amazonaws.com:443
docker-images-prod.s3.amazonaws.com:443
s3.amazonaws.com:443
s3.us-west-2.amazonaws.com:443
s3.us-east-1.amazonaws.com:443
osv-vulnerabilities.storage.googleapis.com:443
api.osv.dev:443
get.trivy.dev:443
aquasecurity.github.io:443
tuf-repo-cdn.sigstore.dev:443
oauth2.sigstore.dev:443
rekor.sigstore.dev:443
fulcio.sigstore.dev:443
api.sigstore.dev:443
- name: "🛡️ Check DCO Signature"
uses: tisonkun/actions-dco@f1024cd563550b5632e754df11b7d30b73be54a5 # v1.1
# This action fails if any commit in the PR lacks a 'Signed-off-by' line.