security: transfer certificates from intiramfs to root in dracut #9239
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Check if only infrastructure files were changed. Runs only when the infrastructure label is set. | |
# - if a commit WITH #infra in it's title CHANGES NON-INFRA FILES, the workflow FAILS. | |
# - if a commit WITHOUT #infra in it's title CHANGES NON-INFRA FILES, the workflow SUCCEEDS and | |
# lists all non-infra files changed in a GitHub comment. | |
# - if the PR DOESN'T CHANGE any infra files, the workflow SUCCEEDS. | |
# | |
# The list of infrastructure files is located in .structure-config. | |
name: Infrastructure check | |
on: | |
pull_request_target: | |
types: [ "synchronize", "reopened", "labeled", "unlabeled" ] | |
permissions: | |
contents: read | |
pull-requests: write | |
jobs: | |
commit-message-check: | |
if: contains(github.event.pull_request.labels.*.name, 'infrastructure') && github.event.pull_request.merged != 'true' | |
runs-on: ubuntu-22.04 | |
name: Infra tags in commit messages | |
steps: | |
- name: Clone Anaconda repository | |
uses: actions/checkout@v4 | |
with: | |
# TODO: Are we able to remove ref, fetch-depth and Rebase task? Seems that the checkout | |
# without ref is doing the rebase for us. | |
# otherwise we are testing target branch instead of the PR branch (see pull_request_target trigger) | |
ref: ${{ github.event.pull_request.head.sha }} | |
fetch-depth: 0 | |
- name: Rebase to current | |
run: | | |
git config user.name github-actions | |
git config user.email [email protected] | |
git log --oneline -1 origin/${{ github.event.pull_request.base.ref }} | |
git rebase origin/${{ github.event.pull_request.base.ref }} | |
- name: Check if all commits have infra postfix or prefix | |
run: | | |
# get commit headers of all the commits added in this PR | |
for i in "$(git log --oneline --pretty=format:%s origin/${{ github.event.pull_request.base.ref }}..HEAD)"; do | |
if ! ( [[ $i =~ \(#infra\)$ ]] || [[ $i =~ ^infra: ]] ); then | |
echo "$i --> Is missing 'infra:' prefix or '(#infra)' postfix" | |
exit 1 | |
fi | |
done | |
- name: Check if all changed files are infra related | |
run: | | |
set -eu | |
changed_files=$(git diff --name-only origin/${{ github.event.pull_request.base.ref }}..HEAD) | |
# print for debugging | |
echo "-------- Changed files --------" | |
echo "$changed_files" | |
echo "-------------------------------" | |
echo "--- Files with failed check ---" | |
# load infrastructure file list | |
. .structure-config | |
failed_check="no" | |
echo -e 'Infrastructure check **failed** on these files. Please do a double check of these files before merge!\n' > ./message.txt | |
for f in $changed_files; do | |
matched="no" | |
for infra_f in "${INFRASTRUCTURE_FILES[@]}"; do | |
if [[ "$f" =~ "$infra_f" ]]; then | |
matched="yes" | |
break | |
fi | |
done | |
if [ $matched == "no" ]; then | |
echo "$f" | tee -a ./message.txt | |
failed_check="yes" | |
fi | |
done | |
# Label related actions should only trigger comment if the "infrastructure" label triggered it specifically. | |
skip_comment="no" | |
if ([ "${{ github.event.action }}" == "labeled" ] || [ "${{ github.event.action }}" == "unlabeled" ]) && [ "${{ github.event.label.name }}" != "infrastructure" ]; then | |
skip_comment="yes" | |
fi | |
if [ "$failed_check" == "yes" ] && [ "$skip_comment" != "yes" ]; then | |
gh pr comment ${{ github.event.pull_request.number }} -F ./message.txt | |
fi | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |