* fix(ci): trust generated agentic CI PRs Signed-off-by: Andre Manoel <amanoel@nvidia.com> * fix(ci): authorize generated PR checks Signed-off-by: Andre Manoel <amanoel@nvidia.com> * fix(ci): pin authorized agentic checks Signed-off-by: Andre Manoel <amanoel@nvidia.com> * fix(ci): narrow agentic CI trust * fix(ci): reject stale agentic authorizations * fix(ci): serialize agentic authorization --------- Signed-off-by: Andre Manoel <amanoel@nvidia.com>
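# DCO Assistant: asks PR authors to sign the Developer Certificate of Origin.
#
# Security shape of this workflow (keep these invariants when editing):
#   * It runs on `pull_request_target` and `issue_comment`, i.e. in the base
#     repository's context with write-capable tokens, while handling data that
#     any PR author or commenter controls (PR body, branch name, comment text).
#   * It never checks out the PR head -- there is no actions/checkout step --
#     and untrusted PR fields only reach the shell through `env:`, never by
#     `${{ }}` interpolation inside `run:` text. Do not add either.
#   * A PR skips the DCO check only when GitHub-controlled metadata says it
#     was opened by github-actions[bot] from a same-repo `agentic-ci/*` branch
#     and its body carries the agentic-ci marker. Any failed check leaves the
#     PR untrusted (fail-closed); the only consequence is the normal DCO check.
---
name: "DCO Assistant"

on:
  issue_comment:
    types: [created]
  pull_request_target:
    types: [opened, closed, synchronize]

# Every scope not needed is an explicit `none` so a later change to the
# repository's default token permissions cannot silently widen this token.
# `contents: write` lets the DCO action commit to the `signatures` branch;
# `pull-requests: write` / `statuses: write` let it comment and report.
# NOTE(review): neither step visible here obviously needs `actions: write`
# -- confirm the contributor-assistant action requires it, else drop it.
permissions:
  actions: write
  checks: none
  contents: write
  deployments: none
  id-token: none
  issues: none
  discussions: none
  packages: none
  pages: none
  pull-requests: write
  repository-projects: none
  security-events: none
  statuses: write

jobs:
  DCOAssistant:
    # Forks inherit this file; keep the write-token workflow from running there.
    if: github.repository_owner == 'NVIDIA-NeMo'
    runs-on: ubuntu-latest
    steps:
      # Decides whether this PR is a generated agentic-CI PR that may skip the
      # DCO check. Sets output `trusted` to "true" or "false".
      - name: Check trusted Agentic CI PR
        id: trusted-agentic-ci
        # Untrusted values are passed via env, not via ${{ }} inside `run:`,
        # so a crafted PR body or branch name can never become shell syntax.
        env:
          GH_TOKEN: ${{ github.token }}
          EVENT_NAME: ${{ github.event_name }}
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          PR_BODY: ${{ github.event.pull_request.body }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
          REPO: ${{ github.repository }}
        # Explicit bash: the script relies on the `[[ ]]` bashism. Per GitHub's
        # documented defaults an explicit `shell: bash` also runs with
        # `-o pipefail`, whereas the implicit default is only `bash -e`.
        shell: bash
        run: |
          TRUSTED=false

          # On issue_comment the pull_request payload is absent, so re-fetch the
          # PR metadata from the API. If that fails (e.g. the issue is not a PR)
          # the variables stay empty and the PR stays untrusted.
          if [ "$EVENT_NAME" = "issue_comment" ] && [ -n "$ISSUE_NUMBER" ]; then
            PR_JSON=$(gh api "repos/${REPO}/pulls/${ISSUE_NUMBER}" 2>/dev/null || true)
            if [ -n "$PR_JSON" ]; then
              PR_AUTHOR=$(printf '%s' "$PR_JSON" | jq -r '.user.login')
              HEAD_REPO=$(printf '%s' "$PR_JSON" | jq -r '.head.repo.full_name')
              HEAD_REF=$(printf '%s' "$PR_JSON" | jq -r '.head.ref')
              PR_BODY=$(printf '%s' "$PR_JSON" | jq -r '.body // ""')
            fi
          fi

          # The body is written to a file so grep never receives it as an
          # argument or as a pattern.
          printf '%s' "$PR_BODY" > /tmp/pr-body-raw.txt
          # Commit authors can be spoofed; trust only PR metadata GitHub controls:
          # the PR author login, the head repo being this repo (not a fork),
          # the branch prefix, and the marker in the body. All four must hold.
          if [ "$PR_AUTHOR" = "github-actions[bot]" ] && \
             [ "$HEAD_REPO" = "$REPO" ] && \
             [[ "$HEAD_REF" == agentic-ci/* ]] && \
             grep -Eq '<!-- agentic-ci finding=[^[:space:]]+ suite=[^[:space:]]+ -->' /tmp/pr-body-raw.txt; then
            TRUSTED=true
          fi

          echo "trusted=${TRUSTED}" >> "$GITHUB_OUTPUT"

      # Runs the DCO check for every PR not marked trusted above. On
      # issue_comment it reacts only to the two recognised comment texts.
      - name: "DCO Assistant"
        if: >-
          steps.trusted-agentic-ci.outputs.trusted != 'true'
          && ((github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the DCO document and I hereby sign the DCO.') || github.event_name == 'pull_request_target')
        # Pinned to a full commit SHA rather than a mutable tag, so the
        # third-party action that receives the PAT cannot change underneath us.
        uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): a PAT is broader than GITHUB_TOKEN -- keep it
          # fine-grained and scoped to this repository; confirm its scopes.
          PERSONAL_ACCESS_TOKEN: ${{ secrets.DCO_ASSISTANT_TOKEN }}
        with:
          path-to-signatures: "dco-signatures.json"
          path-to-document: 'https://github.com/NVIDIA-NeMo/DataDesigner/blob/main/DCO'
          branch: 'signatures'
          allowlist: dependabot[bot]
          create-file-commit-message: "chore: create file to store dco signatures"
          signed-commit-message: "chore: $contributorName has signed the dco in #$pullRequestNo"
          custom-notsigned-prcomment: "Thank you for your submission! We ask that $you sign our [Developer Certificate of Origin](https://github.com/NVIDIA-NeMo/DataDesigner/blob/main/DCO) before we can accept your contribution. You can sign the DCO by adding a comment below using this text:"
          custom-pr-sign-comment: "I have read the DCO document and I hereby sign the DCO."
          lock-pullrequest-aftermerge: false
          use-dco-flag: true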