chore: bump some action deps to node24 versions #107
Workflow file for this run
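# Sigscanner Check: asks the Sigscanner API whether every commit in the pull
# request carries a verified signature, and fails the job if it does not.
name: "Sigscanner Check"
description: "This check ensures all commits in a PR have verified signatures"

on:
  merge_group:
  pull_request:

concurrency:
  group: ${{ github.workflow }}-pr-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

# The job never uses GITHUB_TOKEN, so it is granted no scopes at all.
permissions: {}

jobs:
  sigscanner-check:
    runs-on: ubuntu-latest
    # NOTE(review): three attempts at --max-time 300 plus two 15 s pauses can
    # take up to 930 s, which exceeds this 10-minute limit; the job would be
    # cancelled (and the check fail) before the last attempt completes.
    timeout-minutes: 10
    # Skip on merge group events
    # NOTE(review): a job skipped by `if` is reported as successful, so if this
    # is a required check, merge-queue runs pass without re-verifying
    # signatures. Confirm that this is intended.
    if: ${{ github.event_name == 'pull_request' }}
    env:
      REPOSITORY: ${{ github.repository }}
      PR_NUMBER: ${{ github.event.pull_request.number }}
      PR_COMMIT_COUNT: ${{ github.event.pull_request.commits }}
      VERIFY_MAX_ATTEMPTS: "3"
    steps:
      - name: "Sigscanner check"
        id: sigscanner
        env:
          SIGSCANNER_URL: ${{ secrets.SIGSCANNER_URL }}
          SIGSCANNER_API_KEY: ${{ secrets.SIGSCANNER_API_KEY }}
        run: |
          # With no `shell:` key the runner starts this script as `bash -e`, so
          # any command whose failure should lead to a retry is guarded
          # explicitly; otherwise the step would abort before the retry logic.

          # Fail early with a readable message when the secrets are missing,
          # for example on pull requests from forks, which do not receive
          # repository secrets.
          if [[ -z "$SIGSCANNER_URL" || -z "$SIGSCANNER_API_KEY" ]]; then
            echo "❌ SIGSCANNER_URL or SIGSCANNER_API_KEY is not set for this run"
            exit 1
          fi

          # Private, unpredictable response file instead of a fixed /tmp path.
          response_file=$(mktemp "${RUNNER_TEMP:-/tmp}/sigscanner_response.XXXXXX")
          trap 'rm -f -- "$response_file"' EXIT

          # Sleep between attempts, but not after the last one.
          pause_before_retry() {
            if [[ $request_attempt -lt $VERIFY_MAX_ATTEMPTS ]]; then
              echo "⏳ Retrying in 15s..."
              sleep 15
            fi
          }

          echo "Verifying $PR_COMMIT_COUNT commits..."
          request_attempt=1
          total_start=$SECONDS

          while [[ $request_attempt -le $VERIFY_MAX_ATTEMPTS ]]; do
            echo "::group::Attempt $request_attempt/$VERIFY_MAX_ATTEMPTS — calling Sigscanner API..."
            attempt_start=$SECONDS

            # Start from an empty body so a failed transfer cannot leave the
            # previous attempt's response behind.
            : > "$response_file"

            # `|| curl_status=$?` keeps a transport failure (timeout, DNS, TLS)
            # from terminating the step under `bash -e`; it is retried instead.
            # NOTE(review): the API key is passed on curl's command line and is
            # therefore visible in the runner's process list while curl runs;
            # consider a header file (`-H @file`) if this ever moves to a
            # shared or self-hosted runner.
            curl_status=0
            http_code=$(curl -s -o "$response_file" --max-time 300 -w '%{http_code}' -G \
              -H "X-SIGSCANNER-SECRET: $SIGSCANNER_API_KEY" \
              --data-urlencode "pr=$PR_NUMBER" \
              --data-urlencode "repository=$REPOSITORY" \
              "$SIGSCANNER_URL") || curl_status=$?

            elapsed=$(( SECONDS - attempt_start ))
            echo "API responded in ${elapsed}s (HTTP $http_code)"
            echo "::endgroup::"

            # A non-zero curl exit is treated as a failure even if a 200 status
            # line was received, because the body may be truncated.
            if [[ $curl_status -ne 0 || "$http_code" != "200" ]]; then
              echo "❌ Sigscanner API returned HTTP $http_code (attempt $request_attempt, ${elapsed}s, curl exit $curl_status)"
              echo "If this PR has many commits, Sigscanner might time out. Try running the workflow again. Sigscanner will pick up from the last verified commit."
              pause_before_retry
              request_attempt=$((request_attempt + 1))
              continue
            fi

            # Require a JSON object: the field lookups below would fail on any
            # other JSON value and abort the step without a retry.
            if ! jq -e 'type == "object"' "$response_file" >/dev/null 2>&1; then
              echo "❌ HTTP 200 but body is not a JSON object (attempt $request_attempt, ${elapsed}s)"
              echo
              pause_before_retry
              request_attempt=$((request_attempt + 1))
              continue
            fi

            res_verified=$(jq -r '.verified' "$response_file")
            res_error=$(jq -r '.error' "$response_file")

            if [[ "$res_verified" == "true" ]]; then
              echo "✅ All commits verified"
              exit 0
            elif [[ "$(jq '(.unverified_commits // []) | length > 0' "$response_file")" == "true" ]]; then
              # Non-empty unverified_commits: definitive result, do not retry
              echo "❌ Unverified commits:"
              jq -r '.unverified_commits[] | " - \(.)"' "$response_file"
              break
            else
              echo "❌ Error: $res_error"
            fi

            pause_before_retry
            request_attempt=$((request_attempt + 1))
          done

          # Reached on a definitive "unverified" answer or when every attempt
          # failed; either way the check fails closed.
          total_elapsed=$(( SECONDS - total_start ))
          echo "❌ Not all commits verified (total time: ${total_elapsed}s)"
          exit 1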