
SEO: services page #115

# Portfolio CI: linting plus commit-provenance checks.
# Runs on pushes to main and on pull requests that target main. The trigger is
# `pull_request`, so runs started from forks do not receive repository secrets;
# the GPG steps in the jobs below are conditioned on that.
name: Portfolio CI
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
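jobs:
  # -------------------
  # 1. Lint HTML, CSS, JS
  # -------------------
  # Advisory lint pass. Every linter command ends in `|| true`, so findings are
  # printed in the log but never fail the job; as written it is not a merge gate.
  lint:
    runs-on: ubuntu-latest
    # Least privilege: this job only reads the checked-out tree.
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Nothing in this job pushes, so do not leave the token in .git/config
          # where the globally installed npm packages below could read it.
          persist-credentials: false
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"
      # NOTE(review): the linters are installed unpinned from the registry on
      # every run, so whatever version is current executes in CI. Pinning
      # versions (or installing from a lockfile) makes runs reproducible and
      # narrows the supply-chain exposure.
      - name: Install linters
        run: npm install -g eslint stylelint htmlhint
      # `|| true` also hides a linter that fails to start (bad flag, missing
      # config), not only rule violations. Kept as the author's best-effort mode.
      - name: Lint JavaScript
        run: eslint . --ext .js,.jsx || true
      - name: Lint CSS
        run: stylelint "**/*.{css,scss}" || true
      - name: Lint HTML
        run: htmlhint "**/*.html" || true

  # -------------------
  # 2. DCO + GPG Check (latest commit only)
  # -------------------
  # Checks the DCO sign-off on pull requests and verifies that the commit at
  # HEAD carries a good GPG signature from an allowlisted key. Only one commit
  # is inspected; earlier commits in a push or PR are not verified.
  # NOTE(review): no `permissions:` block is set for this job, so it runs with
  # the repository's default GITHUB_TOKEN scope. Narrow it once the needs of the
  # DCO action are confirmed.
  commit-checks:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # full history, but only the latest commit is checked

      # ---------- DCO Check ----------
      # NOTE(review): third-party action referenced by a mutable tag. Pinning it
      # to a full commit SHA (tisonkun/actions-dco@<full-commit-sha>) keeps a
      # retagged release from changing what runs here.
      - name: DCO Check
        if: github.event_name == 'pull_request'
        uses: tisonkun/actions-dco@v1.1

      # ---------- Import GPG Public Key ----------
      # Runs for pushes and for PRs whose head branch lives in this repository.
      # Keys are passed through `env`, not interpolated into the script text.
      - name: Import trusted GPG public key
        if: ${{ github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request' }}
        env:
          GPG_PUBLIC_KEY: ${{ secrets.GPG_PUBLIC_KEY }}
          GPG_PUBLIC_KEY_1: ${{ secrets.GPG_PUBLIC_KEY_1 }}
        run: |
          # With neither secret set there is nothing to import. The GitHub keys
          # below are skipped as well, so the verify step then fails closed.
          if [ -z "$GPG_PUBLIC_KEY" ] && [ -z "$GPG_PUBLIC_KEY_1" ]; then
            echo "⚠️ Skipping GPG import: No secrets available (forked PR or missing keys)."
            exit 0
          fi

          # Import one armored public key and set its ownertrust to ultimate (6).
          #   $1 = key material, $2 = name of the secret (for log messages only)
          import_key() {
            local key="$1"
            local varname="$2"
            local fingerprint
            if [ -n "$key" ]; then
              echo "$key" | gpg --import
              echo "✅ Imported $varname successfully."
              # show-only parses the key without touching the keyring; the first
              # "fpr" record is taken as the key's fingerprint.
              fingerprint=$(echo "$key" | gpg --with-colons --import-options show-only --import 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}')
              if [ -n "$fingerprint" ]; then
                echo "$fingerprint:6:" | gpg --import-ownertrust
                echo "🔐 Set $varname ($fingerprint) to ultimate trust."
              fi
            fi
          }

          # Import your own keys
          import_key "$GPG_PUBLIC_KEY" "GPG_PUBLIC_KEY"
          import_key "$GPG_PUBLIC_KEY_1" "GPG_PUBLIC_KEY_1"

          # Import GitHub's signing keys. These are fetched at run time and are
          # only usable for verification if their key ID is in the allowlist of
          # the verify step. The import stays best effort, but a failed download
          # is now reported as a warning instead of being logged as a success.
          echo "🌐 Importing GitHub official GPG signing keys..."
          if curl -fsSL "https://github.com/web-flow.gpg" | gpg --import; then
            echo "✅ Imported GitHub web-flow key."
          else
            echo "⚠️ Could not import GitHub web-flow key."
          fi
          # NOTE(review): confirm this URL really serves an armored key. It is
          # quoted so the shell cannot treat the `?` as a glob character.
          if curl -fsSL "https://github.com/actions/runner-images/blob/main/images/github-bot.gpg?raw=true" | gpg --import; then
            echo "✅ Imported GitHub merge bot key."
          else
            echo "⚠️ Could not import GitHub merge bot key."
          fi
          echo "🎉 All available GPG public keys imported successfully."

      # ---------- Verify latest commit signature ----------
      # NOTE(review): on pull_request events actions/checkout checks out the PR
      # merge ref by default, so HEAD may be GitHub's test-merge commit rather
      # than the contributor's head commit - confirm which commit is meant to be
      # verified (the PR head is github.event.pull_request.head.sha).
      - name: Verify latest commit signature
        if: ${{ github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request' }}
        run: |
          LATEST_COMMIT=$(git rev-parse HEAD)
          echo "🔍 Checking latest commit: $LATEST_COMMIT"
          # Human-readable output is printed for diagnostics only.
          git log --show-signature -1 "$LATEST_COMMIT"

          # The decision is taken from git's signature placeholders, not from
          # the log text: that text also contains the commit message and author
          # fields, which the committer controls, so grepping it for
          # "Good signature" or a key ID can match words that no signature
          # produced.
          #   %G? = verification status, %GK = signing key,
          #   %GF = signing key fingerprint, %GP = primary key fingerprint
          SIG_STATUS=$(git log -1 --format='%G?' "$LATEST_COMMIT")
          SIGNER_IDS=$(git log -1 --format='%GK %GF %GP' "$LATEST_COMMIT")

          # Allowlist of 64-bit key IDs. Full fingerprints would be the stronger
          # identifier if they can be recorded here.
          TRUSTED_KEYS="7F4C7CA953E1C09E D432152833DA3244 88F6CD4E295C9062 BE677DAEFE33CB57 C97540DA6C9FA85C"
          GITHUB_COMMIT_KEY="4AEE18F83AFDEB23" # GitHub web-flow
          GITHUB_MERGE_KEY="B5690EEEBB952194" # GitHub merge bot (label as given by the author; confirm)
          TRUSTED="$TRUSTED_KEYS $GITHUB_COMMIT_KEY $GITHUB_MERGE_KEY"

          # G = good signature, U = good signature from a key of unknown
          # validity (the GitHub keys are imported without ownertrust).
          # Bad, expired, revoked, unverifiable and missing signatures fall
          # through to the failure below.
          case "$SIG_STATUS" in
            G|U)
              for key in $TRUSTED; do
                for signer in $SIGNER_IDS; do
                  # A key ID is the tail of the fingerprint, so a suffix match
                  # covers both forms git may report.
                  case "$signer" in
                    *"$key")
                      echo "✅ Commit signed with trusted key: $key"
                      exit 0
                      ;;
                  esac
                done
              done
              ;;
          esac
          echo "❌ Commit is not GPG signed with a trusted key!"
          exit 1

      # ---------- Optional status for skipped forked PRs ----------
      # Informational only: commits from fork PRs get no signature check here.
      - name: Skip GPG checks for external PRs
        if: ${{ github.event.pull_request.head.repo.full_name != github.repository && github.event_name == 'pull_request' }}
        run: echo "🟡 Skipping GPG verification for external PR (no access to secrets)."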