From 61384826329407a80552a58aed1a42a0cd6599fb Mon Sep 17 00:00:00 2001 From: vimal-tech-dev Date: Sat, 11 Oct 2025 08:19:15 +0530 Subject: [PATCH] Checking purpose as linter failed Signed-off-by: vimal-tech-dev --- .github/workflows/doc-check-linter.yml | 50 +++++++++++++------------- 1 file changed, 24 insertions(+), 26 deletions(-) diff --git a/.github/workflows/doc-check-linter.yml b/.github/workflows/doc-check-linter.yml index fc93834..0f15640 100644 --- a/.github/workflows/doc-check-linter.yml +++ b/.github/workflows/doc-check-linter.yml @@ -51,18 +51,17 @@ jobs: # ---------- Import GPG Public Key ---------- - name: Import trusted GPG public key - # Run only if this is NOT a forked PR if: ${{ github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request' }} env: GPG_PUBLIC_KEY: ${{ secrets.GPG_PUBLIC_KEY }} - GPG_PUBLIC_KEY_1: ${{ secrets.GPG_PUBLIC_KEY_1 }} # Public key from Machine HP + GPG_PUBLIC_KEY_1: ${{ secrets.GPG_PUBLIC_KEY_1 }} run: | # Check for primary GPG key if [ -z "$GPG_PUBLIC_KEY" ] && [ -z "$GPG_PUBLIC_KEY_1" ]; then echo "⚠️ Skipping GPG import: No secrets available (forked PR or missing keys)." exit 0 fi - + # Function to import and trust a GPG key import_key() { local key="$1" @@ -70,42 +69,42 @@ jobs: if [ -n "$key" ]; then echo "$key" | gpg --import echo "βœ… Imported $varname successfully." - - # Extract fingerprint - fingerprint=$(echo "$key" | gpg --with-colons --import-options show-only --import 2>/dev/null \ - | awk -F: '$1=="fpr"{print $10; exit}') + fingerprint=$(echo "$key" | gpg --with-colons --import-options show-only --import 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}') if [ -n "$fingerprint" ]; then - # Set ultimate trust echo "$fingerprint:6:" | gpg --import-ownertrust - echo "πŸ” Set $varname (fingerprint $fingerprint) to ultimate trust." - else - echo "⚠️ Could not determine fingerprint for $varname." + echo "πŸ” Set $varname ($fingerprint) to ultimate trust." fi fi } - - # Import both keys + + # Import your own keys import_key "$GPG_PUBLIC_KEY" "GPG_PUBLIC_KEY" import_key "$GPG_PUBLIC_KEY_1" "GPG_PUBLIC_KEY_1" - + + # βœ… Import GitHub’s official signing keys (commit + merge) + echo "🌐 Importing GitHub official GPG signing keys..." + curl -fsSL https://github.com/web-flow.gpg | gpg --import || true + curl -fsSL https://github.com/actions/runner-images/blob/main/images/github-bot.gpg?raw=true | gpg --import || true + echo "βœ… Imported GitHub web-flow and merge bot keys successfully." + echo "πŸŽ‰ All available GPG public keys imported successfully." - + # ---------- Verify latest commit signature ---------- - name: Verify latest commit signature - # Skip verification if forked PR (same condition for consistency) if: ${{ github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request' }} run: | - # Only check the latest commit LATEST_COMMIT=$(git rev-parse HEAD) echo "πŸ” Checking latest commit: $LATEST_COMMIT" - + SIG=$(git log --show-signature -1 "$LATEST_COMMIT") echo "$SIG" - + + # βœ… Include all trusted fingerprints TRUSTED_KEYS="7F4C7CA953E1C09E D432152833DA3244 88F6CD4E295C9062 BE677DAEFE33CB57 C97540DA6C9FA85C" - GITHUB_KEY="4AEE18F83AFDEB23" - TRUSTED="$TRUSTED_KEYS $GITHUB_KEY" - + GITHUB_COMMIT_KEY="4AEE18F83AFDEB23" # GitHub web-flow + GITHUB_MERGE_KEY="B5690EEEBB952194" # GitHub merge bot + TRUSTED="$TRUSTED_KEYS $GITHUB_COMMIT_KEY $GITHUB_MERGE_KEY" + if echo "$SIG" | grep -q "Good signature"; then for key in $TRUSTED; do if echo "$SIG" | grep -q "$key"; then @@ -114,12 +113,11 @@ jobs: fi done fi - + echo "❌ Commit is not GPG signed with a trusted key!" exit 1 - + # ---------- Optional status for skipped forked PRs ---------- - name: Skip GPG checks for external PRs if: ${{ github.event.pull_request.head.repo.full_name != github.repository && github.event_name == 'pull_request' }} - run: echo "🟑 Skipping GPG verification for external PR (no access to secrets)." - + run: echo "🟑 Skipping GPG verification for external PR (no access to secrets)." \ No newline at end of file