Skip to content

security: call /usr/libexec/fips-setup-helper #8626

security: call /usr/libexec/fips-setup-helper

security: call /usr/libexec/fips-setup-helper #8626

Workflow file for this run

# Check if only infrastructure files were changed. Runs only when the infrastructure label is set.
# - if a commit WITH #infra in it's title CHANGES NON-INFRA FILES, the workflow FAILS.
# - if a commit WITHOUT #infra in it's title CHANGES NON-INFRA FILES, the workflow SUCCEEDS and
# lists all non-infra files changed in a GitHub comment.
# - if the PR DOESN'T CHANGE any infra files, the workflow SUCCEEDS.
#
# The list of infrastructure files is located in .structure-config.
name: Infrastructure check
on:
pull_request_target:
types: [ "synchronize", "reopened", "labeled", "unlabeled" ]
permissions:
contents: read
pull-requests: write
jobs:
commit-message-check:
if: contains(github.event.pull_request.labels.*.name, 'infrastructure') && github.event.pull_request.merged != 'true'
runs-on: ubuntu-22.04
name: Infra tags in commit messages
steps:
- name: Clone Anaconda repository
uses: actions/checkout@v4
with:
# TODO: Are we able to remove ref, fetch-depth and Rebase task? Seems that the checkout
# without ref is doing the rebase for us.
# otherwise we are testing target branch instead of the PR branch (see pull_request_target trigger)
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
- name: Rebase to current
run: |
git config user.name github-actions
git config user.email github-actions@github.com
git log --oneline -1 origin/${{ github.event.pull_request.base.ref }}
git rebase origin/${{ github.event.pull_request.base.ref }}
- name: Check if all commits have infra postfix or prefix
run: |
# get commit headers of all the commits added in this PR
for i in "$(git log --oneline --pretty=format:%s origin/${{ github.event.pull_request.base.ref }}..HEAD)"; do
if ! ( [[ $i =~ \(#infra\)$ ]] || [[ $i =~ ^infra: ]] ); then
echo "$i --> Is missing 'infra:' prefix or '(#infra)' postfix"
exit 1
fi
done
- name: Check if all changed files are infra related
run: |
set -eu
changed_files=$(git diff --name-only origin/${{ github.event.pull_request.base.ref }}..HEAD)
# print for debugging
echo "-------- Changed files --------"
echo "$changed_files"
echo "-------------------------------"
echo "--- Files with failed check ---"
# load infrastructure file list
. .structure-config
failed_check="no"
echo -e 'Infrastructure check **failed** on these files. Please do a double check of these files before merge!\n' > ./message.txt
for f in $changed_files; do
matched="no"
for infra_f in "${INFRASTRUCTURE_FILES[@]}"; do
if [[ "$f" =~ "$infra_f" ]]; then
matched="yes"
break
fi
done
if [ $matched == "no" ]; then
echo "$f" | tee -a ./message.txt
failed_check="yes"
fi
done
# Label related actions should only trigger comment if the "infrastructure" label triggered it specifically.
skip_comment="no"
if ([ "${{ github.event.action }}" == "labeled" ] || [ "${{ github.event.action }}" == "unlabeled" ]) && [ "${{ github.event.label.name }}" != "infrastructure" ]; then
skip_comment="yes"
fi
if [ "$failed_check" == "yes" ] && [ "$skip_comment" != "yes" ]; then
gh pr comment ${{ github.event.pull_request.number }} -F ./message.txt
fi
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}