causefolio
Add check for signed commits
What is your feature request related to ?
- [ ] Front-end
- [ ] Back-end
- [x] Other: Automation, github actions, signed commits feature
What is your feature request ? Describe
We want every commit to be signed by the contributor, for authorship management and to follow the best open source practices.
Describe the solution you'd like
GitHub Actions may work perfectly fine here.
@Abhishek-kumar09 Bhaiya, how to do that? I want to work on this issue. Any resource from where I can learn about GitHub Actions?
This could help: https://github.com/marketplace/actions/verify-commit
GitHub Actions is nothing but a set of actions performed automatically on event triggers like pull requests, issues, etc.
Also @AdityaTeltia create a PR to include yourself in the contributor list :)
> Also @AdityaTeltia create a PR to include yourself in the contributor list :)

I have created the PR #15. Thank you.
```yaml
name: 'Verify commit'
description: 'Verify the authenticity of your commits with CodeNotary.io'
inputs:
  signerID:
    description: 'List of SignerID(s) (separated by space) to authenticate against'
    required: false
  org:
    description: 'Organization''s ID to authenticate against'
    required: false
  path:
    description: 'Default to the current directory'
    required: false
    default: '.'
runs:
  using: 'docker'
  image: 'docker://codenotary/vcn:0.7'
  args: ["a", "git://${{ inputs.path }}"]
  env:
    VCN_SIGNERID: ${{ inputs.signerID }}
    VCN_ORG: ${{ inputs.org }}
branding:
  icon: 'check'
  color: blue
```
Basically, I have to add an action.yml file to the GitHub workflows with the following snippet?
Yes, you have to add it in GitHub workflows. Also try it on your own fork and show if it is working. These changes will work if you merge your code (.github/workflows) to master.
The above snippet is giving an error, I cannot resolve ...
Where have you integrated it? Can you show the repo with the workflow?
@Abhishek-kumar09 bhaiya, can you please check where the error is?
Give the link to the doc you are following, and I don't know what error you are facing, so please provide the error you are facing. Also, if you are using some marketplace product, provide the link to that too.
https://github.com/vchain-us/verify-action/blob/master/action.yml , Here check this
replace it with this, and let me know if it is working:
https://github.com/vchain-us/verify-action/blob/478d88788a690bb0e7e87cfd6aa708fbc4927462/.github/workflows/verify.yml#L1-L17
Something like this is coming !
I've been trying to get this to work as well, but here's something that I observed with CodeNotary which felt a bit weird to me.
This screenshot shows the hash generated after notarization:

Here's the output I received from GitHub actions for my test commit in a private repository to check the verification:
```
Run vchain-us/verify-action@master
  with:
    org: vchain.us
    path: .
/usr/bin/docker run --name codenotaryvcn07_7aa372 --label 8a33c1 --workdir /github/workspace --rm -e INPUT_ORG -e INPUT_SIGNERID -e INPUT_PATH -e VCN_SIGNERID -e VCN_ORG -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RETENTION_DAYS -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/vchain-test/vchain-test":"/github/workspace" codenotary/vcn:0.7 "a" "git://."
Your asset(s) will not be uploaded but processed locally.
Looking for blockchain entry matching the organization (vchain.us)...
Kind: git
Name: https://github.com/zeborg/vchain-test@1db1279
Hash: 161e09a8525120a5a73090ba13f56e4073588e26888477fa734174fbb0c8ff7b
Size: 938 B
Metadata: git={
  "Author": {
    "Name": "Abhinav Sinha",
    "Email": "REDACTED",
    "When": "2021-04-28T23:33:27+05:30"
  },
  "Commit": "1db12797cf2ba0c4c33dcf4299ce6c8526bf62f2",
  "Committer": {
    "Name": "Abhinav Sinha",
    "Email": "REDACTED",
    "When": "2021-04-28T23:33:27+05:30"
  },
  "Message": "Updated test file for signature verification\n",
  "PGPSignature": "-----BEGIN PGP SIGNATURE-----\n\niQGzBAABCAAdFiEE8jFd5MLLOO+HQ/9CVZbo6m8wdIkFAmCJo28ACgkQVZbo6m8w\ndIlJJwv7BxryQ9E+EC9ptbA8ERgmjP5cvNoRRNcfbybzx8NXg2z7qlkZP+y2BLad\nuyM+j9f8ytx37YmpF8y1lnZon8F9n/0Jmepb1RLV27FDBxJaLF+cgkv4gSVMVu7B\nFqv3gkeZjVE7OGm8PII5t4oM6JgmAw9iF9xlHox0mFN7ZTEHKjoV/2GRr8v9WBvI\n157ar43vdMOiF7F7lZaq9BNj18wjPHDENSO1G3BLWydHqeubAcAdZQ1e6+a5YTWI\nlIcwKj5OL+kpG8+bRLaZY2Lu6NpgPACvX60x8umUGJyZQinwyAKZ/DLxORnpuJ/t\nmaOsy+FhWEXIEvn/KjWU1K75zUlex8rFeSztU6ZSFfCS8oGfxIZGJDIA4rSSsvyK\nqIHyqKnVU/8IQ+VuEkkZ6VfQaOfY9LKRyM1bxq42L7KJkiRofYiZo+3Dq9FGO3Ol\nUXT5dG59BuXVj7lpGjUU8IXbSGnIkhcS8/nTLvZNsLJ7O7OKzWVDZQoZk5KxWvMc\n8rn8rwyn\n=t7V/\n-----END PGP SIGNATURE-----\n",
  "Parents": [
    "a431af3fcaa5c3def80df7806bbd33cedb8f05bb"
  ],
  "Tree": "a84652327988f303ac450c0b76b95394cbda5d62"
}
Status: UNKNOWN
Error: 161e09a8525120a5a73090ba13f56e4073588e26888477fa734174fbb0c8ff7b was not notarized by "vchain.us"
A newer version of vcn is available to download.
Your version: v0.7.4
Latest version: v0.9.4
You can find the latest release at https://github.com/vchain-us/vcn/releases
```
Both of them show the same generated hash, but CLI shows that it's TRUSTED while GitHub shows it's UNKNOWN.
Lastly, here's my online notarization history in CodeNotary, which shows that the latest commit has the same commit ID as the one mentioned in both the image and the GitHub actions output:
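
An added example, not part of the thread and not the verify-action project's own workflow: the log above queries the `vchain.us` organization, so this workflow instead authenticates the commit against the signer that notarized it, using the action's `signerID` input. The workflow file name and the `<YOUR_SIGNER_ID>` value are placeholders, and it assumes the project's commits were notarized under that one signer.

```yaml
# Added example: .github/workflows/verify.yml (file name is an assumption)
name: Verify commit
on: [push, pull_request]

jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # On pull_request events the default checkout is GitHub's synthetic
          # merge commit, which nobody notarized. Check out the contributor's
          # head commit instead; on push events fall back to the pushed SHA.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      # Setting that produced the log above:
      #   with:
      #     org: vchain.us
      # It asks whether vchain.us notarized the commit, so a commit
      # notarized by anyone else is reported as UNKNOWN.

      - name: Authenticate HEAD against our own signer
        # @master matches the log above; pinning to a full commit SHA avoids
        # picking up later changes to the action unreviewed.
        uses: vchain-us/verify-action@master
        with:
          # Placeholder: the SignerID that notarized this project's commits.
          signerID: '<YOUR_SIGNER_ID>'
          path: .
```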
