wolfssl/.github/workflows/pr-commit-check.yml
Juliusz Sosinowicz 844852202b .github: bump JavaScript actions to Node.js 24 runtimes
GitHub Actions now emits "Node.js 20 actions are deprecated" warnings:
actions are forced to Node.js 24 by default starting 2026-06-16, and
Node.js 20 is removed from the runners on 2026-09-16. Update every
JavaScript action referenced by the workflows and the local composite
actions to the lowest release that runs on Node.js 24:

  actions/checkout              v4     -> v5
  actions/checkout (SHA pin)    v4.1.7 -> v5
  actions/upload-artifact       v4     -> v6   (v5 still Node.js 20)
  actions/download-artifact     v4     -> v7   (v5/v6 still Node.js 20)
  actions/cache[/restore|/save] v4     -> v5
  actions/setup-python          v5     -> v6
  actions/github-script         v7     -> v8
  docker/setup-buildx-action    v3     -> v4
  docker/build-push-action      v5     -> v7   (v6 still Node.js 20)
  docker/login-action           v3     -> v4
  microsoft/setup-msbuild       v2     -> v3
  open-watcom/setup-watcom      v0     -> v1

Actions already running on Node.js 24 (jwlawson/actions-setup-cmake,
shogo82148/actions-setup-perl, msys2/setup-msys2, dorny/paths-filter)
are left unchanged. These bumps are runtime-only; no workflow uses an
input or output removed by the new majors, and v4-format artifacts
remain compatible across the upload v6 / download v7 backends.
2026-06-15 18:09:04 +00:00

63 lines
2.6 KiB
YAML

name: PR commit message checks
on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    branches: [ '**' ]
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
# END OF COMMON SECTION
jobs:
  commit-messages:
    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0
      - name: Reject AI attribution trailers
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          set -euo pipefail
          fail=0
          while IFS= read -r sha; do
            [ -z "$sha" ] && continue
            trailers=$(git log -1 --format=%B "$sha" | git interpret-trailers --parse)
            if echo "$trailers" | \
                grep -iE '^(Co-authored-by|Signed-off-by):.*<?noreply@(anthropic|openai)\.com>?[[:space:]]*$' >/dev/null; then
              echo "::error::Commit $sha contains a Co-authored-by or Signed-off-by trailer for a disallowed AI vendor"
              git log -1 --format=' %h %s' "$sha"
              fail=1
            fi
            if echo "$trailers" | \
                grep -iE '^(Co-authored-by|Signed-off-by):.*<?[0-9]+\+Copilot@users\.noreply\.github\.com>?[[:space:]]*$' >/dev/null; then
              echo "::error::Commit $sha contains a Co-authored-by or Signed-off-by trailer for GitHub Copilot"
              git log -1 --format=' %h %s' "$sha"
              fail=1
            fi
            if echo "$trailers" | \
                grep -iE '^(Co-authored-by|Signed-off-by):.*\[bot\]@users\.noreply\.github\.com>?[[:space:]]*$' >/dev/null; then
              echo "::error::Commit $sha contains a Co-authored-by or Signed-off-by trailer for a bot account"
              git log -1 --format=' %h %s' "$sha"
              fail=1
            fi
            author_email=$(git log -1 --format=%ae "$sha")
            if echo "$author_email" | \
                grep -iE '\[bot\]@users\.noreply\.github\.com$' >/dev/null; then
              echo "::error::Commit $sha is authored by a bot account ($author_email)"
              git log -1 --format=' %h %s' "$sha"
              fail=1
            fi
          done < <(git rev-list "$BASE_SHA".."$HEAD_SHA")
          if [ "$fail" -ne 0 ]; then
            echo "One or more commits contain disallowed AI attribution; please amend them out."
            exit 1
          fi
          echo "No disallowed AI attribution found."
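
The version table in the commit message above can be turned into a repeatable audit of `uses:` references. This is an added example, not part of the wolfSSL repository: the function names (`min_major`, `audit_uses`, `sample_workflow`) are hypothetical and the sample workflow lines are constructed. It assumes unquoted `uses:` values.

```bash
#!/usr/bin/env bash
# Added example (not from the wolfSSL repository): flag `uses:` references
# below the Node.js 24 minimum majors listed in the commit message.

# Minimum major per action, copied from the commit message table.
min_major() {
    case "$1" in
        actions/checkout|actions/cache|actions/cache/restore|actions/cache/save) echo 5 ;;
        actions/upload-artifact|actions/setup-python) echo 6 ;;
        actions/download-artifact|docker/build-push-action) echo 7 ;;
        actions/github-script) echo 8 ;;
        docker/setup-buildx-action|docker/login-action) echo 4 ;;
        microsoft/setup-msbuild) echo 3 ;;
        open-watcom/setup-watcom) echo 1 ;;
        *) return 1 ;;  # not in the table: out of scope for this audit
    esac
}

# Reads workflow YAML on stdin (unquoted `uses:` values assumed) and prints
# one finding per reference that is outdated or cannot be judged from the file.
audit_uses() {
    sed -nE 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*([^@[:space:]]+)@([^[:space:]#]+).*/\1 \2/p' |
    while read -r action ref; do
        want=$(min_major "$action") || continue
        case "$ref" in
            v[0-9]*)
                major=${ref#v}; major=${major%%[!0-9]*}
                if [ "$major" -lt "$want" ]; then
                    echo "OUTDATED $action@$ref (need v$want)"
                fi ;;
            *)  # commit SHA or branch name: the release is not visible here
                echo "REVIEW $action@$ref (need v$want)" ;;
        esac
    done
}

# Constructed sample input; the 40-hex ref is a placeholder, not a real commit.
sample_workflow() {
    cat <<'EOF'
    steps:
      - uses: actions/checkout@v5
      - uses: actions/upload-artifact@v5
      - uses: actions/cache/restore@v4.2.0
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.7
      - uses: dorny/paths-filter@v3
EOF
}

sample_workflow | audit_uses
```

SHA-pinned references are reported as `REVIEW` rather than guessed at, because the release behind a commit hash cannot be determined from the workflow file alone.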