6bc309baf2
Remove paths filters from contributor-check and supply-chain-audit workflows. When no matching files changed, the workflows never ran and the required checks (check-attribution, supply chain scan, dep bounds) stayed "pending" forever, blocking merge. Now both workflows always trigger. A path-check step/job determines whether the real work should run; gate jobs with matching names report success when the real job was skipped, so branch protection always gets a check status. Also fixes dep-bounds: the old condition if: contains(github.event.pull_request.changed_files_url, 'pyproject.toml') || true was always true (the || true made it unconditional). Now uses the proper changes.deps output from the shared filter job.
86 lines
3.1 KiB
YAML
86 lines
3.1 KiB
YAML
name: Contributor Attribution Check
|
|
|
|
on:
|
|
pull_request:
|
|
branches: [main]
|
|
# No paths filter — the job must always run so the required check
|
|
# reports a status (path-gated workflows leave checks "pending" forever
|
|
# when no matching files change, which blocks merge).
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
check-attribution:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
fetch-depth: 0 # Full history needed for git log
|
|
|
|
- name: Check if relevant files changed
|
|
id: filter
|
|
run: |
|
|
BASE="${{ github.event.pull_request.base.sha }}"
|
|
HEAD="${{ github.event.pull_request.head.sha }}"
|
|
CHANGED=$(git diff --name-only "$BASE"..."$HEAD" -- '*.py' '**/*.py' '.github/workflows/contributor-check.yml' || true)
|
|
if [ -n "$CHANGED" ]; then
|
|
echo "run=true" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "run=false" >> "$GITHUB_OUTPUT"
|
|
echo "No Python files changed, skipping attribution check."
|
|
fi
|
|
|
|
- name: Check for unmapped contributor emails
|
|
if: steps.filter.outputs.run == 'true'
|
|
run: |
|
|
# Get the merge base between this PR and main
|
|
MERGE_BASE=$(git merge-base origin/main HEAD)
|
|
|
|
# Find any new author emails in this PR's commits
|
|
NEW_EMAILS=$(git log ${MERGE_BASE}..HEAD --format='%ae' --no-merges | sort -u)
|
|
|
|
if [ -z "$NEW_EMAILS" ]; then
|
|
echo "No new commits to check."
|
|
exit 0
|
|
fi
|
|
|
|
# Check each email against AUTHOR_MAP in release.py
|
|
MISSING=""
|
|
while IFS= read -r email; do
|
|
# Skip teknium and bot emails
|
|
case "$email" in
|
|
*teknium*|*noreply@github.com*|*dependabot*|*github-actions*|*anthropic.com*|*cursor.com*)
|
|
continue ;;
|
|
esac
|
|
|
|
# Check if email is in AUTHOR_MAP (either as a key or matches noreply pattern)
|
|
if echo "$email" | grep -qP '\+.*@users\.noreply\.github\.com'; then
|
|
continue # GitHub noreply emails auto-resolve
|
|
fi
|
|
|
|
if ! grep -qF "\"${email}\"" scripts/release.py 2>/dev/null; then
|
|
AUTHOR=$(git log --author="$email" --format='%an' -1)
|
|
MISSING="${MISSING}\n ${email} (${AUTHOR})"
|
|
fi
|
|
done <<< "$NEW_EMAILS"
|
|
|
|
if [ -n "$MISSING" ]; then
|
|
echo ""
|
|
echo "⚠️ New contributor email(s) not in AUTHOR_MAP:"
|
|
echo -e "$MISSING"
|
|
echo ""
|
|
echo "Please add mappings to scripts/release.py AUTHOR_MAP:"
|
|
echo -e "$MISSING" | while read -r line; do
|
|
email=$(echo "$line" | sed 's/^ *//' | cut -d' ' -f1)
|
|
[ -z "$email" ] && continue
|
|
echo " \"${email}\": \"<github-username>\","
|
|
done
|
|
echo ""
|
|
echo "To find the GitHub username for an email:"
|
|
echo " gh api 'search/users?q=EMAIL+in:email' --jq '.items[0].login'"
|
|
exit 1
|
|
else
|
|
echo "✅ All contributor emails are mapped in AUTHOR_MAP."
|
|
fi
|