shithub: opus

Download patch

ref: 69b31099c6ce67a8279e2d61642957aed4d59af2
parent: 558a3c2a3f16fd21c16e5821bd8b71898af69bb8
author: Tim-Philipp Müller <tim@centricular.com>
date: Wed Apr 26 14:35:57 EDT 2023

ci: add ci-fairy linter to make sure commits are GPG signed

--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,6 +1,15 @@
 include:
   - template: 'Workflows/Branch-Pipelines.gitlab-ci.yml'
 
+# https://docs.gitlab.com/ee/ci/yaml/workflow.html#switch-between-branch-pipelines-and-merge-request-pipelines
+workflow:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS && $CI_PIPELINE_SOURCE == "push"
+      when: never
+    - if: $CI_COMMIT_BRANCH
+    - if: $CI_COMMIT_TAG
+
 default:
   tags:
     - docker
@@ -23,6 +32,26 @@
   stage: test
   script:
     - git diff-tree --check origin/master HEAD
+
+# Make sure commits are GPG signed
+ci-fairy:
+  image: 'debian:bookworm-slim'
+  stage: test
+  script:
+    - apt update
+    - apt install -y python3-pip git
+    - pip3 install --break-system-packages git+https://gitlab.freedesktop.org/freedesktop/ci-templates@7811ba9814a3bad379377241c6c6b62d78b20eac
+    - echo Checking commits $CI_FAIRY_BASE_COMMIT..HEAD
+    - ci-fairy check-commits --gpg-signed-commit $CI_FAIRY_BASE_COMMIT..HEAD
+  tags:
+    - 'docker'
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+      variables:
+        CI_FAIRY_BASE_COMMIT: $CI_MERGE_REQUEST_DIFF_BASE_SHA
+    - if: $CI_PIPELINE_SOURCE != "merge_request_event"
+      variables:
+        CI_FAIRY_BASE_COMMIT: 'HEAD^1'
 
 autoconf:
   stage: build