git-commit-guard 0.22.2__py3-none-any.whl → 0.22.3__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- git_commit_guard/__init__.py +11 -11
- {git_commit_guard-0.22.2.dist-info → git_commit_guard-0.22.3.dist-info}/METADATA +12 -12
- git_commit_guard-0.22.3.dist-info/RECORD +6 -0
- git_commit_guard-0.22.2.dist-info/RECORD +0 -6
- {git_commit_guard-0.22.2.dist-info → git_commit_guard-0.22.3.dist-info}/WHEEL +0 -0
- {git_commit_guard-0.22.2.dist-info → git_commit_guard-0.22.3.dist-info}/entry_points.txt +0 -0
- {git_commit_guard-0.22.2.dist-info → git_commit_guard-0.22.3.dist-info}/licenses/LICENSE +0 -0
git_commit_guard/__init__.py
CHANGED
|
@@ -295,9 +295,9 @@ def check_required_trailers(message, required, result):
|
|
|
295
295
|
result.error(f"missing required trailer: {trailer}")
|
|
296
296
|
|
|
297
297
|
|
|
298
|
-
def
|
|
298
|
+
def _get_committer_email(rev):
|
|
299
299
|
return subprocess.check_output( # noqa: S603
|
|
300
|
-
["git", "log", "-1", "--format=%
|
|
300
|
+
["git", "log", "-1", "--format=%ce", rev], # noqa: S607
|
|
301
301
|
text=True,
|
|
302
302
|
stderr=subprocess.PIPE,
|
|
303
303
|
timeout=_git_timeout(),
|
|
@@ -320,7 +320,7 @@ def _get_github_remote_info():
|
|
|
320
320
|
return match.group("owner"), match.group("repo")
|
|
321
321
|
|
|
322
322
|
|
|
323
|
-
def
|
|
323
|
+
def _fetch_github_commit_committer(owner, repo, sha):
|
|
324
324
|
url = f"https://api.github.com/repos/{owner}/{repo}/commits/{sha}"
|
|
325
325
|
headers = {"Accept": "application/vnd.github+json"}
|
|
326
326
|
token = os.environ.get("GITHUB_TOKEN") or os.environ.get("GH_TOKEN")
|
|
@@ -329,8 +329,8 @@ def _fetch_github_commit_author(owner, repo, sha):
|
|
|
329
329
|
req = urllib.request.Request(url, headers=headers) # noqa: S310 Audit URL open for permitted schemes
|
|
330
330
|
with urllib.request.urlopen(req, timeout=_git_timeout()) as resp: # noqa: S310 Audit URL open for permitted schemes
|
|
331
331
|
data = json.loads(resp.read())
|
|
332
|
-
|
|
333
|
-
return
|
|
332
|
+
committer = data.get("committer")
|
|
333
|
+
return committer["login"] if committer else None
|
|
334
334
|
|
|
335
335
|
|
|
336
336
|
def _parse_noreply_username(email):
|
|
@@ -435,7 +435,7 @@ def _resolve_github_username(rev, email):
|
|
|
435
435
|
if remote:
|
|
436
436
|
owner, repo = remote
|
|
437
437
|
try:
|
|
438
|
-
username =
|
|
438
|
+
username = _fetch_github_commit_committer(owner, repo, rev)
|
|
439
439
|
except urllib.error.HTTPError as e:
|
|
440
440
|
if e.code == HTTPStatus.NOT_FOUND:
|
|
441
441
|
commits_api_404 = True
|
|
@@ -450,24 +450,24 @@ def _resolve_github_username(rev, email):
|
|
|
450
450
|
return username, commits_api_404
|
|
451
451
|
|
|
452
452
|
|
|
453
|
-
def
|
|
453
|
+
def _committer_not_found_message(commits_api_404):
|
|
454
454
|
had_token = bool(os.environ.get("GITHUB_TOKEN") or os.environ.get("GH_TOKEN"))
|
|
455
455
|
if commits_api_404 and not had_token:
|
|
456
456
|
return (
|
|
457
|
-
"
|
|
457
|
+
"committer not found on GitHub — if the repo is private, "
|
|
458
458
|
"set GITHUB_TOKEN in the workflow step "
|
|
459
459
|
"(env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }})"
|
|
460
460
|
)
|
|
461
|
-
return "
|
|
461
|
+
return "committer not found on GitHub — cannot verify signature"
|
|
462
462
|
|
|
463
463
|
|
|
464
464
|
def check_signature(rev, result):
|
|
465
465
|
try:
|
|
466
|
-
email =
|
|
466
|
+
email = _get_committer_email(rev)
|
|
467
467
|
username, commits_api_404 = _resolve_github_username(rev, email)
|
|
468
468
|
if username is None:
|
|
469
469
|
result.error(
|
|
470
|
-
|
|
470
|
+
_committer_not_found_message(commits_api_404),
|
|
471
471
|
check=Check.SIGNATURE,
|
|
472
472
|
)
|
|
473
473
|
return
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: git-commit-guard
|
|
3
|
-
Version: 0.22.
|
|
3
|
+
Version: 0.22.3
|
|
4
4
|
Summary: Opinionated conventional commit message linter with imperative mood detection
|
|
5
5
|
Project-URL: Homepage, https://github.com/benner/commit-guard
|
|
6
6
|
Project-URL: Repository, https://github.com/benner/commit-guard
|
|
@@ -36,7 +36,7 @@ Opinionated conventional commit message linter with imperative mood detection.
|
|
|
36
36
|
verb, verified via nltk POS tagging — not a hand-coded regex of "bad"
|
|
37
37
|
words.
|
|
38
38
|
* **Signature verification without a local keyring.** Resolves the commit
|
|
39
|
-
|
|
39
|
+
committer via the GitHub API and verifies GPG/SSH against their published
|
|
40
40
|
`.gpg`/`.keys` — no per-runner key management.
|
|
41
41
|
* **Strict by default.** Subject format, body, trailers, `Signed-off-by`,
|
|
42
42
|
and signature all enforced out of the box; opt out with `--disable`.
|
|
@@ -242,7 +242,7 @@ independently of `--enable`/`--disable`.
|
|
|
242
242
|
The `signature` check verifies the commit without any local keyring setup:
|
|
243
243
|
|
|
244
244
|
1. If the repo has a GitHub remote, call the Commits API
|
|
245
|
-
(`GET /repos/{owner}/{repo}/commits/{sha}`) to resolve the
|
|
245
|
+
(`GET /repos/{owner}/{repo}/commits/{sha}`) to resolve the committer's GitHub
|
|
246
246
|
username — this works for corporate emails, noreply addresses, or any email
|
|
247
247
|
not listed publicly on a GitHub profile.
|
|
248
248
|
2. If the Commits API is unavailable (no GitHub remote, commit not yet pushed,
|
|
@@ -250,7 +250,7 @@ The `signature` check verifies the commit without any local keyring setup:
|
|
|
250
250
|
(`{id}+{username}@users.noreply.github.com` or
|
|
251
251
|
`{username}@users.noreply.github.com`) — no API call needed.
|
|
252
252
|
3. If neither of the above resolves a username, fall back to searching GitHub
|
|
253
|
-
by the commit
|
|
253
|
+
by the commit committer's email.
|
|
254
254
|
4. Fetch the resolved user's public keys from `github.com/{username}.gpg`
|
|
255
255
|
(GPG) and the `/users/{username}/ssh_signing_keys` API (SSH keys tagged
|
|
256
256
|
with the **Signing key** role). Auth-only SSH keys are deliberately not
|
|
@@ -261,7 +261,7 @@ The `signature` check verifies the commit without any local keyring setup:
|
|
|
261
261
|
`git verify-commit` with the SSH allowed-signers config.
|
|
262
262
|
7. If any key verifies, the check passes. If none do, it fails.
|
|
263
263
|
|
|
264
|
-
If the
|
|
264
|
+
If the committer cannot be resolved via either method, or the GitHub API is
|
|
265
265
|
unreachable, the check fails with a clear error.
|
|
266
266
|
|
|
267
267
|
For private repositories, set `GITHUB_TOKEN` or `GH_TOKEN` so the Commits API
|
|
@@ -316,7 +316,7 @@ COMMIT_GUARD_GIT_TIMEOUT=30 commit-guard --range origin/main..HEAD
|
|
|
316
316
|
In GitHub Actions, set it at the step or job level:
|
|
317
317
|
|
|
318
318
|
```yaml
|
|
319
|
-
- uses: benner/commit-guard@v0.22.
|
|
319
|
+
- uses: benner/commit-guard@v0.22.3
|
|
320
320
|
env:
|
|
321
321
|
COMMIT_GUARD_GIT_TIMEOUT: 30
|
|
322
322
|
with:
|
|
@@ -400,7 +400,7 @@ steps:
|
|
|
400
400
|
- uses: actions/checkout@v4
|
|
401
401
|
with:
|
|
402
402
|
fetch-depth: 0
|
|
403
|
-
- uses: benner/commit-guard@v0.22.
|
|
403
|
+
- uses: benner/commit-guard@v0.22.3
|
|
404
404
|
```
|
|
405
405
|
|
|
406
406
|
Check all commits in a pull request:
|
|
@@ -416,7 +416,7 @@ jobs:
|
|
|
416
416
|
- uses: actions/checkout@v4
|
|
417
417
|
with:
|
|
418
418
|
fetch-depth: 0
|
|
419
|
-
- uses: benner/commit-guard@v0.22.
|
|
419
|
+
- uses: benner/commit-guard@v0.22.3
|
|
420
420
|
with:
|
|
421
421
|
range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
|
|
422
422
|
```
|
|
@@ -424,7 +424,7 @@ jobs:
|
|
|
424
424
|
Check a specific commit SHA (mirrors the positional CLI argument):
|
|
425
425
|
|
|
426
426
|
```yaml
|
|
427
|
-
- uses: benner/commit-guard@v0.22.
|
|
427
|
+
- uses: benner/commit-guard@v0.22.3
|
|
428
428
|
with:
|
|
429
429
|
rev: ${{ github.sha }}
|
|
430
430
|
```
|
|
@@ -442,7 +442,7 @@ jobs:
|
|
|
442
442
|
- uses: actions/checkout@v4
|
|
443
443
|
with:
|
|
444
444
|
fetch-depth: 0
|
|
445
|
-
- uses: benner/commit-guard@v0.22.
|
|
445
|
+
- uses: benner/commit-guard@v0.22.3
|
|
446
446
|
with:
|
|
447
447
|
range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
|
|
448
448
|
disable: signed-off,signature
|
|
@@ -462,7 +462,7 @@ jobs:
|
|
|
462
462
|
When `output-file` is set the action exposes the path as an output:
|
|
463
463
|
|
|
464
464
|
```yaml
|
|
465
|
-
- uses: benner/commit-guard@v0.22.
|
|
465
|
+
- uses: benner/commit-guard@v0.22.3
|
|
466
466
|
id: cg
|
|
467
467
|
with:
|
|
468
468
|
range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
|
|
@@ -478,7 +478,7 @@ Add to your `.pre-commit-config.yaml`:
|
|
|
478
478
|
---
|
|
479
479
|
repos:
|
|
480
480
|
- repo: https://github.com/benner/commit-guard
|
|
481
|
-
rev: v0.22.
|
|
481
|
+
rev: v0.22.3
|
|
482
482
|
hooks:
|
|
483
483
|
- id: commit-guard
|
|
484
484
|
- id: commit-guard-signature
|
|
@@ -0,0 +1,6 @@
|
|
|
1
|
+
git_commit_guard/__init__.py,sha256=NbdRkWxWEzt3-uunql1FYl4vA2Vt7ULbDI1i0yNRLXg,29621
|
|
2
|
+
git_commit_guard-0.22.3.dist-info/METADATA,sha256=PgMzlU9yXNHl3HvCI6-qPxECULeOxJqfX982gbGRvYM,15462
|
|
3
|
+
git_commit_guard-0.22.3.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
|
|
4
|
+
git_commit_guard-0.22.3.dist-info/entry_points.txt,sha256=24HK4TwCgn3tSQHOWnGE6zJK6nvg7EMAut7VHe9nuH4,55
|
|
5
|
+
git_commit_guard-0.22.3.dist-info/licenses/LICENSE,sha256=gXf5dRMhNSbfLPYYTY_5hsZ1r7UU1OaKQEAQUhuIBkM,18092
|
|
6
|
+
git_commit_guard-0.22.3.dist-info/RECORD,,
|
|
@@ -1,6 +0,0 @@
|
|
|
1
|
-
git_commit_guard/__init__.py,sha256=FrKpmqyW_YO2RgMj8Ff2m1TVEqQqBDhvm1pFtfem8rQ,29599
|
|
2
|
-
git_commit_guard-0.22.2.dist-info/METADATA,sha256=4pWaUYZ4ta6OwftzPFenE_KtBxzrFlmKcl1tKVi9qdE,15450
|
|
3
|
-
git_commit_guard-0.22.2.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
|
|
4
|
-
git_commit_guard-0.22.2.dist-info/entry_points.txt,sha256=24HK4TwCgn3tSQHOWnGE6zJK6nvg7EMAut7VHe9nuH4,55
|
|
5
|
-
git_commit_guard-0.22.2.dist-info/licenses/LICENSE,sha256=gXf5dRMhNSbfLPYYTY_5hsZ1r7UU1OaKQEAQUhuIBkM,18092
|
|
6
|
-
git_commit_guard-0.22.2.dist-info/RECORD,,
|
|
File without changes
|
|
File without changes
|
|
File without changes
|