git-commit-guard 0.22.2__tar.gz → 0.23.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.github/workflows/coverage-baseline.yml +2 -2
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.github/workflows/coverage-comment.yml +2 -2
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.github/workflows/lint-commits.yml +1 -1
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.github/workflows/lint-md.yml +1 -1
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.github/workflows/lint-workflows.yml +2 -2
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.github/workflows/release.yml +1 -1
- git_commit_guard-0.23.0/.github/workflows/security-audit.yml +69 -0
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.github/workflows/test.yml +2 -2
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/PKG-INFO +28 -12
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/README.md +27 -11
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/docs/index.html +17 -8
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/src/git_commit_guard/__init__.py +42 -24
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/tests/test_git_commit_guard.py +277 -48
- git_commit_guard-0.23.0/uv.lock +315 -0
- git_commit_guard-0.22.2/.github/workflows/security-audit.yml +0 -22
- git_commit_guard-0.22.2/uv.lock +0 -320
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.editorconfig +0 -0
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.github/workflows/lint-python.yml +0 -0
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.gitignore +0 -0
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.markdownlint.json +0 -0
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.pre-commit-hooks.yaml +0 -0
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.python-version +0 -0
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/LICENSE +0 -0
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/action.yml +0 -0
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/cliff.toml +0 -0
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/docs/commit-guard-icon.svg +0 -0
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/pyproject.toml +0 -0
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/ruff.toml +0 -0
- {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/tests/__init__.py +0 -0
|
@@ -16,7 +16,7 @@ jobs:
|
|
|
16
16
|
persist-credentials: false
|
|
17
17
|
- name: Install uv
|
|
18
18
|
# yamllint disable-line rule:line-length
|
|
19
|
-
uses: astral-sh/setup-uv@
|
|
19
|
+
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # ratchet:astral-sh/setup-uv@v8.2.0
|
|
20
20
|
- name: Cache NLTK data
|
|
21
21
|
# yamllint disable-line rule:line-length
|
|
22
22
|
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
|
|
@@ -27,7 +27,7 @@ jobs:
|
|
|
27
27
|
run: uv run --dev pytest tests/ --cov=git_commit_guard --cov-report=xml
|
|
28
28
|
- name: Upload coverage baseline
|
|
29
29
|
# yamllint disable-line rule:line-length
|
|
30
|
-
uses: actions/upload-artifact@
|
|
30
|
+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7
|
|
31
31
|
with:
|
|
32
32
|
name: main-coverage
|
|
33
33
|
path: coverage.xml
|
|
@@ -16,7 +16,7 @@ jobs:
|
|
|
16
16
|
steps:
|
|
17
17
|
- name: Download artifact
|
|
18
18
|
# yamllint disable-line rule:line-length
|
|
19
|
-
uses: actions/download-artifact@
|
|
19
|
+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # ratchet:actions/download-artifact@v8
|
|
20
20
|
with:
|
|
21
21
|
run-id: ${{ github.event.workflow_run.id }}
|
|
22
22
|
name: pr
|
|
@@ -57,7 +57,7 @@ jobs:
|
|
|
57
57
|
- name: Download baseline coverage
|
|
58
58
|
if: steps.baseline.outputs.run-id != ''
|
|
59
59
|
# yamllint disable-line rule:line-length
|
|
60
|
-
uses: actions/download-artifact@
|
|
60
|
+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # ratchet:actions/download-artifact@v8
|
|
61
61
|
with:
|
|
62
62
|
run-id: ${{ steps.baseline.outputs.run-id }}
|
|
63
63
|
name: main-coverage
|
|
@@ -22,6 +22,6 @@ jobs:
|
|
|
22
22
|
key: nltk-averaged-perceptron-tagger-punkt
|
|
23
23
|
- name: Lint commits
|
|
24
24
|
# yamllint disable-line rule:line-length
|
|
25
|
-
uses: benner/commit-guard@
|
|
25
|
+
uses: benner/commit-guard@4f989e92ddf04153ec33040da42bc2f788c71584 # v0.22.3
|
|
26
26
|
with:
|
|
27
27
|
range: origin/${{ github.base_ref }}..HEAD
|
|
@@ -37,7 +37,7 @@ jobs:
|
|
|
37
37
|
persist-credentials: false
|
|
38
38
|
- name: Set up uv
|
|
39
39
|
# yamllint disable-line rule:line-length
|
|
40
|
-
uses: astral-sh/setup-uv@
|
|
40
|
+
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
|
|
41
41
|
with:
|
|
42
42
|
enable-cache: false
|
|
43
43
|
- name: Set up reviewdog
|
|
@@ -34,7 +34,7 @@ jobs:
|
|
|
34
34
|
persist-credentials: false
|
|
35
35
|
- name: Set up uv
|
|
36
36
|
# yamllint disable-line rule:line-length
|
|
37
|
-
uses: astral-sh/setup-uv@
|
|
37
|
+
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # ratchet:astral-sh/setup-uv@v8.2.0
|
|
38
38
|
- name: Set up reviewdog
|
|
39
39
|
# yamllint disable-line rule:line-length
|
|
40
40
|
uses: reviewdog/action-setup@d8a7baabd7f3e8544ee4dbde3ee41d0011c3a93f # ratchet:reviewdog/action-setup@v1
|
|
@@ -59,7 +59,7 @@ jobs:
|
|
|
59
59
|
persist-credentials: false
|
|
60
60
|
- name: Set up uv
|
|
61
61
|
# yamllint disable-line rule:line-length
|
|
62
|
-
uses: astral-sh/setup-uv@
|
|
62
|
+
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # ratchet:astral-sh/setup-uv@v8.2.0
|
|
63
63
|
- name: Set up reviewdog
|
|
64
64
|
# yamllint disable-line rule:line-length
|
|
65
65
|
uses: reviewdog/action-setup@d8a7baabd7f3e8544ee4dbde3ee41d0011c3a93f # ratchet:reviewdog/action-setup@v1
|
|
@@ -20,7 +20,7 @@ jobs:
|
|
|
20
20
|
fetch-depth: 0
|
|
21
21
|
- name: Set up uv
|
|
22
22
|
# yamllint disable-line rule:line-length
|
|
23
|
-
uses: astral-sh/setup-uv@
|
|
23
|
+
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
|
|
24
24
|
with:
|
|
25
25
|
enable-cache: false
|
|
26
26
|
- name: Build package
|
|
@@ -0,0 +1,69 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: Security Audit
|
|
3
|
+
on: # yamllint disable-line rule:truthy
|
|
4
|
+
pull_request:
|
|
5
|
+
schedule:
|
|
6
|
+
- cron: 13 3 * * *
|
|
7
|
+
permissions:
|
|
8
|
+
contents: read
|
|
9
|
+
jobs:
|
|
10
|
+
audit:
|
|
11
|
+
runs-on: ubuntu-latest
|
|
12
|
+
permissions:
|
|
13
|
+
contents: read
|
|
14
|
+
issues: write
|
|
15
|
+
steps:
|
|
16
|
+
- name: Checkout code
|
|
17
|
+
# yamllint disable-line rule:line-length
|
|
18
|
+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
19
|
+
with:
|
|
20
|
+
persist-credentials: false
|
|
21
|
+
- name: Install uv
|
|
22
|
+
# yamllint disable-line rule:line-length
|
|
23
|
+
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
|
|
24
|
+
- name: Audit dependencies
|
|
25
|
+
run: |
|
|
26
|
+
set -o pipefail
|
|
27
|
+
uv audit --frozen --preview-features audit-command 2>&1 |
|
|
28
|
+
tee audit.log
|
|
29
|
+
- name: Report failure in a tracking issue
|
|
30
|
+
if: failure() && github.event_name == 'schedule'
|
|
31
|
+
env:
|
|
32
|
+
GH_TOKEN: ${{ github.token }}
|
|
33
|
+
GH_REPO: ${{ github.repository }}
|
|
34
|
+
run: |
|
|
35
|
+
run_url="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY"
|
|
36
|
+
run_url="$run_url/actions/runs/$GITHUB_RUN_ID"
|
|
37
|
+
{
|
|
38
|
+
echo "Scheduled security audit failed: $run_url"
|
|
39
|
+
echo
|
|
40
|
+
echo '```'
|
|
41
|
+
cat audit.log
|
|
42
|
+
echo '```'
|
|
43
|
+
echo
|
|
44
|
+
echo '<!-- security-audit -->'
|
|
45
|
+
} > issue-body.md
|
|
46
|
+
issue=$(gh issue list --state open \
|
|
47
|
+
--search 'Security audit failing in:title' \
|
|
48
|
+
--json number --jq '.[0].number')
|
|
49
|
+
if [ -n "$issue" ]; then
|
|
50
|
+
gh issue comment "$issue" --body-file issue-body.md
|
|
51
|
+
else
|
|
52
|
+
gh issue create --title "Security audit failing" \
|
|
53
|
+
--body-file issue-body.md
|
|
54
|
+
fi
|
|
55
|
+
- name: Close the tracking issue
|
|
56
|
+
if: success() && github.event_name == 'schedule'
|
|
57
|
+
env:
|
|
58
|
+
GH_TOKEN: ${{ github.token }}
|
|
59
|
+
GH_REPO: ${{ github.repository }}
|
|
60
|
+
run: |-
|
|
61
|
+
run_url="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY"
|
|
62
|
+
run_url="$run_url/actions/runs/$GITHUB_RUN_ID"
|
|
63
|
+
issue=$(gh issue list --state open \
|
|
64
|
+
--search 'Security audit failing in:title' \
|
|
65
|
+
--json number --jq '.[0].number')
|
|
66
|
+
if [ -n "$issue" ]; then
|
|
67
|
+
gh issue close "$issue" \
|
|
68
|
+
--comment "Scheduled security audit is green again: $run_url"
|
|
69
|
+
fi
|
|
@@ -15,7 +15,7 @@ jobs:
|
|
|
15
15
|
persist-credentials: false
|
|
16
16
|
- name: Install uv
|
|
17
17
|
# yamllint disable-line rule:line-length
|
|
18
|
-
uses: astral-sh/setup-uv@
|
|
18
|
+
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
|
|
19
19
|
- name: Cache NLTK data
|
|
20
20
|
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
|
|
21
21
|
with:
|
|
@@ -35,7 +35,7 @@ jobs:
|
|
|
35
35
|
cp coverage.xml ./pr/
|
|
36
36
|
- name: Upload PR artifact
|
|
37
37
|
# yamllint disable-line rule:line-length
|
|
38
|
-
uses: actions/upload-artifact@
|
|
38
|
+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7
|
|
39
39
|
with:
|
|
40
40
|
name: pr
|
|
41
41
|
path: pr/
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: git-commit-guard
|
|
3
|
-
Version: 0.
|
|
3
|
+
Version: 0.23.0
|
|
4
4
|
Summary: Opinionated conventional commit message linter with imperative mood detection
|
|
5
5
|
Project-URL: Homepage, https://github.com/benner/commit-guard
|
|
6
6
|
Project-URL: Repository, https://github.com/benner/commit-guard
|
|
@@ -36,7 +36,7 @@ Opinionated conventional commit message linter with imperative mood detection.
|
|
|
36
36
|
verb, verified via nltk POS tagging — not a hand-coded regex of "bad"
|
|
37
37
|
words.
|
|
38
38
|
* **Signature verification without a local keyring.** Resolves the commit
|
|
39
|
-
|
|
39
|
+
committer via the GitHub API and verifies GPG/SSH against their published
|
|
40
40
|
`.gpg`/`.keys` — no per-runner key management.
|
|
41
41
|
* **Strict by default.** Subject format, body, trailers, `Signed-off-by`,
|
|
42
42
|
and signature all enforced out of the box; opt out with `--disable`.
|
|
@@ -242,7 +242,7 @@ independently of `--enable`/`--disable`.
|
|
|
242
242
|
The `signature` check verifies the commit without any local keyring setup:
|
|
243
243
|
|
|
244
244
|
1. If the repo has a GitHub remote, call the Commits API
|
|
245
|
-
(`GET /repos/{owner}/{repo}/commits/{sha}`) to resolve the
|
|
245
|
+
(`GET /repos/{owner}/{repo}/commits/{sha}`) to resolve the committer's GitHub
|
|
246
246
|
username — this works for corporate emails, noreply addresses, or any email
|
|
247
247
|
not listed publicly on a GitHub profile.
|
|
248
248
|
2. If the Commits API is unavailable (no GitHub remote, commit not yet pushed,
|
|
@@ -250,7 +250,7 @@ The `signature` check verifies the commit without any local keyring setup:
|
|
|
250
250
|
(`{id}+{username}@users.noreply.github.com` or
|
|
251
251
|
`{username}@users.noreply.github.com`) — no API call needed.
|
|
252
252
|
3. If neither of the above resolves a username, fall back to searching GitHub
|
|
253
|
-
by the commit
|
|
253
|
+
by the commit committer's email.
|
|
254
254
|
4. Fetch the resolved user's public keys from `github.com/{username}.gpg`
|
|
255
255
|
(GPG) and the `/users/{username}/ssh_signing_keys` API (SSH keys tagged
|
|
256
256
|
with the **Signing key** role). Auth-only SSH keys are deliberately not
|
|
@@ -261,7 +261,7 @@ The `signature` check verifies the commit without any local keyring setup:
|
|
|
261
261
|
`git verify-commit` with the SSH allowed-signers config.
|
|
262
262
|
7. If any key verifies, the check passes. If none do, it fails.
|
|
263
263
|
|
|
264
|
-
If the
|
|
264
|
+
If the committer cannot be resolved via either method, or the GitHub API is
|
|
265
265
|
unreachable, the check fails with a clear error.
|
|
266
266
|
|
|
267
267
|
For private repositories, set `GITHUB_TOKEN` or `GH_TOKEN` so the Commits API
|
|
@@ -316,7 +316,7 @@ COMMIT_GUARD_GIT_TIMEOUT=30 commit-guard --range origin/main..HEAD
|
|
|
316
316
|
In GitHub Actions, set it at the step or job level:
|
|
317
317
|
|
|
318
318
|
```yaml
|
|
319
|
-
- uses: benner/commit-guard@v0.
|
|
319
|
+
- uses: benner/commit-guard@v0.23.0
|
|
320
320
|
env:
|
|
321
321
|
COMMIT_GUARD_GIT_TIMEOUT: 30
|
|
322
322
|
with:
|
|
@@ -352,6 +352,22 @@ misconfigured range specs in CI. Use `--allow-empty` to exit 0 instead:
|
|
|
352
352
|
commit-guard --range origin/main..HEAD --allow-empty
|
|
353
353
|
```
|
|
354
354
|
|
|
355
|
+
### Quiet mode
|
|
356
|
+
|
|
357
|
+
Use `--quiet` (or `-q`) to suppress output for commits that have nothing to
|
|
358
|
+
report — only commits with errors or warnings are printed. On a long range
|
|
359
|
+
this leaves exactly the offending commits in the output; a fully compliant
|
|
360
|
+
range prints nothing and exits 0:
|
|
361
|
+
|
|
362
|
+
```bash
|
|
363
|
+
commit-guard --range origin/main..HEAD --quiet
|
|
364
|
+
```
|
|
365
|
+
|
|
366
|
+
Quiet mode applies to single-commit and range mode, in both text and
|
|
367
|
+
`--output jsonl` formats. Exit codes are unchanged, so it composes with CI
|
|
368
|
+
gating. `--output-file` is not affected — the file always receives the
|
|
369
|
+
complete record stream.
|
|
370
|
+
|
|
355
371
|
### Machine-readable output
|
|
356
372
|
|
|
357
373
|
Use `--output jsonl` to emit one JSON line per commit to stdout instead of the
|
|
@@ -400,7 +416,7 @@ steps:
|
|
|
400
416
|
- uses: actions/checkout@v4
|
|
401
417
|
with:
|
|
402
418
|
fetch-depth: 0
|
|
403
|
-
- uses: benner/commit-guard@v0.
|
|
419
|
+
- uses: benner/commit-guard@v0.23.0
|
|
404
420
|
```
|
|
405
421
|
|
|
406
422
|
Check all commits in a pull request:
|
|
@@ -416,7 +432,7 @@ jobs:
|
|
|
416
432
|
- uses: actions/checkout@v4
|
|
417
433
|
with:
|
|
418
434
|
fetch-depth: 0
|
|
419
|
-
- uses: benner/commit-guard@v0.
|
|
435
|
+
- uses: benner/commit-guard@v0.23.0
|
|
420
436
|
with:
|
|
421
437
|
range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
|
|
422
438
|
```
|
|
@@ -424,7 +440,7 @@ jobs:
|
|
|
424
440
|
Check a specific commit SHA (mirrors the positional CLI argument):
|
|
425
441
|
|
|
426
442
|
```yaml
|
|
427
|
-
- uses: benner/commit-guard@v0.
|
|
443
|
+
- uses: benner/commit-guard@v0.23.0
|
|
428
444
|
with:
|
|
429
445
|
rev: ${{ github.sha }}
|
|
430
446
|
```
|
|
@@ -442,7 +458,7 @@ jobs:
|
|
|
442
458
|
- uses: actions/checkout@v4
|
|
443
459
|
with:
|
|
444
460
|
fetch-depth: 0
|
|
445
|
-
- uses: benner/commit-guard@v0.
|
|
461
|
+
- uses: benner/commit-guard@v0.23.0
|
|
446
462
|
with:
|
|
447
463
|
range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
|
|
448
464
|
disable: signed-off,signature
|
|
@@ -462,7 +478,7 @@ jobs:
|
|
|
462
478
|
When `output-file` is set the action exposes the path as an output:
|
|
463
479
|
|
|
464
480
|
```yaml
|
|
465
|
-
- uses: benner/commit-guard@v0.
|
|
481
|
+
- uses: benner/commit-guard@v0.23.0
|
|
466
482
|
id: cg
|
|
467
483
|
with:
|
|
468
484
|
range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
|
|
@@ -478,7 +494,7 @@ Add to your `.pre-commit-config.yaml`:
|
|
|
478
494
|
---
|
|
479
495
|
repos:
|
|
480
496
|
- repo: https://github.com/benner/commit-guard
|
|
481
|
-
rev: v0.
|
|
497
|
+
rev: v0.23.0
|
|
482
498
|
hooks:
|
|
483
499
|
- id: commit-guard
|
|
484
500
|
- id: commit-guard-signature
|
|
@@ -15,7 +15,7 @@ Opinionated conventional commit message linter with imperative mood detection.
|
|
|
15
15
|
verb, verified via nltk POS tagging — not a hand-coded regex of "bad"
|
|
16
16
|
words.
|
|
17
17
|
* **Signature verification without a local keyring.** Resolves the commit
|
|
18
|
-
|
|
18
|
+
committer via the GitHub API and verifies GPG/SSH against their published
|
|
19
19
|
`.gpg`/`.keys` — no per-runner key management.
|
|
20
20
|
* **Strict by default.** Subject format, body, trailers, `Signed-off-by`,
|
|
21
21
|
and signature all enforced out of the box; opt out with `--disable`.
|
|
@@ -221,7 +221,7 @@ independently of `--enable`/`--disable`.
|
|
|
221
221
|
The `signature` check verifies the commit without any local keyring setup:
|
|
222
222
|
|
|
223
223
|
1. If the repo has a GitHub remote, call the Commits API
|
|
224
|
-
(`GET /repos/{owner}/{repo}/commits/{sha}`) to resolve the
|
|
224
|
+
(`GET /repos/{owner}/{repo}/commits/{sha}`) to resolve the committer's GitHub
|
|
225
225
|
username — this works for corporate emails, noreply addresses, or any email
|
|
226
226
|
not listed publicly on a GitHub profile.
|
|
227
227
|
2. If the Commits API is unavailable (no GitHub remote, commit not yet pushed,
|
|
@@ -229,7 +229,7 @@ The `signature` check verifies the commit without any local keyring setup:
|
|
|
229
229
|
(`{id}+{username}@users.noreply.github.com` or
|
|
230
230
|
`{username}@users.noreply.github.com`) — no API call needed.
|
|
231
231
|
3. If neither of the above resolves a username, fall back to searching GitHub
|
|
232
|
-
by the commit
|
|
232
|
+
by the commit committer's email.
|
|
233
233
|
4. Fetch the resolved user's public keys from `github.com/{username}.gpg`
|
|
234
234
|
(GPG) and the `/users/{username}/ssh_signing_keys` API (SSH keys tagged
|
|
235
235
|
with the **Signing key** role). Auth-only SSH keys are deliberately not
|
|
@@ -240,7 +240,7 @@ The `signature` check verifies the commit without any local keyring setup:
|
|
|
240
240
|
`git verify-commit` with the SSH allowed-signers config.
|
|
241
241
|
7. If any key verifies, the check passes. If none do, it fails.
|
|
242
242
|
|
|
243
|
-
If the
|
|
243
|
+
If the committer cannot be resolved via either method, or the GitHub API is
|
|
244
244
|
unreachable, the check fails with a clear error.
|
|
245
245
|
|
|
246
246
|
For private repositories, set `GITHUB_TOKEN` or `GH_TOKEN` so the Commits API
|
|
@@ -295,7 +295,7 @@ COMMIT_GUARD_GIT_TIMEOUT=30 commit-guard --range origin/main..HEAD
|
|
|
295
295
|
In GitHub Actions, set it at the step or job level:
|
|
296
296
|
|
|
297
297
|
```yaml
|
|
298
|
-
- uses: benner/commit-guard@v0.
|
|
298
|
+
- uses: benner/commit-guard@v0.23.0
|
|
299
299
|
env:
|
|
300
300
|
COMMIT_GUARD_GIT_TIMEOUT: 30
|
|
301
301
|
with:
|
|
@@ -331,6 +331,22 @@ misconfigured range specs in CI. Use `--allow-empty` to exit 0 instead:
|
|
|
331
331
|
commit-guard --range origin/main..HEAD --allow-empty
|
|
332
332
|
```
|
|
333
333
|
|
|
334
|
+
### Quiet mode
|
|
335
|
+
|
|
336
|
+
Use `--quiet` (or `-q`) to suppress output for commits that have nothing to
|
|
337
|
+
report — only commits with errors or warnings are printed. On a long range
|
|
338
|
+
this leaves exactly the offending commits in the output; a fully compliant
|
|
339
|
+
range prints nothing and exits 0:
|
|
340
|
+
|
|
341
|
+
```bash
|
|
342
|
+
commit-guard --range origin/main..HEAD --quiet
|
|
343
|
+
```
|
|
344
|
+
|
|
345
|
+
Quiet mode applies to single-commit and range mode, in both text and
|
|
346
|
+
`--output jsonl` formats. Exit codes are unchanged, so it composes with CI
|
|
347
|
+
gating. `--output-file` is not affected — the file always receives the
|
|
348
|
+
complete record stream.
|
|
349
|
+
|
|
334
350
|
### Machine-readable output
|
|
335
351
|
|
|
336
352
|
Use `--output jsonl` to emit one JSON line per commit to stdout instead of the
|
|
@@ -379,7 +395,7 @@ steps:
|
|
|
379
395
|
- uses: actions/checkout@v4
|
|
380
396
|
with:
|
|
381
397
|
fetch-depth: 0
|
|
382
|
-
- uses: benner/commit-guard@v0.
|
|
398
|
+
- uses: benner/commit-guard@v0.23.0
|
|
383
399
|
```
|
|
384
400
|
|
|
385
401
|
Check all commits in a pull request:
|
|
@@ -395,7 +411,7 @@ jobs:
|
|
|
395
411
|
- uses: actions/checkout@v4
|
|
396
412
|
with:
|
|
397
413
|
fetch-depth: 0
|
|
398
|
-
- uses: benner/commit-guard@v0.
|
|
414
|
+
- uses: benner/commit-guard@v0.23.0
|
|
399
415
|
with:
|
|
400
416
|
range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
|
|
401
417
|
```
|
|
@@ -403,7 +419,7 @@ jobs:
|
|
|
403
419
|
Check a specific commit SHA (mirrors the positional CLI argument):
|
|
404
420
|
|
|
405
421
|
```yaml
|
|
406
|
-
- uses: benner/commit-guard@v0.
|
|
422
|
+
- uses: benner/commit-guard@v0.23.0
|
|
407
423
|
with:
|
|
408
424
|
rev: ${{ github.sha }}
|
|
409
425
|
```
|
|
@@ -421,7 +437,7 @@ jobs:
|
|
|
421
437
|
- uses: actions/checkout@v4
|
|
422
438
|
with:
|
|
423
439
|
fetch-depth: 0
|
|
424
|
-
- uses: benner/commit-guard@v0.
|
|
440
|
+
- uses: benner/commit-guard@v0.23.0
|
|
425
441
|
with:
|
|
426
442
|
range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
|
|
427
443
|
disable: signed-off,signature
|
|
@@ -441,7 +457,7 @@ jobs:
|
|
|
441
457
|
When `output-file` is set the action exposes the path as an output:
|
|
442
458
|
|
|
443
459
|
```yaml
|
|
444
|
-
- uses: benner/commit-guard@v0.
|
|
460
|
+
- uses: benner/commit-guard@v0.23.0
|
|
445
461
|
id: cg
|
|
446
462
|
with:
|
|
447
463
|
range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
|
|
@@ -457,7 +473,7 @@ Add to your `.pre-commit-config.yaml`:
|
|
|
457
473
|
---
|
|
458
474
|
repos:
|
|
459
475
|
- repo: https://github.com/benner/commit-guard
|
|
460
|
-
rev: v0.
|
|
476
|
+
rev: v0.23.0
|
|
461
477
|
hooks:
|
|
462
478
|
- id: commit-guard
|
|
463
479
|
- id: commit-guard-signature
|
|
@@ -315,7 +315,7 @@
|
|
|
315
315
|
</li>
|
|
316
316
|
<li>
|
|
317
317
|
<strong>Signature verification without a local keyring.</strong>
|
|
318
|
-
Resolves the commit
|
|
318
|
+
Resolves the commit committer via the GitHub API and verifies GPG/SSH
|
|
319
319
|
against their published <code>.gpg</code>/<code>.keys</code> — no
|
|
320
320
|
per-runner key management.
|
|
321
321
|
</li>
|
|
@@ -456,7 +456,7 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
|
|
|
456
456
|
<ol>
|
|
457
457
|
<li>If the repo has a GitHub remote, call the Commits API
|
|
458
458
|
(<code>GET /repos/{owner}/{repo}/commits/{sha}</code>) to resolve
|
|
459
|
-
the
|
|
459
|
+
the committer's GitHub username — works for corporate emails, noreply
|
|
460
460
|
addresses, or any email not listed publicly on a GitHub profile.</li>
|
|
461
461
|
<li>If the Commits API is unavailable (no GitHub remote, commit not
|
|
462
462
|
yet pushed, or API error), parse the username directly from a
|
|
@@ -464,7 +464,7 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
|
|
|
464
464
|
(<code>{id}+{username}@users.noreply.github.com</code>) — no API
|
|
465
465
|
call needed.</li>
|
|
466
466
|
<li>If neither of the above resolves a username, fall back to
|
|
467
|
-
searching GitHub by the commit
|
|
467
|
+
searching GitHub by the commit committer's email.</li>
|
|
468
468
|
<li>Fetch the resolved user's public keys from
|
|
469
469
|
<code>github.com/{username}.gpg</code> (GPG) and
|
|
470
470
|
<code>/users/{username}/ssh_signing_keys</code> (SSH keys tagged
|
|
@@ -476,7 +476,7 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
|
|
|
476
476
|
<li>Pass if any key verifies; fail if none do.</li>
|
|
477
477
|
</ol>
|
|
478
478
|
<p>
|
|
479
|
-
If the
|
|
479
|
+
If the committer cannot be resolved via either method, or the GitHub API
|
|
480
480
|
is unreachable, the check fails with a clear error. For private
|
|
481
481
|
repositories, set <code>GITHUB_TOKEN</code> or <code>GH_TOKEN</code>
|
|
482
482
|
so the Commits API can authenticate. The official GitHub Action wires
|
|
@@ -551,6 +551,15 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
|
|
|
551
551
|
readable logs and structured results for downstream steps:
|
|
552
552
|
</p>
|
|
553
553
|
<pre><code class="language-bash">commit-guard --range origin/main..HEAD --output-file results.jsonl</code></pre>
|
|
554
|
+
<p>
|
|
555
|
+
Use <code>--quiet</code> (or <code>-q</code>) to suppress output for
|
|
556
|
+
commits that have nothing to report — only commits with errors or
|
|
557
|
+
warnings are printed, in both text and JSONL formats. A fully
|
|
558
|
+
compliant range prints nothing and exits 0. Exit codes are unchanged,
|
|
559
|
+
and <code>--output-file</code> always receives the complete record
|
|
560
|
+
stream:
|
|
561
|
+
</p>
|
|
562
|
+
<pre><code class="language-bash">commit-guard --range origin/main..HEAD --quiet</code></pre>
|
|
554
563
|
</section>
|
|
555
564
|
|
|
556
565
|
<section id="github-actions">
|
|
@@ -566,13 +575,13 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
|
|
|
566
575
|
- uses: actions/checkout@v4
|
|
567
576
|
with:
|
|
568
577
|
fetch-depth: 0
|
|
569
|
-
- uses: benner/commit-guard@v0.
|
|
578
|
+
- uses: benner/commit-guard@v0.23.0
|
|
570
579
|
with:
|
|
571
580
|
range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
|
|
572
581
|
disable: signed-off,signature</code></pre>
|
|
573
582
|
|
|
574
583
|
<p>Check a specific commit SHA:</p>
|
|
575
|
-
<pre><code class="language-yaml"> - uses: benner/commit-guard@v0.
|
|
584
|
+
<pre><code class="language-yaml"> - uses: benner/commit-guard@v0.23.0
|
|
576
585
|
with:
|
|
577
586
|
rev: ${{ github.sha }}</code></pre>
|
|
578
587
|
|
|
@@ -591,7 +600,7 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
|
|
|
591
600
|
When <code>output-file</code> is set the action exposes the path as
|
|
592
601
|
a step output, making JSONL results available to subsequent steps:
|
|
593
602
|
</p>
|
|
594
|
-
<pre><code class="language-yaml"> - uses: benner/commit-guard@v0.
|
|
603
|
+
<pre><code class="language-yaml"> - uses: benner/commit-guard@v0.23.0
|
|
595
604
|
id: cg
|
|
596
605
|
with:
|
|
597
606
|
range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
|
|
@@ -604,7 +613,7 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
|
|
|
604
613
|
<p>Add to <code>.pre-commit-config.yaml</code>:</p>
|
|
605
614
|
<pre><code class="language-yaml">repos:
|
|
606
615
|
- repo: https://github.com/benner/commit-guard
|
|
607
|
-
rev: v0.
|
|
616
|
+
rev: v0.23.0
|
|
608
617
|
hooks:
|
|
609
618
|
- id: commit-guard
|
|
610
619
|
- id: commit-guard-signature</code></pre>
|