Merge pull request #3 from rogeruiz/rogeruiz/feat/add-support-for-checking-all-pr-changes

rogeruiz · web-flow · commit b6a7e3800a13 · 2025-11-12T08:03:44.000-06:00
feat: Support for verifying all commits in PR
diff --git a/.github/allowed_signers b/.github/allowed_signers
@@ -1 +1,2 @@
 hi@rog.gr,firstworldman@gmail.com,contact@rogeruiz.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIflGAaoiK4/55TYIzFfCW5fgR18BZrPboXXTTQatfJu
+hi@rog.gr,firstworldman@gmail.com,contact@rogeruiz.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINL+2VdQnANQ8Qpyu9D3j0tlT1ZUQlSELRnj0vEySjH4
diff --git a/.github/workflows/verify-commits.yml b/.github/workflows/verify-commits.yml
@@ -9,7 +9,7 @@ jobs:
       - name: Checkout the code
         uses: actions/checkout@v3
       - name: Run repasar on the latest SHA
-        uses: rogeruiz/repasar@v1.0.0
+        uses: rogeruiz/repasar@v1.1.0
         with:
           allowed-signers-file-path: ./.github/allowed_signers
           fail-on-unverified: true
diff --git a/README.md b/README.md
@@ -2,9 +2,13 @@
 
 # Repasar
 
-The Repasar GitHub Action (GHA) checks the current SHA that triggered the GHA
-and check to make sure that it is signed properly using subcommands supported by
-Git.
+The Repasar GitHub Action (GHA) checks the commit signatures for security. It
+now supports verifying **all commits in a pull request (PR)**, not just the
+latest commit. For push events, it continues to verify the latest commit as
+before.
+
+- For PRs: All commits in the PR are checked for verified signatures.
+- For pushes: Only the latest commit is checked.
 
 ## Setup
 
@@ -25,11 +29,12 @@ jobs:
       - name: Checkout the code
         uses: actions/checkout@v3
       - name: Run repasar on the latest SHA
-        uses: rogeruiz/repasar@v1.0.0
+        uses: rogeruiz/repasar@v1.1.0
         with:
           allowed-signers-file-path: ./.github/allowed_signers
           fail-on-unverified: true
 ```
+
 ## Required inputs
 
 The only required input is the `allowed-signers-file-path` which is recommended
@@ -40,19 +45,24 @@ keys in the following format per-line.
 <email>[,<email>...] <key type> <public key>
 ```
 
-These public keys are safe to check into your repository. To generate this file
-based on the public keys available on GitHub for committers to the repository,
-you can generate them using the `allowedSignersFile` project by @frankywahl.
-This file can also be maintained manually and checked in by each individual
-committer for your projects.
-
-[=> frankywahl/allowedSignersFile project](https://github.com/frankywahl/allowedSignersFile)
+> [!IMPORTANT]
+> This file can be created manually by taking the public key file you have
+> locally and rearranging the comment email at the end to the beginning.
+> Remember to add only the emails you'd like to allow for verification purposes.
 
 ## Optional inputs
 
 By default, this Action does not fail the run if the verification of the commit
-is unsuccessful. If you would like to have the Action fail, then set the `fail-on-unverified` to `true` in the `workflows/` YAML file.
+is unsuccessful. If you would like to have the Action fail, then set the
+`fail-on-unverified` to `true` in the `workflows/` Yaml file.
 
 ## Environment variables the action uses
 
-This action uses the `${GITHUB_SHA}` variable to pull the current commit.
+- `${GITHUB_SHA}`: Used for single commit verification (push events).
+- `${GITHUB_EVENT_NAME}` and `${GITHUB_EVENT_PATH}`: Used to detect PR context
+  and extract PR number.
+- `${GITHUB_TOKEN}`: **Required for PR verification** to fetch all commits in
+  the PR using the GitHub API.
+
+**Note:** For PRs, ensure the workflow has access to `GITHUB_TOKEN` (default in
+GitHub Actions) and that the token has `repo` scope for private repositories.
diff --git a/action.yml b/action.yml
@@ -1,22 +1,23 @@
-name: 'Repasar Action'
-author: 'Roger Steve Ruiz'
-description: 'Run git-verify-commit command on the latest SHA'
+name: "Repasar Action"
+author: "Roger Steve Ruiz"
+description: "Run git-verify-commit command on all commits in a PR (or the latest SHA for push events)"
 inputs:
   allowed-signers-file-path:
-    description: 'A path to a file in the repository to use as a list of SSH public keys IDs.'
+    description: "A path to a file in the repository to use as a list of SSH public keys IDs."
     required: true
+    # Note: For PR verification, GITHUB_TOKEN must be available in the environment to fetch commits via the GitHub API.'
   fail-on-unverified:
-    description: 'Set the variable to true to fail the Action on when the git-verify-commit fails to be verified.'
+    description: "Set the variable to true to fail the Action on when the git-verify-commit fails to be verified."
     required: false
 outputs:
   verified:
-    description: 'The verification status'
+    description: "The verification status"
 runs:
-  using: 'docker'
-  image: 'Dockerfile'
+  using: "docker"
+  image: "Dockerfile"
   args:
     - ${{ inputs.allowed-signers-file-path }}
     - ${{ inputs.fail-on-unverified }}
 branding:
-  icon: 'check-circle'
-  color: 'green'
+  icon: "check-circle"
+  color: "green"
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -7,16 +7,56 @@ git config --global tag.gpgsign true
 git config --global gpg.format ssh
 git config --global gpg.ssh.allowedSignersFile "${1}"
 
-if git verify-commit "${GITHUB_SHA}" &>/dev/null
-then
-  echo "Commit ${GITHUB_SHA} is verified successfully!"
-  git verify-commit "${GITHUB_SHA}"
-  echo "verified=true" >> "${GITHUB_OUTPUT}"
+# Detect PR context
+if [[ "$GITHUB_EVENT_NAME" == "pull_request" || "$GITHUB_EVENT_NAME" == "pull_request_target" ]]; then
+  echo "Detected PR context. Verifying all commits in the PR."
+  # Extract PR number from event payload
+  if command -v jq &>/dev/null; then
+    PR_NUMBER=$(jq '.number' "$GITHUB_EVENT_PATH")
+  else
+    PR_NUMBER=$(grep '"number":' "$GITHUB_EVENT_PATH" | head -1 | sed 's/[^0-9]*//g')
+  fi
+  echo "PR number: $PR_NUMBER"
+  # Fetch all commit SHAs in the PR
+  COMMITS_JSON=$(curl -s -H "Authorization: Bearer $GITHUB_TOKEN" "https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}/commits")
+  if command -v jq &>/dev/null; then
+    SHAS=($(echo "$COMMITS_JSON" | jq -r '.[].sha'))
+  else
+    SHAS=($(echo "$COMMITS_JSON" | grep '"sha":' | awk -F '"' '{print $4}'))
+  fi
+  FAILED_SHAS=()
+  for sha in "${SHAS[@]}"; do
+    if git verify-commit "$sha" &>/dev/null; then
+      echo "Commit $sha is verified successfully!"
+      git verify-commit "$sha"
+    else
+      echo "Failed to verify the commit $sha."
+      FAILED_SHAS+=("$sha")
+    fi
+  done
+  if [[ ${#FAILED_SHAS[@]} -eq 0 ]]; then
+    echo "All commits in PR are verified."
+    echo "verified=true" >> "${GITHUB_OUTPUT}"
+  else
+    echo "The following commits failed verification: ${FAILED_SHAS[*]}"
+    echo "verified=false" >> "${GITHUB_OUTPUT}"
+    if [[ ${2} == 'true' ]]; then
+      exit 1
+    fi
+  fi
 else
-  echo "Failed to verify the commit ${GITHUB_SHA}."
-  echo "verified=false" >> "${GITHUB_OUTPUT}"
-  if [[ ${2} == 'true' ]]
+  # Fallback: verify latest commit as before
+  if git verify-commit "${GITHUB_SHA}" &>/dev/null
   then
-    exit 1
+    echo "Commit ${GITHUB_SHA} is verified successfully!"
+    git verify-commit "${GITHUB_SHA}"
+    echo "verified=true" >> "${GITHUB_OUTPUT}"
+  else
+    echo "Failed to verify the commit ${GITHUB_SHA}."
+    echo "verified=false" >> "${GITHUB_OUTPUT}"
+    if [[ ${2} == 'true' ]]
+    then
+      exit 1
+    fi
   fi
 fi

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`	`1`	`[email protected],[email protected],[email protected] ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIflGAaoiK4/55TYIzFfCW5fgR18BZrPboXXTTQatfJu`
	`2`	`+[email protected],[email protected],[email protected] ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINL+2VdQnANQ8Qpyu9D3j0tlT1ZUQlSELRnj0vEySjH4`