please add me to this organization #70
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Check Join Requests | |
| on: | |
| issues: | |
| types: [opened] | |
| jobs: | |
| keycheck: | |
| name: Check requirements | |
| if: contains(github.event.issue.labels.*.name, 'auto join') | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check signature of join request | |
| id: openpgp-check | |
| env: | |
| DATA: ${{ github.event.issue.body }} | |
| run: | | |
| echo "${DATA}" > file.txt | |
| sed -e '0,/^```plain text$/d' -e '/```$/,$d' -i file.txt | |
| ghuser=$(sed -e ':a;N;$!ba;s/\n/ /g' -e '/github[[:space:]]*user[[:space:]]*/I!d' -e "s/.*github[[:space:]]*user[[:space:]]*'\([^']*\)'.*/\1/I" file.txt) | |
| rm -rf mygpg | |
| mkdir -v -m 0700 mygpg | |
| gpg --homedir mygpg --verify --status-fd 1 file.txt 2>/dev/null || true | |
| # 0: success | |
| # 2: no public key | |
| echo "extracting OpenPGP certificate ID..." | |
| key=$(gpg --homedir mygpg --verify --status-fd 1 file.txt 2>/dev/null | awk '{if ($2 == "ERRSIG") print $9; else if ($2 == "VALIDSIG") print $3}') | |
| echo "KEY: ${key}" | |
| echo "fetching OpenPGP certificate from keyring.debian.org..." | |
| gpg --homedir mygpg --keyserver keyring.debian.org --recv-keys "$key" | |
| debuser=$(gpg --homedir mygpg -k ${key} | grep -E "^uid[[:space:]].*@debian.org>" | sed -e 's|.*<\([^@]*\)@debian.org>.*|\1|' | head -1) | |
| userid=$(gpg --homedir mygpg -k ${key} | grep -E "^uid[[:space:]].*\[" | sed -e 's|.*][[:space:]]*||' -e '/^[[:space:]]*$/d' | head -1) | |
| echo "primary USER: ${userid}" | |
| echo "Debian USER: ${debuser}" | |
| echo "GitHub issue owner: ${{ github.event.issue.user.login }}" | |
| echo "GitHub claimed user: ${ghuser}" | |
| echo "verifying the signature..." | |
| gpg --homedir mygpg --verify file.txt | |
| echo "DEBUSER=${debuser}" >> $GITHUB_OUTPUT | |
| echo "USERID=${userid}" >> $GITHUB_OUTPUT | |
| echo "GHUSER=${ghuser}" >> $GITHUB_OUTPUT | |
| outputs: | |
| deb-username: ${{ steps.openpgp-check.outputs.DEBUSER }} | |
| pgp-userid: ${{ steps.openpgp-check.outputs.USERID }} | |
| gh-user: ${{ steps.openpgp-check.outputs.GHUSER }} | |
| decline: | |
| name: Decline membership | |
| if: always() && (needs.keycheck.result == 'failure') | |
| runs-on: ubuntu-latest | |
| needs: ["keycheck"] | |
| steps: | |
| - name: Close issue | |
| uses: peter-evans/close-issue@v2 | |
| with: | |
| issue-number: ${{ github.event.issue.number }} | |
| close-reason: not_planned | |
| comment: | | |
| It seems that the membership application was either not PGP signed at all, or signed with a key that is not currently in the Debian keyring (as offered by https://keyring.debian.org). | |
| The [Debian GitHub](https://github.com/Debian) organization is intended for [Debian Developers (DD)](https://wiki.debian.org/DebianDeveloper). | |
| Therefore this issue is closed automatically. | |
| If you feel that this is unwarranted (e.g. because the auto-closing :robot: has a bug), please leave a comment. | |
| decline-github: | |
| name: Wrong GitHub user | |
| if: always() && (needs.keycheck.outputs.gh-user != '') && (needs.keycheck.outputs.gh-user != github.event.issue.user.login ) | |
| runs-on: ubuntu-latest | |
| needs: ["keycheck", "debuser", "otheremail"] | |
| steps: | |
| - name: Close issue | |
| uses: peter-evans/close-issue@v2 | |
| with: | |
| issue-number: ${{ github.event.issue.number }} | |
| close-reason: not_planned | |
| comment: | | |
| Your GitHub login `${{ github.event.issue.user.login }}` does not match the username `${{ needs.keycheck.outputs.gh-user }}` in the form. | |
| Therefore this issue is closed automatically. | |
| If you feel that this is unwarranted (e.g. because the auto-closing :robot: has a bug), please leave a comment. | |
| If you just mistyped your GitHub username, please open a new issue with the correct one. | |
| debuser: | |
| name: Debian Developer | |
| runs-on: ubuntu-latest | |
| needs: ["keycheck"] | |
| if: "${{ needs.keycheck.outputs.deb-username != '' }}" | |
| steps: | |
| - name: Post username | |
| env: | |
| DEBUSERNAME: ${{ needs.keycheck.outputs.deb-username }} | |
| uses: peter-evans/create-or-update-comment@v2 | |
| with: | |
| issue-number: ${{ github.event.issue.number }} | |
| body: | | |
| Your membership application was correctly PGP signed with a key that is in the Debian keyring :tada:, | |
| and you were were identified via your debian.org email as Debian user `${{ needs.keycheck.outputs.deb-username }}`. | |
| Please stay tuned until some human administrator accepts your application. | |
| otheremail: | |
| name: Debian Developer without @debian.org email | |
| runs-on: ubuntu-latest | |
| needs: ["keycheck"] | |
| if: "${{ needs.keycheck.outputs.deb-username == '' }}" | |
| steps: | |
| - name: Post username | |
| uses: peter-evans/create-or-update-comment@v2 | |
| with: | |
| issue-number: ${{ github.event.issue.number }} | |
| body: | | |
| Your membership application was correctly PGP signed with a key that is in the Debian keyring :tada:, | |
| although there's no debian.org email associated with that key. | |
| The first user ID in the key is `${{ needs.keycheck.outputs.pgp-userid }}`. | |
| Please stay tuned until some human administrator accepts your application. |