Avoid sigscanner for PRs from chainlink-release-pusher[bot]

chainchad · chainchad · commit f7815a2236ba · 2026-02-25T08:59:58.000-05:00
diff --git a/.github/workflows/sigscanner.yml b/.github/workflows/sigscanner.yml
@@ -1,20 +1,43 @@
-name: 'SigScanner Check'
+name: "SigScanner Check"
 
 on:
+  pull_request:
   merge_group:
   push:
+    branches:
+      - develop
 
 jobs:
   sigscanner-check:
+    # On pull_request, github.actor is the PR creator, so we can reliably
+    # skip the bot's PRs. On merge_group the actor is whoever enqueued the
+    # merge, so we skip entirely to avoid false positives.
+    if: >-
+      github.event_name != 'merge_group'
+      && github.actor != 'chainlink-release-pusher[bot]'
     runs-on: ubuntu-latest
+    env:
+      # On pull_request, github.sha is a temporary merge commit; use the
+      # actual PR head commit so SigScanner verifies the developer's signed
+      # commit. On push, github.sha is the real commit on develop.
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
     steps:
-      - name: "SigScanner checking ${{ github.sha }} by ${{ github.actor }}"
+      - name: "SigScanner checking ${{ env.COMMIT_SHA }} by ${{ github.actor }}"
         env:
           API_TOKEN: ${{ secrets.SIGSCANNER_API_TOKEN }}
           API_URL: ${{ secrets.SIGSCANNER_API_URL }}
         run: |
-          echo "🔎 Checking commit ${{ github.sha }} by ${{ github.actor }} in ${{ github.repository }} - ${{ github.event_name }}"
-          CODE=`curl --write-out '%{http_code}' -X POST -H "Content-Type: application/json" -H "Authorization: $API_TOKEN" --silent --output /dev/null --url "$API_URL" --data '{"commit":"${{ github.sha }}","repository":"${{ github.repository }}","author":"${{ github.actor }}"}'`
+          echo "🔎 Checking commit ${COMMIT_SHA} by ${GITHUB_ACTOR} in ${GITHUB_REPOSITORY} - ${GITHUB_EVENT_NAME}"
+          CODE=$(curl \
+            --write-out '%{http_code}' \
+            -X POST \
+            -H "Content-Type: application/json" \
+            -H "Authorization: $API_TOKEN" \
+            --silent \
+            --output /dev/null \
+            --url "$API_URL" \
+            --data "{\"commit\":\"${COMMIT_SHA}\",\"repository\":\"${GITHUB_REPOSITORY}\",\"author\":\"${GITHUB_ACTOR}\"}"
+          )
           echo "Received $CODE"
           if [[ "$CODE" == "200" ]]; then
             echo "✅ Commit is verified"
