Update policy-enforcement.yml#18
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 84a66ad950
| if [ "${{ github.event_name }}" = "pull_request" ]; then | ||
| git fetch origin ${{ github.base_ref }} | ||
| RANGE="origin/${{ github.base_ref }}...HEAD" | ||
| else | ||
| RANGE="HEAD~1..HEAD" |
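Review bot: the `else` branch covers every trigger that is not a pull_request, and its range `HEAD~1..HEAD` verifies exactly one commit, so a push carrying several commits is checked only at its tip and `HEAD~1` does not even resolve on a shallow or single-commit checkout. Suggest deriving the range from the push payload, `${{ github.event.before }}..${{ github.sha }}`, and handling the all-zero `before` SHA that GitHub sends when a branch is first created (fall back to verifying everything reachable from `HEAD` rather than silently narrowing to one commit).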
Check every commit in a push, not only the last one
For push events, the verification range is set to HEAD~1..HEAD, which only inspects the most recent commit. If a push to main contains multiple commits and any earlier commit is unsigned or unverified, this job will still pass because those commits aren’t in the range. This weakens the policy enforcement for multi-commit pushes; consider using the push range (${{ github.event.before }}..${{ github.sha }}) or a similar range that includes all commits in the push.
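One way to build the verification range the review asks for, as an added example rather than code from this PR or its workflow: the function takes the event name, base ref, before-SHA and head-SHA (names chosen here to mirror the GitHub Actions contexts the snippet uses; passing them in as arguments is an assumption), chooses a range that covers every pushed commit, treats the all-zero `before` SHA of a newly created branch as "no baseline" and verifies all reachable commits instead of narrowing to one, and then runs `git verify-commit` on each commit in the range.

```shell
#!/bin/sh
# Added example, not from the PR under review: derive the commit range a
# policy-enforcement job should verify, then verify every commit in it.
# Assumed inputs (mirroring the GitHub Actions contexts used in the workflow):
#   EVENT      github.event_name   ("pull_request", "push", ...)
#   BASE_REF   github.base_ref     (target branch of a pull request; empty on push)
#   BEFORE_SHA github.event.before (previous tip on push; all zeros on branch creation)
#   HEAD_SHA   github.sha

ZERO_SHA="0000000000000000000000000000000000000000"

# commit_range EVENT BASE_REF BEFORE_SHA HEAD_SHA
# Prints a git revision range that covers all commits the job must verify.
commit_range() {
    event="$1"; base_ref="$2"; before="$3"; head="$4"
    case "$event" in
        pull_request)
            # Every commit on the PR branch that is not already on the base branch.
            printf '%s\n' "origin/${base_ref}...${head}"
            ;;
        push)
            if [ "$before" = "$ZERO_SHA" ]; then
                # New branch: no known baseline. Verify everything reachable from
                # the pushed tip rather than silently checking a single commit.
                printf '%s\n' "$head"
            else
                # Normal push: every commit between the old tip and the new one.
                printf '%s\n' "${before}..${head}"
            fi
            ;;
        *)
            # Manual or scheduled runs: only the checked-out commit is meaningful.
            printf '%s\n' "${head}~1..${head}"
            ;;
    esac
}

# verify_range RANGE
# Runs `git verify-commit` on every commit in RANGE; exit status 1 if any fails,
# so the CI step fails when even one commit in the push is unsigned.
verify_range() {
    range="$1"; failed=0
    for commit in $(git rev-list "$range"); do
        if git verify-commit "$commit" >/dev/null 2>&1; then
            echo "ok        $commit"
        else
            echo "UNSIGNED  $commit"
            failed=1
        fi
    done
    return "$failed"
}

# Stand-alone use inside a checkout: sh verify.sh EVENT BASE_REF BEFORE_SHA HEAD_SHA
if [ "$#" -eq 4 ]; then
    range=$(commit_range "$@")
    echo "verifying range: $range"
    verify_range "$range"
fi
```

In the workflow, the four arguments would be passed from `${{ github.event_name }}`, `${{ github.base_ref }}`, `${{ github.event.before }}` and `${{ github.sha }}`; the pull_request branch still needs the `git fetch origin <base_ref>` from the snippet so that `origin/<base_ref>` exists locally, and the push branch needs a checkout deep enough to contain `before` (a shallow clone will make `git rev-list` fail rather than pass).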
Harden CI policy enforcement and validation gates