CI: Add local developer versions of test-git-signatures and test-git-lfs. Modify test-git-lfs, test-git-signatures, and test-links to all add comments on PRs and link to the failures.

Author: brycelelbach

.github/workflows/test-git-lfs.yml

@@ -1,4 +1,4 @@
-name: Test Git LFS Tracking
+name: Test Git LFS
 
 on:
   push:
@@ -8,66 +8,106 @@ on:
   # see the "Reviewing PRs from forks" section in CONTRIBUTING.md for more details
 
 jobs:
-  check-lfs:
+  test-git-lfs:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
       - name: Check that binary files are tracked by LFS
-        run: |
-          echo "Checking that all binary files are tracked by Git LFS..."
-
-          # File extensions that should be tracked by LFS (from .gitattributes)
-          EXTENSIONS="pptx pdf png jpg jpeg gif webp"
-
-          # Build find pattern
-          FIND_PATTERN=""
-          for ext in $EXTENSIONS; do
-            if [ -n "$FIND_PATTERN" ]; then
-              FIND_PATTERN="$FIND_PATTERN -o"
-            fi
-            FIND_PATTERN="$FIND_PATTERN -name *.$ext"
-          done
-
-          # Find all matching files
-          FILES=$(find . -type f \( $FIND_PATTERN \) ! -path "./.git/*" ! -path "./venv/*" 2>/dev/null || true)
-
-          if [ -z "$FILES" ]; then
-            echo "No binary files found to check."
-            exit 0
-          fi
-
-          FAILED=0
-          NOT_LFS_FILES=""
-
-          for file in $FILES; do
-            # Check if file is an LFS pointer (starts with "version https://git-lfs.github.com/spec/v1")
-            if head -c 50 "$file" 2>/dev/null | grep -q "version https://git-lfs.github.com/spec/v1"; then
-              echo "✓ $file (LFS pointer)"
-            else
-              echo "✗ $file (NOT tracked by LFS)"
-              NOT_LFS_FILES="$NOT_LFS_FILES\n  - $file"
-              FAILED=1
-            fi
-          done
-
-          if [ $FAILED -eq 1 ]; then
-            echo ""
-            echo "=========================================="
-            echo "ERROR: The following files should be tracked by Git LFS but are not:"
-            echo -e "$NOT_LFS_FILES"
-            echo ""
-            echo "To fix this, run:"
-            echo "  git rm --cached <file>"
-            echo "  git add <file>"
-            echo "  git commit -m 'Track file with Git LFS'"
-            echo ""
-            echo "Make sure Git LFS is installed and .gitattributes includes the file pattern."
-            echo "=========================================="
-            exit 1
-          fi
-
-          echo ""
-          echo "All binary files are properly tracked by Git LFS!"
+        id: git-lfs-check
+        run: bash brev/test-git-lfs.bash .
+
+      - name: Comment on PR if check failed
+        if: failure() && steps.git-lfs-check.outputs.error_type != ''
+        uses: actions/github-script@v7
+        with:
+          script: |
+            // Find PR associated with this branch
+            const { data: pulls } = await github.rest.pulls.list({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              head: `${context.repo.owner}:${process.env.GITHUB_REF_NAME}`,
+              state: 'open'
+            });
+
+            if (pulls.length === 0) {
+              console.log('No open PR found for this branch, skipping comment.');
+              return;
+            }
+
+            const prNumber = pulls[0].number;
+            const errorType = '${{ steps.git-lfs-check.outputs.error_type }}';
+            const errorFiles = `${{ steps.git-lfs-check.outputs.error_files }}`;
+            const runUrl = `${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}`;
+
+            let commentBody;
+            if (errorType === 'subdir_gitattributes') {
+              commentBody = `## ❌ Git LFS Check Failed
+
+**Found \`.gitattributes\` file(s) in subdirectories.** Only the top-level \`.gitattributes\` should be used for LFS configuration.
+
+🔗 [View workflow run logs](${runUrl})
+
+### Files to remove:
+${errorFiles.split('\n').map(f => f.trim()).filter(f => f).map(f => '- \`' + f + '\`').join('\n')}
+
+### How to fix:
+\`\`\`bash
+git rm <path/to/.gitattributes>
+git commit -m "Remove subdirectory .gitattributes"
+\`\`\`
+`;
+            } else if (errorType === 'not_lfs_tracked') {
+              commentBody = `## ❌ Git LFS Check Failed
+
+**The following files should be tracked by Git LFS but are not:**
+
+🔗 [View workflow run logs](${runUrl})
+
+${errorFiles}
+
+### How to fix:
+\`\`\`bash
+# For each file listed above:
+git rm --cached <file>
+git add <file>
+git commit -m "Track file with Git LFS"
+\`\`\`
+
+Make sure Git LFS is installed locally (\`git lfs install\`) before running these commands.
+`;
+            }
+
+            // Check if we already commented on this PR to avoid spam
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber
+            });
+
+            const botComment = comments.find(comment =>
+              comment.user.type === 'Bot' &&
+              comment.body.includes('Git LFS Check Failed')
+            );
+
+            if (botComment) {
+              // Update existing comment
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: botComment.id,
+                body: commentBody
+              });
+              console.log(`Updated existing comment on PR #${prNumber}`);
+            } else {
+              // Create new comment
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                body: commentBody
+              });
+              console.log(`Created comment on PR #${prNumber}`);
+            }

.github/workflows/test-signature.yml .github/workflows/test-git-signatures.yml.github/workflows/test-signature.yml renamed to .github/workflows/test-git-signatures.yml

@@ -1,4 +1,4 @@
-name: Test Commit Signatures
+name: Test Git Signatures
 
 on:
   push:
@@ -8,7 +8,7 @@ on:
   # see the "Reviewing PRs from forks" section in CONTRIBUTING.md for more details
 
 jobs:
-  test-signatures:
+  test-git-signatures:
     runs-on: ubuntu-latest
 
     steps:
@@ -17,7 +17,13 @@ jobs:
         with:
           fetch-depth: 0  # Need full history to compare with main
 
-      - name: Check commit signatures
+      - name: Check commit signatures (local verification)
+        id: git-signatures-check
+        run: bash brev/test-git-signatures.bash origin/main
+
+      - name: Check commit signatures (GitHub API verification)
+        id: github-api-check
+        if: always() && !cancelled()
         uses: actions/github-script@v7
         with:
           script: |
@@ -50,7 +56,7 @@ jobs:
               return;
             }
 
-            console.log(`Checking ${commitShas.length} commit(s) for signatures...`);
+            console.log(`Checking ${commitShas.length} commit(s) via GitHub API...`);
 
             // Check each commit's verification status via GitHub API
             const unsignedCommits = [];
@@ -86,6 +92,10 @@ jobs:
             }
 
             if (unsignedCommits.length > 0) {
+              // Set outputs for PR comment
+              core.setOutput('unsigned_count', unsignedCommits.length);
+              core.setOutput('unsigned_commits', unsignedCommits.map(c => `- \`${c.sha}\`: ${c.message} (${c.reason})`).join('\n'));
+
               console.log('\n❌ Found unsigned commits:');
               for (const commit of unsignedCommits) {
                 console.log(`   ${commit.sha}: ${commit.message} (reason: ${commit.reason})`);
@@ -97,3 +107,88 @@ jobs:
               console.log(`\n✅ All ${commitShas.length} commit(s) are properly signed.`);
             }
 
+      - name: Comment on PR if check failed
+        if: failure() && steps.github-api-check.outputs.unsigned_count != ''
+        uses: actions/github-script@v7
+        with:
+          script: |
+            // Find PR associated with this branch
+            const { data: pulls } = await github.rest.pulls.list({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              head: `${context.repo.owner}:${process.env.GITHUB_REF_NAME}`,
+              state: 'open'
+            });
+
+            if (pulls.length === 0) {
+              console.log('No open PR found for this branch, skipping comment.');
+              return;
+            }
+
+            const prNumber = pulls[0].number;
+            const unsignedCount = '${{ steps.github-api-check.outputs.unsigned_count }}';
+            const unsignedCommits = `${{ steps.github-api-check.outputs.unsigned_commits }}`;
+            const runUrl = `${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}`;
+
+            const commentBody = `## ❌ Commit Signature Check Failed
+
+**Found ${unsignedCount} unsigned commit(s):**
+
+🔗 [View workflow run logs](${runUrl})
+
+${unsignedCommits}
+
+### All commits must be signed
+
+#### How to fix:
+
+1. **Configure commit signing** (if not already done):
+   \`\`\`bash
+   # For GPG signing
+   git config --global commit.gpgsign true
+
+   # Or for SSH signing (Git 2.34+)
+   git config --global gpg.format ssh
+   git config --global user.signingkey ~/.ssh/id_ed25519.pub
+   \`\`\`
+
+2. **Re-sign your commits:**
+   \`\`\`bash
+   git rebase -i origin/main --exec "git commit --amend --no-edit -S"
+   git push --force-with-lease
+   \`\`\`
+
+📚 [GitHub documentation on signing commits](https://docs.github.com/en/authentication/managing-commit-signature-verification)
+`;
+
+            // Check if we already commented on this PR to avoid spam
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber
+            });
+
+            const botComment = comments.find(comment =>
+              comment.user.type === 'Bot' &&
+              comment.body.includes('Commit Signature Check Failed')
+            );
+
+            if (botComment) {
+              // Update existing comment
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: botComment.id,
+                body: commentBody
+              });
+              console.log(`Updated existing comment on PR #${prNumber}`);
+            } else {
+              // Create new comment
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                body: commentBody
+              });
+              console.log(`Created comment on PR #${prNumber}`);
+            }

.github/workflows/test-links.yml

@@ -34,7 +34,83 @@ jobs:
           done
 
       - name: Check links with Lychee
+        id: lychee-check
         uses: lycheeverse/lychee-action@v2
         with:
           args: --verbose --no-progress --config brev/lychee.toml --exclude-file brev/.lycheeignore '.'
           fail: true
+
+      - name: Comment on PR if check failed
+        if: failure() && steps.lychee-check.outcome == 'failure'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            // Find PR associated with this branch
+            const { data: pulls } = await github.rest.pulls.list({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              head: `${context.repo.owner}:${process.env.GITHUB_REF_NAME}`,
+              state: 'open'
+            });
+
+            if (pulls.length === 0) {
+              console.log('No open PR found for this branch, skipping comment.');
+              return;
+            }
+
+            const prNumber = pulls[0].number;
+            const runUrl = `${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}`;
+
+            const commentBody = `## ❌ Link Check Failed
+
+**Broken links were detected in this PR.**
+
+Please check the [workflow run logs](${runUrl}) for details on which links are broken.
+
+### Common fixes:
+
+1. **Typo in URL** - Check for spelling mistakes in the link
+2. **Outdated link** - The page may have moved or been deleted
+3. **Relative path issue** - Ensure relative links use the correct path
+4. **External site down** - If the external site is temporarily down, you can add it to \`brev/.lycheeignore\`
+
+### To test links locally:
+
+\`\`\`bash
+./brev/test-links.bash .
+\`\`\`
+
+📚 [Lychee documentation](https://github.com/lycheeverse/lychee)
+`;
+
+            // Check if we already commented on this PR to avoid spam
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber
+            });
+
+            const botComment = comments.find(comment =>
+              comment.user.type === 'Bot' &&
+              comment.body.includes('Link Check Failed')
+            );
+
+            if (botComment) {
+              // Update existing comment
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: botComment.id,
+                body: commentBody
+              });
+              console.log(`Updated existing comment on PR #${prNumber}`);
+            } else {
+              // Create new comment
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                body: commentBody
+              });
+              console.log(`Created comment on PR #${prNumber}`);
+            }