Support making github sided gpg signatures for pull request commits. #708
Comments
Correct me if I'm wrong, but I don't think this is possible because GitHub's GPG private key is not accessible and/or usable on the GitHub Actions runner. However, I might be able to enable this feature for use with your own GPG private key. This would be similar to the flow described here: https://docs.github.com/en/github/authenticating-to-github/about-commit-signature-verification#gpg-commit-signature-verification
Well @peter-evans, somehow the automerge action, when using the GitHub-provided commit information, GPG signs the merged commits using GitHub's key as far as I've seen (and I used squash merging to merge in its settings, with the update setting on their end set to rebase).
@AraHaan What GitHub action are you referring to? Please could you link the repository.
The reason it works for merging in So I can probably find a way to enable this feature for use with your own GPG private key. It would still say "verified" next to the commit just like the GitHub signed commits.
Hi @peter-evans, I'm not sure if this helps, but I can see dependabot is able to use the GitHub key so its commits are verified. Perhaps it being available for apps and bots doesn't help this action. https://github.blog/2019-08-15-commit-signing-support-for-bots-and-other-github-apps/
I found some more information here about how you can achieve commit signing by GitHub's own key for GitHub Apps. However, it doesn't help for GitHub Actions, unfortunately. As I mentioned in an earlier comment, I'm fairly sure I can make this work for your own GPG key, but not GitHub's. If that's something you would be interested in using, let me know.
I think that could work as well, even if it allows the "bot" that the action on my workflow uses a PAT with to sign it using the GPG key for that account.
Ok, I'll look into adding a feature to use your own GPG key to sign commits then.
Thanks for the link about signing with a GitHub app. I was chatting about that with a security researcher yesterday and it would be an answer; it's just a lot of work just to get a commit signed :) It's kind of you to follow through on the request to add GPG signing as part of your action. I can see that being useful. As I've looked more deeply into this it's become clear that it would be best to not include my GPG key for the action to use, because then that secret could be used by other things to sign work as me. I'm going to look at getting a GPG key for a machine account and using that. I need to find out if I can create the PR as the machine account instead of it being me.
@davidboweninrupt you can, I do it on my submodule update workflow in https://github.com/Elskom/Sdk/ It basically hacks together a faster submodule update than what dependabot offers currently, and all powered by this GitHub action. 😃
@AraHaan thanks for the link to https://github.com/Elskom/Sdk/ , seeing that action helped inspire me to do the things I needed to do. @peter-evans thanks for the action, obviously, but also thanks for keeping the documentation up to date and clear. It took my brain a while to realise, but setting the right For reference, I found getting a machine account to do the work for me and having its own GPG key a good way to go. Having a way to tell this action about "my" GPG key would be nice, but I'm doing it using this importer at the moment.
Everything I can see there looks good @peter-evans
Released as See the documentation for usage details: https://github.com/peter-evans/create-pull-request/blob/master/docs/concepts-guidelines.md#gpg-commit-signature-verification
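The approach the thread settles on is a dedicated machine-account key rather than a personal one, with the bot's commits signed and then checked. The script below is an added example, not code from the thread or from the create-pull-request action; it generates a throwaway key in an isolated keyring, signs a commit the way a signing bot would, and then verifies both that the signature is good and that the signing fingerprint is the expected one. It assumes `git` and `gpg` (2.1 or newer) are installed; the bot identity and paths are constructed.

```shell
#!/usr/bin/env bash
# Added example: sign a commit with a dedicated bot GPG key and verify it
# against the expected fingerprint. Identity and paths are constructed.
set -euo pipefail

sign_and_verify() {
  local work fpr status key
  work="$(mktemp -d)"
  # Isolated keyring so the example never touches the user's real keys.
  export GNUPGHOME="$work/gnupg"
  mkdir -m 700 "$GNUPGHOME"

  # Unprotected key for the bot identity (in CI this would come from a secret,
  # never from a maintainer's personal keyring).
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "Example Bot <bot@example.invalid>" default default never 2>/dev/null
  fpr="$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')"

  # Repository configured as a signing bot should be: committer identity matches
  # the key's UID and every commit is signed with that key.
  git init -q "$work/repo"
  git -C "$work/repo" config user.name "Example Bot"
  git -C "$work/repo" config user.email "bot@example.invalid"
  git -C "$work/repo" config user.signingkey "$fpr"
  git -C "$work/repo" config commit.gpgsign true
  echo "hello" > "$work/repo/file.txt"
  git -C "$work/repo" add file.txt
  git -C "$work/repo" commit -q -m "Signed by the bot key" 2>/dev/null

  # Verification policy: git must report a good signature (%G? == G) AND the
  # signing key must be the one we expect. A valid signature from some other
  # key is still a policy failure, which is what a branch-protection check wants.
  status="$(git -C "$work/repo" log -1 --format='%G?')"
  key="$(git -C "$work/repo" log -1 --format='%GF')"
  git -C "$work/repo" verify-commit HEAD 2>/dev/null
  if [ "$status" = "G" ] && [ "$key" = "$fpr" ]; then
    echo "verified:$fpr"
    return 0
  fi
  echo "untrusted:$status:$key"
  return 1
}
```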
Subject of the issue
I would like it where the commits generated by create-pull-request had an optional feature that can be set to true (if they want it) to use GitHub's GPG signature, like you can when manually editing files on GitHub itself.
Steps to reproduce
If this issue is describing a possible bug please provide (or link to) your GitHub Actions workflow.
N/A this is a feature request.