aormsby / Fork-Sync-With-Upstream-action

An action to automatically update your fork with new commits from the upstream repo
MIT License
258 stars, 70 forks

Feature: GPG signing with action commits #33

Closed (glexiasvc closed this issue 3 years ago)

glexiasvc commented 3 years ago

https://github.com/aormsby/Fork-Sync-With-Upstream-action/wiki/Scenarios-for-Advanced-Input

git_pull_args: is not valid anymore. I would submit a correction but am unsure which of the _args is the current one and don't want to create more work.

Also, is there a way to specify a secret that contains a PGP key for checking to show the commit as verified?

aormsby commented 3 years ago

Good catch on the input var in the wiki. That's been updated.

The only way I can think of right now to verify a commit would be using git verify-commit <hash> just to check for any signing at all, so functionality would have to be added to the action to loop through all incoming commits and verify them before merging. And I guess also to stop the process if you don't want unverified commits.

But I don't understand why you'd want to include a PGP key in the action to match against the commits. On a project with multiple users, you wouldn't be able to match them all to the same key (unless you share the same one, I guess). Unless I'm misunderstanding your goals, that doesn't seem helpful.

glexiasvc commented 3 years ago

Hi -

I am specifying the git_config_user, git_config_email, and git_config_pull_rebase fields to a service account in our GitHub project (known GitHub user).

When the merge action goes in, it's showing as unverified. I suppose what I am looking for is a git_config_gpg_key (private key to sign the commits automatically) field, much like the above three you have, so that the merge commit is able to be "verified" (see the screenshot below; the latest merge is automatically using your script).

I think I'd also need a way to save the GPG key itself and the fingerprint to pass to the git config.

[screenshot of the latest merge commit, showing as unverified]

Does this make a bit more sense? The secret is locked down to these repos that are controlled automatically.

aormsby commented 3 years ago

Ooohhh yeah, that makes a hell of a lot more sense than what I had originally interpreted. 🤣

Currently, there is no functionality for that, but it should be pretty easy to add. I think all we'd have to do is:

You're welcome to try it out and make a PR, shouldn't be too bad. Otherwise, I might have time to get to it in about a week.

aormsby commented 3 years ago

Ha! Not as simple as I thought. I didn't realize GPG signing in Actions was such a challenge for so many devs, but I've learned a few things today.

Right now, I don't think that supporting GPG setup during the sync makes a whole lot of sense because the requirements there are sort of beyond the scope of the action. Instead, I think adding a GPG config step to the workflow before the sync would work better overall.

There's an action called Import GPG that other users find effective for this task, and I'm going to try it out with my sync action. Maybe some minor adjustments are needed to avoid git config conflicts. If it works, this will be what I recommend for you as well.
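The two pieces discussed in this thread, as an added shell example that is not part of the sync action, the Import GPG action, or any comment here: configuring git to sign with a key imported from a secret (the GPG config step that runs before the sync) and the verification loop sketched earlier, which refuses to proceed when an incoming commit is unsigned. `GPG_PRIVATE_KEY`, `UPSTREAM_REF`, `ALLOW_UNTRUSTED` and every function name below are assumptions, not inputs of the action.

```shell
#!/bin/sh
# Added example (not part of the action or this thread): sign the sync's merge commit
# with a service-account key and, optionally, refuse unsigned incoming commits.
#
# Assumptions (hypothetical names): the armoured private key is in $GPG_PRIVATE_KEY
# (a repository secret exposed as an env var; no passphrase, or a pinentry is configured)
# and the sync merges $UPSTREAM_REF into HEAD.

# fingerprint_from_colons reads `gpg --with-colons` listing output on stdin and prints
# the fingerprint of the first secret key ("fpr" record, field 10).
fingerprint_from_colons() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# configure_signing imports the key and points git at it, so every commit made
# afterwards (including the sync's merge commit) is signed by that key.
configure_signing() {
  printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --quiet --import
  fpr=$(gpg --batch --with-colons --list-secret-keys | fingerprint_from_colons)
  [ -n "$fpr" ] || { echo "no secret key imported" >&2; return 1; }
  git config user.signingkey "$fpr"
  git config commit.gpgsign true
  echo "$fpr"
}

# classify_commits reads "<hash> <status>" lines, where status is git's %G? code:
# G good signature, U good signature but key not trusted, B bad signature,
# E signature could not be checked (key missing), X/Y expired signature/key,
# R revoked key, N no signature. Prints each commit that fails the policy and
# returns 1 if any did. Set ALLOW_UNTRUSTED=1 to accept U, which is what you get
# in CI when the signer's public key is imported but has no ownertrust set.
classify_commits() {
  bad=0
  while read -r hash status; do
    [ -n "$hash" ] || continue
    case "$status" in
      G) ;;
      U) [ "${ALLOW_UNTRUSTED:-0}" = 1 ] || { echo "UNTRUSTED $hash"; bad=1; } ;;
      *) echo "UNVERIFIED $hash ($status)"; bad=1 ;;
    esac
  done
  return "$bad"
}

# verify_incoming applies the policy to every commit the merge would bring in
# (reachable from the upstream ref but not from HEAD), which is the loop sketched
# in the thread. A non-zero exit stops the workflow before the merge happens.
verify_incoming() {
  git log --format='%H %G?' "HEAD..${1:-$UPSTREAM_REF}" | classify_commits
}

# Typical order in a workflow step, before calling the sync:
#   configure_signing && verify_incoming && git merge --no-ff "$UPSTREAM_REF"
```

`configure_signing` writes `user.signingkey` and `commit.gpgsign` into the repository config, so any later `git merge` or `git commit` in the same checkout is signed; GitHub shows such a commit as Verified only when the public half of that key is attached to the service account whose email the commit carries. `verify_incoming` is strict by default (only `G` passes) because `git verify-commit` alone says nothing about whether the signing key is one you trust.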

aormsby commented 3 years ago

Yep, this is working for me with very small changes. @glexiasvc I'd love if you would try it out - instructions in PR #35

mbwmbw1337 commented 3 years ago

Confirmed fixed. Thank you! The issue is able to be resolved.

glexiasvc commented 3 years ago

Thank you again, @aormsby

aormsby commented 3 years ago

Merged and released as v3.1 👍