Closed joao-paulo-parity closed 3 years ago
This blocks the CLA bot and it's not trivial to solve.
There might be bigger security-related concerns either way, so I'll tag this as "blocked" (for unactionable) until we have discussed what to do about bot commits' verification.
After discussion, implementing a GPG signature for the bot, while not the most trustable option, will still be the solution to pursue in the short term. Therefore we'll need to work on this to unblock the CLA signatures.
From the commits list page in the API: https://api.github.com/repos/paritytech/polkadot/commits?sha=pull/2854/head, an example commit by the benchmark bot is:
Noticeably
The bot needs to commit as a recognizable user. We cannot trust the following
because anyone can set those values for their own commit.
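An added example, not part of the original issue or the project's code: one way a CLA check could decide whether an entry from the commits-list API came from the bot, relying on GitHub's `commit.verification` result rather than on name and email fields written by whoever created the commit. The bot login and the sample entries are constructed, and reading the untrusted values above as the commit's author/committer name and email is an assumption.

```python
BOT_LOGIN = "example-bench-bot"  # hypothetical bot account, not from the page


def classify_commit(item, bot_login=BOT_LOGIN):
    """Return (trusted, reason) for one element of the commits-list response.

    commit.author / commit.committer name and email are chosen by the person
    who created the commit, so they play no part in the decision.
    """
    verification = (item.get("commit") or {}).get("verification") or {}
    if verification.get("verified") is not True:
        return False, "signature: " + str(verification.get("reason", "missing"))
    # The top-level committer is the account GitHub resolved for the commit.
    # On its own it is derived from the e-mail; it only carries weight once
    # the signature has verified. It is null when no account matches.
    account = item.get("committer") or {}
    if account.get("login") != bot_login:
        return False, "signed by another account: " + str(account.get("login"))
    return True, "verified signature from " + bot_login


def _entry(name, email, login, verified, reason):
    """Build a constructed commits-list entry with only the fields used here."""
    ident = {"name": name, "email": email}
    return {
        "sha": "0" * 40,  # placeholder
        "commit": {
            "author": ident,
            "committer": ident,
            "verification": {"verified": verified, "reason": reason},
        },
        "committer": {"login": login} if login else None,
    }


# Constructed samples: all three claim the bot's name in the commit metadata.
SAMPLES = [
    _entry("Bench Bot", "bot@example.invalid", BOT_LOGIN, True, "valid"),
    _entry("Bench Bot", "bot@example.invalid", BOT_LOGIN, False, "unsigned"),
    _entry("Bench Bot", "dev@example.invalid", "someone-else", True, "valid"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_commit(sample))
```

Only the first sample is accepted: the second carries the bot's name and e-mail but no signature, and the third is signed by a different account.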