Open paulosgf opened 1 year ago
@Abdur-RahmaanJ, So, about the signed releases, we've to create a release branch and enforce signed commits policy on this.
First, create an admin GPG key pair:

    gpg --full-gen-key
    gpg --list-secret-keys --keyid-format long
    gpg --armor --export YOUR_HEXKEY_AFTER_sec_rsa4096/ > file.asc

Paste the exported key in your GitHub profile -> Settings -> SSH and GPG keys -> New GPG Key, then:

    git config --global user.signingkey my_hex_key
    git config --global tag.gpgSign true    (automate signed tags)

Vide https://withblue.ink/2020/05/17/how-and-why-to-sign-git-commits.html

On GitHub, create the release repository and enforce sign use as: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule
Create a Branch protection rule = release with constraints:
Then, in GitHub branches, create a "new pull request" as: base:release <- compare:main
When merging, if this exits with the non-signed-commit constraint, try this on localhost:

    git checkout main
    git pull origin release
    git checkout release
    git merge main
    git push -u origin release

At the end, to create a new release go to GitHub releases and create a new release with a tag from the release branch.

*** the signed commits appear as verified on GitHub
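The same property that the "release" branch protection rule enforces (every commit carries a good signature) can be checked locally before pushing, or in a GitHub Actions job, with a plain git command. The script below is an added example and not code from the issue thread or from the project; it assumes a git with the `%G?` log placeholder and, for a `G` verdict, that the signers' public keys are in the keyring git uses (on a CI runner without those keys, signed commits show up as `E`, unsigned ones as `N`). The range `origin/release..HEAD` in the usage comment is a constructed example.

```shell
#!/bin/sh
# Added example (not from the issue): verify that every commit in a git range
# carries a good GPG signature, mirroring the branch protection rule locally.
# Assumes: git supports the %G? placeholder; public keys of the signers are in
# the keyring git uses, otherwise a signed commit is reported as E (cannot check).

# check_signed_commits RANGE [REPO]
#   RANGE: a git revision range, e.g. origin/release..HEAD (constructed example)
#   REPO:  path to the repository (defaults to the current directory)
# Returns 0 when every commit in RANGE has verdict G (good signature), 1 otherwise,
# listing the offending commits on stderr as "<hash> <verdict>".
check_signed_commits() {
  range=$1
  repo=${2:-.}

  # %G? verdicts: G good, B bad, U good but untrusted key, X/Y expired,
  # R revoked key, E cannot check (key missing), N no signature at all.
  bad=$(git -C "$repo" log --format='%H %G?' "$range" \
        | awk '$2 != "G" { print $1 " " $2 }')

  if [ -n "$bad" ]; then
    printf 'commits without a good signature (hash verdict):\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# count_unsigned_commits RANGE [REPO]
# Prints how many commits in RANGE lack a good signature (0 when all are fine).
count_unsigned_commits() {
  git -C "${2:-.}" log --format='%G?' "$1" \
    | awk '$1 != "G" { n++ } END { print n + 0 }'
}

# Usage when run as a script:  sh check_signed.sh origin/release..HEAD [repo]
if [ $# -gt 0 ]; then
  check_signed_commits "$1" "${2:-.}"
fi
```

Run it as a pre-push hook or as a CI step on the pull request's `base..head` range; a non-zero exit tells you which commits the "Require signed commits" rule will reject before GitHub does.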
@paulosgf I tried before but i cannot make it work
> @paulosgf I tried before but i cannot make it work

What happened?
@paulosgf Idk it was just hanging.
> @paulosgf Idk it was just hanging.

At which stage?
Suggestion
The commits aren't signed with a trusted key
Enforce only signed commits
Implement this via GitHub Actions