Since so many users rely on the General registry, it would be nice to increase the level of security.
I don't think that it is feasible to ask all users that make manual PRs to General to GPG-sign their commits.
I do think, however, that it is reasonable for the two main bot users that generate automated PRs to General (@JuliaRegistrator and @jlbuild) to GPG-sign their automatically generated commits.
In the GitHub repo settings for this repo, disable the "merge" and "rebase and merge" options for merging. The only option for merging is squash-merge.
As a result, the commits on General are now GPG-signed by GitHub's web flow GPG key. See for example the following screenshot:
Related issues:
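One way to audit the squash-merge setup described above, added here as an example and not part of the original issue or the registry's tooling: the function reads `git log` signature fields and reports every commit that lacks a good signature from an expected key. The key IDs and commit hashes below are constructed placeholders, and `<branch>` stands for whichever branch is being audited.

```shell
#!/bin/sh
# Added example. Input on stdin, one commit per line: <hash> <%G? status> <%GK key id>
# Real input (needs gpg with the signer's public key imported and trusted):
#   git log --first-parent --format='%H %G? %GK' <branch> | audit_signatures <KEYID>

# audit_signatures KEYID...
# Prints each commit that is not a good, trusted signature from an allowed key.
# Returns 0 when every commit passes, 1 when any fails, 2 on missing arguments.
audit_signatures() {
    [ "$#" -gt 0 ] || { echo "usage: audit_signatures KEYID..." >&2; return 2; }
    allowed=" $* "
    bad=0
    while read -r hash status key || [ -n "$hash" ]; do
        [ -n "$hash" ] || continue
        # %G? is G only for a good signature with a valid, trusted key.
        # N (none), B (bad), E (key missing), U/X/Y/R are all rejected here.
        if [ "$status" != "G" ]; then
            echo "$hash: status $status, not a good trusted signature"
            bad=1
        else
            case "$allowed" in
                *" $key "*) ;;
                *) echo "$hash: signed by unexpected key $key"; bad=1 ;;
            esac
        fi
    done
    return "$bad"
}

# Constructed sample log: placeholder hashes and key IDs, not real values.
sample_log() {
    cat <<'EOF'
1111111 G AAAAAAAAAAAAAAAA
2222222 N
3333333 G BBBBBBBBBBBBBBBB
4444444 G AAAAAAAAAAAAAAAA
EOF
}

# Demo run: the unsigned commit and the commit from the unlisted key are reported.
sample_log | audit_signatures AAAAAAAAAAAAAAAA || echo "audit failed"
```
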