Chore: [AEA-0000] - add sync copilot and check commit signing pre-commit hook #2
anthony-nhs merged 1 commit into main from
This PR is linked to a ticket in an NHS Digital JIRA Project. Here's a handy link to the ticket: AEA-0000
Pull request overview
Adds automation and local guardrails by introducing a scheduled GitHub Actions workflow to sync shared Copilot instructions and a new pre-commit hook intended to enforce commit signing configuration.
Changes:
- Add a scheduled/manual workflow to sync shared Copilot instructions into this repo.
- Add a local pre-commit hook to check that commit signing is enabled/configured.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .pre-commit-config.yaml | Adds a new local check-commit-signing hook to enforce signing-related git configuration. |
| .github/workflows/sync_copilot.yml | Introduces a scheduled workflow that runs an external action to sync Copilot instructions. |
| uses: NHSDigital/eps-copilot-instructions@304ab2f4b7cdc15a1d7c0a0fae5290fad41b2451 | ||
| with: | ||
| copilot_instructions_ref: main | ||
| calling_repo_base_branch: master |
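Review bot: the `uses:` line pins the action to a full commit SHA, which is the right choice for a third-party action, but with no trailing comment naming the tag it was taken from (e.g. `# vX.Y.Z`, placeholder) a reviewer cannot tell which release this is, and Dependabot/Renovate rely on that comment to propose updates; add the tag comment beside the SHA. Separately, `copilot_instructions_ref: main` pulls the shared instructions from a moving branch, so any upstream change flows into the PRs this workflow opens with no pin on this side; if the upstream publishes tags, reference one here.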
calling_repo_base_branch is set to master, but this repo’s workflows target main (and the README example uses main). If master doesn’t exist, the sync job will fail or open PRs against the wrong branch. Update this to main (or derive it from the repository default branch).
| calling_repo_base_branch: master | |
| calling_repo_base_branch: main |
| name: Sync Copilot Instructions | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| schedule: | ||
| - cron: "0 6 * * 1" | ||
|
|
||
| jobs: | ||
| sync-copilot-instructions: | ||
| runs-on: ubuntu-22.04 | ||
| environment: create_pull_request | ||
| permissions: | ||
| contents: read | ||
|
|
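Review bot: the job grants only `contents: read`, yet its purpose (and the `create_pull_request` environment name) is to open pull requests, so the action cannot be doing that with the default `GITHUB_TOKEN`; it must be consuming a separately provisioned credential from that environment. Name that secret in a comment on the `environment:` line and confirm it is scoped to this repository with no more than the `contents` and `pull_requests` write permissions the sync needs, since an over-scoped token exercised on a weekly schedule is a standing exposure. The `contents: read` grant itself is correct and should stay as is.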
Other workflows in this repo set top-level permissions: {} and then grant per-job permissions. This workflow omits the top-level permissions block, which likely results in broader default token permissions than intended. Add permissions: {} at the workflow root and keep only the minimal job permissions needed.
| name: Check commit signing | ||
| description: Ensures that commits are GPG signed |
The hook description says it "Ensures that commits are GPG signed", but the implementation only checks local Git config (user.signingkey/commit.gpgsign). This can be misleading for contributors because it doesn’t verify that an actual commit is signed. Consider rewording the description/name to reflect that it enforces local signing configuration.
| name: Check commit signing | |
| description: Ensures that commits are GPG signed | |
| name: Check commit signing configuration | |
| description: Ensures Git is configured to sign commits with GPG |
| if ! git config --get user.signingkey > /dev/null 2>&1; then | ||
| echo "Error: Git signing key not configured." | ||
| echo "Please configure your GPG signing key with:" | ||
| echo " git config user.signingkey <YOUR_GPG_KEY_ID>" | ||
| echo "" | ||
| echo "To find your GPG key ID, run: gpg --list-secret-keys --keyid-format=long" | ||
| echo "For more information, see: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits" | ||
| exit 1 | ||
| fi |
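Review bot: `git config --get user.signingkey` reads the effective value across local, global and system config, so the hook passes on a global key as well as a per-repo one, while the remediation `git config user.signingkey <YOUR_GPG_KEY_ID>` writes only the local repo config; that mismatch is harmless but worth a comment in the hook so the two are not confused. More importantly, the hook's description should say this is a client-side convenience: `git commit --no-verify` skips pre-commit hooks entirely, so the check catches an unconfigured machine early but is not what enforces signing; the "require signed commits" branch protection on `main` remains the actual control and should be in place alongside this hook.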
Failing when user.signingkey is unset will block users who have commit signing working via a default GPG key (or other signing setups) without explicitly setting user.signingkey. This can cause false failures on commit. Prefer checking/enforcing commit.gpgsign (and optionally gpg.format) without requiring user.signingkey, or make the signingkey check conditional/optional.
| if ! git config --get commit.gpgsign | grep -q "true" > /dev/null 2>&1; then | ||
| echo "Error: Commit signing is not enabled." | ||
| echo "Please enable commit signing with:" | ||
| echo " git config commit.gpgsign true" | ||
| echo "" | ||
| echo "For more information, see: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits" | ||
| exit 1 | ||
| fi |
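Review bot: the `if ! git config --get commit.gpgsign | grep -q "true"` line takes its status from `grep`, so the error path is reached both when `commit.gpgsign` is unset and when it holds a non-matching value, which is the intended behaviour; the remediation text, however, is GPG-only. `commit.gpgsign` also governs SSH and X.509 signing selected via `gpg.format`, so `echo "Please enable commit signing with:"` and the GitHub link would serve SSH-signing contributors better if worded format-neutrally (for example "configure commit signing" and a pointer to the signing-commits page without the GPG-specific key instructions).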
The commit.gpgsign check relies on grepping raw git config output for the string true. Git boolean configs can be represented in multiple ways and git config --get doesn’t normalize them. Use git config --bool --get commit.gpgsign (or equivalent) and compare the normalized value; also the extra > /dev/null after grep -q is redundant.