Configure Signed Commits #171

Open
paulosgf opened this issue Nov 27, 2022 · 5 comments
Labels
ci-cd Continuous integration/continuous delivery enhancement New feature or request security Security related

Comments

@paulosgf
Collaborator

Suggestion

The commits aren't signed with a trusted key

Enforce only signed commits

Implement this via GitHub Actions

@paulosgf paulosgf added enhancement New feature or request security Security related ci-cd Continuous integration/continuous delivery labels Nov 27, 2022
@paulosgf paulosgf self-assigned this Nov 27, 2022
@paulosgf
Collaborator Author

@Abdur-rahmaanJ, so, about the signed releases, we have to create a release branch and enforce a signed-commits policy on it.

First, create an admin GPG key pair:
gpg --full-gen-key
gpg --list-secret-keys --keyid-format long
gpg --armor --export YOUR_HEXKEY_AFTER_sec_rsa4096/ > file.asc
Paste in your GitHub profile -> Settings -> SSH and GPG keys -> New GPG Key
git config --global user.signingkey my_hex_key
git config --global tag.gpgSign true  # automate signed tags
See https://withblue.ink/2020/05/17/how-and-why-to-sign-git-commits.html
On GitHub, create the release repository and enforce signature use as described in:
https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/managing-a-branch-protection-rule

Create a Branch protection rule = release
with constraints:

  • Require a pull request before merging
  • Require signed commits

To release, commit on localhost:
git commit -S -m "Honeybot Release 6.0.2"
git tag -s release-6.0.2 -m "Honeybot Release 6.0.2" $(git rev-parse HEAD | cut -c1-7)
git push origin my_branch

Then, in GitHub branches, create a "new pull request" as:
base:release <- compare:main

When merging, if this fails on the non-signed-commit constraint, try this on localhost:
git checkout main
git pull origin release
git checkout release
git merge main
git push -u origin release
At the end, to create a new release, go to GitHub releases and create a new release with a tag from the release branch.
*** the signed commits appear as verified on GitHub
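
The "Implement this via GitHub Actions" suggestion above, as an added example that is not the project's own code: a shell check a CI job can run over the commits of a pull request, failing when any commit lacks a good GPG signature. It assumes the maintainers' public keys have already been imported into the runner's gpg keyring (otherwise git reports status E for every commit); the function and variable names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the honeybot project.
# git's %G? signature codes: G good, U good but untrusted key, B bad,
# X/Y expired, R revoked, E cannot check (key missing), N no signature.

# Read "hash status" lines on stdin and print every commit whose signature
# is not G or U. Returns 0 when all commits pass, 1 when any fails.
filter_unsigned() {
  local hash status bad=0
  while read -r hash status; do
    [ -z "$hash" ] && continue
    case "$status" in
      G|U) ;;
      *) printf '%s %s\n' "$hash" "${status:-N}"; bad=1 ;;
    esac
  done
  return "$bad"
}

# Check every commit reachable from $2 but not from $1, e.g.
# check_range origin/release HEAD  (run inside a checkout with the keys imported).
check_range() {
  git log --format='%H %G?' "$1..$2" | filter_unsigned
}
```

Treating U as a pass is deliberate: GitHub shows such commits as verified as long as the key is on the author's profile; tighten the case pattern to G only if the runner keyring marks the keys as trusted.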

@Abdur-rahmaanJ
Member

@paulosgf I tried before but I cannot make it work

@paulosgf
Collaborator Author

@paulosgf I tried before but I cannot make it work

What happened?

@Abdur-rahmaanJ
Member

@paulosgf Idk it was just hanging.

@paulosgf
Collaborator Author

@paulosgf Idk it was just hanging.
At which stage?

@paulosgf paulosgf reopened this Feb 3, 2023