-
Notifications
You must be signed in to change notification settings - Fork 980
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support Signed Commits by [email protected] #667
Comments
Yes, agreed. This is needed. |
+1 |
Does anyone have a workaround for this? |
I have been using the following action. Once the action runs any git commands in following steps will use the signature. It does require storing secrets with GPG info though.
|
@timharris777 Even if you use the above GitHub action, it doesn't work with |
@atreya2011 , yes you are correct. But we created a service account just for github actions that we then use to sign commits. It's the best thing we could do until github supports this. |
Thank you for the confirmation @timharris777! By a |
That's correct. It is just a new user account that unfortunately takes up a license. |
Very unfortunate that this seems to be the only way now. Hope GitHub supports signed commits by |
We created a centralized process with terraform to manage our github repos - it was working great until we enforced signed commits as part of this. Now we're stuck with either removing the security feature entirely or using a workaround. Please support verified commits with github actions! |
Hey all, I hope you are doing well. |
Is there any traction at all from github? This is crucial for us as signed commits have been made mandatory for our repositories and creating and managing non-human accounts is not really trivial. In my eyes signed commits need to be supported by github actions directly rather than us having to jump through hoops. |
Any response from GitHub enterprise customers? |
What's the cryptographic purpose for this? The actual feature we should propose is to recognize |
+1 This would be really helpful. Compromising on security by disabling the branch protection rule isn't a good workaround but in order for people to use Actions with various automation scenarios, this is really needed. |
I'm collecting all the information I found about this topic on this repo/article: https://github.com/josecelano/pygithub/blob/main/docs/how_to_sign_automatic_commits_in_github_actions.md |
@josecelano An excellent write-up summarizing the current state of things. I am bookmarking this 🙇🏼♂️ |
Signing a commit is not only meant to tell you that someone is the author of that commit, it's also meant to tell you about the integrity of the commit and that it hasn't been tampered with. I would be ok with having an official action that takes a GPG key and sets it up to sign commits automatically, I'm doing the same thing in my repositories but manually, your idea of having a The easiest solution would be to just have an option to allow unsigned commits (or unverified keys) coming from GH Actions to go around the signed-commits setting for the branch. |
The main purpose of |
It would be great to see this feature included, we're running into this at the moment. |
FYI there's a workaround that worked for me https://gist.github.com/swinton/03e84635b45c78353b1f71e41007fc7c I replaced DESTINATION_BRANCH with ${{ github.ref }} to commit to the current branch. |
FWIW this is the solution we've implemented. |
I did kinda the same, but I needed to create a PR, so the usage of the GPG key is a bit different: if that can help others, check https://github.com/kubefirst/docs/blob/main/.github/workflows/release.yml . |
Commits generated through the GraphQL API's |
@joemiller Thanks so much for pointing that out. That works beautifully for us! 👏🏼 |
@joemiller, thanks for ghcommit-action. Work flawlessly |
I have an example of using the script/ci_commit_with_signature.sh
#!/bin/bash
TOKEN=$1
repoNwo=$2
branch=$3
# The SHA of the last commit on the remote target branch
expectedHeadOid=$4
file_path=$5
encoded_file_content=$(base64 < "$file_path")
message_headline=$6
message_body=$7
curl "$GITHUB_GRAPHQL_URL" --silent \
--write-out '%{stderr}HTTP status: %{response_code}\n\n' \
-H "Authorization: bearer $TOKEN" \
--data @- <<GRAPHQL | jq
{
"query": "mutation (\$input: CreateCommitOnBranchInput!) {
createCommitOnBranch(input: \$input) {
commit {
url
}
}
}",
"variables": {
"input": {
"branch": {
"repositoryNameWithOwner": "$repoNwo",
"branchName": "$branch"
},
"message": {
"headline": "$message_headline",
"body": "$message_body"
},
"fileChanges": {
"additions": [
{
"path": "$file_path",
"contents": "$encoded_file_content"
}
]
},
"expectedHeadOid": "$expectedHeadOid"
}
}
}
GRAPHQL GitHub action section
- name: Commit file KeepAlive.txt
run: |
bash script/ci_commit_with_signature.sh \
${{ secrets.GITHUB_TOKEN }} \
${{ github.repository }} \
${{ github.ref_name }} \
${{ github.sha }} \
"KeepAlive.txt" \
"KeepAlive.txt Update to version $(TZ='Asia/Shanghai' date +'%Y-%m-%d')" \
"Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>"
If you use PAT or fine-grained PAT, you can also bypass the branch protection rule. (#25305) |
I'm not sure where I found this awesome solution using GitSign, but I think it should be noted here! |
Thank you for pointing that out, @mogul, because it helps with signing. Unfortunately, I use that solution, but it doesn't show as verified. |
Maybe because the certificate is only around for ten minutes...? I don't know. But if it's verifiable long enough to help pass branch protection rules requiring signed commits, that seems worth it. |
@gmeligio It's documented on their README: |
Thank you @josecelano and @mogul for your comments. I'm not sure if I read it before there or just stopped at |
Especially since https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/ it would be nice for gitsign verification support for commits. |
Proposal: a Say I want to change the version number in a GitHub Workflow, similar to this: steps:
- uses: actions/checkout@v4
with:
ssh-key: ${{ secrets.SIGNING_KEY_PRIVATE }}
- uses: pnpm/action-setup@v2
with:
version: latest
- name: Configure Git, patch, release and push
run: |
git config user.name 'github-actions[bot]'
git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
git config commit.gpgsign true
git config gpg.format ssh
git config user.signingkey 'key::${{ vars.SIGNING_KEY_PUBLIC }}'
eval `ssh-agent -s`
ssh-add - <<< '${{ secrets.SIGNING_KEY_PRIVATE }}'
VERSION=$(pnpm version patch --no-git-tag-version)
git commit --all --message "🔖 $VERSION"
git tag --annotate --message "🔖 $VERSION" --sign $VERSION
git push
git push --tags There's not really a good way to attribute this commit to an imaginary "GitHub Workflow" user. In any case, I'm using This works wonderfully, except that the signature doesn't actually belong to that account. What if there was a way for repositories to mark these commits as verified? For example, GitHub signs commits I make with GitHub's signature, not mine, so there's already some switcheroo going on behind the scenes. Proposal: Similar to
This file should be compatible with Git's ways of verifying signatures with this kind of files (AUTHORIZED_KEYS_FILE_FORMAT). Here's some docs on the subject: |
I created an action to create signed commits the beauty of this action it's just an drop-in replacement of |
I've updated create-pull-request to support commit signing with bot-generated tokens ( |
Currently if "signed commits" are required in branch protection there is no good way to have actions update code using the token provided for use with github actions and the current repository. Seems like github actions should provide a way for changes made by
[email protected]
to be signed and show as verified through the interface.The text was updated successfully, but these errors were encountered: