Recommendation for signing changeset PR commits #427
Comments
I happen to be looking into this as well - but specifically from an organization standpoint. I see changesets has their commits signed so maybe @Andarist could weigh in. I see this in the GitHub docs: https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#signature-verification-for-bots

But currently my pipeline isn't signing the commits when setting up git via the setupGitUser option. My guess is maybe I'll have to add my github token to the

Just commenting to follow along and say I'm also looking into this. Would love to see if there's something missing / could be documented.
I think the commits are unsigned on the PR's branch and then, on merge, the commit is signed because the merge happened via the UI. This doesn't work for me because we are blocking merges to main unless the commits are signed. In the meantime, I've created a utility script that checks out the PR's branch and rewrites the history, signing the commits when run locally. This works, but is just another step when releasing.
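A pre-merge signature gate plus the local re-signing step of the kind the comment above describes, written here as an added example (it is not the commenter's script and not part of the changesets action). It assumes `git` is on PATH, a signing key is already configured (`user.signingkey`, and `gpg.format`/`gpg.ssh.allowedSignersFile` if SSH signing is used), and the PR branch is checked out locally.

```bash
#!/usr/bin/env sh
# classify_signature_lines: reads "<sha> <status>" lines on stdin, i.e. the
# output of `git log --format='%H %G?'`, and prints every commit whose status
# is not G (good signature from a trusted key). Other %G? values: B bad,
# U good but untrusted key, X/Y expired, R revoked, E cannot be checked,
# N no signature at all. Returns 1 if any such commit exists, else 0.
classify_signature_lines() {
  unsigned=0
  while read -r sha status; do
    [ -z "$sha" ] && continue
    case "$status" in
      G) ;;
      *) echo "$sha $status"; unsigned=$((unsigned + 1)) ;;
    esac
  done
  [ "$unsigned" -eq 0 ]
}

# check_range: the merge gate. Fails (exit 1) and lists offenders if any commit
# in base..head lacks a good signature. Usage: check_range origin/main HEAD
check_range() {
  git log --format='%H %G?' "$1..$2" | classify_signature_lines
}

# resign_range: rewrite the commits on top of <base>, re-signing each one with
# the configured key, then push the branch. Rewriting changes every SHA, so
# --force-with-lease is used to refuse the push if the remote branch moved.
# Usage: resign_range origin/main my-pr-branch
resign_range() {
  git rebase --exec 'git commit --amend --no-edit -S' "$1" &&
    git push --force-with-lease origin "$2"
}
```

Run `check_range` in CI against the PR range to block the merge, and `resign_range` locally only when the gate reports unsigned commits.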
I want to be able to verify the commits made to the version PR. Right now, my commits are unverified. Is there a recommended strategy for signing and verifying commits? I was looking at the documentation from GitHub here. Should I be trying to use the GitHub API to commit?
Judging by this article, using the GitHub API would be one option. It would be great if the action supported this.