Add section about SSH signing keys to developer docs. (NVIDIA#1755)

alliepiper · miscco · web-flow · commit e0fa5a7774b5 · 2024-05-21T11:12:13.000-05:00
* Add section about SSH signing keys to developer docs.

[skip-tests]

* Update CONTRIBUTING.md

[skip-tests]

Co-authored-by: Michael Schellenberger Costa &lt;miscco@nvidia.com&gt;

* Moved, reworded. [skip-tests]

* Address review feedback.

[skip-tests]

---------

Co-authored-by: Michael Schellenberger Costa &lt;miscco@nvidia.com&gt;
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -33,6 +33,7 @@ Thank you for your interest in contributing to the CUDA C++ Core Libraries (CCCL
    For more details on building and testing, refer to the [Building and Testing](#building-and-testing) section below.
 
 4. **Commit Changes**:
+
    ```bash
    git commit -m "Brief description of the change"
    ```
diff --git a/ci-overview.md b/ci-overview.md
@@ -95,6 +95,35 @@ CCCL uses [NVIDIA's self-hosted action runners](https://docs.gha-runners.nvidia.
 
 The CI pipeline will not start automatically for external contributors. A repository member will first review the changes and initiate the CI pipeline with an `/ok to test` comment.
 
+### SSH Signing Keys
+
+[Signed commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits) are required for any internal NVIDIA contributors who want the convenience of CI running automatically whenever a commit is pushed to a branch (i.e., doesn't require using `/ok to test`).
+
+This is not required for external contributions, which will always require an explicit `/ok to test` comment from an approved account for each CI run.
+
+To enable commit signing using your existing ssh key, set the following git options:
+
+```bash
+git config --global gpg.format ssh
+git config --global user.signingKey ~/.ssh/YOUR_PUBLIC_KEY_FILE_HERE.pub
+
+# These settings are optional. They tell git to automatically sign all new commits and tags.
+# If these are set to false, use `git commit -S` to manually sign each commit.
+git config --global commit.gpgsign true
+git config --global tag.gpgsign true
+```
+
+Git is now configured to sign commits with your ssh key.
+
+To complete the process, upload the public key to your [Github Signing Keys](https://github.com/settings/keys) in your browser or using the `gh` CLI tool:
+
+```
+gh ssh-key add ~/.ssh/YOUR_PUBLIC_KEY_FILE_HERE.pub --type signing
+```
+
+Make sure that the key is uploaded to 'Signing Keys', not just 'Authentication Keys'.
+The same key may be used for both.
+
 ## Troubleshooting CI Failures
 
 1. **Review CI logs**: Examine CI logs for specific error messages (see [Viewing CI Workflow Results](#viewing-ci-workflow-results))
