Recommendation for signing changeset PR commits

[jacksonneal]

I want to be able to verify the commits made to the version PR. Right now, my commits are unverified. Is there a recommended strategy for signing and verifying commits? I was looking at the documentation from GitHub here. Should I be trying to use the GitHub API to commit?

Judging by this article, using the github API would be one option. It would be great if the action supported this.

[ryanbas21]

I happen to be looking into this as well - but specifically from an organization standpoint. I see changesets has thier commits signed so maybe @Andarist could weigh in.

I see this in the github docs: https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#signature-verification-for-bots

Organizations and GitHub Apps that require commit signing can use bots to sign commits. If a commit or tag has a bot signature that is cryptographically verifiable, GitHub marks the commit or tag as verified.

Signature verification for bots will only work if the request is verified and authenticated as the GitHub App or bot and contains no custom author information, custom committer information, and no custom signature information, such as Commits API.

But currently my pipeline isn't signing the commits when setting up git via the setupGitUser option. My guess is maybe I'll have to add my github token to the checkout command, i'll have to see if i'm doing this.

Just commenting to follow along and say i'm also looking into this. Would love to see if theres something missing / could be documented

[jacksonneal]

I think the commits are unsigned on the PR's branch and then, on merge, the commit is signed because merge happened via the UI. This doesn't work for me because we are blocking merges to main unless the commits are signed.

In the meantime, I've created a utility script that checks out the PR's branch and rewrites the history, signing the commit when ran locally. This works, but is just another step when releasing.

[OjiCode]

I'm looking into this as well. @jacksonneal could you share your workaround script in the meantime?

[jacksonneal]

I'm looking into this as well. @jacksonneal could you share your workaround script in the meantime?

Just a series of git commands in a bash script:

git fetch
git switch changeset-release/main
git reset --soft origin/main
git commit -am "release"
git push -f
git switch -
git branch -D changeset-release/main

[adbutterfield]

This is also a problem for us at our organization. I just got something working though by hacking together changesets/action with a modified version of the graphql API approach of planetscale/ghcommit.

It's very rough at the moment. But when I have time I'll clean it up and make a PR 🙇

[Jac0xb]

This is also a problem for us at our organization. I just got something working though by hacking together changesets/action with a modified version of the graphql API approach of planetscale/ghcommit.

It's very rough at the moment. But when I have time I'll clean it up and make a PR 🙇

Down horrendous, pls share

[Andarist]

From what I understand, currently the easiest way to set this up is to configure the action with a custom user, token and gpg key.

It might get easier in the future if we land this: #391

[s0]

This issue looks like it's somewhat duplicating #392 (you can also see more options in there for manually configuring GPG until usage of the GitHub API is supported).

I just got something working though by hacking together changesets/action with a modified version of the graphql API approach of planetscale/ghcommit.

Ah yeah, that was my inspiration for the TypeScript library https://github.com/s0/ghcommit, and #391

It's very rough at the moment. But when I have time I'll clean it up and make a PR 🙇

Definitely take a look at #391 before you go down that road, don't want you to waste effort :)

[adbutterfield]

For how our security team wants us to manage things, GPG key isn't an option for us unfortunately...

[s0]

#391 has now been merged, allowing you to commit using GitHub API and have everything signed! =)