Skip to content

doc: prefer to sign commits under nodejs repository #57311

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Mar 17, 2025
Merged

doc: prefer to sign commits under nodejs repository #57311

merged 3 commits into from
Mar 17, 2025
+3 −0

Conversation

RafaelGSS
Copy link
Member

Although not required, I think adding this as a "recommended" is a good thing.

cc: @aduh95

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/tsc

@nodejs-github-bot nodejs-github-bot added the doc Issues and PRs related to the documentations. label Mar 4, 2025
@RafaelGSS
Copy link
Member Author

RafaelGSS commented Mar 4, 2025
edited
Loading

IIRC commit-queue does sign commits by default. But, in terms of creating releases, sometimes we forget to enforce this policy in backports, leading to some inconsistencies (as Antoine seen when we paired 😄)

@legendecas
Copy link
Member

commit-queue does not sign if it is commit-queue-rebase, e.g. #57121

tniessen
tniessen reviewed Mar 4, 2025
View reviewed changes
@RafaelGSS @tniessen
Update onboarding.md
c54e9e6 
Co-authored-by: Tobias Nießen <tniessen@tnie.de>
@RafaelGSS RafaelGSS added the commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. label Mar 4, 2025
@tniessen
Copy link
Member

tniessen commented Mar 4, 2025

FWIW, there have been multiple discussions about this in the past, and the benefit was generally considered marginal (see, for example, #15457, which would have made signing mandatory). That being said, I am not strictly opposed to this idea (and for a while I did sign my commits in this repository).

@joyeecheung
Copy link
Member

I think this is only relevant for those who push directly to branches in the repository? For people who will probably never push directly to the repository (I guess most collaborators don't these days) it's not as relevant.

jasnell
jasnell approved these changes Mar 4, 2025
View reviewed changes
Copy link
Member

@jasnell jasnell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If there isn't one already in this document, including a link to documentation on how to use commit.gpgsign would be helpful to newcomers.

@eror123r

This comment was marked as off-topic.

Sign in to view
@aduh95
Copy link
Contributor

aduh95 commented Mar 4, 2025

Recommending signatures is certainly fine, but I don't think it would be relevant to most contributors. Signatures are only really useful for things that require trust (e.g. unreviewed backports, release promotion), and are nice-to-have everywhere else on nodejs/node, and IMO barely relevant for PRs (which is what most contributors will ever do).

@RafaelGSS RafaelGSS added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Mar 5, 2025
@RafaelGSS
Copy link
Member Author

RafaelGSS commented Mar 5, 2025
edited
Loading

Yes, this is non-relevant for most of the contributors but Node.js releasers or anyone that attempts to backport a commit manually. Still, it's an optional recommendation, I'm fine either way.

UlisesGascon
UlisesGascon approved these changes Mar 5, 2025
View reviewed changes
Copy link
Member

@UlisesGascon UlisesGascon left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think is a great recommendation, specially for releasers as we do some changed in the git history and our signatures can be verified (see)

Also worth mention that signature verification requires an extra step on GitHub commiter's side if we want to achieve the visual verification (ref):

image

aduh95
aduh95 reviewed Mar 5, 2025
View reviewed changes
onboarding.md Outdated
Comment on lines 37 to 38
* It is recommended to sign all commits under the Node.js repository.
Run: `git config commit.gpgsign true` inside the `node` folder.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should consider making this recommendation on the ONBOARDING.md of nodejs/Release, and maybe reword it to ensure we're not setting a bar too high for newcomers:

Suggested change
* It is recommended to sign all commits under the Node.js repository.
Run: `git config commit.gpgsign true` inside the `node` folder.
* Consider configuring git to sign all commits when working on the Node.js repository.
Run: `git config commit.gpgsign true` inside the `node` folder.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I fear that whatever the wording, people are going to run the command, and later they will be confused as their git commit fail because of the missing signing key.

Copy link
Member

@joyeecheung joyeecheung Mar 6, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can it start with "if you have a GPG key set up locally that matches the email you use to contribute to Node.js" so that people who do not know what it is will skip it?

Copy link
Member

@richardlau richardlau Mar 6, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FWIW there are multiple methods of signing commits with git. GitHub supports (i.e. can displayed "Verified") GPG, SSH, or S/MIME signatures.

For the release team we've recommend GPG keys, but this documentation is aimed at a broader audience (collaborators).

@RafaelGSS
Copy link
Member Author

Based on discussions on this PR, I think it would be more assertive if we suggest this comment in the Release onboarding section, although we don't have one. I can update https://github.com/nodejs/node/blob/main/doc/contributing/releases.md.

@aduh95
Copy link
Contributor

aduh95 commented Mar 11, 2025

Based on discussions on this PR, I think it would be more assertive if we suggest this comment in the Release onboarding section, although we don't have one. I can update https://github.com/nodejs/node/blob/main/doc/contributing/releases.md.

We do have a list that onboardees have to follow in https://github.com/nodejs/Release/blob/main/GOVERNANCE.md#adding-new-releasers

@marco-ippolito marco-ippolito added the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 17, 2025
@nodejs-github-bot nodejs-github-bot added commit-queue-failed An error occurred while landing this pull request using GitHub Actions. and removed commit-queue Add this label to land a pull request using GitHub Actions. labels Mar 17, 2025
@nodejs-github-bot
Copy link
Collaborator

Commit Queue failed
- Loading data for nodejs/node/pull/57311
✔  Done loading data for nodejs/node/pull/57311
----------------------------------- PR info ------------------------------------
Title      doc: prefer to sign commits under nodejs repository (#57311)
Author     Rafael Gonzaga <rafael.nunu@hotmail.com> (@RafaelGSS)
Branch     RafaelGSS:suggest-sign-commits -> nodejs:main
Labels     doc, author ready, commit-queue-squash
Commits    3
 - doc: prefer to sign commits under nodejs repository
 - Update onboarding.md
 - fixup! doc: prefer to sign commits under nodejs repository
Committers 2
 - RafaelGSS <rafael.nunu@hotmail.com>
 - GitHub <noreply@github.com>
PR-URL: https://github.com/nodejs/node/pull/57311
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
------------------------------ Generated metadata ------------------------------
PR-URL: https://github.com/nodejs/node/pull/57311
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
--------------------------------------------------------------------------------
   ⚠  Commits were pushed since the last approving review:
   ⚠  - fixup! doc: prefer to sign commits under nodejs repository
   ℹ  This PR was created on Tue, 04 Mar 2025 12:55:46 GMT
   ✔  Approvals: 5
   ✔  - Marco Ippolito (@marco-ippolito) (TSC): https://github.com/nodejs/node/pull/57311#pullrequestreview-2657348527
   ✔  - James M Snell (@jasnell) (TSC): https://github.com/nodejs/node/pull/57311#pullrequestreview-2658025939
   ✔  - Moshe Atlow (@MoLow): https://github.com/nodejs/node/pull/57311#pullrequestreview-2662015193
   ✔  - Ulises Gascón (@UlisesGascon): https://github.com/nodejs/node/pull/57311#pullrequestreview-2662286144
   ✔  - Ruben Bridgewater (@BridgeAR) (TSC): https://github.com/nodejs/node/pull/57311#pullrequestreview-2674699055
   ✔  Last GitHub CI successful
   ℹ  Green GitHub CI is sufficient
--------------------------------------------------------------------------------
   ✔  Aborted `git node land` session in /home/runner/work/node/node/.ncu
https://github.com/nodejs/node/actions/runs/13895355131

@marco-ippolito marco-ippolito added commit-queue Add this label to land a pull request using GitHub Actions. and removed commit-queue-failed An error occurred while landing this pull request using GitHub Actions. labels Mar 17, 2025
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 17, 2025
@nodejs-github-bot nodejs-github-bot merged commit bd8f2ba into nodejs:main Mar 17, 2025
26 checks passed
@nodejs-github-bot
Copy link
Collaborator

Landed in bd8f2ba

RafaelGSS added a commit to nodejs/Release that referenced this pull request Mar 18, 2025
@RafaelGSS
Update GOVERNANCE.md
1a65d12 
Follow up nodejs/node#57311 (comment)
@RafaelGSS RafaelGSS mentioned this pull request Mar 18, 2025
Merged
RafaelGSS added a commit to nodejs/Release that referenced this pull request Mar 18, 2025
@RafaelGSS @aduh95
Update GOVERNANCE.md (#1082)
f782da1 
* Update GOVERNANCE.md

Follow up nodejs/node#57311 (comment)

* Update GOVERNANCE.md

Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>

---------

Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
aduh95 pushed a commit that referenced this pull request Mar 23, 2025
@RafaelGSS @aduh95
doc: prefer to sign commits under nodejs repository
db9c37f 
PR-URL: #57311
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
@github-actions github-actions bot mentioned this pull request Mar 30, 2025
Merged
RafaelGSS added a commit that referenced this pull request Apr 1, 2025
@RafaelGSS
doc: prefer to sign commits under nodejs repository
14d5861 
PR-URL: #57311
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
RafaelGSS added a commit that referenced this pull request Apr 1, 2025
@RafaelGSS
doc: prefer to sign commits under nodejs repository
22aa9b4 
PR-URL: #57311
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
@RafaelGSS RafaelGSS mentioned this pull request Apr 8, 2025
Open
RafaelGSS added a commit to RafaelGSS/node that referenced this pull request Apr 8, 2025
@RafaelGSS
doc: prefer to sign commits under nodejs repository
0a6e78d 
PR-URL: nodejs#57311
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
@aduh95 aduh95 mentioned this pull request Apr 11, 2025
Open
RafaelGSS added a commit that referenced this pull request Apr 14, 2025
@RafaelGSS
doc: prefer to sign commits under nodejs repository
9793892 
PR-URL: #57311
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
RafaelGSS added a commit that referenced this pull request Apr 14, 2025
@RafaelGSS
doc: prefer to sign commits under nodejs repository
8fa6638 
PR-URL: #57311
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
aduh95 pushed a commit that referenced this pull request Apr 14, 2025
@RafaelGSS @aduh95
doc: prefer to sign commits under nodejs repository
3aa44e3 
PR-URL: #57311
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
aduh95 pushed a commit that referenced this pull request Apr 14, 2025
@RafaelGSS @aduh95
doc: prefer to sign commits under nodejs repository
5ad6a9b 
PR-URL: #57311
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
aduh95 pushed a commit that referenced this pull request Apr 15, 2025
@RafaelGSS @aduh95
doc: prefer to sign commits under nodejs repository
30a43ed 
PR-URL: #57311
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
RafaelGSS added a commit that referenced this pull request Apr 16, 2025
@RafaelGSS
doc: prefer to sign commits under nodejs repository
15b8419 
PR-URL: #57311
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@targos targos targos left review comments

@tniessen tniessen tniessen left review comments

@joyeecheung joyeecheung joyeecheung left review comments

@richardlau richardlau richardlau left review comments

@aduh95 aduh95 aduh95 left review comments

@jasnell jasnell jasnell approved these changes

@UlisesGascon UlisesGascon UlisesGascon approved these changes

@MoLow MoLow MoLow approved these changes

@BridgeAR BridgeAR BridgeAR approved these changes

@marco-ippolito marco-ippolito marco-ippolito approved these changes

Assignees
No one assigned
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. doc Issues and PRs related to the documentations.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.