Repasar

The Repasar GitHub Action (GHA) checks the commit signatures for security. It now supports verifying all commits in a pull request (PR), not just the latest commit. For push events, it continues to verify the latest commit as before.

  • For PRs: All commits in the PR are checked for verified signatures.
  • For pushes: Only the latest commit is checked.

Setup

Copy the text below into a file in your repository called .github/workflows/verified_commits_check.yml, then commit and push it to your default branch.

# .github/workflows/verify-commits.yml
name: Verifying the latest commit
run-name: ${{ github.actor }} is verifying the validity of current commit
on: [push]
jobs:
  check-sha:
    runs-on: ubuntu-latest
    name: Check the SHA of the latest commit
    steps:
      - name: Checkout the code
        uses: actions/checkout@v5
      - name: Run repasar on the latest SHA
        uses: rogeruiz/[email protected]
        with:
          allowed-signers-file-path: ./.github/allowed_signers
          fail-on-unverified: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Required inputs

The only required input is allowed-signers-file-path, which is recommended to resolve to ./.github/allowed_signers. This file contains the allowed public SSH keys, one per line, in the following format:

<email>[,<email>...] <key type> <public key>

Important

This file can be created manually from the public key file you have locally by moving the comment (the e-mail address) from the end of the line to the beginning. Add only the e-mail addresses you want to allow as signers.
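The rearrangement described above, as an added POSIX shell example (not code from the repasar project): it turns an OpenSSH public-key line into an allowed_signers line, optionally with an explicit comma-separated principal list, lints an allowed_signers file for malformed entries, and shows the git configuration key (gpg.ssh.allowedSignersFile) that git verify-commit uses to find the file. The function names, the sample key material and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the repasar project.
# Helpers for building and checking an allowed_signers file.

# Convert one OpenSSH public-key line ("<type> <key> [<comment>]") into the
# allowed_signers form ("<principal> <type> <key>"). The principal defaults
# to the key comment (normally the e-mail); pass a second argument to
# override it, e.g. "a@example.com,b@example.com" for several principals.
# Returns 1 when the principal, key type or key data is missing.
to_allowed_signer() {
    pubkey_line=$1
    principal=${2:-}
    # Split the key line on whitespace into type, key data and comment.
    set -- $pubkey_line
    key_type=${1:-}
    key_data=${2:-}
    comment=${3:-}
    if [ -z "$principal" ]; then
        principal=$comment
    fi
    if [ -z "$principal" ] || [ -z "$key_type" ] || [ -z "$key_data" ]; then
        return 1
    fi
    printf '%s %s %s\n' "$principal" "$key_type" "$key_data"
}

# Lint an allowed_signers file: every non-blank, non-comment line must have
# at least three fields and a principal that looks like an e-mail address.
# Prints each bad line to stderr and returns the count of bad lines
# (0 means the file is clean).
lint_allowed_signers() {
    file=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        set -- $line
        if [ $# -lt 3 ]; then
            printf 'too few fields: %s\n' "$line" >&2
            bad=$((bad + 1))
            continue
        fi
        case $1 in
            *@*) ;;
            *) printf 'principal is not an e-mail: %s\n' "$line" >&2
               bad=$((bad + 1)) ;;
        esac
    done < "$file"
    return "$bad"
}

# Verify one commit against a given allowed_signers file. This is the check
# the action performs; it needs a real repository and a signed commit, so it
# is shown for reference and not exercised here.
verify_commit_with_signers() {
    signers_file=$1
    commit=$2
    git -c gpg.ssh.allowedSignersFile="$signers_file" verify-commit "$commit"
}

# Constructed sample key (not a real key) to show the conversion.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyData user@example.com'
to_allowed_signer "$SAMPLE_PUBKEY"
```

Run the converted lines into ./.github/allowed_signers, then run lint_allowed_signers on the file before committing it; a non-zero return means at least one entry would never match a signer.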

Optional inputs

By default, this Action does not fail the run if verification of a commit is unsuccessful. If you would like the Action to fail instead, set fail-on-unverified to true in the workflow YAML file.

Environment variables the action uses

  • ${GITHUB_SHA}: Used for single commit verification (push events).
  • ${GITHUB_EVENT_NAME} and ${GITHUB_EVENT_PATH}: Used to detect PR context and extract PR number.
  • ${GITHUB_TOKEN}: Required for PR verification to fetch all commits in the PR using the GitHub API.

Note: For PRs, make sure the workflow has access to GITHUB_TOKEN (available by default in GitHub Actions) and that the token has repo scope for private repositories.

About

A GitHub Action to run git-verify-commit on latest SHA on push