For anyone looking to add commit signing (GPG)

[ericsizemore]

Hello all.

Wasn't sure if this was the correct category; my apologies if not. I did perform a search but didn't come up with anything related to this, other than issue #132

I was using another action to add and commit until recently, when it started experiencing issues with my branch protection rules. I came across this action and decided to give it a try. I wanted to share a recent workflow update that, thus far, appears to be working for signing commits with a GPG key. I would imagine it could be tweaked, as I am not that well versed with GitHub actions as I would like. There are few things to note:

1. I created a Personal Access Token to be used specifically with this workflow. (secrets.PAT)
2. This relies on you having your GPG key added to GitHub
3. I created two repository secrets for the GPG secret key and passphrase. (https://github.com/yourusername/yourrepo/settings/secrets/actions/new : secrets.GPG_PRIVATE_KEY, secrets.GPG_PASSPHRASE)
4. I had to enable Allow force-pushes under my branch protection rules. I also enabled Specify who can force push with myself listed.
5. steps.import-gpg.outputs.name and steps.import-gpg.outputs.email will use the information tied to the GPG key. Of course, the key you use should match the name and email address on your GitHub account.

name: "Update Mime Types"

on:
  schedule:
    - cron: "0 10 1 */3 *"
  workflow_dispatch:

jobs:
  update:
    name: "Update Mime Types"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
           fetch-depth: 2
           token: ${{ secrets.PAT }}

      - name: "Install PHP"
        uses: shivammathur/setup-php@master
        with:
           php-version: 8.2
           extensions: mbstring, 
           coverage: xdebug,

      - name: "Validate composer.json and composer.lock"
        run: composer validate --strict

      - name: "Setup Composer, install dependencies"
        uses: ramsey/composer-install@v3
        with:
           composer-options: "--prefer-dist --optimize-autoloader"
           require-lock-file: "true"

      - name: "Run update"
        run: composer run-script update-types

      - name: "Run test suite"
        run: composer run-script test
   
      - name: "Coverage check"
        run: composer run-script coverage-check

      - name: "Import GPG key"
        id: import-gpg
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}
          git_user_signingkey: true
          git_commit_gpgsign: true

      - name: "Commit and push changes"
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
           commit_author: "${{ steps.import-gpg.outputs.name }} <${{ steps.import-gpg.outputs.email }}>"
           commit_user_name: ${{ steps.import-gpg.outputs.name }}
           commit_user_email: ${{ steps.import-gpg.outputs.email }}
           commit_message: 'chore: Update mime.types'
           commit_options: '-S --amend --no-edit'
           push_options: '--force'
           skip_fetch: true

You can see the workflow run for this here. You can see the resulting commit here which shows me as the author and that it is Verified.

Lastly, it is currently 8am and I'm running on little sleep :D If you notice any issues, or have suggestions, please let me know! I hope this helps someone that was struggling much like I was.

Regards,
Eric

[stefanzweifel]

Thanks for sharing @ericsizemore.
I will link to this discussion from the README, so others might find it a tad easier.

[hackel]

This worked great to get signed commits working, thanks! Does anyone have a clever solution to allow those signed commits to be considered "verified" by Github and pass the "Require signed commits" restriction? It looks like I will have to use an email address that we control and actually add it with the public key to someone's Github account, and that just doesn't feel right. Do you have to create a dedicated service account just for this purpose or is there an easier way?