Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(release): sign commits created by release actor #16

Merged
merged 1 commit into from
Aug 2, 2024
Merged

feat(release): sign commits created by release actor #16

merged 1 commit into from
Aug 2, 2024

Conversation

wparr-circle
Copy link
Contributor

@wparr-circle wparr-circle commented Aug 2, 2024
edited
Loading

Summary

To ensure that commits aren't unsigned, or unverified when vigilant mode is enabled - we need to ensure that the commit associated with a release is signed by a GPG key associated with the release actor.
ie.
image

Release please unfortunately still does not support signing commits with a gpg key directly - per issue googleapis/release-please#1314
However, we can checking the branch and use this to ensure the commits are signed.

After signing introducing this change - we get verified commits
image

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Aug 2, 2024
edited
Loading

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout 4.1.1 🟢 7.2
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 79 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Signed-Releases⚠️ -1no releases found
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
Security-Policy🟢 9security policy file detected
Pinned-Dependencies🟢 4dependency not pinned by hash detected -- score normalized to 4
Packaging🟢 10packaging workflow detected
SAST🟢 10SAST tool is run on all commits
Vulnerabilities🟢 91 existing vulnerabilities detected
actions/crazy-max/ghaction-import-gpg 6.1.0 🟢 3.9
Details
CheckScoreReason
Code-Review⚠️ 0Found 0/4 approved changesets -- score normalized to 0
Maintained🟢 34 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Signed-Releases⚠️ -1no releases found
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Fuzzing⚠️ 0project is not fuzzed
Security-Policy⚠️ 0security policy file not detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Vulnerabilities🟢 82 existing vulnerabilities detected

Scanned Manifest Files

.github/workflows/conventional-commit-release.yaml

@wparr-circle wparr-circle force-pushed the wparr-circle-patch-1 branch from b655626 to 9413d52 Compare August 2, 2024 10:27
@wparr-circle wparr-circle force-pushed the wparr-circle-patch-1 branch from 2886d1f to 70d5c84 Compare August 2, 2024 11:10
@wparr-circle wparr-circle merged commit dfadf96 into master Aug 2, 2024
5 checks passed
@wparr-circle wparr-circle deleted the wparr-circle-patch-1 branch August 2, 2024 16:10
@wparr-circle wparr-circle mentioned this pull request Aug 2, 2024
Merged
wparr-circle added a commit that referenced this pull request Aug 7, 2024
@wparr-circle
fix: conventional commit release secrets (#17)
7c49cea 
## Summary

Updating the conventional commit release secrets which are used, due to
recent disabling of organization setting used to allow pull request
creation (and approval) via the automatic GITHUB_ACTIONS tokens.

This follows on from the setup in
#16
which adds some extra support for gpg signing the release branch
commits.

This will setup @circle-bot-releases as the actor for creating release
prs and publishing releases.
@circle-bot-releases circle-bot-releases mentioned this pull request Aug 7, 2024
Merged
wparr-circle pushed a commit that referenced this pull request Aug 7, 2024
@circle-bot-releases
chore(master): release 1.3.0 (auto-release) (#18)
2b7e0d7 
🤖 I have created a release *beep* *boop*
---


##
[1.3.0](v1.2.0...v1.3.0)
(2024-08-07)


### Features

* **release:** sign commits created by release actor
([#16](#16))
([dfadf96](dfadf96))


### Bug Fixes

* conventional commit release secrets
([#17](#17))
([7c49cea](7c49cea))


### Miscellaneous Chores

* **deps:** upgrade action versions to use node 20
([#15](#15))
([a82bc74](a82bc74))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jscaltreto jscaltreto jscaltreto approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@wparr-circle @jscaltreto