
feat: support signed commits for resource 'github_repository_file' #2102

Open · wants to merge 3 commits into base: main

Conversation

@wparr-circle commented Jan 15, 2024

Resolves #879


Before the change?

  • Currently github_repository_file modifies files via the GitHub Contents API, which means there is limited support for signed commits (i.e. anything which supports automatic signing via the API). However, there is no support for signing using a custom PGP key this way.

After the change?

  • Adds support for sensitive variables 'pgp_signing_key' and 'pgp_signing_key_passphrase', which contain an armored PGP private key and an optional passphrase (if the key is locked). This can be used to sign commits when paired with 'use_contents_api = false', where we manipulate a commit and push it to the reference rather than using the contents API to provide a higher level interface.
[screenshot] (note: shows as unverified because GitHub does not have the public key of the PGP key used in the test, and author/committer are mismatched).

Pull request checklist

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

Please see our docs on breaking changes to help!

  • Yes
  • No

@wparr-circle wparr-circle force-pushed the gpg-sign branch 3 times, most recently from e6ede50 to 65dbdd2 Compare January 16, 2024 11:03
@wparr-circle wparr-circle marked this pull request as ready for review January 16, 2024 11:03
@nickfloyd (Contributor)

Hey @wparr-circle Thanks for the contributions here. Please run lint when you get the chance! It looks like CI is getting hung up on that. Thanks.

@wparr-circle (Author)

Ran against linters now @nickfloyd! Thanks :)

@kfcampbell (Member)

@wparr-circle do you mind explaining more about the below part of your writeup? I'm not sure I understand, sorry.

> where we manipulate a commit and push it to the reference rather than using the contents API to provide a higher level interface.

@wparr-circle (Author)

@kfcampbell Sure, no problem! Sorry if I wasn't clear.
The current implementation of this resource is utilising the GitHub Contents API.
We get some verified-signature support using this, like auto-sign for bots/GitHub Actions.
However, for the use case of GPG-based signing, we can't leverage the Contents API. Rather, we need to manipulate the git tree directly.

Does that help explain?

I left the old contents API way of working as the default behaviour, because of the size of change creeping up.
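Both the description's "manipulate a commit and push it to the reference" and this reply's "manipulate the git tree directly" come down to building a raw git commit object, signing it, and embedding the signature in it before the branch reference is moved. The Go program below is an added illustration, not code from this PR or from the terraform-provider-github project: it builds the payload a detached PGP signature covers, embeds an armored signature as a gpgsig header the way git stores it, splits it back out as a verifier would, computes the commit's object id, and flags the author/committer email mismatch the description cites as one reason the test commit showed as unverified. The type and function names, the sample commit fields and the placeholder signature text are all assumptions constructed for the example; the signing step itself (turning pgp_signing_key and its passphrase into the armored signature) is not part of it.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// CommitInfo is what a raw git commit object is built from; identities use git's stored form "Name <email> <unix-ts> <tz>".
type CommitInfo struct {
	Tree, Author, Committer, Message string
	Parents                          []string
}

// UnsignedPayload returns the exact bytes a detached PGP signature covers: every header except gpgsig, a blank line, the message.
func UnsignedPayload(c CommitInfo) string {
	var b strings.Builder
	fmt.Fprintf(&b, "tree %s\n", c.Tree)
	for _, p := range c.Parents {
		fmt.Fprintf(&b, "parent %s\n", p)
	}
	fmt.Fprintf(&b, "author %s\ncommitter %s\n\n%s", c.Author, c.Committer, c.Message)
	return b.String()
}

// WithSignature embeds an ASCII-armored signature as a gpgsig header. Git prefixes every
// continuation line of a multi-line header with one space, so a blank armor line is stored as " ".
func WithSignature(c CommitInfo, armoredSig string) string {
	headers, body, _ := strings.Cut(UnsignedPayload(c), "\n\n")
	lines := strings.Split(strings.TrimRight(armoredSig, "\n"), "\n")
	return headers + "\ngpgsig " + strings.Join(lines, "\n ") + "\n\n" + body
}

// SplitSignature is the receiving side: strip the gpgsig header and its continuation lines
// to recover the signed payload and the armored signature. ok is false if there is no signature.
func SplitSignature(raw string) (payload, sig string, ok bool) {
	headers, body, found := strings.Cut(raw, "\n\n")
	if !found {
		return "", "", false
	}
	var kept, sigLines []string
	inSig := false
	for _, line := range strings.Split(headers, "\n") {
		switch {
		case strings.HasPrefix(line, "gpgsig "):
			inSig = true
			sigLines = append(sigLines, line[len("gpgsig "):])
		case inSig && strings.HasPrefix(line, " "):
			sigLines = append(sigLines, line[1:])
		default:
			inSig = false
			kept = append(kept, line)
		}
	}
	if len(sigLines) == 0 {
		return "", "", false
	}
	return strings.Join(kept, "\n") + "\n\n" + body, strings.Join(sigLines, "\n") + "\n", true
}

// ObjectID is the commit SHA-1 as git computes it: over "commit <size>\0" followed by the
// raw object, signature header included (so signing changes the id that the ref must point at).
func ObjectID(raw string) string {
	h := sha1.New()
	fmt.Fprintf(h, "commit %d\x00%s", len(raw), raw)
	return hex.EncodeToString(h.Sum(nil))
}

// AuthorCommitterMatch reports whether author and committer share an email address;
// the PR description names a mismatch as one reason GitHub showed the test commit as unverified.
func AuthorCommitterMatch(c CommitInfo) bool {
	a, b := identityEmail(c.Author), identityEmail(c.Committer)
	return a != "" && a == b
}

func identityEmail(ident string) string {
	if i, j := strings.Index(ident, "<"), strings.Index(ident, ">"); i >= 0 && j > i {
		return ident[i+1 : j]
	}
	return ""
}

// sampleSignature is a constructed placeholder standing in for the armor that signing
// UnsignedPayload(sampleCommit) with the PGP private key would produce.
const sampleSignature = "-----BEGIN PGP SIGNATURE-----\n\nCONSTRUCTED-PLACEHOLDER-NOT-A-REAL-SIGNATURE\n-----END PGP SIGNATURE-----\n"

// sampleCommit is constructed data; author and committer deliberately differ.
var sampleCommit = CommitInfo{
	Tree:      "1111111111111111111111111111111111111111",
	Parents:   []string{"2222222222222222222222222222222222222222"},
	Author:    "Example Dev <dev@example.com> 1705305600 +0000",
	Committer: "Terraform Bot <bot@example.com> 1705305600 +0000",
	Message:   "Update README.md through the git data API\n",
}

func main() {
	signed := WithSignature(sampleCommit, sampleSignature)
	fmt.Print(signed)
	fmt.Println("object id:", ObjectID(signed), "author/committer match:", AuthorCommitterMatch(sampleCommit))
}
```

The printed object is what a git-data-API path would create in place of a Contents API update, after which the branch reference is updated to the new object id. Whether GitHub then shows the commit as verified also depends on the public key being registered on the account that owns the committer email, which nothing in this example can check locally.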

@marek-karwacki-rdx

Hi, is there a timeline on this feature? Thanks

Labels: Type: Feature (New feature or request)
Projects: None yet
Development: Successfully merging this pull request may close these issues: github_repository_file - commit signing support
4 participants