backport automation: to cherry-pick the signed commits #5077
Comments
|
Not sure we could have anything verified even by cherry-picking the original commits, since the sha1 are going to change anyway and Mergify can't re-sign the commits using the original author key. Or do I miss something? |
|
Gotcha, I understand there is a limitation with the git flow itself, so nothing we can do about it. For now, since Thanks Julien, I guess we can close this issue now |
|
@v1v we spent time digging into that features, but it's not really clear the value of the whole signature system, especially with things like https://blog.mergify.com/un-signed-commits-how-we-found-a-non-security-bug-in-github/ Would it be possible to have more context about what's expected from the GitHub setting? Happy to schedule a chat with you or your (security) team. |
Expected Behavior
When backporting with https://docs.mergify.com/actions/backport/ the new PR contains the signed commits from the original author.
Actual Behavior
Mergify seems to be cherry-picking the squashed commit hence no verified badge
Steps to Reproduce the Problem
Create a PR with signed commits
@Mergifyio backport
Specifications
Pull Request URL: elastic/apm-server#10227 is the original PR request and https://github.com/elastic/apm-server/pull/10521/commits is the automated backport happened with mergify
Mergify Config URL: https://github.com/elastic/apm-server/blob/main/.mergify.yml
Probably I messed up with some configuration and hence that's the expected behaviour, please bear with me and thanks so much for your great product!!
The text was updated successfully, but these errors were encountered: