I have a GitHub Actions workflow that automatically creates PRs for an access review. The commits are made by:

      - name: Configure Git
        run: |
          git config user.name "ur-access-bot"
          git config user.email "[email protected]"

which is set in one of the steps.

But my org forces all commits to be signed and I don't know how to sign it with GPG in this case. So far I cannot see that this is possible, but that I should rather use a GitHub App since then commits made by apps don't have to be explicitly signed.

If it's possible to sign the commit in a similar way to when a normal user does it, I would rather do that. Is it possible?

1 Answer

It is possible - you need to import your GPG keys and configure commits to use it.

The easiest will be to use one of the existing actions, for example:

    - name: Configure GPG
      uses: crazy-max/ghaction-import-gpg@v2
      with:
        git_user_signingkey: true
        git_commit_gpgsign: true
      env:
        GPG_PRIVATE_KEY: ${{ secrets.GPG_KEY }}
        PASSPHRASE: ${{ secrets.GPG_PASS }}

2 Comments

I tried this but the workflow gives an error saying: remote: - Commits must have verified signatures. I asked ChatGPT and it says that the public key associated with the private key has to be linked to a real GitHub account. The one I create has no real account behind it, it's just created on the fly. So I assume in my case that it's not possible to sign commits.
Create a bot account for such operations and use that as your main actor for things like that.
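
A local check related to the "Commits must have verified signatures" error discussed in the comments, as an added example that is not part of the original answer or comments. GitHub marks a signature as verified only when the public key is uploaded to an account and the committer email matches a verified email on that account; this sketch covers only the local half, that the committer email appears as a usable user ID on the signing key. The function name, the sample key listing and the `example.invalid` addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that the committer email is a user ID on the signing key.
# Input (stdin): output of `gpg --list-secret-keys --with-colons`.
# In that format a "uid" record has its validity in field 2 ("r" = revoked,
# "e" = expired) and the user ID string ("Name <email>") in field 10.
uid_matches_email() {
  awk -F: -v want="$1" '
    BEGIN { want = tolower(want); found = 0 }
    $1 == "uid" && $2 != "r" && $2 != "e" {
      uid = tolower($10)
      # Pull out the address between the angle brackets.
      if (match(uid, /<[^>]+>/)) {
        addr = substr(uid, RSTART + 1, RLENGTH - 2)
        if (addr == want) found = 1
      }
    }
    END { exit (found ? 0 : 1) }
  '
}

# Constructed sample listing (not real key material): one valid and one
# revoked user ID on the same key.
SAMPLE_LISTING='sec:u:4096:1:1111111111111111:1700000000:::u:::scESC:::+:::23::0:
fpr:::::::::0000000000000000000000000000000011111111:
uid:u::::1700000000::0000000000000000000000000000000000000000::ur-access-bot <bot@example.invalid>::::::::::0:
uid:r::::1700000000::0000000000000000000000000000000000000000::ur-access-bot <old@example.invalid>::::::::::0:'

# Demo on the constructed sample. In a workflow step, after the key import:
#   gpg --list-secret-keys --with-colons | uid_matches_email "$(git config user.email)"
for email in bot@example.invalid old@example.invalid other@example.invalid; do
  if printf '%s\n' "$SAMPLE_LISTING" | uid_matches_email "$email"; then
    echo "$email: present on signing key"
  else
    echo "$email: NOT a usable user ID on the signing key"
  fi
done
```

A passing check does not by itself make the commit verified: the public key still has to be added to the account that owns that email, such as the bot account suggested in the comments.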
