Support Signed Commits by actions@github.com

[timharris777]

Currently if "signed commits" are required in branch protection there is no good way to have actions update code using the token provided for use with github actions and the current repository. Seems like github actions should provide a way for changes made by actions@github.com to be signed and show as verified through the interface.

[lanecm]

Yes, agreed. This is needed.

[lceni]

+1

[nathanbirrell]

Does anyone have a workaround for this?

[timharris777]

I have been using the following action. Once the action runs any git commands in following steps will use the signature. It does require storing secrets with GPG info though.

- name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@v2
        with:
          git_user_signingkey: true
          git_commit_gpgsign: true
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GITHUB_ACTIONS_GPG_KEY }}
          PASSPHRASE: ${{ secrets.GITHUB_ACTIONS_GPG_PASS }}

[atreya2011]

@timharris777 Even if you use the above GitHub action, it doesn't work with actions@github.com right? I can confirm it works with my personal email address. If I export a secret using actions@github.com it still shows as unverified in the GitHub web UI.

[timharris777]

@timharris777 Even if you use the above GitHub action, it doesn't work with actions@github.com right? I can confirm it works with my personal email address. If I export a secret using actions@github.com it still shows as unverified in the GitHub web UI.

@atreya2011 , yes you are correct. But we created a service account just for github actions that we then use to sign commits. It's the best thing we could do until github supports this.

[atreya2011]

@atreya2011 , yes you are correct. But we created a service account just for github actions that we then use to sign commits. It's the best thing we could do until github supports this.

Thank you for the confirmation @timharris777! By a service account do you mean that you created a new user account? That would be adding a seat and getting charged 4 USD a month.

[timharris777]

@atreya2011 , yes you are correct. But we created a service account just for github actions that we then use to sign commits. It's the best thing we could do until github supports this.

Thank you for the confirmation @timharris777! By a service account do you mean that you created a new user account? That would be adding a seat and getting charged 4 USD a month.

That's correct. It is just a new user account that unfortunately takes up a license.

[atreya2011]

That's correct. It is just a new user account that unfortunately takes up a license.

Very unfortunate that this seems to be the only way now. Hope GitHub supports signed commits by actions@github.com soon 🙏🏼

[ndobbs]

We created a centralized process with terraform to manage our github repos - it was working great until we enforced signed commits as part of this. Now we're stuck with either removing the security feature entirely or using a workaround.

Please support verified commits with github actions!

[dgteixeira]

Hey all, I hope you are doing well.
@timharris777, thanks for sharing your experience, it actually enabled us to follow in your footsteps and deploy the same strategy!