Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Support Signed Commits by actions@github.com

See original GitHub issue

Currently if “signed commits” are required in branch protection there is no good way to have actions update code using the token provided for use with github actions and the current repository. Seems like github actions should provide a way for changes made by actions@github.com to be signed and show as verified through the interface.

Issue Analytics

State:
Created 3 years ago
Reactions:240
Comments:24

Top GitHub Comments

29reactions

instinct-vfxcommented, Oct 1, 2021

Is there any traction at all from github? This is crucial for us as signed commits have been made mandatory for our repositories and creating and managing non-human accounts is not really trivial. In my eyes signed commits need to be supported by github actions directly rather than us having to jump through hoops.

24reactions

liyishuaicommented, Oct 11, 2021

What’s the cryptographic purpose for this? If any action can create signed commits under actions@github.com, then what does the signature indicate, that the commit was made on GitHub Actions rather than on humans’ local machine?

The actual feature we should propose is to recognize myname+actions@github.com as a non-human account associated with me, and can be verified by my GPG keys. All I need is to store a private key as actions secret and use it for signing the commits.