RoyalOughtness - one suggestion for repos acros...
one suggestion for repos across the ublue github org: requiring signed commits in branch policies
23 Replies
most commits are verified/signed already, but mandating this for all primary branches is a good defense against supply chain attacks
https://github.com/orgs/ublue-os/projects/1?pane=issue&itemId=61240671
this'll be covered under the minder stuff
even better 👌
yeah that'll cover everything and will autocorrect missettings too
it integrates with github apis to set stuff like mandating signed commits?
we can enforce any github setting
that's great
like right now if we set up a new repo we gotta go and set up all the shit
i'll be looking into this for my projects
they run a service, fully OSS
GitHub - stacklok/minder: Software Supply Chain Security Platform
or run it yourself
I'm assuming they don't require standing access?
since that would be 😬
i'll look into it more later
I haven't had a chance to dig into it, hence the placeholder ticket, heh
ideally they'd be using OBO tokens or something like that
where all authn/z is handled by github itself
I have noticed signing commits is unreliable for me on GitHub. Seems like some get signed others don't 🙃 (obviously web edits always get signed)
web edit is the only thing that gets verified signed commits for me
there's a config you have to set locally for git to make it so that `git commit` automatically signs them @M2 @HikariKnight
assuming you already have a GPG key
Yup but also I think my gpg key expires soon as I made it many many years ago
It works on my work code base...
For me the signing is a DND dice roll