RoyalOughtness - one suggestion for repos acros...

one suggestion for repos across the ublue github org: requiring signed commits in branch policies
No description
23 Replies
RoyalOughtness
RoyalOughtnessOP•6mo ago
most commits are verified/signed already, but mandating this for all primary branches is a good defense against supply chain attacks
j0rge
j0rge•6mo ago
RoyalOughtness
RoyalOughtnessOP•6mo ago
even better 👌
j0rge
j0rge•6mo ago
yeah that'll cover everything and will autocorrect missettings too
RoyalOughtness
RoyalOughtnessOP•6mo ago
it integrates with github apis to set stuff like mandating signed commits?
j0rge
j0rge•6mo ago
we can enforce any github setting
RoyalOughtness
RoyalOughtnessOP•6mo ago
that's great
j0rge
j0rge•6mo ago
like right now if we set up a new repo we gotta go and set up all the shit
RoyalOughtness
RoyalOughtnessOP•6mo ago
i'll be looking into this for my projects
j0rge
j0rge•6mo ago
they run a service, fully OSS
j0rge
j0rge•6mo ago
GitHub
GitHub - stacklok/minder: Software Supply Chain Security Platform
Software Supply Chain Security Platform. Contribute to stacklok/minder development by creating an account on GitHub.
j0rge
j0rge•6mo ago
or run it yourself
RoyalOughtness
RoyalOughtnessOP•6mo ago
im assuming they don't require standing access? since that would be 😬 i'll look into it more later
j0rge
j0rge•6mo ago
I haven't had a chance to dig into it, hence the placeholder ticket, heh
RoyalOughtness
RoyalOughtnessOP•6mo ago
ideally they'd be using OBO tokens or something like that where all authn/z is handled by github itself
HikariKnight
HikariKnight•6mo ago
I have noticed signing commits is unreliable for me on GitHub. Seems like some get signed others don't 🙃 (obviously web edits always get signed)
M2
M2•6mo ago
webedit is the only thing that get verified sign commits for me
RoyalOughtness
RoyalOughtnessOP•6mo ago
there's a config you have to set locally for git to make it so that git commit automatically signs them
RoyalOughtness
RoyalOughtnessOP•6mo ago
@M2 @HikariKnight assuming you already have a GPG key
HikariKnight
HikariKnight•6mo ago
Yup but also I think my gpg key expires soon as I made it many many years ago
M2
M2•6mo ago
It works on my work code base...
HikariKnight
HikariKnight•6mo ago
For me the signing is a DND dice roll
Want results from more Discord servers?
Add your server