
Update GPG documentation #498

Open
sheerlox opened this issue Nov 22, 2023 · 3 comments
@sheerlox
Member

sheerlox commented Nov 22, 2023

As the GPG documentation on this plugin's README is getting a bit old, does not mention a good GitHub Actions solution, and is a bit confusing, it would benefit from being refreshed.

Worth mentioning that if we progress towards getting semantic-release/semantic-release#1871 merged, it would be worth moving the GPG instructions directly into the web documentation (maybe even preemptively).

Things that could/should be included in the future documentation:

  • crazy-max/ghaction-import-gpg as discussed in GPG Signatures Configuration #438.
  • to meet the "require verified commits" branch protection requirement, the documentation suggests adding the generated GPG key to the account owning the GitHub token used for release, which is hazardous, given a user with push access to the repository could then retrieve it and use it to impersonate you. That approach would be secure only if using a dedicated bot account (ideally per repository).
  • the issue above would not apply to signing tags, because the branch protection rule does not apply to them
@AliSajid

I'd be happy to send a pull request for updated documentation. I've experimented with this before and was blocked because of the infinite hang issue.

Can you please clarify what you mean about using a dedicated bot account? Would the action itself be performed by a bot-account, using their GPG credentials as opposed to using a regular user?

@sheerlox
Member Author

> Can you please clarify what you mean about using a dedicated bot account? Would the action itself be performed by a bot-account, using their GPG credentials as opposed to using a regular user?

"bot account" in this context refers to a regular GitHub account used only by the semantic-release CI. It increases the security of the maintainer's account by not adding a GPG key used in a CI process to their own GitHub account because, in case that key ever gets compromised, it cannot be used to impersonate the maintainer.
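The setup described in the list in the first post and in the bot-account explanation above, as an added example workflow that is not part of this thread or of the plugin's README. It assumes the secret names RELEASE_BOT_GPG_PRIVATE_KEY, RELEASE_BOT_GPG_PASSPHRASE and RELEASE_BOT_TOKEN, and that the GPG key is registered on the dedicated bot account only.

```yaml
# Added example (not the plugin's own documentation): a GitHub Actions workflow
# that imports a release-only GPG key with crazy-max/ghaction-import-gpg and
# runs semantic-release as a dedicated bot account. Secret names are assumptions.
name: release
on:
  push:
    branches: [main]
permissions:
  contents: read   # the bot's token, not the workflow GITHUB_TOKEN, does the push
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          persist-credentials: false   # let semantic-release authenticate with the bot token
      - uses: actions/setup-node@v4
        with:
          node-version: lts/*
      - name: Import release signing key
        id: gpg
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.RELEASE_BOT_GPG_PRIVATE_KEY }}  # assumed secret name
          # the passphrase is handed to gpg by the action, so gpg does not
          # prompt for it on the headless runner
          passphrase: ${{ secrets.RELEASE_BOT_GPG_PASSPHRASE }}        # assumed secret name
          git_user_signingkey: true   # sets user.signingkey to the imported key
          git_commit_gpgsign: true    # sets commit.gpgsign so release commits are signed
      - run: npm ci
      - run: npx semantic-release
        env:
          # Personal access token of the dedicated bot account. The GPG key is
          # registered on that account only, so a leaked key can at most act as
          # the bot, never impersonate a maintainer.
          GITHUB_TOKEN: ${{ secrets.RELEASE_BOT_TOKEN }}   # assumed secret name
          # identity of the imported key, read from the action's outputs, so the
          # commit author matches the key's user ID and GitHub marks it verified
          GIT_AUTHOR_NAME: ${{ steps.gpg.outputs.name }}
          GIT_AUTHOR_EMAIL: ${{ steps.gpg.outputs.email }}
          GIT_COMMITTER_NAME: ${{ steps.gpg.outputs.name }}
          GIT_COMMITTER_EMAIL: ${{ steps.gpg.outputs.email }}
```

The bot account needs push access to the protected branch; because its key is not on any maintainer's account, granting that access does not extend to impersonating a maintainer.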

@AliSajid

Thank you. For my own purpose, I already have a dedicated GitHub account for bot-actions so this will be easy. I'll work on the docs and send a PR soon.
