{"id":22297498,"url":"https://github.com/rustonaut/git-gpg-verify-prototype","last_synced_at":"2025-03-25T22:43:49.873Z","repository":{"id":84690008,"uuid":"328254134","full_name":"rustonaut/git-gpg-verify-prototype","owner":"rustonaut","description":"A (prototype) of a typescript github action to handler various patterns of verifing git comit\u0026tag signatures.","archived":false,"fork":false,"pushed_at":"2021-01-09T22:02:22.000Z","size":150,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"nightly","last_synced_at":"2025-01-30T20:14:52.342Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rustonaut.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE-PIPELINE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-01-09T21:59:48.000Z","updated_at":"2021-01-09T22:02:27.000Z","dependencies_parsed_at":null,"dependency_job_id":"55c68acd-b693-4662-8eef-8d229b43a5a1","html_url":"https://github.com/rustonaut/git-gpg-verify-prototype","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rustonaut%2Fgit-gpg-verify-prototype","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rustonaut%2Fgit-gpg-verify-prototype/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rustonaut%2Fgit-gpg-verify-prototype/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rustonaut%2Fgit-gpg-verify-prototype/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rustonaut","download_url":"https://codeload.github.com/rustonaut/git-gpg-verify-prototype/tar.gz/refs/heads/nightly","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245556960,"owners_count":20634889,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-03T17:49:58.127Z","updated_at":"2025-03-25T22:43:49.850Z","avatar_url":"https://github.com/rustonaut.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# rustonaut/git-gpg-verify\n\n[![.github/workflows/integration.yml](https://github.com/actions/github-script/workflows/Integration/badge.svg?event=push\u0026branch=main)](https://github.com/actions/github-script/actions?query=workflow%3AIntegration+branch%3Amain+event%3Apush)\n[![.github/workflows/ci.yml](https://github.com/actions/github-script/workflows/CI/badge.svg?event=push\u0026branch=main)](https://github.com/actions/github-script/actions?query=workflow%3ACI+branch%3Amain+event%3Apush)\n[![.github/workflows/licensed.yml](https://github.com/actions/github-script/workflows/Licensed/badge.svg?event=push\u0026branch=main)](https://github.com/actions/github-script/actions?query=workflow%3ALicensed+branch%3Amain+event%3Apush)\n\nWhen this action is run it mainly verifies signed git commits and tags.\nWhich commits and tags are signed is determined by the input. This can\nbe used to for example verify the signature of all commits in a Pull Request.\n\nGpg public keys can be added through a folder so that a new contributor can\ndirectly add their gpg public key BUT trust levels of such keys are configured\nusing github secrets.\n\nThis allows to easy onboard new contributors without giving them any trust\nbesides that they signed their own commits.\n\nEnforcement of trust levels and requirement of a commit/tag to be signed can\nbe configured separately.\n\nBesides handling PR's this can also be used as a middle step checking tags/commits\nprovided by a previously run step/job and e.g. erroring if they are not signed\nwith a key you gave full trust to.\n\n\n## Development\n\nSee [development.md](/docs/development.md).\n\n## Examples\n\n```yaml\n\n```\n\n## License\n\nThis library on itself is MIT licensed, the license of dependencies might\ndiffer but is checked to be MIT compatible.\n\nLarge parts of the pipline have been copied over from the\n[action/github-script action](https://github.com/actions/github-script) (which\nis also MIT licensed). This include:\n\n- All of .github/\n    - including the badges in this README file (but adapted to changed repo name)\n- tsconfig.json\n- the commands/pipelines in package.json\n- .gitignore\n- .vscode\n- .eslintrc.yml\n\nThrough they might have been modified since then to adapt\nto this action (see the github history for details).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frustonaut%2Fgit-gpg-verify-prototype","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frustonaut%2Fgit-gpg-verify-prototype","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frustonaut%2Fgit-gpg-verify-prototype/lists"}