Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/rogeruiz/repasar
A GitHub Action to run git-verify-commit on latest SHA on push
- Host: GitHub
- URL: https://github.com/rogeruiz/repasar
- Owner: rogeruiz
- License: agpl-3.0
- Created: 2022-12-10T23:07:06.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2023-01-10T23:38:49.000Z (almost 2 years ago)
- Last Synced: 2024-10-18T00:42:00.037Z (3 months ago)
- Topics: github-actions, github-actions-ci, gpg-signatures, security
- Language: Shell
- Homepage:
- Size: 108 KB
- Stars: 1
- Watchers: 2
- Forks: 0
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
README
![The Repasar GitHub repository social image](./.github/repo-social.jpg)
# Repasar
The Repasar GitHub Action (GHA) checks the current SHA that triggered the GHA
and makes sure that it is signed properly, using subcommands supported by
Git.
## Setup
Copy the text below into a file in your repository called
`.github/workflows/verified_commits_check.yml` then just commit and push it to
your default branch.
```yaml
# .github/workflows/verify-commits.yml
name: Verifying the latest commit
run-name: ${{ github.actor }} is verifying the validity of current commit
on: [push]
jobs:
  check-sha:
    runs-on: ubuntu-latest
    name: Check the SHA of the latest commit
    steps:
      - name: Checkout the code
        uses: actions/checkout@v3
      - name: Run repasar on the latest SHA
        uses: rogeruiz/[email protected]
        with:
          allowed-signers-file-path: ./.github/allowed_signers
          fail-on-unverified: true
```
## Required inputs
The only required input is `allowed-signers-file-path`, which is recommended
to resolve to `./.github/allowed_signers`. This file contains the public SSH
keys, one entry per line, in the following format.
```sh
[,...]
```
These public keys are safe to check into your repository. To generate this file
from the public keys available on GitHub for committers to the repository,
you can use the `allowedSignersFile` project by @frankywahl.
This file can also be maintained manually and checked in by each individual
committer for your projects.
[=> frankywahl/allowedSignersFile project](https://github.com/frankywahl/allowedSignersFile)
## Optional inputs
By default, this Action does not fail the run if the verification of the commit
is unsuccessful. If you would like the Action to fail, set `fail-on-unverified`
to `true` in the `workflows/` YAML file.
## Environment variables the action uses
This action uses the `${GITHUB_SHA}` variable to pull the current commit.
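
To run the same kind of check locally before pushing, the sketch below approximates the behaviour this README describes. It is an added example, not Repasar's own code: the function name `verify_commit` is hypothetical, and it assumes Git 2.34 or later (SSH signature verification through `gpg.ssh.allowedSignersFile`) with `ssh-keygen` and `realpath` available.

```sh
#!/bin/sh
# Added example: local approximation of the check, not the Action's source.

# verify_commit SHA ALLOWED_SIGNERS_FILE [FAIL_ON_UNVERIFIED]
# Prints "verified" or "unverified: <reason>".
# Returns 1 only when the commit is unverified AND FAIL_ON_UNVERIFIED is
# "true", mirroring the fail-on-unverified input described above.
verify_commit() {
  vc_sha="$1"
  vc_signers="$2"
  vc_fail="${3:-false}"
  vc_reason=""

  if [ ! -s "$vc_signers" ]; then
    # An empty or missing file trusts nobody; report it explicitly.
    vc_reason="allowed signers file missing or empty: $vc_signers"
  elif ! git rev-parse --quiet --verify "${vc_sha}^{commit}" >/dev/null 2>&1; then
    vc_reason="not a commit in this repository: $vc_sha"
  elif ! git -c gpg.ssh.allowedSignersFile="$(realpath "$vc_signers")" \
           verify-commit "$vc_sha" >/dev/null 2>&1; then
    # Covers unsigned commits, bad signatures and signers not in the file.
    vc_reason="no valid signature from an allowed signer on $vc_sha"
  fi

  if [ -z "$vc_reason" ]; then
    echo "verified"
    return 0
  fi
  echo "unverified: $vc_reason"
  if [ "$vc_fail" = "true" ]; then
    return 1
  fi
  return 0
}

# Usage inside a workflow step or locally (GITHUB_SHA falls back to HEAD):
#   verify_commit "${GITHUB_SHA:-HEAD}" ./.github/allowed_signers true
```
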