Sign bot commit in actions

Hello,

I have a GitHub action that commits and pushes files on a branch. Is the GitHub bot able to sign this commit before pushing it? I tried to add the usual -S flag on commit, but gpg isn't configured, so there's no way to get it working.

git config --local user.email "action@github.com"
git config --local user.name "GitHub Action"
git commit -S -m "Update CHANGELOG" -a
shell: /bin/bash -e {0}
error: gpg failed to sign the data
fatal: failed to write commit object
##[error]Process completed with exit code 128.

Thanks!

Hi @devatoria ,

Did you create the GPG keys before signing the commit? Please confirm with the command below:

gpg --list-secret-keys --keyid-format LONG

And did you add the signingkey to your git config? Please follow the official doc to check. Thanks.

Hi @weide-zhou,

No, I didn't, since those lines are executed by a GitHub action. I expected the bot to be able to have its own GPG configuration to push signed commits (as it has its own token). For more context, here's the related part of the action:

myaction:
    runs-on: ubuntu-latest
    steps:
      - name: Commit changes
        run: |
          git config --local user.email "action@github.com"
          git config --local user.name "GitHub Action"
          git commit -S -m "Commit stuff" -a

Hi @devatoria ,

Thanks for your reply! GitHub actions are executed on a GitHub runner and work the same as a local user signing/pushing: if you don't configure the GPG keys and associate them with the email first, the commit cannot be signed.

Thanks.

Hi @weide-zhou,

Does it mean I have to share a GPG key with the action using a secret? Because generating it in the runner directly is nonsense, right? Since it won't be linked to a GitHub user/email.

Hi @devatoria ,

Commits made from the GitHub web page are automatically signed. However, for other commits, you need to configure a GPG key in 'https://github.com/settings/keys'. But since the email 'action@github.com' cannot be verified, you will find that the commit shows as not verified on the web page.

I checked on my side: after I configured the GPG setting in the workflow, signing still failed. I will raise an internal ticket for confirmation.

Thanks.

@devatoria,

I know exactly what you are talking about. I opened an issue against the actions/runner repo. Feel free to chime in and share your views as well. The more activity we get on the issue the better.