
Update GPG documentation

Open sheerlox opened this issue 2 years ago • 3 comments

As the GPG documentation on this plugin's README is getting a bit old, does not mention a good GitHub Actions solution, and is a bit confusing, it would benefit from being refreshed.

Worth mentioning that if we progress towards getting https://github.com/semantic-release/semantic-release/pull/1871 merged, it would be worth moving the GPG instructions directly into the web documentation (maybe even preemptively).

Things that could/should be included in the future documentation:

  • crazy-max/ghaction-import-gpg as discussed in #438.
  • to meet the "require verified commits" branch protection requirement, the documentation suggests adding the generated GPG key to the account owning the GitHub token used for release, which is hazardous, given a user with push access to the repository could then retrieve it and use it to impersonate you. That approach would be secure only if using a dedicated bot account (ideally per repository).
  • the issue above would not apply to signing tags, because the branch protection rule does not apply to them.

sheerlox avatar Nov 22 '23 21:11 sheerlox
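As an added example (not from this thread, the plugin's README, or the action's own docs), a GitHub Actions workflow that follows the points listed above: the GPG key and token belong to a dedicated bot account, the key is imported with crazy-max/ghaction-import-gpg, and tags as well as commits are signed. Secret names, the bot identity and the e-mail address are assumptions.

```yaml
# Added example workflow; secret names and the bot identity are placeholders.
# The GPG key and the token both belong to a dedicated bot account, so a
# compromise of either cannot be used to impersonate a maintainer.
name: Release

on:
  push:
    branches: [main]

# The default GITHUB_TOKEN is not used for pushing; the bot's PAT is.
permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0              # semantic-release needs the full history
          persist-credentials: false  # do not leave the default token in .git

      - uses: actions/setup-node@v4
        with:
          node-version: lts/*

      # Import the bot's private key. The passphrase is supplied from a
      # secret so gpg never prompts interactively during the release.
      - uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}
          git_user_signingkey: true
          git_commit_gpgsign: true
          git_tag_gpgsign: true       # tags are signed too, see the thread

      - run: npx semantic-release
        env:
          # Personal access token of the bot account, not of a maintainer.
          GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
          # Author/committer identity must match a UID on the imported key
          # and an e-mail verified on the bot account to show as "Verified".
          GIT_AUTHOR_NAME: release-bot
          GIT_AUTHOR_EMAIL: release-bot@example.com
          GIT_COMMITTER_NAME: release-bot
          GIT_COMMITTER_EMAIL: release-bot@example.com
```

Anyone who can change the workflow file can read the secrets it references, which is why the key and token are scoped to a bot account rather than to a maintainer.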

I'd be happy to send a pull request for updated documentation. I've experimented with this before and was blocked because of the infinite hang issue.

Can you please clarify what you mean about using a dedicated bot account? Would the action itself be performed by a bot-account, using their GPG credentials as opposed to using a regular user?

AliSajid avatar Dec 31 '23 22:12 AliSajid

> Can you please clarify what you mean about using a dedicated bot account? Would the action itself be performed by a bot-account, using their GPG credentials as opposed to using a regular user?

"bot account" in this context refers to a regular GitHub account used only by the semantic-release CI. It increases the security of the maintainer's account by not adding a GPG key used in a CI process to their own GitHub account because, in case that key ever gets compromised, it cannot be used to impersonate the maintainer.

sheerlox avatar Jan 14 '24 13:01 sheerlox

Thank you. For my own purpose, I already have a dedicated GitHub account for bot-actions so this will be easy. I'll work on the docs and send a PR soon.

AliSajid avatar Jan 14 '24 18:01 AliSajid