
backport automation: to cherry-pick the signed commits

Open v1v opened this issue 2 years ago • 3 comments

[Screenshot: CleanShot 2024-03-05 at 11.50.52.png]

Technical issue

https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#signature-verification-for-bots

Requested-By

v1v avatar Mar 24 '23 08:03 v1v

Not sure we could have anything verified even by cherry-picking the original commits, since the SHA-1s are going to change anyway and Mergify can't re-sign the commits using the original author's key. Or am I missing something?

jd avatar Mar 29 '23 09:03 jd
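The limitation described above, shown with a throwaway repo: a cherry-pick is a new commit with a new SHA, and git's `%G?` placeholder reports it as unsigned, which is what a signature-requiring branch protection would reject. This is an added example and not code from the issue or from Mergify; the repo layout, the `demo` identity and the function names are constructed for it.

```shell
#!/bin/sh
# Added demo (not from the issue): a cherry-pick is a brand-new commit, so its
# SHA differs from the original and it carries no signature of its own.
# The "demo" identity and the repo contents below are constructed.
set -eu
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Build a throwaway repo: "main" holds a fix that "release" does not.
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" symbolic-ref HEAD refs/heads/main
  echo base > "$dir/file"
  git -C "$dir" add file
  git -C "$dir" commit -q -m "base"
  git -C "$dir" branch release
  echo fix > "$dir/file"
  git -C "$dir" commit -q -am "fix"
  echo "$dir"
}

# Backport main's tip onto release with cherry-pick -x (records the origin SHA
# in the message, as backport bots do). Prints "<original sha> <new sha>".
backport() {
  dir=$1
  orig=$(git -C "$dir" rev-parse main)
  git -C "$dir" checkout -q release
  git -C "$dir" cherry-pick -x "$orig" >/dev/null
  echo "$orig $(git -C "$dir" rev-parse HEAD)"
}

# Branch-protection style check: list commits in a range whose %G? status is
# not 'G' (good signature); 'N' means the commit is not signed at all.
unsigned_commits() {
  git -C "$1" log --format='%H %G?' "$2" | awk '$2 != "G" { print $1 }'
}

# Stand-alone run: show the SHA change and the unsigned backport commit.
demo() {
  repo=$(make_repo)
  echo "original/new: $(backport "$repo")"
  echo "unsigned in main..release:"
  unsigned_commits "$repo" main..release
}
demo
```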

Gotcha, I understand there is a limitation with the git flow itself, so nothing we can do about it.

For now, since Mergify can override the branch protection behaviour, we enabled auto-approval of those backported PRs with Mergify itself, so it works smoothly and nicely on our end.

Thanks, Julien. I guess we can close this issue now.

v1v avatar Apr 03 '23 07:04 v1v

@v1v we spent time digging into that feature, but the value of the whole signature system isn't really clear, especially with things like https://blog.mergify.com/un-signed-commits-how-we-found-a-non-security-bug-in-github/

Would it be possible to have more context about what's expected from the GitHub setting? Happy to schedule a chat with you or your (security) team.

jd avatar Mar 18 '24 13:03 jd