
Please consider using verified commits

Open gilescope opened this issue 5 months ago • 1 comment

Given that this action is widely used and can read other security events (arguably a github flaw), it's probably worth making sure all commits are signed for added peace of mind.

gilescope avatar Jul 16 '25 20:07 gilescope
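As an added illustration of the check the issue asks for (this is not code from the codeql-action project or from either participant): a small Python script that reads the signature status git reports for each commit in a range and lists the commits that fail a "must be signed by a trusted key" policy. It relies on git's documented `%G?` and `%GS` pretty-format placeholders; the policy set, the sample log lines and the `failing_commits` name are assumptions made here for the example.

```python
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Set

# Meaning of git's %G? placeholder (documented under "pretty formats" in `git log --help`).
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity (key not trusted)",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing public key)",
    "N": "no signature",
}

# Policy assumed for this example: only a signature that verifies against a
# trusted key counts. Widen to {"G", "U"} if untrusted-but-valid keys are acceptable.
DEFAULT_ACCEPTED: Set[str] = {"G"}


@dataclass
class CommitSignature:
    sha: str
    status: str   # one of the %G? codes above
    signer: str   # %GS, empty when there is no signature

    def reason(self) -> str:
        return SIGNATURE_STATUS.get(self.status, f"unknown status {self.status!r}")


def parse_log(text: str) -> List[CommitSignature]:
    """Parse lines of the form '<sha>\\t<%G?>\\t<%GS>' as produced by git_log_signatures()."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 2)
        parts += [""] * (3 - len(parts))  # tolerate a missing signer column
        sha, status, signer = parts
        commits.append(CommitSignature(sha.strip(), status.strip(), signer.strip()))
    return commits


def failing_commits(text: str, accepted: Iterable[str] = DEFAULT_ACCEPTED) -> List[CommitSignature]:
    """Return the commits whose signature status is not in the accepted set."""
    accepted = set(accepted)
    return [c for c in parse_log(text) if c.status not in accepted]


def git_log_signatures(rev_range: str, repo: str = ".") -> str:
    """Ask git for one line per commit: sha, signature status, signer (tab-separated)."""
    result = subprocess.run(
        ["git", "-C", repo, "log", "--format=%H%x09%G?%x09%GS", rev_range],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Constructed sample output (not from any real repository) so the check runs offline.
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\tG\tAlice Example <alice@example.invalid>\n"
    "2222222222222222222222222222222222222222\tN\t\n"
    "3333333333333333333333333333333333333333\tE\t\n"
    "4444444444444444444444444444444444444444\tU\tBob Example <bob@example.invalid>\n"
)


if __name__ == "__main__":
    # Replace SAMPLE_LOG with git_log_signatures("origin/main..HEAD") on a real checkout.
    for c in failing_commits(SAMPLE_LOG):
        print(f"{c.sha[:12]}  {c.status}  {c.reason()}")
```

Running it against a real range (for example the commits a release tag points at, via `git_log_signatures("v1..v2")`) prints each commit whose signature does not verify, together with git's reason; an empty list means every commit in the range carries a signature from a trusted key in the local keyring.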

Hi @gilescope 👋🏻

Thanks for this reasonable suggestion! We are currently working on security-hardening this action, particularly for releases and tags. I am not yet sure whether we will require all commits to be signed, but we will consider it in the context of this ongoing work.

mbg avatar Jul 18 '25 15:07 mbg