
feat: support signed commits for resource 'github_repository_file'

Open wparr-circle opened this issue 1 year ago • 10 comments

Resolves #879


Before the change?

  • Currently github_repository_file modifies files via the GitHub Contents API, which means there is limited support for signed commits (i.e. anything which supports automatic signing via API). However, there is no support for signing using a custom PGP key this way.

After the change?

  • Adds support for sensitive variables 'pgp_signing_key' and 'pgp_signing_key_passphrase', which contain an armored PGP private key and an optional passphrase (if the key is locked). This can be used to sign commits when paired with 'use_contents_api = false', where we manipulate a commit and push it to the reference rather than using the Contents API to provide a higher-level interface.

[screenshot] (note: unverified due to GitHub not having the public key of the PGP key used in the test, and the author/committer being mismatched).

Pull request checklist

  • [x] Tests for the changes have been added (for bug fixes / features)
  • [x] Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

Please see our docs on breaking changes to help!

  • [ ] Yes
  • [x] No

wparr-circle avatar Jan 15 '24 16:01 wparr-circle

Hey @wparr-circle Thanks for the contributions here. Please run lint when you get the chance! It looks like CI is getting hung up on that. Thanks.

nickfloyd avatar Jan 18 '24 21:01 nickfloyd

Ran against linters now @nickfloyd! Thanks :)

wparr-circle avatar Jan 22 '24 17:01 wparr-circle

@wparr-circle do you mind explaining more about the below part of your writeup? I'm not sure I understand, sorry.

where we manipulate a commit and push it to the reference rather than using the contents API to provide a higher level interface.

kfcampbell avatar Feb 05 '24 21:02 kfcampbell

@kfcampbell Sure no problem! Sorry if I wasn't clear. Current implementation of this resource is utilising the GitHub Contents API. We get some verified signature support using this like auto sign for bots/github actions. However, for the use case of GPG based signing - we can't leverage the contents API. Rather we need to manipulate the git tree directly.

Does that help explain?

I left the old contents API way of working as the default behaviour, because of the size of change creeping up.

wparr-circle avatar Feb 07 '24 09:02 wparr-circle
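The following Terraform configuration, added here as an illustration and not taken from the PR or the provider's own docs, shows how the attributes described in the PR description above ('pgp_signing_key', 'pgp_signing_key_passphrase', 'use_contents_api = false') would fit together with the existing github_repository_file attributes; the repository name, file path, committer identity and variable names are assumptions, and the attribute names are taken from the PR text rather than from a released provider version.

```hcl
# Armored PGP private key, supplied out of band (e.g. TF_VAR_pgp_signing_key).
# Marked sensitive so Terraform redacts it from plan/apply output.
variable "pgp_signing_key" {
  type      = string
  sensitive = true
}

# Passphrase for the key; leave empty if the key is not locked.
variable "pgp_signing_key_passphrase" {
  type      = string
  sensitive = true
  default   = ""
}

resource "github_repository_file" "codeowners" {
  repository     = "example-repo"            # assumed
  branch         = "main"
  file           = ".github/CODEOWNERS"
  content        = "* @example-org/platform-team\n"
  commit_message = "Add CODEOWNERS"
  commit_author  = "Platform Bot"             # assumed identity
  commit_email   = "platform-bot@example.com" # assumed identity

  # Bypass the Contents API so the provider can build blob/tree/commit
  # objects itself and attach a PGP signature to the commit.
  use_contents_api           = false
  pgp_signing_key            = var.pgp_signing_key
  pgp_signing_key_passphrase = var.pgp_signing_key_passphrase
}
```

Two things to check before expecting a "Verified" badge: the public half of the signing key must be registered on the GitHub account whose token Terraform uses, and commit_email must match an email bound to both that key and that account; otherwise the commit lands as "Unverified", exactly as in the screenshot in the PR description. Also note that a sensitive variable is redacted from CLI output but still written in plaintext to the Terraform state, so the state backend holding this configuration must be treated as holding the private key.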

Hi, is there a timeline on this feature? Thanks

marek-xrd avatar Apr 10 '24 07:04 marek-xrd

Hello, is something missing @kfcampbell to get this merged?

M0NsTeRRR avatar Jul 04 '24 23:07 M0NsTeRRR

Landed at this PR after realizing the resource doesn't support signing. @kfcampbell do you have any direction or feedback on this PR to get it completed? Trying to get an idea on whether this feature is planned for this resource or if it's not achievable?

ahanafy avatar Jul 24 '24 14:07 ahanafy

@wparr-circle we just merged #2100 and we're ready to go with this before we cut a release with your new features in it. I didn't anticipate that there might be a merge conflict between your two PRs though, and I'm wondering if you'd feel comfortable resolving the conflict. If you'd prefer that Nick and I do it, please let me know and we'll get to it!

Thanks for the contributions, and I'm looking forward to seeing commit signing in the wild.

kfcampbell avatar Aug 06 '24 18:08 kfcampbell

Hey @kfcampbell @nickfloyd thanks for getting around to looking at these 👀 Let me quickly fix the conflicts

wparr-circle avatar Aug 12 '24 14:08 wparr-circle