jarrodldavis / probot-gpg
A GitHub App that enforces GPG signatures on pull requests (no longer maintained)
Home Page: https://github.com/apps/gpg
License: MIT License
Breaking part of #45 out into a separate issue.
There should also be some way for repo admins to view detailed reasons about why a certain status was applied to a particular commit.
Signing all commits isn't necessary and arguably problematic. Any thoughts on only requiring the last commit to be signed?
More Info: https://josh.blog/2016/11/gpg-git
Update README with guidance for users with email privacy enabled on their GitHub accounts.
saltstack/salt#43747 (comment)
Response from GitHub.
The commit will only show as verified on GitHub if the address used to commit it matches the address in the key
Sounds like you can use users.noreply.github.com in the PGP signature. Just need to make sure git is configured with users.noreply.github.com and GitHub is configured to have your email address private.
It appears that the expect library has been "donated" to Facebook's Jest team, which contains a potentially problematic license. Instead of upgrading to Jest, a new spy library needs to be found to replace expect@1.
For repository owners that want stricter control of GPG verification keys, allow them to configure a whitelist of approved GPG keys. Also consider ways of streamlining the whitelisting process such as email-based approval.
Resources:
| Branch | Build failing 🚨 |
|---|---|
| Dependency | assertive |
| Current Version | 2.3.4 |
| Type | devDependency |
This version is covered by your current version range and after updating it in your project the build failed.
assertive is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.
The new version differs by 3 commits.
- b7f4031 v2.3.5
- ac8bf87 Merge pull request #39 from groupon/dbushong/feature/master/upgrade
- edafdef chore: apply latest generator & lint rules
See the full diff
There is a collection of frequently asked questions. If those don't help, you can always ask the humans behind Greenkeeper.
Your Greenkeeper Bot 🌴
| Branch | Build failing 🚨 |
|---|---|
| Dependency | sinon |
| Current Version | 4.1.5 |
| Type | devDependency |
This version is covered by your current version range and after updating it in your project the build failed.
sinon is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.
The new version differs by 10 commits.
- 68c37ed Update docs/changelog.md and set new release id in docs/_config.yml
- cd8ae51 Add release documentation for v4.1.6
- 29e80be 4.1.6
- a5c59a5 Update History.md and AUTHORS for new release
- 0ae60b6 Merge pull request #1653 from mroderick/upgrade-dependencies
- dcd4191 Upgrade browserify to latest
- a316f02 Upgrade markdownlint-cli to latest
- 78ebdb3 Upgrade lint-staged to latest
- fcf967b Upgrade dependency supports-color
- 7c3cb4f Enable StaleBot with default configuration (#1649)
See the full diff
There is a collection of frequently asked questions. If those don't help, you can always ask the humans behind Greenkeeper.
Your Greenkeeper Bot 🌴
Hey @jarrodldavis, I'd love to get this app listed on the probot website! Do you have an instance of it deployed anywhere? It's pretty easy to deploy Probot apps on several different free services.
Are you interested in getting it listed? Here are the docs for adding it.
I am not sure why, but occasionally I see the GPG check fail, even though all of the individual commits are verified.
Here are some examples:
At first I thought it might have something to do with the sheer number of commits in a PR because I thought I was seeing them fail only on PRs with many commits. However, that doesn't appear to be the case since I found a PR today that only had 2 commits in it.
If a temporarily orphaned tag is pushed for a branch that has Branch Protection enabled, it would be nice to have probot-gpg kick in and validate that commit (and perhaps also the tag itself) so that the branch can be updated with the tagged commit once other status checks (such as CI) are successful.
| Branch | Build failing 🚨 |
|---|---|
| Dependency | probot |
| Current Version | 0.7.2 |
| Type | dependency |
This version is covered by your current version range and after updating it in your project the build failed.
probot is a direct dependency of this project; this is very likely breaking your project right now. If other packages depend on you it's very likely also breaking them.
I recommend you give this issue a very high priority. I'm sure you can resolve this 💪
The new version differs by 16 commits.
- 0191325 0.7.3
- a0467f6 Update changelog
- 6d574de Raise errors by default
- 1cc4505 Raise errors in tests
- b4d946f Wait for async events to resolve before returning
- 98f1241 Fix lint errors
- 78b7d49 Expose method to create robot
- 61be74e Test with taking an argument and not
- fe876d8 Ensure * event still works
- 0e38027 Make Robot self-sustaining
- aa3146b Allow creating robot without a logger
- 0078c31 Move default secret so it works for programmatic uses
- 9dd1afd Test for manually delivering events
- 2f6a520 Define receive method for manually delivering events
- 0da2ede Merge branch 'apps'
There are 16 commits in total.
See the full diff
There is a collection of frequently asked questions and of course you may always ask my humans.
Your Greenkeeper Bot 🌴
Probot's authors have made it easier to write tests for plugins, so probot-gpg should update applicable tests to match. Here's an example of updated tests in the official autoresponder plugin.
Additionally, more cases (where some or all commits aren't verified) need to be tested in the full integration suite.
Furthermore, now that more options are being added to the app, the tests are getting annoyingly repetitive. A data-driven approach should be taken to generate test cases instead of duplicating test code.
Consider adding a post-install setup page that can automatically add the required status check for the GPG status context used by probot-gpg.
Looks like the main Probot repos have moved from xo to standard, and I think probot-gpg should do the same.
The app should log various details about what it's doing and what data it has encountered.
We're changing some of the terminology in Probot in probot/probot#210. If you add the probot-app topic to this repository, it will show up in the list of probot apps.
Thanks for using Probot, and let us know if you have any feedback!
First of all, thanks for building this GPG check for verified commits. This is going to be helpful for our team! ❤️
We've enabled the GPG Probot on the salt repo and have realized that the GPG check errors when merge commits are created from the GitHub web interface.
As an example, we have the Require branches to be up to date before merging option enabled on our branches, which allows us to use the Update Branch option. The problem is that when you use this button to keep the PR up to date with the HEAD of the base branch, the merge commit can't be verified.
Here's an example PR: saltstack/salt#43707
We can't simultaneously keep the PR's branch up to date AND have all of the commits be in compliance with the GPG check.
Would it be possible to add some kind of flag to ignore merge commits from the web UI for the GPG check?
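One way to implement the options raised in the threads above (requiring only the last commit to be signed, skipping merge commits created through the web UI, and recording per-commit reasons for admins), as an added example that is not probot-gpg's own code: it assumes the GitHub REST commit object shape (sha, parents, commit.verification.verified/reason) and the option names requireOnly and ignoreMergeCommits are invented for this example.

```javascript
// Added example, not probot-gpg's own code: turn the commit objects GitHub
// returns for a pull request into a commit status. Field names follow the
// GitHub REST API commit object; the option names requireOnly and
// ignoreMergeCommits are assumptions made for this example.
const MAX_DESCRIPTION = 140; // GitHub status descriptions are capped at 140 chars

function evaluateSignatures(commits, options = {}) {
  const { requireOnly = 'all', ignoreMergeCommits = false } = options;
  if (commits.length === 0) {
    return { state: 'error', description: 'No commits to check', failures: [] };
  }
  // 'last' mode checks only the head commit; the compare listing puts it last.
  let candidates = requireOnly === 'last' ? commits.slice(-1) : commits;
  // A merge commit has two parents; "Update branch" merges made in the web UI
  // cannot be signed by the PR author, so optionally leave them out.
  if (ignoreMergeCommits) {
    candidates = candidates.filter((c) => c.parents.length < 2);
  }
  // Keep the API's per-commit reason so an admin can see why a status was set.
  const failures = candidates
    .filter((c) => !c.commit.verification.verified)
    .map((c) => ({ sha: c.sha.slice(0, 7), reason: c.commit.verification.reason }));
  if (failures.length === 0) {
    return { state: 'success', description: `${candidates.length} commit(s) verified`, failures };
  }
  const detail = failures.map((f) => `${f.sha} (${f.reason})`).join(', ');
  return { state: 'failure', description: `Unverified: ${detail}`.slice(0, MAX_DESCRIPTION), failures };
}

// Constructed sample: a signed commit, an unsigned web-UI merge commit (two
// parents), and a signed head commit. The reason strings mirror GitHub's.
const SAMPLE_COMMITS = [
  { sha: 'aaaaaaa1', parents: [{ sha: 'base1234' }],
    commit: { verification: { verified: true, reason: 'valid' } } },
  { sha: 'bbbbbbb2', parents: [{ sha: 'aaaaaaa1' }, { sha: 'main5678' }],
    commit: { verification: { verified: false, reason: 'unsigned' } } },
  { sha: 'ccccccc3', parents: [{ sha: 'bbbbbbb2' }],
    commit: { verification: { verified: true, reason: 'valid' } } },
];

console.log(evaluateSignatures(SAMPLE_COMMITS));
console.log(evaluateSignatures(SAMPLE_COMMITS, { ignoreMergeCommits: true }));
console.log(evaluateSignatures(SAMPLE_COMMITS, { requireOnly: 'last' }));
```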