This is a GitHub integration for checking that all your commits are signed. One limitation: the GitHub compare API returns at most 250 commits between master and the branch, so anything beyond that is not checked and (according to GitHub) the request 'may' throw an error.
git checkout the repository
Set an environment variable GITHUB_PRIVATEKEY
to the integration's private key (the PEM file GitHub gives you when you create the integration)
GITHUB_PRIVATEKEY=`cat private.key` npm start
or, with Docker:
docker build -t signed-checker .
docker run -e GITHUB_PRIVATEKEY=`cat private.key` -p 4000:4000 signed-checker
Passing the key on the command line like this leaves it in your shell history and in the container's environment (visible to anyone who can run docker inspect); for anything beyond local testing, inject it from a secret store instead.
You then need to register the integration with a webhook URL of https://yourexternaladdress/github and install it on the repositories you want checked.
I'll presume you can put an HTTPS endpoint in front of this service, which you really should: the service itself only listens on plain HTTP (port 4000 above), and the webhook secret protects the integrity of a delivery, not its confidentiality.
This is deployed via: https://github.com/UKHomeOffice/kube-signed-commit-check
- verify the request is from GitHub: compute the HMAC-SHA1 of the raw request body with the webhook secret and compare it in constant time against req.headers['x-hub-signature'], see https://developer.github.com/webhooks/securing/#validating-payloads-from-github
- verify the request comes from a known GitHub IP address (the current hook ranges are published at https://api.github.com/meta)
- authenticate to GitHub with an integration JWT signed by the integration's private key https://developer.github.com/early-access/integrations/authentication/
- set the status of the head commit to 'pending' https://developer.github.com/v3/repos/statuses/#create-a-status
- get the difference between master and the head commit (base...head) https://developer.github.com/v3/repos/commits/#compare-two-commits
- check that every commit in the difference is signed: commit.verification.verified === true (a signature GitHub cannot verify against a key on the committer's account comes back with verified === false and a reason, and fails the check just like an unsigned commit)
- set the status of the head commit to success/failure https://developer.github.com/v3/repos/statuses/#create-a-status
- reproduce everything for GitLab
- reproduce everything for Bitbucket