Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

backport automation: to cherry-pick the signed commits #5077

Open
v1v opened this issue Mar 24, 2023 · 3 comments
Open

backport automation: to cherry-pick the signed commits #5077

v1v opened this issue Mar 24, 2023 · 3 comments

Comments

@v1v
Copy link
Contributor

v1v commented Mar 24, 2023

CleanShot 2024-03-05 at 11.50.52.png

Technical issue

https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#signature-verification-for-bots

Requested-By

@jd
Copy link
Member

jd commented Mar 29, 2023

Not sure we could have anything verified even by cherry-picking the original commits, since the sha1 are going to change anyway and Mergify can't re-sign the commits using the original author key. Or do I miss something?

@v1v
Copy link
Contributor Author

v1v commented Apr 3, 2023

Gotcha, I understand there is a limitation with the git flow itself, so nothing we can do about it.

For now, since mergify can override the branch protection behaviour, we enabled to auto-approve those backported PRs with mergify itself, so it works smooth and nice in our end.

Thanks Julien, I guess we can close this issue now

@Mergifyio Mergifyio deleted a comment from linear bot Mar 8, 2024
@Greesb Greesb assigned Greesb and unassigned Greesb Mar 13, 2024
@jd
Copy link
Member

jd commented Mar 18, 2024

@v1v we spent time digging into that features, but it's not really clear the value of the whole signature system, especially with things like https://blog.mergify.com/un-signed-commits-how-we-found-a-non-security-bug-in-github/

Would it be possible to have more context about what's expected from the GitHub setting? Happy to schedule a chat with you or your (security) team.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

3 participants