fix: sign release-plz release PR commits #109

Merged

jwilger merged 1 commit from fix/release-plz-signed-commits into main

2026-06-11 19:36:08 -07:00

jwilger commented

2026-06-11 19:25:01 -07:00

Owner

Summary

Add a release-plz signing helper that accepts SSH or GPG private key material from RELEASE_SIGNING_KEY.
Configure global Git signing before release-plz creates release PR commits in its temporary git directory.
Require RELEASE_SIGNING_KEY for release PR creation and document the secret.

Rationale
Forgejo rejected the generated release-plz branch because the release commit was unverified. The release-plz commit is created outside the checked-out repository, so the workflow needs global Git signing configuration in the same shell that runs release-plz.

Verification

actionlint .forgejo/workflows/release-plz.yml
sh -n .forgejo/scripts/configure-release-plz-git-signing.sh
generated throwaway SSH key and verified git commit output contains a gpgsig SSH signature header
just copyright-headers
git diff --check

Summary - Add a release-plz signing helper that accepts SSH or GPG private key material from RELEASE_SIGNING_KEY. - Configure global Git signing before release-plz creates release PR commits in its temporary git directory. - Require RELEASE_SIGNING_KEY for release PR creation and document the secret. Rationale Forgejo rejected the generated release-plz branch because the release commit was unverified. The release-plz commit is created outside the checked-out repository, so the workflow needs global Git signing configuration in the same shell that runs release-plz. Verification - actionlint .forgejo/workflows/release-plz.yml - sh -n .forgejo/scripts/configure-release-plz-git-signing.sh - generated throwaway SSH key and verified git commit output contains a gpgsig SSH signature header - just copyright-headers - git diff --check

jwilger added 1 commit

2026-06-11 19:25:01 -07:00

fix: sign release-plz release PR commits

CI / Nix flake check (pull_request) Successful in 2m24s

Details

CI / Request auto_review semantic review (pull_request) Successful in 2s

Details

auto_review auto_review: 1 warning

CI / Rust CI (pull_request) Successful in 9m3s

Details

f037adad49

auto-review approved these changes

2026-06-11 19:27:37 -07:00

auto-review left a comment

Walkthrough

.forgejo/scripts/configure-release-plz-git-signing.sh:
- Introduces a script to configure Git signing using either SSH or GPG keys.
- Checks for the presence of RELEASE_SIGNING_KEY and configures signing accordingly.
- Handles both SSH and GPG key formats, setting up the environment for each.
.forgejo/workflows/release-plz.yml:
- Updates the workflow to require RELEASE_SIGNING_KEY in addition to RELEASE_PLZ_TOKEN.
- Ensures that the release process is skipped if either secret is missing.
README.md:
- Documents the new RELEASE_SIGNING_KEY requirement for creating signed release PRs.

LLM usage and cost

Reasoning (gpt-4o) in=2756 out=652 cost=$0.023560
Cheap (gpt-4o-mini) in=2627 out=69 cost=$0.000435
Estimated total USD: $0.023995 via https://api.openai.com and https://api.openai.com

This PR introduces a script to configure Git signing for release-plz using SSH or GPG keys, ensuring that release commits are verified. The changes appear safe to merge, but ensure that all environments have the necessary tools and secrets configured. ## Walkthrough - **.forgejo/scripts/configure-release-plz-git-signing.sh**: - Introduces a script to configure Git signing using either SSH or GPG keys. - Checks for the presence of `RELEASE_SIGNING_KEY` and configures signing accordingly. - Handles both SSH and GPG key formats, setting up the environment for each. - **.forgejo/workflows/release-plz.yml**: - Updates the workflow to require `RELEASE_SIGNING_KEY` in addition to `RELEASE_PLZ_TOKEN`. - Ensures that the release process is skipped if either secret is missing. - **README.md**: - Documents the new `RELEASE_SIGNING_KEY` requirement for creating signed release PRs. ## LLM usage and cost - Reasoning (gpt-4o) in=2756 out=652 cost=$0.023560 - Cheap (gpt-4o-mini) in=2627 out=69 cost=$0.000435 Estimated total USD: $0.023995 via https://api.openai.com and https://api.openai.com

.forgejo/workflows/release-plz.yml

🟡 Warning: The workflow now requires RELEASE_SIGNING_KEY to proceed. Ensure that this secret is set in all environments where the workflow runs to prevent unintended skips.

🟡 **Warning:** The workflow now requires `RELEASE_SIGNING_KEY` to proceed. Ensure that this secret is set in all environments where the workflow runs to prevent unintended skips.

jwilger commented

2026-06-11 19:29:15 -07:00

Author

Owner

Handled auto_review warning on RELEASE_SIGNING_KEY availability: this workflow is guarded to run only for Slipstream/emc, and RELEASE_SIGNING_KEY has been configured as an organization secret for this repository. The README now documents the required signing secret and the workflow skips release PR creation if it is absent.

jwilger merged commit 79bac4b5a4 into main

2026-06-11 19:36:08 -07:00

jwilger referenced this pull request from a commit

2026-06-11 19:36:09 -07:00

fix: sign release-plz release PR commits