From b74c332080c5b55377b2c173db9157f8b54b3a70 Mon Sep 17 00:00:00 2001
From: Andrew Gable
Date: Tue, 7 Dec 2021 13:37:07 -0700
Subject: [PATCH 1/3] Sign commits for @OSBotify

---
 .../workflows/OSBotify-private-key.asc.gpg | Bin 0 -> 5119 bytes
 .github/workflows/cherryPick.yml | 22 ++++++++++++++++--
 .github/workflows/createNewVersion.yml | 11 +++++++++
 .github/workflows/deploy.yml | 21 ++++++++++++++++-
 .github/workflows/updateProtectedBranch.yml | 15 ++++++++++++
 5 files changed, 66 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/OSBotify-private-key.asc.gpg
diff --git a/.github/workflows/OSBotify-private-key.asc.gpg b/.github/workflows/OSBotify-private-key.asc.gpg new file mode 100644 index 0000000000000000000000000000000000000000..165debeece1cdbce17b5354c4363ea44aa763dd3 GIT binary patch literal 5119 zcmVu`RlaazN`-lVDiQsz@@PQ|4nK`)P zL=&@qiPf69yX;aThnI}CykTa$4FV-9Fw783-Ce~I5Ci};53;;s!37%f4bQNU-v6A& z7P~UTPJV4YIIzIw`QgI=0#S$8m_)l#7&m0r9BlT+H;r1`mGS^pQf%E{3=Mk4ejy0l z-cnFbF7vX)^-vk7%?sH2Uia}hn>Mrjimx_(zDqhK%Dx>8Y6{l!2xW;^)IwHD{$LY$ zCMwI)h%9*tdBYtbv;Y%4$#$Z|hYO_DYnA;B;)cqzjmdpLzf`>)nZYbPueW^0gWyOW zXDCl!w<;u^C(T)M;q!>QC>SO0^+f9^TzsB&qNo6vt!GX`w1Nz^E8xb9rKlh<*7pz% zWAO;{naP^_xePMxa|L_WdMR)$sMc7vQpAO9EmL!RH|UQ&H}sw`4s3Oy^#OXqOPj20 z(C~sNE*mZ@O|Aj!(gWEXOMa7-;_)hxIaeme`P*%aKM}JT6Tmz!o?A~Ch*GV_r-b-W zQ91icfoTKR#pAB%?yWin#f+2EF2G&hn9y>F30tUpWlW73nZU$M2o&lp^Krtw6=hHZ zi>C1xL7e&$!m8Pvk_A9PGX55DCGY;2UQ|k1hg9xRiJ@?X$asehQ}0g=O|GwyN5hywAW1HLf(D|VJVxk%xOq>uDI=diA{ zr?vTla0exftu@tMoOuWZ5P?-YblvmvOOl<+5o*8hizi)AR-Mj@mf9%Z>KL0ICdEct zmSb7(+-ohX*nxdO6_?FOk5&`nCVYNTpcUyO5#3{Swa&9W*pFR}UhT8`3d#|2Fo!i^ zel8r0Onfepp@);%x!Zo_%s>=0Uf@@gOSLJ+c!Je{T!6}UlwdX;Yk-9#0BsyBR?2S( z`!~bFDN=X3)A80qFn)!jDFf~1TmAyTcaGQ~yPm^c$=puzPDNGhB*k8B8d*9PE*M)v z1!f7Vxqlu1N(hCE(P>9t$60hlT~pN+>UyA%wtEn@{rtNfo$n+qPWw3=KCQ{vLqgtU zJaZdZeGOw`2tKUYFkE@t*+Oey|N5sp3!iWVRFovVX(BsCu z`$H=^$tjX9B1buKDfGva{Jean2Yrg-5$$_WADl5t4T!jR1rMBsW1UYJJ(0mkrVz9$ zt62!yU}pOB9d6kg*dN651CW~@nOEVpCsBRP&)8WUErtzf<4UvaJeyvEjm=NO#waNz z%u{rc+Kpw?KFy0sEadJ!uTSHe5(n? zK0gLmI1&O~QCfb~uF1DX;iXL?(-ttpf{+r4l8)I+U|_d1KAwR>5Q?#ZoFs>F=}U#~ zHQeN0I!mvs>z+yJbxWoz{jTCDlxDl4(A8YCTliF6&& zBPWa&+`{b1kIeqv5RqvF@iOXGE(9yT$=p6rN_y2A)!UI=rX_t^T^I<`>YQSH2p>kh z7=&!dUA;a_3R%A68N!eckd85))@>!9dFp7b914&Jc0#;L1LVkGI9(Uj;Z0V~iyY^Q zxb_uzKVN0Oa3%5}KLL>lmj~uf@L(@h7v75Va1Tly^ zkhStJ8RtZYX^cc{lrzh2n(+~BCNZ1$7{J=fT)h29ag;j_8ySQbQ12L7vrcJa)=K1> zzfKj$PN^c;8q+M^fTB$RLf@MGoa?2I>7&rP1yfP`p4eUrtL-_feNu`==?mB!oaW>! 
zHN`Xix?b}Sfi254u}^l%xaYw?fA3wH!fq1Kpxzv}gJLU+iwxbc2h1(y_QpLJDWH#H zWGo6$q<9Pd=$2C<~9pB^^hK1g8Kp1D?wox#CBMkM?3AO}c3R5%f>x}%8< zs_)8&gUMDtO!qj^F8QM?o4+SK{hGwblwZ~TYf}GaXZr#8-H-IeRN;floXfI+pbl%@ zdn^nV?RMw(YF89-L|t+4C#THcl%fxCXJkZ!!3y@$>A#plLoj$lO>zjPft*V* zveZa-u(MzSaY4x8IZ6RsA~@%w2Ajj>GM=*E$$4=?jPYWI^0zi;G}eH+lcaIFmF!w9 zU?#M26hy{I74@ zeU@ji3LiNWR+Gkokc0=NfhLVv&0Yyd$22dJm~WK4j+Rl~{SmPQ^_|Y-9$c_eMKAHe zZrCU{d&*$HN!e{HSMV|5n`Ti(`%6Eq=SD;926c7hKQ0IwXUmUd;Wel)O;bQTtDND6 zk@Af=i+H{)K6CX5^0+7BtSo=3$rr_AHVq9K{s>f+&h3R=M;Qg-S_0FKgGpiyW&)nq z_4~S2!6HLGDnsrQ#dN6fV~?a*=y0kRNy9Q2j9ZCiuF8a0sxAXXn+N^zPJDYx;kfR@ z7RQ>qZ2TlZk2srOZMME-O|F4P(8)3j&P#*6Lz38({;TX$HEg;>|5;T6-M_hezgdgY zhwy^Vf_vxK3NW!Aw+E3<12y=@JK-<)CI2>M1+;=*@a2Jj{_>w-WZz?M%PGACBdT~r z7dO3SGDqund<#^Rqm&u1Rcd>$pAs2+tOhhg75GT+!aLn9;n!j-_Ss zG1%=^9i^930cNS>!w_2c@DSy$kFp^?11=E)?45o^2JcI%`oOkjDz1tAsS2}m^^%v({wMK|aPq0_JSO-#HX6lX4yQI* zeJD6Y!SE>mL;C;~;D%tCF*p@ohdLGUudAVs{v>LVspUl6x@%&)|2r@tuQ!1VSvskX zMrjcprDm3om?>T&haLG1R4`Ucq70eJcA1ao6v!>dA@b)97@T6Qx4*MQ z(MffKf7t>BCkDa4?xV@+$tQl6O^Z>zuY&PY{F0)#<18o66#Q7T>ZgO-4dnb{iF6kT z^!jXU?>e@iUq1c0m(^BP`hoOV+B7Wq_y(Z_B~zf?5WrdMK1_qayW}ixLHOa3!?E|p zjg8>jj#P}_IXsJcK+0*y#D6@XSC_tc1Qe-OfX8&XNYqtDTsDEG9p0Bw+Bn4~Zbm;? z%=^oO&onkRC#Qn2J$iqhW!QseQx0d>X&VQXmW`XUOvg(&GsF{=sYkwrpdx#!O<;pe?w;BY z(y5sH%7%VQcFdcYl3*-!Hh0PdSq#ak3Xs143iw~*MPj*Un)=B*8*YgGoi!c^Z2!$GO2DUp0i$9%Lr??PCuYr5}?bd)KsHqfnX! 
zb&bT{Em0hIs$L`k0%9!^Iqlnpkp(S2)iHyG7lE8J`OAp6hRS%ag)=voLBRlYD6c@( z8<0Sa+!bR>^7`@C=ATk+(4GLDX#6w4`A=>(>@_Q$6Xp@j>E;uoy-}tk%)0H1e`J#+ zB6^4t7EEos(B^NbB+Jto5`5hQ#+z%5v+vB%3HjY}?XMx&b>%9Q1&uTDZ>U;NX#yF< zP^f=34ZYXt&W3x0pI@FmN|Hk&zfm_rRaeviI_ZvkUISE65lfW#@WYtNi)(0 zVS!-B_zE>ON0N~@)>{lDgQ9o++z(ljG{{Ci6Z(HhjfN=@5dIL=-{A^XWiOkq_BT)z z_5?(^5Mh9g!ZyUu>fw+Uyjy`)=lK8nb2 z1sft0u>FLT>Ac3EWPMqV_Z`^v>`XHd(HPxErCM11<-#85%h3cpP{{9AfBZkT2tza+ zw%kJIU+CSVjz!fB=?QPy*dR1!VF~=N>Vq;F@W-t2nW}-MC_h9j&ibGway1J~g$-N@ zX-3$ZHQzZ@@(ml`4=938(e1Ed5)hx-yos44+Fyyv{uV#1*FKaasPA$RO>Dg&>O28AHY_~1WI_4o7SXWW13!eqU+E2^X?GJR)GJ(JQu84jN4##Pl(TpW0 zuQOYG&!=zwm@emGl{jSb5yHMwF6CsXD}X~r%xI^@<)vHf4^%6c^)wtmuwMO>#j1#I zVxR1bb7^R(MYAhW5+lLQW~2`aYfWItl;`cX+n?l6XqdPnj8ak8}S5f9~_wu@19PTzYv}<5OIQK6{4hW z9O6EW8pctPS6l_wJ8kpHfvt-tv{BrQOkaR(g2=rRdF2~Ihvk9``^M_*pN_@Jw7w^a zib_yb%N4oQp=eMrkaa$xvfy01=wt_JPfTE#?Z$BOYmrE3*3q(55jH|X&sbxEs>!;^a zW|r8zrqmdF&bd~n=?rOEucr8QrW<_Uyu2mRNfkHbg8?3t1wC*pyM@~I;)i>tP(>fP z2qG%03^=bofH&PJF;rXWZCulPYZl6`KSS$w@P{9SPX*y z2mGk2*|U2?fw?#a4j5E&(iLUd@<((~A=Wt4epHnN%pPa?kG9lHChaaPV4`V1q-Fkn zJ?jiKt;5c(puj!0MI)lRP9=C61Y>KpfJ9P07j64TIkJxk1$C|WV3<>`5s!Z{+_skt zmAsb!Bsc_hWn3gmT-d3+mv|rLfxxAL=+Q_W)=RMe3QUd#}mYTmqUB|SQBu)5!ed?-F=kz4IIK6Sb;|BswxFQ`yf461W8;5V^5;4 zW+XNEQwzYj-Qsuy&M9e^bs7A-f7&anXa;ul;@&qJmsHx@54_Y}oiPTc&)*C@a+*(x h;lq+T5r}l|wP44T7d+AK;i)%t#M&%>2E1f`y21t--y#42 literal 0 HcmV?d00001 diff --git a/.github/workflows/cherryPick.yml b/.github/workflows/cherryPick.yml index 712d3304eb5a..8b9f604fca33 100644 --- a/.github/workflows/cherryPick.yml +++ b/.github/workflows/cherryPick.yml @@ -35,7 +35,7 @@ jobs: uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f with: ref: main - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ secrets.OS_BOTIFY_TOKEN }} - uses: softprops/turnstyle@8db075d65b19bf94e6e8687b504db69938dc3c65 with: 
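Review bot: The `token:` line in the first cherryPick.yml hunk swaps the job-scoped `GITHUB_TOKEN` for the `OS_BOTIFY_TOKEN` personal access token without saying why, and the reason is not obvious from the hunk alone. Presumably the PAT is needed so that pushes made by the bot are attributed to OSBotify and can trigger follow-on workflows, which `GITHUB_TOKEN` does not do, but that is inferred rather than visible here. A one-line comment above the line, such as `# PAT (not GITHUB_TOKEN) so the bot's pushes are attributed to OSBotify and trigger downstream workflows`, would record the intent, and the same comment belongs on the identical swap in the second cherryPick.yml hunk. Because a PAT carries whatever scopes it was created with, the comment is also the natural place to note the minimum scopes this workflow actually needs.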
@@ -67,7 +67,25 @@ jobs: uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f with: ref: staging - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ secrets.OS_BOTIFY_TOKEN }} + + - name: Decrypt Botify GPG key + if: github.actor == 'OSBotify' + run: cd .github/workflows && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg + env: + LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }} + + - name: Import Botify GPG Key + if: github.actor == 'OSBotify' + run: cd .github/workflows && gpg --import OSBotify-private-key.asc + + - name: Set up git for Botify + if: github.actor == 'OSBotify' + run: | + git config user.signingkey DBF63700F60F5530 + git config commit.gpgsign true + git config user.name OSBotify + git config user.email infra+osbotify@expensify.com - name: Create branch for new pull request run: | diff --git a/.github/workflows/createNewVersion.yml b/.github/workflows/createNewVersion.yml index eaaafc56998c..1a5c979e990e 100644 --- a/.github/workflows/createNewVersion.yml +++ b/.github/workflows/createNewVersion.yml @@ -24,12 +24,23 @@ jobs: poll-interval-seconds: 10 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Decrypt GPG key + run: cd .github/workflows && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg + env: + LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }} + + - name: Import the GPG Key + run: cd .github/workflows && gpg --import OSBotify-private-key.asc - name: Set up git run: | git fetch git checkout main + git config user.signingkey DBF63700F60F5530 + git config commit.gpgsign true git config user.name OSBotify + git config user.email infra+osbotify@expensify.com - name: Create new branch run: | diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 60165609e7e8..5663024fa9ae 100644 
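Review bot: The `Decrypt Botify GPG key` step writes the plaintext private key to `.github/workflows/OSBotify-private-key.asc` inside the checked-out tree and nothing in the hunk removes it, so it stays in the working tree for the rest of the job, including the `Create branch for new pull request` step that follows, where a later `git add`/`git commit -a` (outside the hunk, so unverified here) could sweep it into a commit. Piping the decryption straight into the import avoids the file entirely: `run: cd .github/workflows && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" OSBotify-private-key.asc.gpg | gpg --import`; or keep the two steps and add `rm -f OSBotify-private-key.asc` after the import. The passphrase is also handed to gpg as a command-line argument, where it is visible in the runner's process list even though GitHub masks it in logs; `--passphrase-fd 0` with the secret supplied on stdin keeps it out of argv. Since the encrypted key blob itself is now committed to the repository, its protection is only as strong as `LARGE_SECRET_PASSPHRASE`, so an exposure of that secret would require rotating the key (new key, new blob, new `user.signingkey`) rather than just the passphrase. The same two steps are copied into the createNewVersion.yml, deploy.yml and updateProtectedBranch.yml hunks of this patch and into the deployStaging/deployProduction hunks of PATCH 3/3, so the change applies there too.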
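Review bot: The new decrypt/import steps in createNewVersion.yml have no `if: github.actor == 'OSBotify'` guard, while the identical steps added to cherryPick.yml in this same patch do; if that is intentional because this workflow presumably only ever runs as the bot, a short comment above `- name: Decrypt GPG key` saying so would keep the two files from drifting further, and if it is not, the guard should be added here and in the updateProtectedBranch.yml hunk, which has the same unguarded shape. The step names also differ from the other files (`Decrypt GPG key` / `Import the GPG Key` here versus `Decrypt Botify GPG key` / `Import Botify GPG Key` elsewhere), which makes correlating run logs across workflows harder than it needs to be. Because `commit.gpgsign true` is now set in `Set up git`, every later `git commit` in this job will attempt to sign and will fail outright if the import step is ever moved after it, so the ordering of these steps is load-bearing and worth a comment such as `# must run after the GPG import above: commit.gpgsign makes every commit require the key`.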
--- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -21,10 +21,29 @@ jobs: - name: Check if merged pull request was an automatic version bump PR id: isAutomatedPullRequest run: echo "::set-output name=IS_AUTOMERGE_PR::${{ steps.getMergedPullRequest.outputs.author == 'OSBotify' }}" + + setupGit: + runs-on: ubuntu-latest + needs: validate + steps: + - name: Decrypt Botify GPG key + run: cd .github/workflows && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg + env: + LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }} + + - name: Import Botify GPG Key + run: cd .github/workflows && gpg --import OSBotify-private-key.asc + + - name: Set up git for Botify + run: | + git config user.signingkey DBF63700F60F5530 + git config commit.gpgsign true + git config user.name OSBotify + git config user.email infra+osbotify@expensify.com deployStaging: runs-on: ubuntu-latest - needs: validate + needs: [validate, setupGit] if: ${{ fromJSON(needs.validate.outputs.isAutomatedPullRequest) && github.ref == 'refs/heads/staging' }} steps: diff --git a/.github/workflows/updateProtectedBranch.yml b/.github/workflows/updateProtectedBranch.yml index fe4eb154855e..ca925478b44e 100644 --- a/.github/workflows/updateProtectedBranch.yml +++ b/.github/workflows/updateProtectedBranch.yml 
@@ -53,6 +53,21 @@ jobs: - name: Set New Version run: echo "NEW_VERSION=$(npm run print-version --silent)" >> $GITHUB_ENV + + - name: Decrypt Botify GPG key + run: cd .github/workflows && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg + env: + LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }} + + - name: Import Botify GPG Key + run: cd .github/workflows && gpg --import OSBotify-private-key.asc + + - name: Set up git for Botify + run: | + git config user.signingkey DBF63700F60F5530 + git config commit.gpgsign true + git config user.name OSBotify + git config user.email infra+osbotify@expensify.com - name: Create temporary branch to resolve conflicts if: ${{ contains(fromJSON('["staging", "production"]'), github.event.inputs.TARGET_BRANCH) }} From b8916ae36805bcb6c22428eaa2a5cdcfcdc05619 Mon Sep 17 00:00:00 2001 From: Andrew Gable Date: Tue, 7 Dec 2021 14:58:31 -0700 Subject: [PATCH 2/3] Fix spacing --- .github/workflows/deploy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 5663024fa9ae..41cebceef21c 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -22,7 +22,7 @@ jobs: id: isAutomatedPullRequest run: echo "::set-output name=IS_AUTOMERGE_PR::${{ steps.getMergedPullRequest.outputs.author == 'OSBotify' }}" - setupGit: + setupGit: runs-on: ubuntu-latest needs: validate steps: @@ -61,7 +61,7 @@ jobs: deployProduction: runs-on: ubuntu-latest - needs: validate + needs: [validate, setupGit] if: ${{ fromJSON(needs.validate.outputs.isAutomatedPullRequest) && github.ref == 'refs/heads/production' }} steps: From da402c5bea88a9310b47d5ce86392bb573cc32e7 Mon Sep 17 00:00:00 2001 
From: Andrew Gable Date: Tue, 7 Dec 2021 17:11:19 -0700 Subject: [PATCH 3/3] Remove setupGit needs --- .github/workflows/deploy.yml | 41 ++++++++++++++++++++++++------------ 1 file changed, 27 insertions(+), 14 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 41cebceef21c..35f4107fa840 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -21,11 +21,19 @@ jobs: - name: Check if merged pull request was an automatic version bump PR id: isAutomatedPullRequest run: echo "::set-output name=IS_AUTOMERGE_PR::${{ steps.getMergedPullRequest.outputs.author == 'OSBotify' }}" - - setupGit: + + deployStaging: runs-on: ubuntu-latest needs: validate + if: ${{ fromJSON(needs.validate.outputs.isAutomatedPullRequest) && github.ref == 'refs/heads/staging' }} + steps: + - name: Checkout staging branch + uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f + with: + ref: staging + token: ${{ secrets.OS_BOTIFY_TOKEN }} + - name: Decrypt Botify GPG key run: cd .github/workflows && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg env: @@ -41,17 +49,6 @@ jobs: git config user.name OSBotify git config user.email infra+osbotify@expensify.com - deployStaging: - runs-on: ubuntu-latest - needs: [validate, setupGit] - if: ${{ fromJSON(needs.validate.outputs.isAutomatedPullRequest) && github.ref == 'refs/heads/staging' }} - - steps: - - name: Checkout staging branch - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f - with: - ref: staging - token: ${{ secrets.OS_BOTIFY_TOKEN }} - name: Tag version run: git tag $(npm run print-version --silent) @@ -61,7 +58,7 @@ jobs: deployProduction: runs-on: ubuntu-latest - needs: [validate, setupGit] + needs: validate if: ${{ fromJSON(needs.validate.outputs.isAutomatedPullRequest) && github.ref == 'refs/heads/production' }} steps: 
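Review bot: With the steps moved inline, the decrypt / import / `git config` trio (including the hard-coded key id `DBF63700F60F5530` and the passphrase handling) now appears in both deployStaging and deployProduction in deploy.yml, on top of the copies in cherryPick.yml, createNewVersion.yml and updateProtectedBranch.yml, so any later fix to the key handling has to be applied in five places. A local composite action under `.github/actions/` (name to be chosen) taking the passphrase as an input and performing the three steps would reduce each call site to a single `uses:` step with one `with:` entry, and would give the key id a single home. The ordering shown here, checkout first and then `cd .github/workflows`, is correct and is what the removed `setupGit` job lacked; a one-line comment above `- name: Decrypt Botify GPG key` noting that it depends on the checkout step immediately above would stop the steps from being reordered or extracted into a separate job again.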
@@ -69,6 +66,22 @@ jobs: with: fetch-depth: 0 token: ${{ secrets.OS_BOTIFY_TOKEN }} + + - name: Decrypt Botify GPG key + run: cd .github/workflows && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg + env: + LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }} + + - name: Import Botify GPG Key + run: cd .github/workflows && gpg --import OSBotify-private-key.asc + + - name: Set up git for Botify + run: | + git config user.signingkey DBF63700F60F5530 + git config commit.gpgsign true + git config user.name OSBotify + git config user.email infra+osbotify@expensify.com + - name: Checkout production branch run: git checkout production