A GitHub Action to check commits pushed to a repository to ensure they are verified (aka signed).
I've archived this repo because I no longer intend on maintaining the code, but it should still work fine if you want to use it.
Copy the text below into a file in your repository called .github/workflows/verified_commits_check.yml, then just commit and push it!
```yaml
# .github/workflows/verified_commits_check.yml
name: Run verified commits check
on: push
jobs:
  verified_commit_check:
    name: Check for unverified commits
    runs-on: ubuntu-latest
    steps:
      - uses: nadock/verified_commits_check@v1
```
Note: this action only supports push event types. Using pull_request or any other event type will cause the action to fail.
You can see this example in action in this repository here.
verified_commits_check can send the notification messages for unverified commits to one of a few places. By default, if you do not specify MESSAGE_BACKEND, the messages are printed to the GitHub Actions build log. If you would prefer to have them sent to one of the other supported backends, follow the additional setup instructions for that backend below.
To have verified_commits_check send notification messages to a Slack Webhook, follow the steps below.
- Set up a Slack Webhook to receive the notification message by following Slack's guide here.
- Add the Webhook URL created in the previous step to your repository's secrets by following GitHub's guide here.
- Update your workflow file to include the MESSAGE_BACKEND and SLACK_WEBHOOK_URL environment variables, as in the example below.
```yaml
name: Run verified commits check
on: push
jobs:
  verified_commit_check:
    name: Check for unverified commits
    runs-on: ubuntu-latest
    env:
      MESSAGE_BACKEND: slack
      # Assuming you named the secret from step 2 "slack_webhook_url"
      SLACK_WEBHOOK_URL: ${{ secrets.slack_webhook_url }}
    steps:
      - uses: nadock/verified_commits_check@v1
```
Note: Anyone who has your Slack Webhook URL can send you messages, so store it securely!
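To make the check itself concrete, here is an added example (not the action's own code) that evaluates a push's commits the way the "Verified" badge does and routes the message through a log or Slack backend. The commit objects are a constructed sample in the shape of GitHub's REST commit API; the function names and the returned dicts are this example's own, and the Slack payload is built but not sent.

```python
import json

# Constructed sample shaped like GitHub's REST commit objects. The "verification"
# block is what the "Verified" badge reflects, so the check keys off its boolean rather
# than the mere presence of a signature: an unknown key ("unknown_key") is still unverified.
SAMPLE_COMMITS = [
    {"sha": "aaaaaaa1111111111111111111111111111111a1",
     "commit": {"message": "Signed change\n\nbody", "author": {"name": "Alice"},
                "verification": {"verified": True, "reason": "valid"}}},
    {"sha": "bbbbbbb2222222222222222222222222222222b2",
     "commit": {"message": "Unsigned hotfix", "author": {"name": "Bob"},
                "verification": {"verified": False, "reason": "unsigned"}}},
    {"sha": "ccccccc3333333333333333333333333333333c3",
     "commit": {"message": "Signed with an unknown key", "author": {"name": "Carol"},
                "verification": {"verified": False, "reason": "unknown_key"}}},
]

def unverified_commits(commits):
    """Return a summary dict for every commit GitHub did not mark as verified."""
    bad = []
    for c in commits:
        v = c["commit"].get("verification") or {}
        if v.get("verified") is True:
            continue
        bad.append({"sha": c["sha"][:7],
                    "author": c["commit"]["author"]["name"],
                    "subject": c["commit"]["message"].splitlines()[0],
                    "reason": v.get("reason", "unknown")})
    return bad

def build_message(bad, repo):
    lines = [f"{len(bad)} unverified commit(s) pushed to {repo}:"]
    lines += [f"- {b['sha']} by {b['author']} ({b['reason']}): {b['subject']}" for b in bad]
    return "\n".join(lines)

def deliver(message, backend):
    """Select the backend as MESSAGE_BACKEND does; return the payload instead of sending it."""
    if backend == "slack":
        # Slack incoming webhooks take a JSON body whose "text" field is the message.
        return {"backend": "slack", "body": json.dumps({"text": message})}
    return {"backend": "log", "body": message}  # default: the Actions build log

def run_check(event_name, commits, repo, backend="log"):
    """Only push events are supported, matching the action's contract."""
    if event_name != "push":
        raise ValueError(f"unsupported event {event_name!r}; only 'push' is handled")
    bad = unverified_commits(commits)
    if not bad:
        return {"ok": True, "unverified": []}
    return {"ok": False, "unverified": bad, **deliver(build_message(bad, repo), backend)}
```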
What are verified commits?
Verified commits are commits that have been GPG signed by their author, ensuring they truly do come from a trusted source. GitHub has more details in their documentation here, including how to set up commit signing if you haven't already.
When your commits are verified, you should see the "Verified" badge on your commits like this:
Why not just use the branch protection rule?
GitHub provides a branch protection rule to prevent unverified commits from being merged into protected branches. However, you usually get little or no warning you've mistakenly pushed unsigned commits until you try to merge your PR. This action will warn you whenever you push unverified commits, allowing you to notice and fix the issue sooner.
I wish it sent messages to X...
Okay, technically not a question, but if you want to add support for sending a message to some other service when unverified commits are detected (other than the default failed action email), I welcome pull requests to add support. Please check the CONTRIBUTING.md file for more details.