ci(submodule): remove bot user git configurations #1124

Merged
merged 1 commit into from
Oct 2, 2023

Member

@tthvo tthvo commented Sep 29, 2023

Welcome to Cryostat! 👋

Before contributing, make sure you have:

  • Read the contributing guidelines
  • Linked a relevant issue which this PR resolves
  • Linked any other relevant issues, PR's, or documentation, if any
  • Resolved all conflicts, if any
  • Rebased your branch PR on top of the latest upstream main branch
  • Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
  • Signed all commits using a GPG signature

To recreate commits with GPG signature: `git fetch upstream && git rebase --force --gpg-sign upstream/main`


Related to #1113

Description of the change:

Remove bot user git configurations to allow the signed commits to be verified.

Motivation for the change:

#1113 (comment)

Signed-off-by: Thuan Vo <thuan.votann@gmail.com>
@andrewazores andrewazores merged commit b45be4f into cryostatio:main Oct 2, 2023
22 of 23 checks passed
@andrewazores
Member

https://github.com/cryostatio/cryostat/commits/main

Not verified, but the new bot name is nice at least.

@tthvo tthvo deleted the submodule-ci branch October 2, 2023 16:25
@tthvo
Member Author

tthvo commented Oct 2, 2023

Hmm, I wonder if it's because of this action:

https://github.com/crazy-max/ghaction-import-gpg#inputs

git_committer_name String Set commit author's name (defaults to the name associated with the GPG key)
git_committer_email String Set commit author's email (defaults to the email address associated with the GPG key)

Seems like we automatically add the author info from there:

git_user_signingkey: true

@tthvo
Member Author

tthvo commented Oct 2, 2023

Configuring Git committer (Cryostat CI rhjavamonitoring@gmail.com)

@tthvo
Member Author

tthvo commented Oct 2, 2023

@andrewazores Might not be the issue if GitHub sees the same thing. Tho, I have 2 questions:

  • Since this is a cross-repo action, does cryostat repo need to know about this key? We should add this key to cryostatio organization?
  • Perhaps, the email could be one used for cryostatio? This way, github can recognize it. Otherwise, rhjavamonitoring@gmail.com is unknown.

@andrewazores
Member

I'm not aware of a way to add the key or an email address to the org itself like that, but when I have some more free time to look into this I'll see if I can find anything. Normally those are things that are added to individual users' profiles, not orgs...

@tthvo
Member Author

tthvo commented Oct 2, 2023

Ah ur right! How about this?

https://github.com/Nautilus-Cyberneering/pygithub/blob/main/docs/how_to_sign_automatic_commits_in_github_actions.md#solution-02-using-your-own-pgp-key-as-a-secret

Basically, we need to create a bot account (new GitHub account) with name Cryostat CI and the rhjavamonitoring@gmail.com. Then, add the public GPG key to that account.

@tthvo
Member Author

tthvo commented Oct 2, 2023

Otherwise, following above pattern, I think you can add the gpg public key to your github account and manually set git configurations in this submodule workflow to point to https://github.com/andrewazores.

The commit will show up as you, I believe.

@andrewazores
Member

I was thinking we might need a separate GitHub bot account for this, but I've been trying to avoid having to deal with that. It might just have to be though, if we do want those commits to show up as Verified.

If we're going to bother with signature verification I would rather it's a generic bot account rather than showing up as any particular one of our own accounts.

@tthvo
Member Author

tthvo commented Oct 4, 2023

Yehh sounds good! at least until actions/runner#667 is done, a new bot account is the way then.
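
The situation this thread works through, as an added example (not part of the conversation or of Cryostat's code): it models why a correctly signed CI commit still shows as unverified until a bot account holds the key and a verified copy of the committer email. The return values are the `reason` strings of the GitHub REST API commit `verification` object; the order of checks, the `accounts` structure, the key fingerprint and the sample inputs are assumptions constructed for illustration.

```python
import re

# Constructed sample of `gpg --list-keys --with-colons`; key id and fingerprint are placeholders.
SAMPLE_KEY = (
    "pub:u:4096:1:AAAABBBBCCCCDDDD:1696000000:::u:::scESC::::::23::0:\n"
    "fpr:::::::::00001111222233334444AAAABBBBCCCCDDDD5555:\n"
    "uid:u::::1696000000::0123456789ABCDEF0123456789ABCDEF01234567::"
    "Cryostat CI <rhjavamonitoring@gmail.com>::::::::::0:\n"
)
# Constructed sample of `git cat-file commit <sha>` output (gpgsig header omitted).
SAMPLE_COMMIT = (
    "tree 0000000000000000000000000000000000000000\n"
    "author Cryostat CI <rhjavamonitoring@gmail.com> 1696262400 +0000\n"
    "committer Cryostat CI <rhjavamonitoring@gmail.com> 1696262400 +0000\n"
    "\n"
    "constructed commit message\n"
)

def parse_key(colons):
    """Return (primary fingerprint, set of UID emails) from gpg colon output."""
    fpr, emails = None, set()
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "fpr" and fpr is None and len(f) > 9:
            fpr = f[9]                      # first fpr record belongs to the primary key
        elif f[0] == "uid" and len(f) > 9:
            m = re.search(r"<([^<>]+)>\s*$", f[9])   # field 10 is "Name <email>"
            if m:
                emails.add(m.group(1).lower())
    return fpr, emails

def committer_email(raw_commit):
    """Email from the committer header; headers end at the first blank line."""
    for line in raw_commit.splitlines():
        if not line:
            break
        m = re.match(r"committer .*<([^<>]*)> \d+ [+-]\d{4}$", line)
        if m:
            return m.group(1).lower()
    return None

def verification_reason(raw_commit, colons, accounts):
    """accounts: hypothetical list of {'verified_emails': set, 'key_fprs': set}."""
    fpr, uid_emails = parse_key(colons)
    email = committer_email(raw_commit)
    owner = next((a for a in accounts if fpr in a["key_fprs"]), None)
    if owner is None:
        return "unknown_key"        # key not registered with any account
    if email not in uid_emails:
        return "bad_email"          # committer email is not an identity on the key
    if email not in owner["verified_emails"]:
        return "unverified_email"   # the key's account has not verified that address
    return "valid"
```

With an empty `accounts` list (no bot account yet) the sample commit yields `unknown_key`, even though the committer identity matches the key's UID.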
