Proposal: a .github/authorized_keys file to verify commits

[NatoBoram]

Select Topic Area

Product Feedback

Body

Say I want to change the version number in a GitHub Workflow, similar to this:

    steps:
      - uses: actions/checkout@v4
        with:
          ssh-key: '${{ secrets.SIGNING_KEY_PRIVATE }}'
      - uses: pnpm/action-setup@v2
        with:
          version: latest
      - name: Configure Git, patch, release and push
        run: |
          git config user.name 'github-actions[bot]'
          git config user.email '41898282+github-actions[bot]@users.noreply.github.com'

          git config commit.gpgsign true
          git config gpg.format ssh
          git config user.signingkey 'key::${{ vars.SIGNING_KEY_PUBLIC }}'

          eval `ssh-agent -s`
          ssh-add - <<< '${{ secrets.SIGNING_KEY_PRIVATE }}'

          VERSION=$(pnpm version patch --no-git-tag-version)

          git commit --all --message "🔖 $VERSION"
          git tag $VERSION
          git push
          git push --tags

There's not really a good way to attribute this commit to an imaginary "GitHub Workflow" user. In any case, I'm using github-actions[bot] to be able to see its little profile picture in the list of commits and I'm signing this commit to be able to verify it later.

This works wonderfully, except that the signature doesn't actually belong to that account.

What if there was a way for repositories to mark these commits as verified? For example, GitHub signs commits I make with GitHub's signature, not mine, so there's already some switcheroo going on behind the scenes.

Proposal: .github/authorized_keys file.

Similar to CODEOWNERS, a file that would allow specifying that some commits can be signed by a specific signature.

41898282+github-actions[bot]@users.noreply.github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMkNA810FaHR9kOJmJthn1XAAqydaOQIwvJ2KfTWD2ti @natoboram/leanish

This file should be compatible with Git's ways of verifying signatures with this kind of files (AUTHORIZED_KEYS_FILE_FORMAT). Here's some docs on the subject:

• https://docs.gitlab.com/ee/user/project/repository/signed_commits/ssh.html#verify-commits-locally
• https://git-scm.com/docs/git-config#Documentation/git-config.txt-gpgsshallowedSignersFile
• https://man.openbsd.org/ssh-keygen.1#ALLOWED_SIGNERS
• https://man.openbsd.org/sshd.8#AUTHORIZED_KEYS_FILE_FORMAT