IMPORTANT: github.com/ansible now requires signed commits

Overview

From Monday 16th March we will be requiring Git signed commits for all repos under github.com/ansible/.

Red Hat is continually looking at improving the supply chain, so expect further improvements as Ansible adopts more of the Cyber Resilience Act (CRA). Updates will be shared in the Ansible Forum under the infra-and-security tag.

FAQ

How do I setup Git Signed Commits?

You can use either GPG or your existing SSH key to sign commits. At a high level:

  1. Instruct git to sign commits (you can use GPG or your existing SSH key)
  2. Add your signing key to GitHub
  3. Ensure your GitHub Settings lists your “Signing keys”

How do I update an existing open PR?

Note that all commits must be signed, not just the most recent commit in a branch.

To sign all commits in your feature branch, which was created from devel:

git rebase --exec 'git commit --amend --no-edit -S' -i devel
git push -f origin my-feature-branch1

Or, if the default branch is main, use:

git rebase --exec 'git commit --amend --no-edit -S' -i main
git push -f origin my-feature-branch1

What about the other GitHub organisations, such as ansible-collections and ansible-community?

We will roll this improvement out to the other Ansible related GitHub organizations soon, so please make the time to set up signed commits now to avoid needing to rebase existing PRs in the future.

What other improvements are likely?

The Cyber Resilience Act (CRA) is giving us a chance to review our existing processes. Expect improvements to:

  • GitHub Rulesets to protect branches and require PR reviews
  • Improved documentation, such as SECURITY.md
  • etc.

Updates will be posted under the infra-and-security tag.
