
Conversation

Contributor

Copilot AI commented Dec 12, 2025

Purpose

Extend GitHub Action to support GPG signing for commits and tags as an alternative to SSH signing. Enforce mutual exclusivity between signing methods.

Rationale

Users need GPG signing capability for organizational compliance or personal preference. GPG and SSH signing configurations conflict at the git level—enabling both creates ambiguous signing behavior. Solution enforces exclusive use of one method with clear error messaging.

Implementation approach:

  • Early validation - Check for conflicting keys before any git configuration
  • Machine-readable parsing - Use gpg --with-colons format to avoid fragile output parsing
  • Non-interactive operation - Configure loopback pinentry and batch mode for Docker environment
  • Optional passphrase support - Handle both encrypted and unencrypted keys via gpg-agent preset

How did you test?

Validation logic:

  • Created test suite with 3 mutual exclusivity scenarios (both SSH keys + GPG, SSH public + GPG, SSH private + GPG)
  • Verified error messages appear correctly for each conflict case
  • Validated bash syntax and POSIX compliance of shell scripts
  • Fixed test runner issue where helper function was being detected as a test case (renamed test_mutual_exclusivity to verify_mutual_exclusivity)

GPG implementation:

  • Confirmed machine-readable GPG output parsing handles both uppercase and lowercase hex
  • Verified key ID extraction and validation regex patterns
  • Ensured proper error handling when GPG operations fail

Edge cases covered:

  • Missing keygrip extraction (falls back to loopback pinentry only)
  • Malformed key IDs (warning issued but continues)
  • Missing gpg-preset-passphrase utility (graceful degradation)
  • Helper function naming collision with test runner pattern matching

How to Verify

Test mutual exclusivity:

- uses: python-semantic-release/python-semantic-release@branch
  with:
    github_token: ${{ secrets.GITHUB_TOKEN }}
    ssh_public_signing_key: ${{ secrets.SSH_PUBLIC }}
    gpg_private_signing_key: ${{ secrets.GPG_PRIVATE }}  # Should fail

Test GPG signing:

- uses: python-semantic-release/python-semantic-release@branch
  with:
    github_token: ${{ secrets.GITHUB_TOKEN }}
    git_committer_name: "Release Bot"
    git_committer_email: "bot@example.com"
    gpg_private_signing_key: ${{ secrets.GPG_PRIVATE }}
    gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }}  # Optional

Verify signed commit: git verify-commit HEAD and git verify-tag v1.0.0


PR Completion Checklist

  • Reviewed & followed the Contributor Guidelines

  • Changes Implemented & Validation pipeline succeeds

  • Commits follow the Conventional Commits standard
    and are separated into the proper commit type and scope (recommended order: test, build, feat/fix, docs)

  • Appropriate Unit tests added/updated

  • Appropriate End-to-End tests added/updated

  • Appropriate Documentation added/updated and syntax validated for sphinx build (see Contributor Guidelines)

Original prompt

Can you extend the GitHub action configuration, implementation, and documentation to support a GPG signing key process for tags and commits as opposed to only SSH process. Either SSH action parameters are set or the GPG ones are set. Throw an error if they both are set.


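The steps the description lists (early rejection of conflicting inputs, machine-readable `gpg --with-colons` parsing, case-insensitive key ID validation, non-interactive loopback configuration, and the fallbacks for a missing keygrip or a missing gpg-preset-passphrase helper), shown as an added plain-sh example. This is not python-semantic-release's action.sh and is not part of this PR. gpg itself is never run: the colon-separated listing is constructed to match the layout of `gpg --with-colons --with-keygrip --list-secret-keys`, the function and input names are assumptions, and the `/usr/lib/gnupg` helper path is only where Debian-based images usually put it.

```shell
#!/bin/sh
# Added example (not python-semantic-release's action.sh): the checks the PR
# description lists, written as plain sh. gpg is never invoked; the listing
# below is constructed to match the --with-colons --with-keygrip layout.
set -eu

# Constructed output of: gpg --batch --with-colons --with-keygrip --list-secret-keys
# Field 1 is the record type, field 5 of "sec" is the long key ID, field 10 of
# "fpr"/"grp" is the fingerprint/keygrip. The lowercase subkey hex is deliberate.
SAMPLE_COLONS='sec:u:4096:1:0123456789ABCDEF:1700000000:::u:::scESC:::+:::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
grp:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:u::::1700000000::0000000000000000000000000000000000000000::Release Bot <bot@example.com>::::::::::0:
ssb:u:4096:1:fedcba9876543210:1700000000::::::e:::+:::23:
fpr:::::::::0123456789abcdef0123456789abcdef01234567:
grp:::::::::1111111111111111111111111111111111111111:'

# Early validation: either the SSH key pair or the GPG key, never both.
# Arguments mirror the action inputs ssh_public_signing_key,
# ssh_private_signing_key and gpg_private_signing_key (assumed order).
check_signing_inputs() {
  local ssh_public="${1:-}" ssh_private="${2:-}" gpg_private="${3:-}"
  if [ -n "$gpg_private" ] && { [ -n "$ssh_public" ] || [ -n "$ssh_private" ]; }; then
    echo "error: ssh_*_signing_key and gpg_private_signing_key are mutually exclusive; configure one signing method only" >&2
    return 1
  fi
  return 0
}

# Long key ID of the primary secret key: field 5 of the first "sec" record.
primary_key_id() {
  printf '%s\n' "$1" | awk -F: '$1 == "sec" { print $5; exit }'
}

# Keygrip of the primary key: field 10 of the first "grp" record after "sec",
# stopping at the first subkey so a subkey keygrip is never picked by mistake.
# Prints nothing if gpg emitted no "grp" record (older builds, no --with-keygrip).
primary_keygrip() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "sec" { in_primary = 1; next }
    $1 == "ssb" { in_primary = 0 }
    in_primary && $1 == "grp" { print $10; exit }'
}

# A long key ID is exactly 16 hex digits; gpg may print either case.
valid_key_id() {
  printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{16}$'
}

# Choose how the passphrase reaches gpg-agent. Presetting it needs both the
# keygrip and the gpg-preset-passphrase helper (probed at $2, normally not on
# PATH); without either, fall back to loopback pinentry alone.
passphrase_mode() {
  local keygrip="${1:-}" preset_bin="${2:-}"
  if [ -n "$keygrip" ] && [ -x "$preset_bin" ]; then
    echo preset
  else
    echo loopback
  fi
}

# Write the non-interactive gpg configuration into a GNUPGHOME directory ($1)
# and print the path of the gpg.conf it produced.
write_noninteractive_config() {
  local home="$1"
  mkdir -p "$home"
  chmod 700 "$home"
  printf 'batch\npinentry-mode loopback\n' > "$home/gpg.conf"
  printf 'allow-loopback-pinentry\nallow-preset-passphrase\n' > "$home/gpg-agent.conf"
  echo "$home/gpg.conf"
}

# Walk the constructed sample end to end.
key_id=$(primary_key_id "$SAMPLE_COLONS")
keygrip=$(primary_keygrip "$SAMPLE_COLONS")
if valid_key_id "$key_id"; then
  echo "signing key: $key_id keygrip: ${keygrip:-<none>}"
else
  # Malformed ID: warn but keep going, as the PR's edge-case list describes.
  echo "warning: unexpected key ID format: $key_id" >&2
fi
echo "passphrase handling: $(passphrase_mode "$keygrip" /usr/lib/gnupg/gpg-preset-passphrase)"
check_signing_inputs "ssh-pub" "" "gpg-key" || echo "conflict rejected as expected"
```

Reading the listing with `awk -F:` keys off record type and field position, so a change in key size, algorithm or user ID text cannot break extraction the way a regex over `gpg --list-keys` output would. The exclusivity check runs before anything is written to the git config, so a misconfigured workflow fails without leaving a half-configured signing setup behind.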

Copilot AI changed the title from "[WIP] Extend GitHub action to support GPG signing for tags and commits" to "feat(gh-action): add GPG signing support with SSH/GPG mutual exclusivity" Dec 12, 2025
Copilot AI requested a review from codejedi365 December 12, 2025 08:24
@codejedi365 codejedi365 marked this pull request as ready for review December 14, 2025 05:49
Add support for GPG signing in GitHub Action with the following changes:
- Add gpg_private_signing_key and gpg_passphrase inputs to action.yml
- Implement GPG signing configuration in action.sh
- Add validation to prevent both SSH and GPG keys from being set
- Install gnupg package in Dockerfile for GPG support
- Document new GPG signing inputs and usage examples
- Add test case for mutual exclusivity validation

NOTICE: This release adds the ability to sign semantic-release commits and tags
with a GPG key instead of an SSH key pair. The two configurations are not
compatible with each other so you can either have GPG configured or SSH configured,
NOT BOTH! The GitHub Action will fail at runtime if you attempt to provide both
sets of options.
@codejedi365 codejedi365 force-pushed the copilot/extend-github-action-gpg-support branch from e7e18b7 to 726cf74 December 14, 2025 21:47
@codejedi365
Contributor

@copilot, looks like the pipeline is failing the tests can you take a look and create a solution?

The test_mutual_exclusivity helper function was being detected as a test
by the test runner's pattern matching (grep "^test_"), causing it to be
executed with insufficient parameters and failing with "Test name not provided".

Renamed to verify_mutual_exclusivity to exclude it from automatic test
discovery while maintaining clear naming convention for helper functions.

Co-authored-by: codejedi365 <17354856+codejedi365@users.noreply.github.com>
Contributor Author

Copilot AI commented Dec 14, 2025

@copilot, looks like the pipeline is failing the tests can you take a look and create a solution?

Fixed in commit 444ca49. The issue was that the helper function test_mutual_exclusivity was being detected as a test function by the test runner's pattern matching (grep "^test_"), causing it to run with insufficient parameters. Renamed to verify_mutual_exclusivity to exclude it from automatic test discovery.
