GitHub Action
Verified commits check
A GitHub Action to check commits pushed to a repository to ensure they are verified (aka signed).
Copy the text below into a file in your repository called .github/workflows/verified_commits_check.yml, then just commit and push it!
# .github/workflows/verified_commits_check.yml
name: Run verified commits check
on: push
jobs:
  verified_commit_check:
    name: Check for unverified commits
    runs-on: ubuntu-latest
    steps:
      - uses: nadock/verified_commits_check@v1
You can see this example in action in this repository here.
What are verified commits?
Verified commits are commits that have been GPG signed by their author, ensuring they truly do come from a trusted source. GitHub has more details in their documentation here, including how to set up commit signing if you haven't already.
When your commits are verified, you should see the "Verified" badge on your commits like this:
Why not just use the branch protection rule?
GitHub provides a branch protection rule to prevent unverified commits from being merged into protected branches. However, you usually get little or no warning that you've mistakenly pushed unsigned commits until you try to merge your PR. This action will warn you whenever you push unverified commits, allowing you to notice and fix the issue sooner.
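If you want the same warning before the push even leaves your machine, the check can be run locally as a pre-push step. The script below is an added example, not the action's own code: it classifies commits by the signature status letter `git log --format=%G?` reports, and the `check_range` wrapper and the `origin/main..HEAD` default range are assumptions for illustration. Note that a locally good signature is not the same as GitHub's "Verified" badge, which additionally requires the signing key to be registered on the author's GitHub account.

```shell
#!/usr/bin/env sh
# Local pre-push check (example code, not part of the action): list commits
# in a range whose GPG signature would not count as verified.
#
# `git log --format=%G?` prints one letter per commit:
#   G good signature, U good signature from an untrusted key,
#   B bad signature, X/Y expired signature or key, R revoked key,
#   E signature cannot be checked (missing key), N no signature.
# Only G and U are accepted here; everything else is reported.

# Read "<hash> <G?-letter> <subject>" lines on stdin, print the rejected ones.
classify_signatures() {
  while IFS=' ' read -r hash status subject; do
    case "$status" in
      G|U) ;;                                   # signed with a known key: accept
      N)   printf '%s unsigned: %s\n' "$hash" "$subject" ;;
      *)   printf '%s bad-signature(%s): %s\n' "$hash" "$status" "$subject" ;;
    esac
  done
}

# Check every commit in a range (default: commits not yet on origin/main).
# Returns 0 when all commits are accepted, 1 when any commit is rejected.
check_range() {
  range="${1:-origin/main..HEAD}"
  rejected=$(git log --format='%H %G? %s' "$range" | classify_signatures)
  if [ -n "$rejected" ]; then
    printf 'Unverified commits found:\n%s\n' "$rejected" >&2
    return 1
  fi
  return 0
}
```

Calling `check_range` from `.git/hooks/pre-push` makes an unsigned commit fail the push locally, ahead of the action's warning.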
I wish it sent messages to X...
Okay, technically not a question, but if you want to add support for sending a message to some other service when unverified commits are detected (other than GitHub's default email for a failed action), I welcome pull requests to add support. Please check the CONTRIBUTING.md file for more details.