Feat: validate gpg releasers signatures #760
Draft
UlisesGascon wants to merge 3 commits into nodejs:main from
RafaelGSS (Member) reviewed on Dec 4, 2023 and left a comment:
Can we run it through a workflow monthly to guarantee we are pinging the ones without a proper signature?
Contributor
I wonder if this is still needed after nodejs/release-keys#36 and its follow-up PRs
Notes
This is currently under a draft version. The main objective is to collect early feedback before creating the final PR (proper linting, tests, etc...)
This is my first time making changes to NCU, so I might be using the API wrongly or breaking any expected convention, please let me know 👍
What is this feature about?
While working on nodejs/Release#966, @RafaelGSS suggested extending the NCU to review the signatures.
This PR introduces a new command, ncu-team check-gpg. This command will check the current releasers team members and the available information in the README.md and make some checks on the status of the individuals' keys and if the keys/releasers are properly listed on the README.md
Currently checks included
README.md
Potential additional checks
hkps://keys.openpgp.org as expected?
Current output
