Context

`supply-chain-promote-core.yml`'s `update-lock` job commits the approved-lock
entry using an unsigned `github-actions[bot]` identity on a per-run branch. This
is currently safe because the branch is unprotected and the eventual squash-merge
into `main` is web-flow-signed by GitHub, satisfying main's `required_signatures`
rule.

This was explicitly deferred in #238 (which replaced the prior direct-push design
with the current branch+PR+auto-merge flow) and again noted as still-deferred in
the job's own header comment.

Follow-up

GPG-sign (or otherwise cryptographically sign) the bot commit itself, so the
signature guarantee does not depend entirely on squash-merge remaining the only
configured merge method for `main`. If branch protection ever also allowed
merge-commit or rebase merges, or a human manually merged via a different method,
the current signature guarantee would not automatically hold.

Scope

- `.github/workflows/supply-chain-promote-core.yml`, `update-lock` job

Tracked separately per pr-review's Suggested-tier finding on #238 (missing tracking
reference for this deferred work).
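As an added example (not the project's workflow, and not code from #238), the Follow-up above in concrete form: an `update-lock` job that imports a signing key into an ephemeral keyring, configures git to sign, commits the lock entry, and fails the job unless `HEAD` actually carries a valid signature before the branch is pushed. Assumed, not from this repo: the secret name `BOT_GPG_PRIVATE_KEY` (an ASCII-armoured, passphrase-less key belonging to a dedicated machine user), the repository variables `BOT_NAME` / `BOT_EMAIL`, the branch-name pattern, the lock file path, and the `gh` commands standing in for the existing branch+PR+auto-merge steps.

```yaml
# Added example, not the project's own workflow. Hypothetical names:
# secrets.BOT_GPG_PRIVATE_KEY, vars.BOT_NAME, vars.BOT_EMAIL, the branch
# pattern and the lock file path below.
jobs:
  update-lock:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    env:
      BRANCH: promote-core/lock-${{ github.run_id }}   # per-run branch, name is illustrative
    steps:
      - uses: actions/checkout@v4

      - name: Import signing key and configure git to sign every commit
        env:
          GPG_PRIVATE_KEY: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
          BOT_NAME: ${{ vars.BOT_NAME }}
          BOT_EMAIL: ${{ vars.BOT_EMAIL }}
        run: |
          set -euo pipefail
          # Ephemeral keyring: nothing from the runner's default GNUPGHOME is
          # used, and the imported key goes away with the workspace.
          export GNUPGHOME="$(mktemp -d)"
          echo "GNUPGHOME=$GNUPGHOME" >> "$GITHUB_ENV"
          printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --import
          # Long key id of the first secret key (field 5 of the 'sec' record).
          KEYID="$(gpg --batch --list-secret-keys --with-colons | awk -F: '$1=="sec"{print $5; exit}')"
          git config user.name  "$BOT_NAME"
          git config user.email "$BOT_EMAIL"
          git config user.signingkey "$KEYID"
          git config commit.gpgsign true

      - name: Commit the approved-lock entry on the per-run branch
        run: |
          set -euo pipefail
          git switch -c "$BRANCH"
          # (the job's existing step that writes the approved-lock entry goes here)
          git add supply-chain/approved-lock.json   # placeholder path
          # -S is redundant with commit.gpgsign=true; it makes the intent explicit.
          git commit -S -m "chore(supply-chain): promote core lock entry"

      - name: Fail unless HEAD carries a valid signature
        run: |
          set -euo pipefail
          # %G? prints G (good), U (good, key trust unknown: the normal result in
          # a fresh keyring), B (bad), N (none), E (cannot check), X/Y/R (expired
          # signature, expired key, revoked key).
          status="$(git log -1 --format=%G? HEAD)"
          case "$status" in
            G|U) git log -1 --format='signed with key %GK by %GS' HEAD ;;
            *)   echo "::error::update-lock commit is not validly signed (status=$status)"; exit 1 ;;
          esac
          git verify-commit HEAD

      - name: Push branch and open the PR (stands in for the existing flow)
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          git push --set-upstream origin "$BRANCH"
          gh pr create --base main --head "$BRANCH" --fill
          gh pr merge --squash --auto "$BRANCH"
```

Two points a reviewer of this change would check. First, GitHub only shows a signature as verified, and `required_signatures` only counts it, when the public key is attached to a GitHub account whose verified email matches the commit's email; no key can be attached to `github-actions[bot]`, so signing the commit implies moving the author/committer identity to a dedicated machine user, which is why the example reads the identity from variables instead of hard-coding the bot. Second, the verification step runs before the push and before any merge, so the guarantee no longer rests on which merge method happens to be configured on `main`; a commit that fails the check never reaches the PR at all.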