
supply-chain-promote-core: sign the update-lock bot commit (deferred from #238) #239

Description

@williaby

Context

`supply-chain-promote-core.yml`'s `update-lock` job commits the approved-lock
entry using an unsigned `github-actions[bot]` identity on a per-run branch. This
is currently safe because the branch is unprotected and the eventual squash-merge
into `main` is web-flow-signed by GitHub, satisfying main's `required_signatures`
rule.

This was explicitly deferred in #238 (which replaced the prior direct-push design
with the current branch+PR+auto-merge flow) and again noted as still-deferred in
the job's own header comment.

Follow-up

GPG-sign (or otherwise cryptographically sign) the bot commit itself, so the
signature guarantee does not depend entirely on squash-merge remaining the only
configured merge method for `main`. If branch protection ever also allowed
merge-commit or rebase merges, or a human manually merged via a different method,
the current signature guarantee would not automatically hold.
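As an added illustration of what the follow-up asks for (this is example YAML written here, not the repository's actual `supply-chain-promote-core.yml`), the sketch below shows the `update-lock` job importing a bot GPG key, signing its commit, and refusing to continue unless the commit verifies against that key. The secret names, the bot identity, and the lock file path are placeholders, and the key is assumed to be an ASCII-armoured private key with no passphrase.

```yaml
# Added example for the update-lock job; not the project's current workflow.
# Assumed placeholder secrets:
#   BOT_GPG_PRIVATE_KEY  ASCII-armoured private key, no passphrase
#   BOT_GPG_KEY_ID       16-hex long key ID of that key
update-lock:
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4

    - name: Import bot signing key and enable commit signing
      env:
        GPG_KEY: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
        KEY_ID: ${{ secrets.BOT_GPG_KEY_ID }}
      run: |
        # The keyring lives only on this ephemeral runner.
        printf '%s\n' "$GPG_KEY" | gpg --batch --import
        git config user.name  "lock-bot"                     # placeholder identity
        git config user.email "lock-bot@example.invalid"     # placeholder identity
        git config user.signingkey "$KEY_ID"
        git config commit.gpgsign true   # every commit made in this job is signed

    - name: Commit the approved-lock entry on a per-run branch
      run: |
        git checkout -b "update-lock/${GITHUB_RUN_ID}"
        git add approved-lock.json        # placeholder for the real lock file
        git commit -S -m "chore: promote approved lock entry"

    - name: Fail unless the commit is signed by the expected key
      env:
        KEY_ID: ${{ secrets.BOT_GPG_KEY_ID }}
      run: |
        # %G? is G (good) or U (good, key validity unknown on a fresh keyring);
        # %GK is the key ID that produced the signature.
        read -r status signer <<EOF
        $(git log -1 --format='%G? %GK' HEAD)
        EOF
        case "$status" in
          G|U) ;;
          *) echo "commit signature status '$status' is not acceptable" >&2; exit 1 ;;
        esac
        if [ "$signer" != "$KEY_ID" ]; then
          echo "commit signed by $signer, expected $KEY_ID" >&2
          exit 1
        fi
        git verify-commit HEAD
```

GitHub shows the commit as Verified only when the public half of the key is registered on an account whose email matches the committer identity, so the bot identity and the key need to be set up together, not just the workflow.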

Scope

  • `.github/workflows/supply-chain-promote-core.yml`, `update-lock` job

Tracked separately per pr-review's Suggested-tier finding on #238 (missing tracking
reference for this deferred work).
