jarrodldavis / probot-gpg Goto Github PK

Update README with guidance for users with email privacy enabled on their GitHub accounts.

saltstack/salt#43747 (comment)

Response from GitHub.

The commit will only show as verified on GitHub if the address used to commit it matches the address in the key

Sounds like can use users.noreply.github.com in the PGP Signature. Just need to make sure git is configured with users.noreply.github.com and github is configured to have your email address private.

Version 0.7.3 of probot just got published.

This version is covered by your current version range and after updating it in your project the build failed.

probot is a direct dependency of this project this is very likely breaking your project right now. If other packages depend on you it’s very likely also breaking them.
I recommend you give this issue a very high priority. I’m sure you can resolve this 💪

Your Greenkeeper Bot 🌴

Hey @jarrodldavis, I'd love to get this app listed on the probot website! Do you have an instance of it deployed anywhere? It's pretty easy to deploy Probot apps on several different free services.

Are you interested in getting it listed? Here are the docs for adding it.

Breaking part of out #45 into a separate issue.

There should also be some way for repo admins to view detailed reasons about why a certain status was applied to a particular commit.

Signing all commits isn't necessary and arguably problematic. Any thoughts on only requiring the last commit to be signed?

More Info: https://josh.blog/2016/11/gpg-git

Version 4.1.6 of sinon was just published.

This version is covered by your current version range and after updating it in your project the build failed.

sinon is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

If a temporarily orphaned tag is pushed for a branch that has Branch Protection enabled, it would be nice to have probot-gpg kick in and validate that commit (and perhaps also the tag itself) so that the branch can be updated with the tagged commit once other status checks (such as CI) are successful.

We're changing some of the terminology in Probot in probot/probot#210. If you add the probot-app topic to this repository, it will show up in the list of probot apps.

Thanks for using Probot, and let us know if you have any feedback!

Looks like the main Probot repos have moved from xo to standard, and I think probot-gpg should do the same.

Version 2.3.5 of assertive was just published.

This version is covered by your current version range and after updating it in your project the build failed.

assertive is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

For repository owners that want stricter control of GPG verification keys, allow them to configure a whitelist of approved GPG keys. Also consider ways of streamlining the whitelisting process such as email-based approval.

Resources:

• https://developer.github.com/v3/users/gpg_keys/#list-gpg-keys-for-a-user
• https://developer.github.com/v3/repos/commits/#get-a-single-commit
• https://developer.github.com/v3/git/commits/#commit-signature-verification

The app should log various details about what it's doing and what data it has encountered.

Consider adding a post-install setup page that can automatically add the required status check for the GPG status context used by probot-gpg.

First of all, thanks for building this GPG check for verified commits. This is going to be helpful for our team! ❤️

We've enabled the GPG Probot on the salt repo and have realized that the GPG check errors when merge commits are created from the GitHub web interface.

As an example, we have Require branches to be up to date before merging option enabled on our branches, which allows us to use the Update Branch option. The problem is that when you use this button to keep the PR up to date with the HEAD of the base branch, the merge commit can't be verified.

Here's an example PR: saltstack/salt#43707

We can't simultaneously keep the PR's branch up to date AND have all of the commits be in compliance with the GPG check.

Would it be possible to add some kind of flag to ignore merge commits from the web UI for the GPG check?

I am not sure why, but occasionally I see the GPG check fail, even though all of the individual commits are verified.

Here are some examples:

• saltstack/salt#44253
• saltstack/salt#44259
• saltstack/salt#43379

At first I thought it might have something to do with the shear number of commits in a PR because I thought i was seeing them fail only on PRs with many commits. However, that doesn't appear to be the case since I found a PR today that only had 2 commits in it.

Probot's authors have made it easier to write tests for plugins, so probot-gpg should update applicable tests to match. Here's an example of updated tests in the official autoresponder plugin.

Additionally, more cases (where some or all commits aren't verified) need to be tested in the full integration suite.

Furthermore, now that more options are being added to the app, the tests are getting annoyingly repetitive. A data-driven approach should be take to generate test cases instead of duplicating test code.

It appears that the expect library has been "donated" to Facebook's Jest team, which contains a potentially problematic license. Instead of upgrading to Jest, a new spy library needs to be found to replace expect@1.