setup-git-ssh-signing
Composite Forgejo/GitHub-compatible action for checking out the caller repository and configuring Git SSH commit/tag signing.
Commit signing is delegated to a host-side daemon. The job container receives a Unix socket; the private key stays on the runner host.
The action checks out the caller repository, installs Nix, and writes job-local global Git config for later commit and tag commands. The Git-facing wrapper is a small Python script in this action; the host-side signer daemon remains a Rust binary.
Action Usage
jobs:
  build:
    runs-on: signed-git
    steps:
      - uses: actions/setup-git-ssh-signing@v1
      - run: |
          git commit --allow-empty -m "Signed commit"
          git tag -s v0.1.0 -m "Signed tag"
Optional inputs:
- uses: actions/setup-git-ssh-signing@v1
  with:
    git-user-name: actions
    git-user-email: actions@y941s.com
The action currently uses a fixed signer socket path:
/run/git-ssh-signerd/sign.sock
It also configures user.signingkey as actions@y941s.com, so the signer
daemon should use the same expected signing key.
Signer Daemon
Run git-ssh-signerd on the runner host and mount its socket into the job
container at:
/run/git-ssh-signerd/sign.sock
Example daemon command:
GIT_SIGNER_SOCKET=/run/git-ssh-signerd/sign.sock \
GIT_SIGNER_KEY=/run/secrets/git-ssh-signing-key \
GIT_SIGNER_ALLOWED_COMMITTER_EMAIL=actions@y941s.com \
GIT_SIGNER_EXPECTED_SIGNING_KEY=actions@y941s.com \
git-ssh-signerd
See docs/git-ssh-signerd.md for the full daemon configuration reference.
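The daemon command above sets GIT_SIGNER_ALLOWED_COMMITTER_EMAIL. The following is an added example, not code from git-ssh-signerd, of one way a host-side signer could enforce such a restriction before touching the key. It assumes the signer receives the raw commit or tag object that Git wants signed; the function names `identity_email` and `may_sign` are hypothetical.

```rust
// Added example: a hypothetical policy check, not code from git-ssh-signerd.
// Assumption: the signer receives the raw commit or tag object Git wants signed.

/// Extracts the email from the `committer` (commit) or `tagger` (tag) header.
fn identity_email(payload: &str) -> Result<&str, &'static str> {
    // Headers end at the first blank line. The message after it is free-form
    // text chosen by the job, so it is never searched.
    let headers = payload.split("\n\n").next().unwrap_or("");
    let mut found = None;
    for line in headers.lines() {
        let rest = match line
            .strip_prefix("committer ")
            .or_else(|| line.strip_prefix("tagger "))
        {
            Some(rest) => rest,
            None => continue,
        };
        if found.is_some() {
            return Err("duplicate identity header");
        }
        // Expected form: Name <email> <unix-time> <tz>. Anything with extra
        // angle brackets is rejected rather than guessed at.
        if rest.matches('<').count() != 1 || rest.matches('>').count() != 1 {
            return Err("ambiguous identity");
        }
        let (open, close) = (rest.find('<').unwrap(), rest.find('>').unwrap());
        if close < open {
            return Err("malformed identity");
        }
        found = Some(&rest[open + 1..close]);
    }
    found.ok_or("no committer or tagger header")
}

/// Signing is allowed only when the header email equals the configured one.
fn may_sign(payload: &str, allowed_email: &str) -> bool {
    matches!(identity_email(payload), Ok(email) if email == allowed_email)
}

fn main() {
    // Constructed sample payloads, not captured from a real runner.
    let ok = "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\nauthor dev <dev@example.org> 1700000000 +0000\ncommitter actions <actions@y941s.com> 1700000000 +0000\n\nSigned commit\n";
    let spoofed = "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\nauthor dev <dev@example.org> 1700000000 +0000\ncommitter dev <dev@example.org> 1700000000 +0000\n\ncommitter actions <actions@y941s.com> 1700000000 +0000\n";
    println!("{} {}", may_sign(ok, "actions@y941s.com"), may_sign(spoofed, "actions@y941s.com"));
}
```

The second sample places a committer-looking line in the commit message; because only the header block is parsed, it does not satisfy the check.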
For Docker-backed Forgejo runner labels, mount the socket as follows:
settings:
  container:
    options: --mount type=bind,src=/run/git-ssh-signerd/sign.sock,dst=/run/git-ssh-signerd/sign.sock
    valid_volumes:
      - /run/git-ssh-signerd/sign.sock