
setup-git-ssh-signing

Composite Forgejo/GitHub-compatible action for checking out the caller repository and configuring Git SSH commit/tag signing.

Commit signing is delegated to a host-side daemon. The job container receives a Unix socket; the private key stays on the runner host.

The action checks out the caller repository, installs Nix, and writes job-local global Git config for later commit and tag commands. The Git-facing wrapper is a small Python script in this action; the host-side signer daemon remains a Rust binary.

Action Usage

jobs:
  build:
    runs-on: signed-git
    steps:
      - uses: actions/setup-git-ssh-signing@v1
      - run: |
          git commit --allow-empty -m "Signed commit"
          git tag -s v0.1.0 -m "Signed tag"

Optional inputs:

- uses: actions/setup-git-ssh-signing@v1
  with:
    git-user-name: actions
    git-user-email: actions@y941s.com

The action currently uses a fixed signer socket path:

/run/git-ssh-signerd/sign.sock

It also configures user.signingkey as actions@y941s.com, so the signer daemon should use the same expected signing key.

Signer Daemon

Run git-ssh-signerd on the runner host and mount its socket into the job container at:

/run/git-ssh-signerd/sign.sock

Example daemon command:

GIT_SIGNER_SOCKET=/run/git-ssh-signerd/sign.sock \
GIT_SIGNER_KEY=/run/secrets/git-ssh-signing-key \
GIT_SIGNER_ALLOWED_COMMITTER_EMAIL=actions@y941s.com \
GIT_SIGNER_EXPECTED_SIGNING_KEY=actions@y941s.com \
git-ssh-signerd

See docs/git-ssh-signerd.md for the full daemon configuration reference.

For Docker-backed Forgejo runner labels, mount the socket as follows:

settings:
  container:
    options: --mount type=bind,src=/run/git-ssh-signerd/sign.sock,dst=/run/git-ssh-signerd/sign.sock
    valid_volumes:
      - /run/git-ssh-signerd/sign.sock
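
A preflight check for the setup described above, as an added example that is not part of this repository: it confirms that the mounted path is a live Unix socket and that the job's Git config matches the daemon's expected signing key. It assumes the daemon listens on a stream socket; the `gpg.format` check reflects what Git itself requires for SSH signatures, and the function names are hypothetical.

```python
import os
import socket
import stat
import subprocess

SOCKET_PATH = "/run/git-ssh-signerd/sign.sock"  # fixed path from this README
EXPECTED_KEY = "actions@y941s.com"              # user.signingkey from this README


def check_socket(path=SOCKET_PATH):
    """Return a list of problems with the mounted signer socket."""
    try:
        mode = os.stat(path).st_mode
    except OSError as exc:
        return [f"{path}: cannot stat ({exc})"]
    if not stat.S_ISSOCK(mode):
        # A wrong bind-mount source shows up as a regular file or directory.
        return [f"{path}: exists but is not a Unix socket"]
    # Assumption: the daemon listens on a stream socket. Connect only, send nothing.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(2)
        try:
            sock.connect(path)
        except OSError as exc:
            # A bind mount pins the old inode; if the daemon recreated its
            # socket after the container started, this fails with ECONNREFUSED.
            return [f"{path}: nothing accepting connections ({exc})"]
    return []


def check_git_config(cfg, expected_key=EXPECTED_KEY):
    """cfg maps Git config keys to values; return a list of mismatches."""
    problems = []
    if cfg.get("gpg.format") != "ssh":  # Git needs this for SSH signatures
        problems.append(f"gpg.format is {cfg.get('gpg.format')!r}, expected 'ssh'")
    if cfg.get("user.signingkey") != expected_key:
        problems.append(f"user.signingkey is {cfg.get('user.signingkey')!r}, expected {expected_key!r}")
    return problems


def read_git_config(keys=("gpg.format", "user.signingkey")):
    """Read the job's global Git config; unset keys map to None."""
    out = {}
    for key in keys:
        res = subprocess.run(["git", "config", "--global", "--get", key], capture_output=True, text=True)
        out[key] = res.stdout.strip() if res.returncode == 0 else None
    return out


if __name__ == "__main__":
    found = check_socket() + check_git_config(read_git_config())
    print("\n".join(found) or "signer socket and Git config look consistent")
    raise SystemExit(1 if found else 0)
```

Run it as a job step after the action and before the first signed commit; a non-zero exit means a later `git commit` or `git tag -s` would fail at signing time.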