Question 1

How to automatically sign Git commits in GitHub Actions?

Accepted Answer

Use ghaction-import-gpg with the git_commit_gpgsign input set to true. It imports the GPG key and configures Git to sign all commits, as shown in the README's sign commits example, ensuring verifiable automated changes.

Question 2

ghaction-import-gpg vs manual GPG setup in workflows

Accepted Answer

This action automates key import, agent caching, and Git configuration, reducing shell script boilerplate. Manual setup requires writing custom gpg and git commands, which can be error-prone and less maintainable across different platforms.

Question 3

Can I use a subkey for signing with this action?

Accepted Answer

Yes, specify the subkey fingerprint in the fingerprint input to use a signing-only subkey. This enhances security by limiting key capabilities, as explained in the subkey support section with a detailed example.

Question 4

How to clean up GPG keys after a workflow run?

Accepted Answer

The action includes built-in cleanup to purge keys and kill gpg-agent, but ensure you don't persist keys in runner caches. Use the cleanup features as described, and consider additional steps like secret rotation for best practices.

Question 5

What happens if the passphrase is wrong or missing?

Accepted Answer

The action may fail or not cache the agent properly, leading to signing errors. The README recommends storing the passphrase as a secret, but troubleshooting requires manual gpg checks or workflow debugging.

Question 6

Does this work with GitHub's new SSH commit signing?

Accepted Answer

No, ghaction-import-gpg is specifically for GPG signing. For SSH signing, you'd need alternative methods or actions, as GitHub supports both, but this tool doesn't integrate SSH key management.

Import a GPG Key

What is Import a GPG Key?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions