Document how to get compliant updates

This commit is contained in:
Judson Lester 2022-10-28 17:29:10 -07:00
parent 1ee5a6cee5
commit 8e2a4ea6d8
No known key found for this signature in database
GPG Key ID: 12E21E4B9A3F82AA
1 changed files with 39 additions and 1 deletions

View File

@ -167,6 +167,44 @@ jobs:
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }} token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
``` ```
### Authenticating via a Github App
A Github App can both produce verified commits _and_ create pull requests that will trigger further Github Actions.
Create a stub Github App in your organization. Disable webhooks, add Content write and Pull Request write permissions, and make it available only within your organization. Install the App in the Organization (possibly restricting only to relevant repos). Copy the App secret into an Actions secret, along with the App ID.
Set up your workflow like this:
```yaml
name: update-flake-lock
on:
workflow_dispatch: # allows manual triggering
schedule:
- cron: '0 0 * * 1,4' # Run twice a week
jobs:
lockfile:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Install Nix
uses: cachix/install-nix-action@v17
- name: Get Updater Token
uses: tibdex/github-app-token@v1
id: generate-token
with:
app_id: ${{ secrets.UPDATE_APP_ID}}
private_key: ${{secrets.UPDATE_APP_KEY}}
- name: Update flake.lock
uses: DeterminateSystems/update-flake-lock@vX
with:
token: ${{ steps.generate-token.outputs.token }}
commit-with-token: true
```
```
## With GPG commit signing ## With GPG commit signing
It's possible for the bot to produce GPG signed commits. Associating a GPG public key to a github user account is not required but it is necessary if you want the signed commits to appear as verified in Github. This can be a compliance requirement in some cases. It's possible for the bot to produce GPG signed commits. Associating a GPG public key to a github user account is not required but it is necessary if you want the signed commits to appear as verified in Github. This can be a compliance requirement in some cases.