Skip to content

release: verify commits through GitHub#20

Merged
juan-fernandez merged 1 commit into
mainfrom
juan-fernandez/verify-release-signature-via-github
Jul 16, 2026
Merged

release: verify commits through GitHub#20
juan-fernandez merged 1 commit into
mainfrom
juan-fernandez/verify-release-signature-via-github

Conversation

@juan-fernandez

Copy link
Copy Markdown
Collaborator

What does this PR do?

Verifies the release commit using GitHub's commit verification API instead of the maintainer's local GPG keyring.

Motivation

The squash merge commit from #19 is signed by GitHub and reported as verified on GitHub, but git verify-commit fails when the maintainer's local GPG keyring does not contain GitHub's web-flow public key. This blocked scripts/release-orb.sh --dry-run before the planned v2 release.

This matches the release verification approach introduced in DataDog/test-visibility-github-action#70.

Additional Notes

The release helper already requires an authenticated gh session for PR label discovery, so this does not introduce another tool or authentication requirement.

Possible Drawbacks / Trade-offs

Signature validation now trusts GitHub's verification result and requires the GitHub API to be available. This avoids machine-specific GPG keyring setup and is consistent with the equivalent GitHub Action release helper.

Describe how to test/QA your changes

bash -n scripts/release-orb.sh
git diff --check origin/main...HEAD
git verify-commit HEAD
scripts/release-orb.sh --dry-run

The dry run completes successfully and proposes v2.0.0 from PR #19 without creating or pushing a tag.

@juan-fernandez juan-fernandez added the semver-patch Requests a patch test-optimization-circleci-orb release after merge label Jul 16, 2026
@juan-fernandez juan-fernandez changed the title [WIP] release: verify commits through GitHub release: verify commits through GitHub Jul 16, 2026
@juan-fernandez juan-fernandez marked this pull request as ready for review July 16, 2026 09:57
@juan-fernandez juan-fernandez requested a review from a team as a code owner July 16, 2026 09:57

@datadog-prod-us1-6 datadog-prod-us1-6 Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Datadog Autotest: PASS

More details

The PR correctly replaces local GPG keyring verification with GitHub's API-based verification for release commits. The implementation properly handles all response cases (verified true/false/null), correctly rejects non-verified commits, and fails safely when the GitHub API is unavailable. No behavioral regressions detected — core security semantics remain unchanged while eliminating machine-specific GPG setup.

Was this helpful? React 👍 or 👎

📊 Validated against 12 scenarios · Open Bits AI session

🤖 Datadog Autotest · Commit c392ea0 · What is Autotest? · Any feedback? Reach out in #autotest

@juan-fernandez juan-fernandez merged commit d96ff7d into main Jul 16, 2026
7 checks passed
@juan-fernandez juan-fernandez deleted the juan-fernandez/verify-release-signature-via-github branch July 16, 2026 10:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

semver-patch Requests a patch test-optimization-circleci-orb release after merge

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants