Merge #234: ci: check commits are GPG signed

5fc139b ci: add workflow to check signed commits (Byron Hambly)

Pull request description:

  Adds a new workflow to check that commits are GPG signed as required for merging


ACKs for top commit:
  apoelstra:
    ACK 5fc139b; successfully ran local tests


Tree-SHA512: 8ec3bef11f55db7d2937430092f9127506b371fccce73d6e6570d7e3ed3454b85fd550ac83514580b54c1382a81f6aff19bfc8229292775a8304bb83f9b40c60

Author: apoelstra

.github/workflows/signed-commits.yml

@@ -0,0 +1,35 @@
+on:   # yamllint disable-line rule:truthy
+  pull_request:
+
+name: Verify signed commits
+
+jobs:
+  Check-Signatures:
+    name: Check GPG signatures
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout repo"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: "Verify all PR commits are signed"
+        run: |
+          set -euo pipefail
+          base="${{ github.event.pull_request.base.sha }}"
+          head="${{ github.event.pull_request.head.sha }}"
+          unsigned=""
+          for sha in $(git rev-list "$base".."$head"); do
+            sig=$(git log --format='%G?' -1 "$sha")
+            if [ "$sig" != "G" ] && [ "$sig" != "U" ] && [ "$sig" != "E" ]; then
+              unsigned="$unsigned $sha"
+              echo "::error::Commit $sha is not GPG signed (signature status: $sig)"
+            fi
+          done
+          if [ -n "$unsigned" ]; then
+            echo ""
+            echo "The following commits are not signed:$unsigned"
+            echo "Please sign your commits with a GPG key."
+            exit 1
+          fi
+          echo "All commits are GPG signed."