It is possible to configure the TagBot GitHub Actions workflow to sign its commits using a GPG key. This makes the release commits show as "Verified" in GitHub, which helps lend a little bit of credibility to the project by indicating that the release commits are legitimate (especially since they will be generated by a bot once the package is registered with the General registry).
Aside. If we individually set up GPG keys, then I believe our individual commits to the repository would also appear as "Verified". I have not tried this out, so I'm not sure how to set this up yet.