Conversation


@kristapsk kristapsk commented Nov 26, 2025

Resolves #10.

Summary by CodeRabbit

  • Chores
    • Enhanced CI workflow to fetch full git history and run an additional verification step during builds.
  • Tests
    • Added a verification that the most recent commit is GPG-signed and that the signer matches a trusted key, failing the run if unsigned or unknown.


@kristapsk kristapsk requested a review from Copilot November 26, 2025 12:12

coderabbitai bot commented Nov 26, 2025


📥 Commits

Reviewing files that changed from the base of the PR and between 264acc5 and 5f2e8b7.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml (1 hunks)
  • test/check-last-commit-signature-key.sh (1 hunks)


Walkthrough

Adds a CI step and helper script that ensure the most recent git commit is signed and that the signing key matches one of the public keys stored in keys/ before allowing the build to proceed.

Changes

  • CI workflow configuration (.github/workflows/ci.yml): Sets fetch-depth: 0 on checkout and appends a step "Check last git commit signature against trusted keys" that runs bash -x ./test/check-last-commit-signature-key.sh.
  • Signature verification script (test/check-last-commit-signature-key.sh): Adds a new shell script that checks the latest commit is signed, extracts the signer key ID from the commit, compares it against keys/*.asc via gpg --with-colons, exits 0 on a known key match and 1 on unsigned/unknown key.

Sequence Diagram

sequenceDiagram
    participant CI as GitHub Actions
    participant Repo as Repository
    participant Script as check-last-commit-signature-key.sh
    participant GPG as gpg
    participant KeyDir as keys/ (public .asc files)

    CI->>Repo: Checkout (fetch-depth: 0)
    CI->>Script: Run signature check step
    Script->>Repo: Read latest commit and signatures
    alt Commit unsigned
        Script->>CI: Exit 1 — "unsigned"
    else Commit signed
        Script->>Script: Extract signer key ID
        Script->>KeyDir: Iterate known key files
        loop For each key file
            Script->>GPG: gpg --with-colons to extract key ID
            alt Key ID matches
                Script->>CI: Exit 0 — "known key"
            end
        end
        alt No match found
            Script->>CI: Exit 1 — "unknown key"
        end
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Check correctness of git signature parsing and edge cases (merge commits, multiple signatures).
  • Verify gpg invocation and key ID normalization (short vs long IDs).
  • Confirm CI step runs with sufficient git history (fetch-depth: 0) and appropriate failure messaging.

Possibly related PRs

  • Add GitHub CI (ShellCheck) #13 — Introduced the CI workflow and ShellCheck step that this change extends by adding fetch-depth: 0 and the signature verification step.

Poem

🐇 I hopped through commits both near and far,
Sniffed the signatures beneath each star,
With trusted keys in my cosy lair,
I guard each commit with tender care,
Hop, check, and seal — the repo’s fair. ✨

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: adding a CI check to verify the last git commit signature against trusted keys, which directly aligns with the pull request's primary objective.
  • Linked Issues check: ✅ Passed. The pull request fulfils the requirement from issue #10 by implementing a CI check that verifies the current signing key is present in the keys/ directory before key-removal operations.
  • Out of Scope Changes check: ✅ Passed. All changes are directly related to implementing the CI check for validating git commit signatures against trusted keys, with no extraneous modifications detected.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Copilot AI left a comment


Pull request overview

This PR adds a CI check to verify that the last git commit is signed with a key present in the trusted keys directory, addressing issue #10. This enhances security by ensuring only commits from authorized contributors are accepted.

  • Adds a new shell script to validate commit signatures against trusted GPG keys
  • Integrates the signature check into the GitHub Actions CI workflow

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

  • test/check-last-commit-signature-key.sh: New script that extracts the signing key from the last commit and verifies it against keys in the ../keys/ directory
  • .github/workflows/ci.yml: Adds a new CI step to run the commit signature verification script

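The check that CodeRabbit's walkthrough and the Copilot overview above describe, as an added illustration rather than the PR's own test/check-last-commit-signature-key.sh (whose source is not shown on this page): read the signing key of HEAD with git, collect every fingerprint from keys/*.asc via gpg --with-colons, and match the two. Assumed details not taken from the page: the git placeholders %G? and %GK, gpg --show-keys, the function names, and the constructed sample listing; the matcher also goes slightly beyond the walkthrough by accepting signing subkeys and rejecting short or empty key IDs, the edge cases the review-effort bullets flag.

```shell
#!/bin/sh
# Added example, not the PR's own test script.

# Print every fingerprint (primary key and subkeys) from `gpg --with-colons`
# on stdin. Git usually signs with a subkey, so primary IDs alone are not enough.
list_key_fingerprints() {
    awk -F: '$1 == "fpr" { print toupper($10) }'
}

# Return 0 when SIGNER (long key ID or full fingerprint, any case) is the tail
# of one newline-separated trusted fingerprint in $2. Short 8-hex IDs and an
# empty signer (git's value for an unsigned commit) are rejected up front:
# an empty "$signer" in the "*$signer" pattern would match every key.
signer_is_trusted() {
    signer=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#signer}" -ge 16 ] || return 1
    for fpr in $2; do
        case "$fpr" in
            *"$signer") return 0 ;;
        esac
    done
    return 1
}

# CI entry point; assumes git and gpg on PATH and a full-history checkout.
# The trusted set is read from keys/*.asc, not from the runner's gpg keyring.
check_last_commit_signature() {
    keys_dir=${1:-keys}
    # %G? is "N" for an unsigned commit; %GK is the ID of the signing key.
    [ "$(git log -1 --format='%G?')" != "N" ] ||
        { echo "FAIL: last commit is unsigned" >&2; return 1; }
    signer=$(git log -1 --format='%GK')
    trusted=$(for f in "$keys_dir"/*.asc; do
        gpg --with-colons --show-keys "$f" 2>/dev/null
    done | list_key_fingerprints)
    if signer_is_trusted "$signer" "$trusted"; then
        echo "OK: last commit signed by trusted key $signer"; return 0
    fi
    echo "FAIL: last commit signed by unknown key '$signer'" >&2; return 1
}

# Constructed `gpg --with-colons --show-keys` output for one trusted key with a
# signing subkey; the fingerprints are placeholders, not real keys.
SAMPLE_KEY_LISTING='pub:-:4096:1:89ABCDEF01234567:1700000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:-:4096:1:76543210FEDCBA98:1700000000::::::s::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

if [ "${1:-}" = "--check" ]; then check_last_commit_signature "${2:-keys}"; fi
```

In CI the script is run from the repository root with `--check keys`; SAMPLE_KEY_LISTING lets the matching functions be exercised offline without git or gpg.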

@kristapsk kristapsk marked this pull request as draft November 26, 2025 12:15
@kristapsk kristapsk force-pushed the test-check-last-commit-signature-key branch from 77fc904 to 62ea520 Compare November 26, 2025 12:16
@kristapsk kristapsk marked this pull request as ready for review November 26, 2025 12:17
@kristapsk kristapsk force-pushed the test-check-last-commit-signature-key branch 2 times, most recently from a89fab7 to 264acc5 Compare November 26, 2025 12:19
@kristapsk kristapsk force-pushed the test-check-last-commit-signature-key branch from 264acc5 to 5f2e8b7 Compare November 26, 2025 12:25
@kristapsk kristapsk merged commit 5f2e8b7 into nakamochi:dev Nov 26, 2025
2 checks passed
@kristapsk kristapsk deleted the test-check-last-commit-signature-key branch November 26, 2025 12:29
Successfully merging this pull request may close these issues.

CI check key removal