Skip to content

doc: prefer to sign commits under nodejs repository #57311

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nodejs-github-bot merged 3 commits into from
Mar 17, 2025
Merged

doc: prefer to sign commits under nodejs repository #57311

Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
1277397
doc: prefer to sign commits under nodejs repository
RafaelGSS Mar 4, 2025
c54e9e6
Update onboarding.md
RafaelGSS Mar 4, 2025
f0787fd
fixup! doc: prefer to sign commits under nodejs repository
RafaelGSS Mar 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions onboarding.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,8 @@ onboarding session.
* git:
* Make sure you have whitespace=fix: `git config --global --add
apply.whitespace fix`
* It is recommended to sign all commits under the Node.js repository.
Run: `git config commit.gpgsign true` inside the `node` folder.
Copy link
Copy Markdown
Contributor

@aduh95 aduh95 Mar 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should consider making this recommendation on the ONBOARDING.md of nodejs/Release, and maybe reword it to ensure we're not setting a bar too high for newcomers:

Suggested change
* It is recommended to sign all commits under the Node.js repository.
Run: `git config commit.gpgsign true` inside the `node` folder.
* Consider configuring git to sign all commits when working on the Node.js repository.
Run: `git config commit.gpgsign true` inside the `node` folder.

Copy link
Copy Markdown
Member

@targos targos Mar 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I fear that whatever the wording, people are going to run the command, and later they will be confused as their git commit fail because of the missing signing key.

Copy link
Copy Markdown
Member

@joyeecheung joyeecheung Mar 6, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can it start with "if you have a GPG key set up locally that matches the email you use to contribute to Node.js" so that people who do not know what it is will skip it?

Copy link
Copy Markdown
Member

@richardlau richardlau Mar 6, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FWIW there are multiple methods of signing commits with git. GitHub supports (i.e. can displayed "Verified") GPG, SSH, or S/MIME signatures.

For the release team we've recommend GPG keys, but this documentation is aimed at a broader audience (collaborators).

* Always create a branch in your own GitHub fork for pull requests
* Branches in the `nodejs/node` repository are only for release lines
* Add the canonical nodejs repository as `upstream` remote:
Expand Down