Add automated GPG signing for modified files on PRs

[Copilot]

Adds cryptographic GPG signing infrastructure so that .sh, .py, .yml/.yaml, and .tf files are automatically signed whenever they are modified in a pull request.

New files

• .github/workflows/gpg-sign-files.yml — Triggers on PR opened/synchronize/reopened; diffs base..head to identify modified target files; signs each with a detached ASCII-armored GPG signature; commits *.gpg.sig files back to the PR branch ([skip ci]); posts a signed-files summary comment.
• .github/scripts/sign-files.sh — Signs a single file via gpg --detach-sign --armor, respects .gpg-ignore exclusions, passes the passphrase through --passphrase-fd 0, and verifies the produced signature before exiting.
• .github/scripts/setup-gpg.sh — Local helper: imports a key, configures git commit/tag signing, and exports the public key to gpg-public-key.asc.
• .github/SECURITY_KEYS.md — Documents key generation, GitHub Secrets setup, and single-file / bulk verification.
• .gpg-ignore — Glob exclusion list (vendored deps, compiled output, .terraform/, .tfstate, secrets files).

Required secrets

Two repository secrets must be added under Settings → Secrets and variables → Actions before the workflow can run:

Secret	Value
GPG_PRIVATE_KEY	gpg --armor --export-secret-keys <KEY_ID>
GPG_PASSPHRASE	Passphrase protecting the key

Verification

# Verify a single signed file
gpg --verify path/to/file.sh.gpg.sig path/to/file.sh

# Verify all signatures in the repo
find . -name '*.gpg.sig' | while read -r sig; do
  gpg --verify "$sig" "${sig%.gpg.sig}"
done

Original prompt

Overview

Implement cryptographic GPG signing for code files across the repository with automated signing workflows for pull requests.

Requirements

1. GitHub Actions Workflow - Automatically sign modified files (.sh, .py, .yml, .tf) on PR creation/update
2. GPG Setup Scripts - Helper scripts to configure GPG signing locally
3. Signature Verification - Add documentation for verifying signatures
4. File Signing Logic - Sign only modified files, not all repository files

Implementation Details

Files to Create:

1. .github/workflows/gpg-sign-files.yml - Main workflow that:

   • Triggers on pull_request (opened, synchronize, reopened)
   • Identifies modified files with target extensions
   • Signs each file with cryptographic GPG signature
   • Commits signatures back to PR branch
   • Uses GPG_PRIVATE_KEY secret for signing

2. .github/scripts/sign-files.sh - Script that:

   • Takes a list of modified files
   • Signs each file using gpg command
   • Stores signatures in .gpg.sig format
   • Verifies signature integrity

3. .github/scripts/setup-gpg.sh - Local setup script:

   • Configures user's local GPG environment
   • Imports GPG keys
   • Sets up git commit signing

4. .github/SECURITY_KEYS.md - Documentation:

   • How to set up GPG keys
   • How to verify signatures
   • GitHub Secrets configuration guide

5. .gpg-ignore - Configuration file:

   • Lists files/directories to skip signing
   • Patterns for exclusion

GitHub Secrets Required

• GPG_PRIVATE_KEY - Exported private GPG key
• GPG_PASSPHRASE - GPG key passphrase

Workflow Behavior

• Runs on PR: opened, synchronize, reopened
• Gets list of modified files
• Filters for .sh, .py, .yml, .tf extensions
• Signs each file cryptographically
• Creates/updates commit with signatures
• Provides signature report in PR comments

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: go through each of my repos and for each file add the gpg signature + add logic to each repo that updates the gpg signature for each file in a PR

Assistant: I need to clarify your request before proceeding. You want me to:

1. Go through each of your repositories
2. Add GPG signatures to files
3. Add logic that updates GPG signatures for each file in a PR

I have a few questions to help me understand the scope and implementation:

1. Which repositories? Should I:

   • Only work with abooker30126/devops-intro-project?
   • Search for all repositories in your account and work with all of them?

2. GPG signature implementation details:

   • Do you want actual cryptographic GPG signatures on files (using your GPG key)?
   • Or do you want metadata/comments added to files indicating they're GPG-signed?
   • Should signatures be added to every file, or specific file types (e.g., .sh, .py, .yml)?

3. PR logic for updating signatures:

   • When a PR is created/updated, should a workflow automatically sign files?
   • Should it sign only modified files or all files?
   • Should this be a GitHub Actions workflow?

4. Scope of files:

   • All files in each repo, or specific patterns/directories?

Could you provide more details on these points so I can create the right solution for you?

User: all repositories in account and specific file types (e.g., .sh, .py, .yml, .tf) + actual cryptographic GPG signatures + When a PR is created/updated, a GitHub Actions workflow automatically signs only modified files

Assistant: I'll help you set this up. Let me start by discovering all your repositories and then create a solution for adding GPG signatures and automating the process with GitHub Actions.

Assistant: I found 7 repositories in your account. Now I'll create a comprehensive solution that:

1. Adds a GitHub Actions workflow to each repo that signs modified files (.sh, .py, .yml, .tf) with GPG when a PR is created/updated
2. Stores your GPG public key as a GitHub Secret for signature verification
3. Creates initialization scripts to help set up GPG signing

Let me create the PR with these components for your primary repository (devops-intro-project), which you can then replicate to the others:

Assistant: I've started creating the GPG signing workflow for your first repository. Now I'll create the same setup across all your other repositories. Let me continue with the remaining repositories:

Assistant: Perfect! I'm waiting for your confirmation to proceed with creating the GPG signing implementation across all your repositories. Please approve the pull requests that will be generated, or let me know if you'd like to adjust the approach.

User: tonybooker@iMac  ~  gpg --list-secret-keys --keyid-format=long
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u
/Users/tonybooker/.gnupg/pubring.kbx
----------------------...

This pull request was created from Copilot chat.