The Repasar GitHub Action (GHA) checks the commit signatures for security. It now supports verifying all commits in a pull request (PR), not just the latest commit. For push events, it continues to verify the latest commit as before.

• For PRs: All commits in the PR are checked for verified signatures.
• For pushes: Only the latest commit is checked.

Copy the text below into a file in your repository called .github/workflows/verified_commits_check.yml then just commit and push it to your default branch.

# .github/workflows/verify-commits.yml
name: Verifying the latest commit
run-name: ${{ github.actor }} is verifying the validity of current commit
on: [push]
jobs:
  check-sha:
    runs-on: ubuntu-latest
    name: Check the SHA of the latest commit
    steps:
      - name: Checkout the code
        uses: actions/checkout@v5
      - name: Run repasar on the latest SHA
        uses: rogeruiz/[email protected]
        with:
          allowed-signers-file-path: ./.github/allowed_signers
          fail-on-unverified: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

The only required input is the allowed-signers-file-path which is recommended to be resolved to ./.github/allowed_signers. This file contains the public SSH keys in the following format per-line.

<email>[,<email>...] <key type> <public key>

By default, this Action does not fail the run if the verification of the commit is unsuccessful. If you would like to have the Action fail, then set the fail-on-unverified to true in the workflows/ Yaml file.

• ${GITHUB_SHA}: Used for single commit verification (push events).
• ${GITHUB_EVENT_NAME} and ${GITHUB_EVENT_PATH}: Used to detect PR context and extract PR number.
• ${GITHUB_TOKEN}: Required for PR verification to fetch all commits in the PR using the GitHub API.

Note: For PRs, ensure the workflow has access to GITHUB_TOKEN (default in GitHub Actions) and that the token has repo scope for private repositories.