Krishna Mewara created FINERACT-2495:
----------------------------------------
Summary: GitHub Action verify.yml fails GPG check due to incorrect head-ref SHA
Key: FINERACT-2495
URL: https://issues.apache.org/jira/browse/FINERACT-2495
Project: Apache Fineract
Issue Type: Bug
Components: Build, Security
Affects Versions: 1.14.0
Environment: GitHub Actions runner (ubuntu-latest), GPG verification script.
Reporter: Krishna Mewara
*Problem:* The GPG signature verification script in the GitHub Actions workflow
is failing because it passes {{${{ github.sha }}}} as the {{--head-ref}}.
On {{pull_request}} events, {{github.sha}} points to the auto-generated *merge
commit* created by GitHub. This merge commit is unsigned, leading the
verification tool to report a signature failure even if the contributor's
original commit was properly signed.
*Impact:* Legitimate signed commits are flagged as "unsigned" in the CI/CD
pipeline, preventing PRs from passing the security/verification checks.
*Proposed Fix:* Update the workflow to use
{{${{ github.event.pull_request.head.sha }}}}. This ensures the verification script
checks the actual HEAD of the contributor's branch rather than the temporary
GitHub merge commit.
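As an added illustration (a constructed workflow, not Fineract's actual verify.yml), the fragment below shows the weak step beside the corrected one. The script path {{./tools/verify-gpg.sh}}, the {{develop}} branch name and the way the script consumes {{--head-ref}} are assumptions; only the {{--head-ref}} flag is mentioned in this issue. Two details the fix depends on are also shown: {{actions/checkout}} defaults to the {{refs/pull/N/merge}} commit on {{pull_request}} events, so the contributor's head commit must be checked out explicitly, and a shallow clone would not contain the PR's earlier commits.

```yaml
# Constructed example workflow (not Fineract's verify.yml).
# Assumed: ./tools/verify-gpg.sh exists and accepts --head-ref <sha>.
name: verify

on:
  pull_request:
  push:
    branches: [develop]   # assumed branch name

jobs:
  gpg-signatures:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # On pull_request the default checkout is the GitHub-generated
          # refs/pull/N/merge commit. Check out the contributor's head commit
          # instead, and fetch full history so the script can walk every
          # commit in the PR. On push there is no pull_request object, so
          # the expression falls back to github.sha.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 0

      # Weak step (the reported bug): on pull_request events github.sha is
      # the unsigned merge commit, so the signature check fails even when
      # every commit the contributor pushed is signed.
      # - name: Verify GPG signatures (broken)
      #   run: ./tools/verify-gpg.sh --head-ref ${{ github.sha }}

      # Fixed step: verify the real head of the contributor's branch; the
      # fallback keeps the same step usable on push events.
      - name: Verify GPG signatures (fixed)
        run: ./tools/verify-gpg.sh --head-ref ${{ github.event.pull_request.head.sha || github.sha }}

      # Sanity check that lands in the job log: git's %G? placeholder prints
      # G for a good signature, N for no signature, E/B/U for error, bad or
      # untrusted. The merge commit would show N here even when the head
      # commit shows G, which is exactly the symptom described above.
      - name: Show signature status of the verified commit
        run: git log -1 --format='%h %G? %s' ${{ github.event.pull_request.head.sha || github.sha }}
```

Note that {{%G?}} only reports G when the signing public key has been imported into the runner's keyring, so a verification script still needs its own key-import step; the expression fallback with {{||}} is ordinary GitHub Actions expression syntax, not something the script has to implement.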
--
This message was sent by Atlassian Jira
(v8.20.10#820010)