[
https://issues.apache.org/jira/browse/FINERACT-2495?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Krishna Mewara resolved FINERACT-2495.
--------------------------------------
Resolution: Fixed
> GitHub Action verify.yml fails GPG check due to incorrect head-ref SHA
> ----------------------------------------------------------------------
>
> Key: FINERACT-2495
> URL: https://issues.apache.org/jira/browse/FINERACT-2495
> Project: Apache Fineract
> Issue Type: Bug
> Components: Build, Security
> Affects Versions: 1.14.0
> Environment: GitHub Actions runner (Ubuntu-latest), GPG Verification
> Script.
> Reporter: Krishna Mewara
> Priority: Major
>
> *Problem:* The GPG signature verification script in the GitHub Actions
> workflow is failing because it passes ${{ github.sha }} as the
> --head-ref. On pull_request events, github.sha points to the
> auto-generated *merge commit* created by GitHub. This merge commit is
> unsigned, leading the verification tool to report a signature failure even if
> the contributor's original commit was properly signed.
>
> *Impact:* Legitimate signed commits are flagged as "unsigned" in the CI/CD
> pipeline, preventing PRs from passing the security/verification checks.
>
> *Proposed Fix:* Update the workflow to use
> ${{ github.event.pull_request.head.sha }}. This ensures the verification
> script checks the actual HEAD of the contributor's branch rather than the
> temporary GitHub merge commit.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
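The wrong and corrected head-ref side by side in a minimal workflow, as an added illustration that is not Fineract's own verify.yml or its verification script. It assumes the trusted committer public keys are imported into the runner's GPG keyring in an earlier step (not shown), and uses git verify-commit in place of the project's script.

```yaml
name: verify

on:
  pull_request:

jobs:
  gpg-verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # The default depth of 1 cannot walk base..head; fetch full history.
          fetch-depth: 0
          # Check out the contributor's branch tip, not the synthetic merge
          # commit that github.sha refers to on pull_request events.
          # Do not pair this with pull_request_target: that event runs with the
          # base repository's secrets and would execute the PR's own code.
          ref: ${{ github.event.pull_request.head.sha }}

      - name: Verify every commit in the PR carries a valid GPG signature
        env:
          # Wrong: on pull_request events github.sha is GitHub's unsigned
          # merge commit, so every PR fails the signature check.
          # HEAD_REF: ${{ github.sha }}
          # Right: the actual HEAD of the contributor's branch.
          HEAD_REF: ${{ github.event.pull_request.head.sha }}
          BASE_REF: ${{ github.event.pull_request.base.sha }}
        run: |
          # Assumption: trusted public keys were imported into gpg earlier.
          set -euo pipefail
          failed=0
          for sha in $(git rev-list "$BASE_REF..$HEAD_REF"); do
            # verify-commit exits non-zero when the commit is unsigned or the
            # signature does not validate against an imported key.
            if git verify-commit "$sha" 2>/dev/null; then
              echo "OK       $sha"
            else
              echo "UNSIGNED $sha"
              failed=1
            fi
          done
          exit "$failed"
```

Checking the whole base..head range rather than a single commit also catches an unsigned commit hidden behind a signed tip.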