From efa3a2dd7d1a65b78ba0c43373d0d07e4e3b2a2b Mon Sep 17 00:00:00 2001
From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com>
Date: Fri, 15 May 2026 08:02:50 -0400
Subject: [PATCH 1/6] add missing gpg key to create-tag workflow

Signed-off-by: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com>
---
 .github/workflows/create-tag.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/create-tag.yml b/.github/workflows/create-tag.yml
index 5a3e4e534..ed061f7a4 100644
--- a/.github/workflows/create-tag.yml
+++ b/.github/workflows/create-tag.yml
@@ -44,6 +44,15 @@ jobs:
 with:
 python-version: ${{ matrix.python-version }}
 
+ - name: Import GPG Key
+ uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
+ with:
+ gpg_private_key: ${{ secrets.BIRDHOUSE_HELPER_BOT_GPG_PRIVATE_KEY }}
+ passphrase: ${{ secrets.BIRDHOUSE_HELPER_BOT_GPG_PRIVATE_KEY_PASSWORD }}
+ git_user_signingkey: true
+ git_commit_gpgsign: true
+ trust_level: 5
+
 - name: Install Python CI Dependencies
 run: |
 python -m pip install --require-hashes -r ./.github/requirements_ci.txt

From 738955f682cace188f2c9ca3a80924a2cccb60b7 Mon Sep 17 00:00:00 2001
From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com>
Date: Fri, 15 May 2026 08:35:55 -0400
Subject: [PATCH 2/6] adjust label

Signed-off-by: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com>
---
 .github/workflows/auto-accept-ci-changes.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/auto-accept-ci-changes.yml b/.github/workflows/auto-accept-ci-changes.yml
index 3200fe79e..1979d447c 100644
--- a/.github/workflows/auto-accept-ci-changes.yml
+++ b/.github/workflows/auto-accept-ci-changes.yml
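Review bot: The `Import GPG Key` step runs before `Install Python CI Dependencies`, so every later step — the pip install included — executes while the bot's private key and its cached passphrase are loaded in the runner's gpg agent; the step should sit immediately before the step that actually signs (the tagging step is outside this hunk, so I cannot tell how far down it is). `--require-hashes` narrows what that install can pull in, but the key is still available for longer than it needs to be. `trust_level: 5` also looks like more than signing requires — as far as I can tell ownertrust governs which signatures gpg accepts as valid, not whether it will sign with this key — so it can be dropped unless a later step verifies signatures against this keyring. A short comment above the step naming what the key signs and pointing to where the two secrets are documented would help the next maintainer, e.g. `# Signing key for the release tag; secrets are described in birdhouse/README.rst`.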
@@ -20,7 +20,7 @@ jobs:
 environment: automation
 if: >
 github.event.pull_request.user.login == 'dependabot[bot]' &&
- contains(github.event.pull_request.labels.*.name, 'ci/operations')
+ contains(github.event.pull_request.labels.*.name, 'github_actions')
 permissions:
 contents: write
 pull-requests: write

From 2eef160a4d734c35a40c060e91e49ae32b28e60b Mon Sep 17 00:00:00 2001
From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com>
Date: Fri, 15 May 2026 10:16:59 -0400
Subject: [PATCH 3/6] git_tag_gpgsign = true

Signed-off-by: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com>
---
 .github/workflows/create-tag.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/create-tag.yml b/.github/workflows/create-tag.yml
index ed061f7a4..85ac12ccb 100644
--- a/.github/workflows/create-tag.yml
+++ b/.github/workflows/create-tag.yml
@@ -50,7 +50,7 @@ jobs:
 gpg_private_key: ${{ secrets.BIRDHOUSE_HELPER_BOT_GPG_PRIVATE_KEY }}
 passphrase: ${{ secrets.BIRDHOUSE_HELPER_BOT_GPG_PRIVATE_KEY_PASSWORD }}
 git_user_signingkey: true
- git_commit_gpgsign: true
+ git_tag_gpgsign: true
 trust_level: 5
 
 - name: Install Python CI Dependencies

From 57a36507dc6bd829932bd032e1f6d17ff00e2fee Mon Sep 17 00:00:00 2001
From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com>
Date: Tue, 19 May 2026 13:38:30 -0400
Subject: [PATCH 4/6] add GitHub Workflows configurations

Signed-off-by: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com>
---
 birdhouse/README.rst | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/birdhouse/README.rst b/birdhouse/README.rst
index 6e16f1225..29682ccd6 100644
--- a/birdhouse/README.rst
+++ b/birdhouse/README.rst
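Review bot: The new condition presumably relies on Dependabot's default `github_actions` ecosystem label, so a `labels:` entry for that ecosystem in `dependabot.yml` would replace the defaults and leave this gate never matching — the automation would silently stop rather than fail. A comment above `if:` should record that coupling, e.g. `# 'github_actions' is Dependabot's default label for the github-actions ecosystem; keep in sync with dependabot.yml`. Note also that the label only narrows which Dependabot pull requests are auto-accepted: anyone with triage rights can add or remove labels, so the `user.login == 'dependabot[bot]'` check remains the part that actually gates the `contents: write` and `pull-requests: write` permissions granted below.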
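Review bot: Swapping `git_commit_gpgsign: true` for `git_tag_gpgsign: true` switches commit signing off rather than adding tag signing; the two inputs are independent in ghaction-import-gpg, so if this job also creates a commit (a version bump ahead of the tag, say — the rest of the job is outside the hunk) that commit is now unsigned while only the tag is signed. If the job produces nothing but a tag the change is correct as is; otherwise keep both lines, `git_commit_gpgsign: true` and `git_tag_gpgsign: true`. Either way, as far as I know `git_tag_gpgsign` only sets the `tag.gpgSign` git config, so a tag created through the GitHub API rather than the git CLI would presumably not be signed by it — worth a comment on the step saying which path the job uses.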
@@ -844,3 +844,42 @@ the backup and restore jobs.
 .. _restic: https://restic.readthedocs.io/en/stable/
 .. |test-restic-keypair.sh| replace:: ``birdhouse/scripts/test-restic-keypair.sh``
 .. _test-restic-keypair.sh: scripts/test-restic-keypair.sh
+
+GitHub Workflows configurations
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The following section is meant for project maintainers which describes the requirements for setting up the various
+GitHub Workflow automations. Only administrators and users with repository secrets provilieges can use this information.
+
+There are a handful of automations that require specialized secrets, configurations, and tokens.
+Workflows thats specifically depend on the *Birdhouse-Helper-Bot* App require that the app have certain repositiory
+privileges, specifically:
+
+ * Read access to actions, issues, metadata, and organization secrets
+ * Read and write access to code, projects, and pull requests
+
+Additionally, a set of secrets is also required in order to make use of the specialized workflows, specifically:
+
+ * ``BIRDHOUSE_HELPER_BOT_GPG_PRIVATE_KEY`` : The private key used to perform commits.
+ This must be either associated with a user or a bot account that has tag creation privileges for the project.
+ As of time of writing, the RSA key type with AES256 encryption and a key length of 4096 is suggested.
+ **This key must be associated with a valid GitHub user account**. The associated public key does not need to
+ be uploaded to a public keyserver. The key should have an expiration date.
+
+ * ``BIRDHOUSE_HELPER_BOT_GPG_PRIVATE_KEY_PASSWORD`` : The private key password. This should be adequately long
+ hard enough to not be easily guessed/brute-forced.
+
+ * ``BIRDHOUSE_HELPER_BOT_ID`` : The ID number of the App. Available within the relevant entry under GitHub Apps.
+
+ * ``BIRDHOUSE_HELPER_BOT_KEY`` : The unqiue key of the App. If this needs to be changed, it must be regenerated.
+ This is only shown once in order to prevent misuse/distribution.
+
+All the above prvilieges and keys must be visible/accessible to the repository that uses workflows that rely on
+the following workflows:
+
+ * ``auto-accept-ci-changes.yml`` and ``create-tag.yml``
+ * Additionally, ``auto-accept-ci-changes.yml`` requires a valid ``dependabot.yml`` configuration
+ (see: https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/dependabot-quickstart-guide).
+
+Finally, the ``label.yml`` workflow is a specialized workflow that requires a ``labeler.yml`` configuration.
+This workflow does not depend on any specific provileges (see: https://github.com/actions/labeler)
\ No newline at end of file

From fd6c57f1352a04bbb5098eab8540d8b667ac995f Mon Sep 17 00:00:00 2001
From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com>
Date: Tue, 19 May 2026 13:42:27 -0400
Subject: [PATCH 5/6] formatting

Signed-off-by: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com>
---
 birdhouse/README.rst | 35 ++++++++++++++++++-----------------
 1 file changed, 18 insertions(+), 17 deletions(-)

diff --git a/birdhouse/README.rst b/birdhouse/README.rst
index 29682ccd6..7bb4c0875 100644
--- a/birdhouse/README.rst
+++ b/birdhouse/README.rst
@@ -849,37 +849,38 @@ GitHub Workflows configurations
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 The following section is meant for project maintainers which describes the requirements for setting up the various
-GitHub Workflow automations. Only administrators and users with repository secrets provilieges can use this information.
+GitHub Workflow automations. Only administrators and users with repository secrets privilieges can use this information.
 
 There are a handful of automations that require specialized secrets, configurations, and tokens.
 Workflows thats specifically depend on the *Birdhouse-Helper-Bot* App require that the app have certain repositiory
 privileges, specifically:
 
- * Read access to actions, issues, metadata, and organization secrets
- * Read and write access to code, projects, and pull requests
+* Read access to actions, issues, metadata, and organization secrets
+* Read and write access to code, organization projects, and pull requests
 
 Additionally, a set of secrets is also required in order to make use of the specialized workflows, specifically:
 
- * ``BIRDHOUSE_HELPER_BOT_GPG_PRIVATE_KEY`` : The private key used to perform commits.
- This must be either associated with a user or a bot account that has tag creation privileges for the project.
- As of time of writing, the RSA key type with AES256 encryption and a key length of 4096 is suggested.
- **This key must be associated with a valid GitHub user account**. The associated public key does not need to
- be uploaded to a public keyserver. The key should have an expiration date.
+* ``BIRDHOUSE_HELPER_BOT_GPG_PRIVATE_KEY`` : The private key used to perform commits.
+ This must be either associated with a user or a bot account that has tag creation privileges for the project.
+ As of time of writing, the RSA key type with AES256 encryption and a key length of 4096 is suggested.
+ **This key must be associated with a valid GitHub user account**. The associated public key does not need to
+ be uploaded to a public keyserver. The key should have an expiration date.
 
- * ``BIRDHOUSE_HELPER_BOT_GPG_PRIVATE_KEY_PASSWORD`` : The private key password. This should be adequately long
- hard enough to not be easily guessed/brute-forced.
+* ``BIRDHOUSE_HELPER_BOT_GPG_PRIVATE_KEY_PASSWORD`` : The private key password. This should be adequately long
+ hard enough to not be easily guessed/brute-forced.
 
- * ``BIRDHOUSE_HELPER_BOT_ID`` : The ID number of the App. Available within the relevant entry under GitHub Apps.
+* ``BIRDHOUSE_HELPER_BOT_ID`` : The ID number of the App. Available within the relevant entry under GitHub Apps.
 
- * ``BIRDHOUSE_HELPER_BOT_KEY`` : The unqiue key of the App. If this needs to be changed, it must be regenerated.
- This is only shown once in order to prevent misuse/distribution.
+* ``BIRDHOUSE_HELPER_BOT_KEY`` : The unqiue key of the App. If this needs to be changed, it must be regenerated.
+ This is only shown once in order to prevent misuse/distribution.
 
 All the above prvilieges and keys must be visible/accessible to the repository that uses workflows that rely on
 the following workflows:
 
- * ``auto-accept-ci-changes.yml`` and ``create-tag.yml``
- * Additionally, ``auto-accept-ci-changes.yml`` requires a valid ``dependabot.yml`` configuration
- (see: https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/dependabot-quickstart-guide).
+* ``auto-accept-ci-changes.yml`` and ``create-tag.yml``
+
+ * Additionally, ``auto-accept-ci-changes.yml`` requires a valid ``dependabot.yml`` configuration
+ (see: https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/dependabot-quickstart-guide).
 
 Finally, the ``label.yml`` workflow is a specialized workflow that requires a ``labeler.yml`` configuration.
-This workflow does not depend on any specific provileges (see: https://github.com/actions/labeler)
\ No newline at end of file
+This workflow does not depend on any specific provileges (see: https://github.com/actions/labeler).

From f409531f83c69877c296852421b5ce4ad20a15cd Mon Sep 17 00:00:00 2001
From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com>
Date: Tue, 19 May 2026 13:50:58 -0400
Subject: [PATCH 6/6] provileges

Signed-off-by: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com>
---
 birdhouse/README.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/birdhouse/README.rst b/birdhouse/README.rst
index 7bb4c0875..f66aff9f5 100644
--- a/birdhouse/README.rst
+++ b/birdhouse/README.rst
@@ -883,4 +883,4 @@ the following workflows:
 (see: https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/dependabot-quickstart-guide).
 
 Finally, the ``label.yml`` workflow is a specialized workflow that requires a ``labeler.yml`` configuration.
-This workflow does not depend on any specific provileges (see: https://github.com/actions/labeler).
+This workflow does not depend on any specific privileges (see: https://github.com/actions/labeler).