bird-house · Zeitsperre · Jun 2, 2026 · May 15, 2026 · May 15, 2026 · May 15, 2026
@@ -20,7 +20,7 @@ jobs:
     environment: automation
     if: >
       github.event.pull_request.user.login == 'dependabot[bot]' &&
-      contains(github.event.pull_request.labels.*.name, 'ci/operations')
+      contains(github.event.pull_request.labels.*.name, 'github_actions')
     permissions:
       contents: write
       pull-requests: write

@@ -44,6 +44,15 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
 
+      - name: Import GPG Key
+        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
+        with:
+          gpg_private_key: ${{ secrets.BIRDHOUSE_HELPER_BOT_GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.BIRDHOUSE_HELPER_BOT_GPG_PRIVATE_KEY_PASSWORD }}
+          git_user_signingkey: true
+          git_tag_gpgsign: true
+          trust_level: 5
+
       - name: Install Python CI Dependencies
         run: |
           python -m pip install --require-hashes -r ./.github/requirements_ci.txt

@@ -844,3 +844,43 @@ the backup and restore jobs.
 .. _restic: https://restic.readthedocs.io/en/stable/
 .. |test-restic-keypair.sh| replace:: ``birdhouse/scripts/test-restic-keypair.sh``
 .. _test-restic-keypair.sh: scripts/test-restic-keypair.sh
+
+GitHub Workflows configurations
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The following section is meant for project maintainers which describes the requirements for setting up the various 
+GitHub Workflow automations. Only administrators and users with repository secrets privilieges can use this information.
+
+There are a handful of automations that require specialized secrets, configurations, and tokens.
+Workflows thats specifically depend on the *Birdhouse-Helper-Bot* App require that the app have certain repositiory
+privileges, specifically:
+
+* Read access to actions, issues, metadata, and organization secrets 
+* Read and write access to code, organization projects, and pull requests
+
+Additionally, a set of secrets is also required in order to make use of the specialized workflows, specifically:
+
+* ``BIRDHOUSE_HELPER_BOT_GPG_PRIVATE_KEY`` : The private key used to perform commits.
+  This must be either associated with a user or a bot account that has tag creation privileges for the project.
+  As of time of writing, the RSA key type with AES256 encryption and a key length of 4096 is suggested.
+  **This key must be associated with a valid GitHub user account**. The associated public key does not need to
+  be uploaded to a public keyserver. The key should have an expiration date. 
+
+* ``BIRDHOUSE_HELPER_BOT_GPG_PRIVATE_KEY_PASSWORD`` : The private key password. This should be adequately long
+  hard enough to not be easily guessed/brute-forced.
+
+* ``BIRDHOUSE_HELPER_BOT_ID`` : The ID number of the App. Available within the relevant entry under GitHub Apps.
+
+* ``BIRDHOUSE_HELPER_BOT_KEY`` : The unqiue key of the App. If this needs to be changed, it must be regenerated.
+  This is only shown once in order to prevent misuse/distribution.
+
+All the above prvilieges and keys must be visible/accessible to the repository that uses workflows that rely on
+the following workflows:
+
+* ``auto-accept-ci-changes.yml`` and ``create-tag.yml``
+
+  * Additionally, ``auto-accept-ci-changes.yml`` requires a valid ``dependabot.yml`` configuration
+    (see: https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/dependabot-quickstart-guide).
+
+Finally, the ``label.yml`` workflow is a specialized workflow that requires a ``labeler.yml`` configuration.
+This workflow does not depend on any specific privileges (see: https://github.com/actions/labeler).