Add require signed commit for protected branch

[zeripath]

• Adds new require signed commit option to protect branch.
• Adds indicators for CRUD and Merge screens to show if commits will be signed
• Prevents CRUD and merge if these would affect a protected branch with require signed commit.
• API merge and CRUD actions are handled
• Fix bug in delete file API action

Fix #4249

Screenshots

New setting on protected branch

Merge Signed

Prevent Merge Unsigned

CRUD signed

Prevent CRUD unsigned

[zeripath]

It's annoying but you can't just use gogitRepository to get these as it appears that the quarantine incoming checks don't work correctly.

[6543]

also close #8584

[codecov-io]

Codecov Report

Merging #9708 into master will decrease coverage by <.01%.
The diff coverage is 66.66%.

@@            Coverage Diff             @@
##           master    #9708      +/-   ##
==========================================
- Coverage   42.21%   42.21%   -0.01%     
==========================================
  Files         602      602              
  Lines       78669    78669              
==========================================
- Hits        33213    33209       -4     
- Misses      41392    41395       +3     
- Partials     4064     4065       +1

Impacted Files	Coverage Δ
models/repo.go	46.74% <ø> (ø)	⬆️
services/repository/transfer.go	66.66% <66.66%> (ø)	⬆️
services/pull/check.go	53.37% <0%> (-2.03%)	⬇️
models/error.go	30.76% <0%> (-0.55%)	⬇️
modules/log/event.go	65.64% <0%> (+1.02%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2d454cd...788ed2f. Read the comment docs.

[guillep2k]

Only a concern about very large commits. In a future PR we should make it so the signature is checked as the payload is being loaded (and discarded) in order to require less memory.

[zeripath]

The issue will be verification

Nope it's that I failed to get the payload regeneration correct in the last few changes.

[6543]

not working

EDIT: looks like 7a04a47 break something (worked before - with this commit it dont)

[sapk]

@zeripath remember to claim the bounty.

[davidsvantesson]

I don't think this else case should be here. It should only be shown if RequireSigned and is already handled above.

[zeripath]

Users should know if the commit will be signed or not.

[davidsvantesson]

Yes but the green text + icon if it will be signed would be enough? Many teams/companies don't use signing at all, so if you don't require signed commits it would be a bit annoying to have a yellow text "Commits are never signed" which many users will not even know what it means.

[davidsvantesson]

GitHub allow admin to override also signing. If signed commits are not required, GitHub doesn't show anything about signing.

[zeripath]

So on the editor screen I was able to add a simple unlock icon to precede the Create Commit which could be mouseovered but there's not really a place on the merge screen to do that hence I felt that just adding it as another status box on merge is reasonable.

You need to know if your commits are going to be signed and why - on GH it's impossible to know why and if a commit is going to be signed.

In reality it's a status box that is only visible if you can merge.

[davidsvantesson]

Shall repo admin be able to bypass "require signed" or not? Currently the term in $notAllOk has no effect.

[zeripath]

It's a question I put on the original issue. I would guess we need an additional suboption to allow the repo admin to bypass this. The trouble is signing is different from pr approval or whitelisting.

[davidsvantesson]

If you really want every commit to be signed I think it doesn't make sense for admin to override it?
So the condition to $notAllOk are more there for future, in case we allow admin to merge?

[zeripath]

I haven't changed $notAllOK - those are the other checks that were there previously. As I've written it RequireSign overrides all other checks as it's not overridable.

Perhaps I should have changed the name of notAllOK to notAllOverridableStatusChecksOK but it felt a little over the top.

[davidsvantesson]

But you have added (and .RequireSigned (not .WillSign)), is that not intentional?

[zeripath]

yeah that was future proofing.

[zeripath]

It also meant that the UI would keep sane.

[davidsvantesson]

The logic would need to be revised anyhow if allowing overriding signing. Otherwise you will get this:

[zeripath]

yeah exactly.