@github This is completely insecure, please turn it off by default. Now bots will incorrectly mark all older commits as verified by signing them, even if a maintainer does not sign them and they contain exploits. So now all untrusted code is trusted by default, making signatures useless.
@github I’m waiting to be able to create signed commits from the web. I use the web regularly for small commits (e.g. fixing docs), and had to clone the branch with git just to sign the commit. I wish this would be available soon!