GitHub/Repository Security/Problems and Options
Some of the Guidelines can appear to be excessively disruptive to workflows. This page lists options and workarounds folks have found for some circumstances. Please add additional ones that you have used successfully! (It's a wiki!)
The first 2 sections list problems and options per guideline. If a guideline isn't listed, no one has (yet) had a problem. It's fair game to list a problem you actually have without a solution - other folks in the community may have ideas, even if they do not experience that particular problem. (No hypothetical problems though, please.)
Membership Guidelines
Repository Guidelines
Commits (including merges) to the production branch should be GPG signed.
Problem: Needing to setup GPG for use on GitHub might dissuade contributors
The guidance "require signed commits" only targets the production branch(es). Other branches (such as feature or topic branches) need not require signing. However, having unsigned commits in a branch means you need to handle merges in a certain way. In particular, you will not be able to rebase unsigned commits onto a production branch. You will need to merge ("squash-merge" is a GitHub feature that is incompatible with requiring signing).
One option:
- create a "feature branch", used only for merges (no signing required)
- create a "shadow branch", used only for merges (no signing required)
- whomever does the merge, merges via shadow branch using GitHub web UI:
General Notes
For tips that don't fit nicely above, please list them here.