Move the signed commits check in our repos to the left in our process

[basiliskus]

DevEx/OpEx

One possible option is to add a pre-commit hook

Tasks

• Adjust TI repository settings to disallow unsigned commits to all branches
• Do the same for the SFTP ingestion repo

Additional Context

https://flexion.slack.com/archives/C055XTF22B0/p1727721609331709

[jbiskie]

Upon researching, we found an issue with the current branch protection rules. The naming specification for the branch protection rules (In GitHub, under Settings->Branches), was not picking up all of our branches. As of the screenshot below, there were 34 branches in our repo, but the rules applied to only 14.

The rules use fnmatch (unix filename pattern matching), so "*" does not pick up any branches with a "/" slash in the name, as most of our branches use. Changing the catch-all pattern to "/" resolves this issue:

[jbiskie]

Secondly, all of us on the TI team were still able to push unsigned commits (to branches other than main) since we are all repo admins. The "Do not allow bypassing the above settings" option within the rule also needs to be checked. Without it, there's no warning or indication that we're pushing an unsigned commit.

[jbiskie]

These new settings have been applied to trusted-intermediary and reportstream-sftp-ingestion.

reportstream-sftp-ingestion only had the rule for main. The catch-all rule has been added so both repos' branch protection rules are consistent.

[halprin]

Thanks for looking into this! I never figured out what I was doing wrong to get the checks to work.