auth-commit-sig/allowlist_example.yaml at main · gobeyondidentity/auth-commit-sig · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
# Allowlist that is used when the commit is a merge commit.
# A merge commit is defined as a commit containing two or more parents.
# e.g. `git merge`
merge_commit_allowlist:
  email_addresses:
    # `repositories` not defined, can bypass signature verification for _any_ repository.
    - email_address: user1@company.com

    # `repositories` defined, can bypass signature verification _only_ for repository_A and repository_B.
    - email_address: user2@company.com
      repositories:
        - repository_A
        - repository_B

  third_party_keys:
    # `repositories` not defined, can be used for signature verification for _any_ repository.
    - key: |
        -----BEGIN PGP PUBLIC KEY BLOCK-----

        m3IEYr73lBMIKoZIzj01AQcCAwT1gCXHMjKP6EWgtzJNxpkfFWhpK4dsV1dfbzRz
        ...truncated

        -----END PGP PUBLIC KEY BLOCK-----

    # `repositories` defined, can be used for signature verification _only_ for repository_C and repository_D.
    - key: |
        -----BEGIN PGP PUBLIC KEY BLOCK-----

        t3IEYr738sG78d7SD01AQcCAwT1gCXHMjKP6EWgtzJNxpkfF01AQcCAwT11dfbzRx
        ...truncated

        -----END PGP PUBLIC KEY BLOCK-----
      repositories:
        - repository_C
        - repository_D

# Allowlist that is used when the commit is not a merge commit.
# Please see https://www.atlassian.com/git/tutorials/using-branches/git-merge for more info.
non_merge_commit_allowlist:
  email_addresses:
    # `repositories` not defined, can bypass signature verification for _any_ repository.
    - email_address: user1@company.com

    # `repositories` defined, can bypass signature verification _only_ for repository_A and repository_B.
    - email_address: user2@company.com
      repositories:
        - repository_A
        - repository_B
        - repository_X
        - repository_Y

    # `repositories` defined, can bypass signature verification _only_ for repository_A and repository_B.
    - email_address: user3@company.com
      repositories:
        - repository_A
        - repository_B

  third_party_keys:
    # `repositories` not defined, can be used for signature verification for _any_ repository.
    - key: |
        -----BEGIN PGP PUBLIC KEY BLOCK-----

        m3IEYr73lBMIKoZIzj01AQcCAwT1gCXHMjKP6EWgtzJNxpkfFWhpK4dsV1dfbzRz
        ...truncated

        -----END PGP PUBLIC KEY BLOCK-----

    # `repositories` defined, can be used for signature verification _only_ for repository_C and repository_D.
    - key: |
        -----BEGIN PGP PUBLIC KEY BLOCK-----

        t3IEYr738sG78d7SD01AQcCAwT1gCXHMjKP6EWgtzJNxpkfF01AQcCAwT11dfbzRx
        ...truncated

        -----END PGP PUBLIC KEY BLOCK-----
      repositories:
        - repository_C
        - repository_D