[GH-ISSUE #2866] Add support for automatically signing and pushing workflow results to the repo with tamper-proof verification #1260

Closed
opened 2026-03-01 21:49:59 +03:00 by kerem · 1 comment

Originally created by @pro-utkarshM on GitHub (May 22, 2025).
Original GitHub issue: https://github.com/nektos/act/issues/2866

Act version

324bab61f056e7e103b142b4c2f8b3b34421d764

Feature description

Summary

It would be great if act could support automatically committing, cryptographically signing, and pushing workflow results (logs, artifacts, status files) back to the repository, making the results tamper-proof and verifiable.


Motivation

  • act currently runs GitHub Actions workflows locally but does not push results or logs back to the repo.
  • Developers often want to test workflows locally and sync results seamlessly with their remote repos.
  • Automatically pushing results back is useful but could lead to tampering or faked outputs if not secured.
  • Adding GPG commit signing and file signing support would create a cryptographically verifiable audit trail.
  • This feature will bring act closer to a real CI environment with trustworthy local workflow runs.

Proposed functionality

  • Add an optional feature or flag (e.g., --push-signed-results) that:
    • Commits workflow results/logs/artifacts to the local Git repo.
    • Signs those commits using GPG (git commit -S) with a user-provided key.
    • Optionally signs individual output files with detached GPG signatures.
    • Pushes the signed commits to the remote repository.
  • Provide configuration options to:
    • Specify GPG key or keyring.
    • Control which files are signed and pushed.
    • Enable or disable automatic pushing.
  • Ensure secure handling of GPG keys (e.g., mount host keyring into containers).
  • Provide clear documentation on setup and usage.


Benefits

  • Ensures workflow results are tamper-proof and auditable.
  • Allows developers to test workflows locally and automatically update the repo.
  • Improves confidence and traceability of CI results.
  • Aligns with GitHub’s signed commit verification model.

Challenges & Considerations

  • Secure management of private GPG keys within containers.
  • Network access and authentication for pushing commits.
  • User experience and configuration complexity.
  • Handling failures during signing or pushing gracefully.

Additional context

This feature complements existing GitHub Actions signing and verification mechanisms and would fill a gap for local testing with act. It would be especially useful for teams that want to maintain cryptographically verified CI logs and reports generated locally before pushing to GitHub.


I’d be happy to contribute a proof-of-concept implementation or discuss design details!

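The sign-then-verify flow the issue proposes (commit the results, sign the commit with `git commit -S`, detach-sign the individual files, then verify) as an added example. This is not code from act or from the issue author: it is a plain git + gpg script run in a throwaway directory with its own isolated GnuPG keyring, so it works offline and never touches the host's real keys. The repository path, the `act demo` key identity, the `.act-results` directory and the result files are all constructed for the demonstration, the proposed `--push-signed-results` flag does not exist and is not used, and the push step is left out. It goes one step beyond the list above by showing what verification catches when a signed log is edited after the fact.

```shell
#!/bin/sh
# Added example (not act's code): the sign-then-verify flow from the issue, run
# against a throwaway repo and an isolated GnuPG keyring so it works offline and
# never touches the user's real keys. All paths, identities and result files
# below are constructed for the demonstration; the push step is left out.
set -eu

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
# Ignore host-level git config so the demo is self-contained (git >= 2.32).
export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_SYSTEM=/dev/null
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

RESULTS=.act-results                      # constructed output directory
FILES="$RESULTS/status.txt $RESULTS/run.log"

# Throwaway signing key with a constructed identity and no passphrase (demo only).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'act demo <act-demo@example.invalid>' default sign 0 2>/dev/null
KEYID="$(gpg --batch --list-secret-keys --with-colons | awk -F: '/^sec/ { print $5; exit }')"

# Local repo standing in for the project repository; user.signingkey plays the
# role of the "specify GPG key" option from the proposal.
git init -q "$WORK/repo"
cd "$WORK/repo"
git config user.name 'act demo'
git config user.email 'act-demo@example.invalid'
git config user.signingkey "$KEYID"

# 1. Workflow results a run would leave behind (constructed content).
mkdir -p "$RESULTS"
printf 'job=build status=success\n' > "$RESULTS/status.txt"
printf 'step 1: checkout ok\nstep 2: build ok\n' > "$RESULTS/run.log"

# 2. Detached, ASCII-armoured signature next to each result file.
for f in $FILES; do
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --armor --output "$f.asc" "$f"
done

# 3. Signed commit (git commit -S) covering the results and their signatures.
git add "$RESULTS"
git commit -q -S -m 'act: signed workflow results'

# Verification a reviewer (or a CI job) would run: the commit signature and
# every detached file signature must check out. Returns 0 only if all pass.
verify_results() {
    git verify-commit HEAD 2>/dev/null || return 1
    for f in $FILES; do
        gpg --batch --quiet --verify "$f.asc" "$f" 2>/dev/null || return 1
    done
}

# Tamper check: append a line to a signed log after the fact, confirm that
# verification now fails, then restore the tree from the signed commit.
tamper_is_detected() {
    printf 'step 3: edited after signing\n' >> "$RESULTS/run.log"
    if verify_results; then still_ok=1; else still_ok=0; fi
    git checkout -q -- "$RESULTS"
    [ "$still_ok" -eq 0 ]
}

if verify_results; then echo "clean tree: commit and file signatures verify"; fi
if tamper_is_detected; then echo "edited log: detached signature rejected"; fi
```

Two points worth noting from running it. The commit signature alone does not notice the edited log, because `git verify-commit` checks the commit object, not the working tree; it is the detached per-file signature that fails, which is why the issue's optional file signing matters for anyone reading results straight from a checkout. And the only thing keeping the private key out of reach of workflow containers here is the separate `GNUPGHOME`; the "mount host keyring into containers" idea in the proposal would hand the key to every step, so a design that signs on the host after the containers finish is the safer shape.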
kerem 2026-03-01 21:49:59 +03:00

@panekj commented on GitHub (May 23, 2025):

All of that can be done manually or part of a workflow runner (like Makefile or act itself)
