22 changes: 22 additions & 0 deletions .github/workflows/sync_copilot.yml
@@ -0,0 +1,22 @@
name: Sync Copilot Instructions

on:
workflow_dispatch:
schedule:
- cron: "0 6 * * 1"

jobs:
sync-copilot-instructions:
runs-on: ubuntu-22.04
environment: create_pull_request
permissions:
contents: read

Comment on lines +1 to +14
Copilot AI Apr 1, 2026

Other workflows in this repo set top-level permissions: {} and then grant per-job permissions. This workflow omits the top-level permissions block, which likely results in broader default token permissions than intended. Add permissions: {} at the workflow root and keep only the minimal job permissions needed.

steps:
- name: Sync shared instructions
uses: NHSDigital/eps-copilot-instructions@304ab2f4b7cdc15a1d7c0a0fae5290fad41b2451
with:
copilot_instructions_ref: main
calling_repo_base_branch: master
Copilot AI Apr 1, 2026

calling_repo_base_branch is set to master, but this repo’s workflows target main (and the README example uses main). If master doesn’t exist, the sync job will fail or open PRs against the wrong branch. Update this to main (or derive it from the repository default branch).

Suggested change
calling_repo_base_branch: master
calling_repo_base_branch: main

CREATE_PULL_REQUEST_APP_ID: ${{ secrets.CREATE_PULL_REQUEST_APP_ID }}
CREATE_PULL_REQUEST_PEM: ${{ secrets.CREATE_PULL_REQUEST_PEM }}
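Review bot: `copilot_instructions_ref: main` pulls the shared instructions from a moving branch while the action itself is pinned to commit 304ab2f4b7cdc15a1d7c0a0fae5290fad41b2451, so each weekly run imports whatever is on the upstream `main` at that moment. That is only safe if the pull request this job opens is always reviewed by a person before merge; if PRs from the create_pull_request app are ever auto-merged, this becomes an unreviewed write path into files that steer Copilot's behaviour in this repo. Consider pinning the ref to a tag or SHA and bumping it deliberately, and add a version comment next to the pinned action SHA so dependency-update tooling can track it. The `environment: create_pull_request` gate is the right place to restrict which branches may read `CREATE_PULL_REQUEST_APP_ID` and `CREATE_PULL_REQUEST_PEM`; confirm that environment has deployment-branch rules set rather than the default of any branch.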
31 changes: 29 additions & 2 deletions .pre-commit-config.yaml
Expand Up @@ -49,8 +49,35 @@ repos:
types_or: [sh, shell]
pass_filenames: false

- repo: local
hooks:
- id: check-commit-signing
name: Check commit signing
description: Ensures that commits are GPG signed
Comment on lines +53 to +54
Copilot AI Apr 1, 2026

The hook description says it "Ensures that commits are GPG signed", but the implementation only checks local Git config (user.signingkey/commit.gpgsign). This can be misleading for contributors because it doesn’t verify that an actual commit is signed. Consider rewording the description/name to reflect that it enforces local signing configuration.

Suggested change
name: Check commit signing
description: Ensures that commits are GPG signed
name: Check commit signing configuration
description: Ensures Git is configured to sign commits with GPG

entry: bash
args:
- -c
- |
if ! git config --get user.signingkey > /dev/null 2>&1; then
echo "Error: Git signing key not configured."
echo "Please configure your GPG signing key with:"
echo " git config user.signingkey <YOUR_GPG_KEY_ID>"
echo ""
echo "To find your GPG key ID, run: gpg --list-secret-keys --keyid-format=long"
echo "For more information, see: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits"
exit 1
fi
Comment on lines +59 to +67
Copilot AI Apr 1, 2026

Failing when user.signingkey is unset will block users who have commit signing working via a default GPG key (or other signing setups) without explicitly setting user.signingkey. This can cause false failures on commit. Prefer checking/enforcing commit.gpgsign (and optionally gpg.format) without requiring user.signingkey, or make the signingkey check conditional/optional.

if ! git config --get commit.gpgsign | grep -q "true" > /dev/null 2>&1; then
echo "Error: Commit signing is not enabled."
echo "Please enable commit signing with:"
echo " git config commit.gpgsign true"
echo ""
echo "For more information, see: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits"
exit 1
fi
Comment on lines +68 to +75
Copilot AI Apr 1, 2026

The commit.gpgsign check relies on grepping raw git config output for the string true. Git boolean configs can be represented in multiple ways and git config --get doesn’t normalize them. Use git config --bool --get commit.gpgsign (or equivalent) and compare the normalized value; also the extra > /dev/null after grep -q is redundant.

echo "Commit signing is properly configured."
language: system
pass_filenames: false
always_run: true

- id: git-secrets
name: Git Secrets
description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
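Review bot: the check-commit-signing hook is a client-side convenience, not a control; it reads local config only, is satisfied by any `user.signingkey` value plus `commit.gpgsign true`, and is skipped entirely by `git commit --no-verify`, so enforce signing server-side with the repository's "Require signed commits" branch protection rule, which rejects unsigned or unverifiable commits at push time. Within the same block, the hint `gpg --list-secret-keys --keyid-format=long` is misleading when a contributor has `gpg.format` set to `ssh`, because `user.signingkey` is then a public-key path rather than a GPG key ID; either read `gpg.format` and tailor the guidance or keep the message format-neutral. Minor: `language: system` with `entry: bash` assumes bash is on PATH; that holds on the Linux runners used elsewhere in this repo but will fail on a minimal Windows checkout, so consider `language: script` with a checked-in shell file if cross-platform contributors are expected.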