From d83f142c630ffede97dca24bf1f502bcbca9a6c2 Mon Sep 17 00:00:00 2001
From: Max Kotliar
Date: Thu, 26 Mar 2026 19:37:16 +0200
Subject: [PATCH] .github: check commit signature for both GPG and SSH
---
 .github/workflows/check-commit-signed.yml | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/check-commit-signed.yml b/.github/workflows/check-commit-signed.yml
index dcaf8d4335..3ebe68825f 100644
--- a/.github/workflows/check-commit-signed.yml
+++ b/.github/workflows/check-commit-signed.yml
@@ -27,11 +27,21 @@ jobs:
 exit 0
 fi
 
- unsigned=$(git log --pretty="%H %G?" $RANGE | grep -vE " (G|E)$" || true)
+ # Check raw commit objects for a "gpgsig" header as a fast early signal for
+ # contributors. Both GPG and SSH signatures use this header.
+ # This avoids relying on %G? which returns N for SSH commits.
+ # This check is not a security enforcement — unsigned commits cannot be merged
+ # anyway due to the GitHub repository merge policy.
+ unsigned=""
+ for sha in $(git rev-list $RANGE); do
+ if ! git cat-file commit "$sha" | grep -q "^gpgsig"; then
+ unsigned="$unsigned $sha"
+ fi
+ done
 if [ -n "$unsigned" ]; then
 echo "Found unsigned commits:"
 echo "$unsigned"
 exit 1
 fi
-
- echo "All commits in PR are signed (G or E)"
\ No newline at end of file
+
+ echo "All commits in PR are signed (GPG or SSH)"
\ No newline at end of file
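Review bot: The `grep -q "^gpgsig"` in the new loop scans the whole raw object, not just its header block, so a commit whose message body contains a line beginning with `gpgsig` is counted as signed even though it carries no signature; scanning only up to the first blank line keeps the fast path accurate, e.g. `if ! git cat-file commit "$sha" | sed -n '1,/^$/p' | grep -q '^gpgsig'; then`. Relatedly, a present header only shows a signature blob is attached, not that it verifies (the old `%G?` G/E filter did check validity), which the added comment says but the closing message does not, so `echo "All commits in PR carry a signature header (GPG or SSH)"` would describe the result more honestly. Minor style point: `echo "$unsigned"` prints every SHA on one line with a leading space; collecting into an array (`unsigned+=("$sha")`) and printing with `printf '%s\n' "${unsigned[@]}"` gives one SHA per line for readers of the job log. The enclosing `run:` step starts before this hunk, so whether `set -o pipefail` or an explicit shell is configured for it is not visible here.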