feat: support signed commits for resource 'github_repository_file'

[wparr-circle]

Resolves #879

---

Before the change?

• Currently github_repository_file modifies files via the github content API. Which means there is limited support for signed commits (ie. anything which supports automatic signing via API). However there is no support for signing using a custom PGP key this way.

After the change?

• Adds support for sensitive variables 'pgp_signing_key' and 'pgp_signing_key_passphrase' which contains an armored PGP private key and an optional passphrase (if the key is locked). This can be used to sign commits when paired with 'use_contents_api = false', where we manipulate a commit and push it to the reference rather than using the contents API to provide a higher level interface.

(note unverified due to github not having public key of the pgp key used in test and author/committer being mismatched).

Pull request checklist

• Tests for the changes have been added (for bug fixes / features)
• Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

Please see our docs on breaking changes to help!

• Yes
• No

---

[nickfloyd]

Hey @wparr-circle Thanks for the contributions here. Please run lint when you get the chance! It looks like CI is getting hung up on that. Thanks.

[wparr-circle]

Ran against linters now @nickfloyd! Thanks :)

[kfcampbell]

@wparr-circle do you mind explaining more about the below part of your writeup? I'm not sure I understand, sorry.

where we manipulate a commit and push it to the reference rather than using the contents API to provide a higher level interface.

[wparr-circle]

@kfcampbell Sure no problem! Sorry if I wasn't clear.
Current implementation of this resource is utilising the GitHub Contents API.
We get some verified signature support using this like auto sign for bots/github actions.
However, for the use case of GPG based signing - we can't leverage the contents API. Rather we need to manipulate the git tree directly.

Does that help explain?

I left the old contents API way of working as the default behaviour, because of the size of change creeping up.

[marek-karwacki-rdx]

Hi, is there a timeline on this feature? Thanks

[M0NsTeRRR]

Hello, is something missing @kfcampbell to get this merged ?

[ahanafy]

Landed at this PR after realizing the resource doesn't support signing. @kfcampbell do you have any direction or feedback on this PR to get it completed? Trying to get an idea on whether this feature is planned for this resource or if its not achievable?

[nickfloyd]

Hey thanks for the contributions here! ❤️

[kfcampbell]

@wparr-circle we just merged #2100 and we're ready to go with this before we cut a release with your new features in it. I didn't anticipate that there might be a merge conflict between your two PRs though, and I'm wondering if you'd feel comfortable resolving the conflict. If you'd prefer that Nick and I do it, please let me know and we'll get to it!

Thanks for the contributions, and I'm looking forward to seeing commit signing in the wild.

[wparr-circle]

Hey @kfcampbell @nickfloyd thanks for getting around to looking at these 👀
Let me quickly fix the conflicts

[ahanafy]

@wparr-circle / @nickfloyd / @kfcampbell I think this PR will need to have conflicts resolved and review occur pretty tightly together in order to get it past the goal. Thoughts?

[rwblokzijl]

@nickfloyd / @kfcampbell Thank you for all the work on this provider! At the risk of sounding too pushy, we would love to see this PR merged. Would it be possible to review again?

[wparr-circle]

@nickfloyd sorry I haven't had time to follow up on this until now. I've just resolved merge conflicts - please review when you have a chance 🙏

[rwblokzijl]

Maybe it would be better if this resource supported using environment variables to set pgp_signing_key and/or pgp_signing_key_passphrase. That way they don't have to be stored in the state. Perhaps the specific env var to use could be passed to the resource. Eg:

resource "github_repository_file" "file" {
  ...
  pgp_signing_key_env = "SECRET_PGP_SIGNING_KEY"
  ...
}

[rwblokzijl]

Actually, terraform just released Write-only attributes and i think this is the perfect usecase. By marking the key as write-only it won't be persisted in the state.