|
| 1 | +--- |
| 2 | +applyTo: "**" |
| 3 | +description: This file describes how to write commit and use GPG messages for the project. |
| 4 | +--- |
| 5 | + |
| 6 | +# Git Commit Messages |
| 7 | + |
| 8 | +Git commit messages must follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification. This means that commit messages should be structured as follows: |
| 9 | + |
| 10 | +```text |
| 11 | +type(scope): subject |
| 12 | +
|
| 13 | +extended description (optional) |
| 14 | +``` |
| 15 | + |
| 16 | +Where: |
| 17 | + |
| 18 | +```text |
| 19 | +type: The type of change (e.g., feat, fix, docs, style, refactor, test, chore). |
| 20 | +scope: An optional scope that provides additional context about the change (e.g., component, module, etc.). |
| 21 | +subject: A brief description of the change. |
| 22 | +extended description: An optional, more detailed description of the change, which can include motivation, context, and any relevant information. |
| 23 | +``` |
| 24 | + |
| 25 | +> [!IMPORTANT] |
| 26 | +> If the commit fixes a vulnerability then this should be specified as text in the extended description and the commit message should include the text "fixes #<issue number>" to link the commit to the issue or "fixes <CVE identifier>" to link the commit to a specific CVE or GHSA. |
| 27 | +
|
| 28 | +# GPG Signatures |
| 29 | + |
| 30 | +All commits must be signed with a GPG key to ensure the authenticity and integrity of the commit history. To sign a commit, use the `-S` or `--gpg-sign` option with the `git commit` command: |
| 31 | + |
| 32 | +```sh |
| 33 | +git commit -S -m "type(scope): subject" |
| 34 | +``` |
| 35 | + |
| 36 | +Make sure to configure your GPG key in Git before signing commits: |
| 37 | + |
| 38 | +```sh |
| 39 | +git config --global user.signingkey <your-gpg-key-id> |
| 40 | +``` |
| 41 | + |
| 42 | +> [!IMPORTANT] |
| 43 | +> If the signing key is not configured then stop the current conversation and ask the user to configure their GPG key before proceeding with any commits. |
| 44 | +
|
| 45 | +## Handling GPG Signature Errors |
| 46 | + |
| 47 | +If you encounter errors related to GPG signatures, ensure that your GPG key is properly configured and that you have the necessary permissions to use it. Retry the signing process once after resolving any issues with your GPG key. If the problem persists, stop the conversation and notify the user to check their GPG configuration and permissions before attempting to commit again. |
| 48 | + |
| 49 | +> [!IMPORTANT] |
| 50 | +> Under no circumstances should you attempt to bypass GPG signature requirements or suggest any workarounds that compromise the security of the commit history. Always encourage users to resolve GPG issues properly to maintain the integrity of the project. |
0 commit comments