chore: use github-actions[bot] identity and SSH signing (#850)

* chore: use github-actions[bot] identity and SSH signing

* chore: address security review - tighten SSH permissions and cleanup key

* chore: remove default values from coderabbit config

Author: TomerFi

.coderabbit.yaml

@@ -1,9 +1,6 @@
 # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
 ---
 reviews:
-  profile: chill
-  collapse_walkthrough: false
-  sequence_diagrams: true
   path_instructions:
     - path: src/**/*.py
       instructions: |
@@ -24,8 +21,3 @@ reviews:
         - Clear CLI argument handling
         - Proper error handling and user feedback
         - Consistent logging and output formatting
-  tools:
-    ruff:
-      enabled: true
-    yamllint:
-      enabled: true

.github/workflows/release.yml

@@ -52,8 +52,18 @@ jobs:
 
       - name: Configure git
         run: |
-          git config user.name "${{ github.actor }}"
-          git config user.email "${{ github.actor }}@users.noreply.github.com"
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Setup SSH signing
+        run: |
+          mkdir -p ~/.ssh
+          chmod 700 ~/.ssh
+          echo "${{ secrets.SIGNING_KEY }}" > ~/.ssh/signing_key
+          chmod 600 ~/.ssh/signing_key
+          git config gpg.format ssh
+          git config user.signingkey ~/.ssh/signing_key
+          git config commit.gpgsign true
 
       - name: Determine version and create changelog
         id: bumper
@@ -124,3 +134,7 @@ jobs:
               generate_release_notes: true
             })
             core.setOutput('html_url', response.data.html_url)
+
+      - name: Cleanup SSH signing key
+        if: always()
+        run: rm -f ~/.ssh/signing_key