Upcoming Changes for Developers: What You Need to Know

We’re introducing several important updates to our development workflow to improve security, consistency, and long-term maintainability across all repositories. These changes take effect immediately unless stated otherwise.

:locked_with_key: Mandatory Commit Signing

All commits must now be signed.

Commit signing ensures that changes can be verified as coming from a trusted source, helping to prevent spoofed contributions and improving overall repository security. GitHub marks signed commits as “Verified,” providing clear traceability. (GitHub Docs)

:backhand_index_pointing_right: Learn how to set up GPG commit signing:
Signing commits with GPG


:rocket: Migration to GitHub Actions

All CI pipelines are being migrated from drone.owncloud.com to GitHub Actions.

This migration is effective immediately. Any existing Drone pipelines should be considered deprecated and will no longer be maintained. Developers are expected to move workflows to .github/workflows.


:locked: Mandatory SHA Pinning for Actions

All GitHub Actions used in workflows must be pinned to a specific commit SHA.

Pinning ensures that workflows always run the exact same version of an action, preventing unexpected changes or supply chain risks that can occur when using mutable references such as the tag @v3 or the branch @main, both of which can be moved to point at different code after you have reviewed it.

:backhand_index_pointing_right: Learn more about secure usage of actions and pinning:
Using third-party actions securely (SHA pinning)
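
To help find workflows that still use mutable references, here is a small checker (an added example, not part of this announcement or of any ownCloud tooling). It scans workflow text for `uses:` lines and reports every reference that is not pinned to a full 40-hex commit SHA; the sample workflow and its placeholder SHA are constructed for the demonstration.

```python
"""Report `uses:` references in a GitHub Actions workflow that are not SHA-pinned.

Added example (not project code). Uses a line-based regex rather than a YAML
parser so it runs without extra dependencies; it is a lint, not a full parser.
"""
import re
from typing import List, Tuple

# `- uses: owner/repo[/path]@ref  # optional comment`, with or without quotes.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def check_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, reference, problem) for each non-compliant `uses:`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./"):
            continue  # local action in this repo: fixed by the checked-out commit
        if ref.startswith("docker://"):
            findings.append((lineno, ref, "docker image: pin by digest, not by tag"))
            continue
        if "@" not in ref:
            findings.append((lineno, ref, "no ref given (resolves to the default branch)"))
            continue
        _, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, ref, f"mutable ref '{version}', pin to a full commit SHA"))
    return findings

# Constructed sample; the all-zero SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@main
      - uses: actions/cache@0000000000000000000000000000000000000000  # v4.0.0 (placeholder)
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - uses: some-org/some-action
"""

if __name__ == "__main__":
    for lineno, ref, problem in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {problem}")
```

Keep the version as a trailing comment next to the SHA, as in the sample, so reviewers can still see which release the pin corresponds to.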


:white_check_mark: Allowed Actions Policy

Only the following GitHub Actions are allowed:

  • Official GitHub Actions
  • Actions from verified publishers

Any exceptions must be discussed with the development team before use.


:magnifying_glass_tilted_left: Workflow Approval for External Contributions

GitHub workflows triggered by pull requests from external contributors will require explicit approval before execution.

This adds a security layer that prevents untrusted code from a pull request from running in CI, with access to runners and secrets, before a maintainer has looked at it.


Summary

These changes are focused on strengthening our supply chain security and aligning with modern best practices:

  • Signed commits for verified authorship
  • GitHub Actions as the single CI platform
  • SHA-pinned actions for reproducibility and security
  • Restricted and reviewed third-party integrations
  • Safer handling of external contributions

If you have questions or need help adapting your workflows, feel free to reach out in the development channels.

