feat: add gpg support (#1954)

* feat: add GPG commit signing support to GitHub Action

* feat: add GPG signing test workflow

* chore: remove unnecessary console log from CI command

* chore: remove GPG signing test workflow from CI

Author: cherkanovart

.changeset/public-nails-tease.md

@@ -0,0 +1,25 @@
+---
+"lingo.dev": minor
+---
+
+feat: add GPG commit signing support to GitHub Action
+
+- Added `gpg-sign` input to action.yml for enabling GPG commit signing
+- Added `--gpg-sign` CLI option for the `ci` command
+- Added preflight check to verify GPG signing key is configured before committing
+- Commits are signed with `-S` flag when GPG signing is enabled
+- Works with both in-branch and pull-request modes
+
+Usage:
+```yaml
+- uses: crazy-max/ghaction-import-gpg@v6
+  with:
+    gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+    git_user_signingkey: true
+    git_commit_gpgsign: true
+
+- uses: lingodotdev/lingo.dev@main
+  with:
+    api-key: ${{ secrets.LINGODOTDEV_API_KEY }}
+    gpg-sign: true
+```

action.yml

@@ -20,7 +20,8 @@ runs:
           --commit-author-email "${{ inputs.commit-author-email }}" \
           --working-directory "${{ inputs.working-directory }}" \
           --process-own-commits "${{ inputs.process-own-commits }}" \
-          --parallel ${{ inputs.parallel }}
+          --parallel ${{ inputs.parallel }} \
+          --gpg-sign "${{ inputs.gpg-sign }}"
       shell: bash
 inputs:
   version:
@@ -62,3 +63,7 @@ inputs:
     description: "Run in parallel mode"
     default: false
     required: false
+  gpg-sign:
+    description: "Sign commits with GPG. Requires GPG key to be configured (e.g., via crazy-max/ghaction-import-gpg)"
+    default: false
+    required: false

packages/cli/src/cli/cmd/ci/flows/in-branch.ts

@@ -33,8 +33,9 @@ export class InBranchFlow extends IntegrationFlow {
       this.ora.start("Committing changes");
       execSync(`git add .`, { stdio: "inherit" });
       execSync(`git status --porcelain`, { stdio: "inherit" });
+      const signFlag = this.platformKit.config.gpgSign ? "-S " : "";
       execSync(
-        `git commit -m ${escapeShellArg(
+        `git commit ${signFlag}-m ${escapeShellArg(
           this.platformKit.config.commitMessage,
         )} --no-verify`,
         {
@@ -101,6 +102,26 @@ export class InBranchFlow extends IntegrationFlow {
     execSync(`git config user.name "${gitConfig.userName}"`);
     execSync(`git config user.email "${gitConfig.userEmail}"`);
 
+    // Configure GPG signing if enabled
+    if (this.platformKit.config.gpgSign) {
+      // Preflight check: verify signing key is configured
+      try {
+        const signingKey = execSync(`git config user.signingkey`, {
+          encoding: "utf8",
+        }).trim();
+        if (!signingKey) {
+          throw new Error("No signing key configured");
+        }
+      } catch {
+        throw new Error(
+          "GPG signing is enabled but no signing key is configured. " +
+            "Import a GPG key (e.g., using crazy-max/ghaction-import-gpg) before running this action, " +
+            "or set gpg-sign to false.",
+        );
+      }
+      execSync(`git config commit.gpgsign true`);
+    }
+
     // perform platform-specific configuration before fetching or pushing to the remote
     this.platformKit?.gitConfig();
 

packages/cli/src/cli/cmd/ci/flows/pull-request.ts

@@ -198,8 +198,9 @@ export class PullRequestFlow extends InBranchFlow {
     const hasChanges = this.checkCommitableChanges();
     if (hasChanges) {
       execSync("git add .", { stdio: "inherit" });
+      const signFlag = this.platformKit.config.gpgSign ? "-S " : "";
       execSync(
-        `git commit -m "chore: sync with ${this.platformKit.platformConfig.baseBranchName}" --no-verify`,
+        `git commit ${signFlag}-m "chore: sync with ${this.platformKit.platformConfig.baseBranchName}" --no-verify`,
         {
           stdio: "inherit",
         },

packages/cli/src/cli/cmd/ci/index.ts

@@ -18,6 +18,7 @@ interface CIOptions {
   commitAuthorEmail?: string;
   workingDirectory?: string;
   processOwnCommits?: boolean;
+  gpgSign?: boolean;
 }
 
 export default new Command()
@@ -63,11 +64,14 @@ export default new Command()
     "Allow processing commits made by this CI user (bypasses infinite loop prevention)",
     parseBooleanArg,
   )
+  .option(
+    "--gpg-sign [boolean]",
+    "Sign commits with GPG. Requires GPG to be configured in the environment",
+    parseBooleanArg,
+  )
   .action(async (options: CIOptions) => {
     const settings = getSettings(options.apiKey);
 
-    console.log(options);
-
     if (!settings.auth.apiKey) {
       console.error("No API key provided");
       return;
@@ -105,6 +109,9 @@ export default new Command()
       ...(options.processOwnCommits && {
         LINGODOTDEV_PROCESS_OWN_COMMITS: options.processOwnCommits.toString(),
       }),
+      ...(options.gpgSign && {
+        LINGODOTDEV_GPG_SIGN: options.gpgSign.toString(),
+      }),
     };
 
     process.env = { ...process.env, ...env };

packages/cli/src/cli/cmd/ci/platforms/_base.ts

@@ -61,6 +61,10 @@ export abstract class PlatformKit<
         (val) => val === "true" || val === true,
         Z.boolean(),
       ).optional(),
+      LINGODOTDEV_GPG_SIGN: Z.preprocess(
+        (val) => val === "true" || val === true,
+        Z.boolean(),
+      ).optional(),
     }).parse(process.env);
 
     return {
@@ -73,6 +77,7 @@ export abstract class PlatformKit<
         env.LINGODOTDEV_COMMIT_AUTHOR_EMAIL || "support@lingo.dev",
       workingDir: env.LINGODOTDEV_WORKING_DIRECTORY || ".",
       processOwnCommits: env.LINGODOTDEV_PROCESS_OWN_COMMITS || false,
+      gpgSign: env.LINGODOTDEV_GPG_SIGN || false,
     };
   }
 }