From 777b8de88009c878c6aa38e7d649acebf8aeb86a Mon Sep 17 00:00:00 2001
From: Daz DeBoer <daz@gradle.com>
Date: Wed, 2 Apr 2025 12:32:16 -0600
Subject: [PATCH] Sign bot-generated commits

---
 .github/workflows/ci-update-dist.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci-update-dist.yml b/.github/workflows/ci-update-dist.yml
index 7e2a9e8..d4c088f 100644
--- a/.github/workflows/ci-update-dist.yml
+++ b/.github/workflows/ci-update-dist.yml
@@ -53,12 +53,23 @@ jobs:
       run: |
         cp -r sources/dist .
 
+    - name: Import GPG key to sign commits
+      uses: crazy-max/ghaction-import-gpg@v6
+      with:
+        gpg_private_key: ${{ secrets.GH_BOT_PGP_PRIVATE_KEY }}
+        passphrase: ${{ secrets.GH_BOT_PGP_PASSPHRASE }}
+        git_user_signingkey: true
+        git_commit_gpgsign: true
+        git_config_global: true
+    
     # Commit and push changes; has no effect if the files did not change
     # Important: The push event will not trigger any other workflows, see
     # https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
     - name: Commit & push changes
       uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
       with:
-        commit_author: Bot Githubaction <bot-githubaction@gradle.com>
+        commit_author: bot-githubaction <bot-githubaction@gradle.com>
+        commit_user_name: bot-githubaction
+        commit_user_email: bot-githubaction@gradle.com
         commit_message: '[bot] Update dist directory'
         file_pattern: dist