From a206f547010ac8d47d71d112d32a9907080769a4 Mon Sep 17 00:00:00 2001
From: Bo Zimmerman
Date: Tue, 22 Apr 2025 14:14:56 -0700
Subject: [PATCH] Added verify.yml
---
.github/dependabot.yml | 6 ++++++
.github/workflows/verify.yml | 37 ++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
create mode 100644 .github/dependabot.yml
create mode 100644 .github/workflows/verify.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..8ac6b8c
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "monthly"
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
new file mode 100644
index 0000000..e93ac87
--- /dev/null
+++ b/.github/workflows/verify.yml
@@ -0,0 +1,37 @@
+name: Verify
+on: [pull_request]
+env:
+ TERM: xterm-256color
+jobs:
+ verify-commits:
+ name: Check Commit Signatures
+ runs-on: [ubuntu-latest]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Check signatures
+ shell: bash
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ COMMITS=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \
+ --jq '.[].sha') || {
+ echo "::error::Failed to fetch commits from GitHub"
+ exit 1
+ }
+
+ if [ -z "$COMMITS" ]; then
+ echo "::error::Unexpected empty commit list"
+ exit 1
+ fi
+
+ for sha in $COMMITS; do
+ echo "Checking commit $sha"
+ VERIFIED=$(gh api repos/${{ github.repository }}/commits/$sha --jq '.commit.verification.verified')
+ if [ "$VERIFIED" != "true" ]; then
+ echo "::error::Commit $sha is not verified"
+ exit 1
+ fi
+ done
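Review bot: The first `gh api` call in the "Check signatures" step fetches only one page of the pull-request commits endpoint, so on a pull request with more commits than fit on a page the loop silently skips the remainder and the job still passes; adding `--paginate` to that call closes the gap (the `--jq '.[].sha'` filter is applied to each page, so `$COMMITS` stays a newline-separated list). The workflow also declares no `permissions:` block, so the job token falls back to the repository's default scope even though both calls are reads; `contents: read` and `pull-requests: read` are sufficient. It is worth a comment in the step that `commit.verification.verified` only attests that GitHub matched the signature to a key it knows (including its own web-flow key for commits authored through the UI), not that the signer is the commit's author or a particular maintainer. The `actions/checkout@v4` step is unused by the script, which only calls the API, and can be dropped.

```yaml
name: Verify
on: [pull_request]
permissions:
  contents: read
  pull-requests: read
# … unchanged: env, jobs header, checkout step …
        run: |
          # verified=true means GitHub matched the signature to a known key; it does not bind the signer to the author
          COMMITS=$(gh api --paginate repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \
            --jq '.[].sha') || {
# … unchanged: error handling and per-commit verification loop …
```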