go-openapi · fredbi · Dec 12, 2025 · Dec 11, 2025
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
@@ -2,6 +2,24 @@ name: Dependabot auto-merge
 
 on:
   workflow_call:
+    inputs:
+      enable-organization-bot:
+        description: |
+          Enable automatic approval and merge of PRs initiated by a bot.
+
+        type: boolean
+        required: false
+        default: true
+      organization-bot:
+        description: |
+          The bot name for your organization,
+          for which you wish to enable auto-merge.
+
+          Example: bot-go-openapi[bot]
+
+        type: string
+        required: false
+        default: 'bot-go-openapi[bot]'
 
 permissions:
   contents: read
@@ -50,7 +68,7 @@ jobs:
       contents: write
       pull-requests: write
     runs-on: ubuntu-latest
-    if: ${{ github.event.pull_request.user.login == 'bot-go-openapi[bot]' }}
+    if: ${{ inputs.enable-organization-bot == 'true' && github.event.pull_request.user.login == inputs.organization-bot }}
     env:
       PR_URL: ${{github.event.pull_request.html_url}}
       GH_TOKEN: ${{secrets.GITHUB_TOKEN}}

diff --git a/.github/workflows/bump-release.yml b/.github/workflows/bump-release.yml
@@ -42,6 +42,14 @@ on:
           (use "|" to replace end of line).
         required: false
         type: string
+      enable-tag-signing:
+        description: |
+          Enable PGP tag-signing by a bot user.
+
+          When enabled, you must pass the GPG secrets to this workflow.
+        required: false
+        type: boolean
+        default: true
       cliff-config:
         type: string
         required: false
@@ -52,6 +60,31 @@ on:
         required: false
         default: 'https://raw.githubusercontent.com/go-openapi/ci-workflows/refs/heads/master/.cliff.toml'
         description: 'URL to the remote git-cliff config file (used if local config does not exist)'
+    secrets:
+      gpg-private-key:
+        description: |
+          GPG private key in armored format for signing tags.
+
+          Default for go-openapi: CI_BOT_GPG_PRIVATE_KEY
+
+          Required when enable-tag-signing is true.
+        required: false
+      gpg-passphrase:
+        description: |
+          Passphrase to unlock the GPG private key.
+
+          Default for go-openapi: CI_BOT_GPG_PASSPHRASE
+
+          Required when enable-tag-signing is true.
+        required: false
+      gpg-fingerprint:
+        description: |
+          Fingerprint of the GPG signing key (spaces removed).
+
+          Default for go-openapi: CI_BOT_SIGNING_KEY
+
+          Required when enable-tag-signing is true.
+        required: false
 
 jobs:
   tag-release:
@@ -94,21 +127,23 @@ jobs:
           echo "next-tag=${NEXT_TAG}" >> "$GITHUB_OUTPUT"
           echo "::notice title=next-tag:${NEXT_TAG}"
       -
-        name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+        name: Configure bot credentials
+        if: ${{ inputs.enable-tag-signing == 'true' }}
+        uses: go-openapi/gh-actions/ci-jobs/bot-credentials@6c7952706aa7afa9141262485767d9270ef5b00b # master
         # This is using the GPG signature of bot-go-openapi.
         #
-        # CI_BOT_GPG_PRIVATE_KEY: the bot gpg key, armored
-        # CI_BOT_GPG_PASSPHRASE: the bot gpg passphrase
-        # CI_BOT_SIGNING_KEY: the fingerprint of the subkey used (space removed)
+        # For go-openapi repos (using secrets: inherit):
+        #   Falls back to: CI_BOT_GPG_PRIVATE_KEY, CI_BOT_GPG_PASSPHRASE, CI_BOT_SIGNING_KEY
+        #
+        # For other orgs: explicitly pass secrets with your custom names
         # NOTE(fredbi): extracted w/ gpg -K --homedir gnupg --keyid-format LONG --with-keygrip --fingerprint --with-subkey-fingerprint
         with:
-          gpg_private_key: ${{ secrets.CI_BOT_GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.CI_BOT_GPG_PASSPHRASE }}
-          fingerprint: ${{ secrets.CI_BOT_SIGNING_KEY }}
-          git_user_signingkey: true
-          git_commit_gpgsign: true
-          git_tag_gpgsign: true
+          enable-gpg-signing: 'true'
+          gpg-private-key: ${{ secrets.gpg-private-key || secrets.CI_BOT_GPG_PRIVATE_KEY }}
+          gpg-passphrase: ${{ secrets.gpg-passphrase || secrets.CI_BOT_GPG_PASSPHRASE }}
+          gpg-fingerprint: ${{ secrets.gpg-fingerprint || secrets.CI_BOT_SIGNING_KEY }}
+          enable-tag-signing: 'true'
+          enable-commit-signing: 'false'
       -
         name: Create and sign tag
         env:
@@ -125,8 +160,15 @@ jobs:
           fi
           echo "::notice title=tag-message:${MESSAGE}"
 
-          git tag -s -m "${MESSAGE}" "${NEXT_TAG}"
-          git tag -v "${NEXT_TAG}"
+          SIGNED=""
+          if [[ '${{ inputs.enable-tag-signing }}' == 'true' ]] ; then
+             SIGNED="-s"
+          fi
+
+          git tag "${SIGNED}" -m "${MESSAGE}" "${NEXT_TAG}"
+          if [[ -n "${SIGNED}" ]] ; then
+            git tag -v "${NEXT_TAG}"
+          fi
           git push origin "${NEXT_TAG}"
 
   gh-release:

diff --git a/.github/workflows/contributors.yml b/.github/workflows/contributors.yml
@@ -1,10 +1,60 @@
 name: Contributors
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
+    inputs:
+      enable-commit-signing:
+        description: |
+          Enable GPG commit signing by a bot user.
 
-permissions:
-  contents: read
+          When enabled, commits in the pull request will be signed with the bot's GPG key.
+        required: false
+        type: boolean
+        default: true
+    secrets:
+      github-app-id:
+        description: |
+          GitHub App ID for bot user authentication.
+
+          Default for go-openapi: CI_BOT_APP_ID
+
+          Required to create pull requests as the bot user.
+        required: false
+      github-app-private-key:
+        description: |
+          GitHub App private key in PEM format.
+
+          Default for go-openapi: CI_BOT_APP_PRIVATE_KEY
+
+          Required to create pull requests as the bot user.
+        required: false
+      gpg-private-key:
+        description: |
+          GPG private key in armored format for signing commits.
+
+          Default for go-openapi: CI_BOT_GPG_PRIVATE_KEY
+
+          Required when enable-commit-signing is true.
+        required: false
+      gpg-passphrase:
+        description: |
+          Passphrase to unlock the GPG private key.
+
+          Default for go-openapi: CI_BOT_GPG_PASSPHRASE
+
+          Required when enable-commit-signing is true.
+        required: false
+      gpg-fingerprint:
+        description: |
+          Fingerprint of the GPG signing key (spaces removed).
+
+          Default for go-openapi: CI_BOT_SIGNING_KEY
+
+          Required when enable-commit-signing is true.
+        required: false
 
 jobs:
   update-contributors:
@@ -32,22 +82,23 @@ jobs:
           rm -rf contributors.json
           mv contributors.md CONTRIBUTORS.md
       -
-        name: Switch to go-openapi bot user
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-        id: app-token
-        with:
-          app-id: ${{ secrets.CI_BOT_APP_ID }}
-          private-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
-      -
-        name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+        name: Configure bot credentials
+        uses: go-openapi/gh-actions/ci-jobs/bot-credentials@6c7952706aa7afa9141262485767d9270ef5b00b # master
+        id: bot-credentials
+        # For go-openapi repos (using secrets: inherit):
+        #   Falls back to: CI_BOT_APP_ID, CI_BOT_APP_PRIVATE_KEY, CI_BOT_GPG_PRIVATE_KEY, etc.
+        #
+        # For other orgs: explicitly pass secrets with your custom names
         with:
-          gpg_private_key: ${{ secrets.CI_BOT_GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.CI_BOT_GPG_PASSPHRASE }}
-          fingerprint: ${{ secrets.CI_BOT_SIGNING_KEY }}
-          git_user_signingkey: true
-          git_commit_gpgsign: true
-          git_tag_gpgsign: true
+          enable-github-app: 'true'
+          github-app-id: ${{ secrets.github-app-id || secrets.CI_BOT_APP_ID }}
+          github-app-private-key: ${{ secrets.github-app-private-key || secrets.CI_BOT_APP_PRIVATE_KEY }}
+          enable-gpg-signing: ${{ inputs.enable-commit-signing }}
+          gpg-private-key: ${{ secrets.gpg-private-key || secrets.CI_BOT_GPG_PRIVATE_KEY }}
+          gpg-passphrase: ${{ secrets.gpg-passphrase || secrets.CI_BOT_GPG_PASSPHRASE }}
+          gpg-fingerprint: ${{ secrets.gpg-fingerprint || secrets.CI_BOT_SIGNING_KEY }}
+          enable-commit-signing: 'true'
+          enable-tag-signing: 'false'
       -
         name: Create a PR
         id: create-pull-request
@@ -57,12 +108,12 @@ jobs:
           branch: doc/contributors-bot
           delete-branch: true
           title: "doc: updated contributors file"
-          token: ${{ steps.app-token.outputs.token }}
+          token: ${{ steps.bot-credentials.outputs.app-token }}
           labels: "bot"
           draft: false
           assignees: fredbi
           reviewers: fredbi
-          sign-commits: true
+          sign-commits: ${{ inputs.enable-commit-signing }}
           signoff: true # DCO
 
   auto-merge: