Why
Module signing currently requires the private key locally, blocking non-interactive development (AI agents, Cursor, headless CI) on any branch where modules change. The pre-commit hook and CI verify-module-signatures job enforce --require-signature regardless of branch, so every commit on a feature or dev branch hangs or fails without the key. Moving signing to a CI step triggered by PR approval eliminates the local key requirement while preserving the integrity guarantee at the main trust boundary.
Scope
- NEW `.github/workflows/sign-modules-on-approval.yml` — `pull_request_review` trigger (approved), signs changed module manifests via CI secrets, commits back to PR branch
- MODIFY `scripts/pre-commit-smart-checks.sh` — branch-aware: `--allow-unsigned` on non-main, `--require-signature` on main
- MODIFY `.github/workflows/pr-orchestrator.yml` — split `verify-module-signatures` by target branch (dev: checksum-only; main: require-signature)
- MODIFY `.github/workflows/sign-modules.yml` — scope `--require-signature` to main only
Trust Model
| Context | Policy |
|---|---|
| Local / feature / dev branch | `--allow-unsigned` (checksum-only) |
| CI feature→dev PR | checksum-only |
| CI any PR approved to dev | CI signs via secrets |
| CI any PR approved to main | CI signs via secrets |
| Push to main | `--require-signature` gate |
| End-user module install | always `--require-signature` (unchanged) |
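As an added illustration of the NEW workflow in Scope and the "CI any PR approved to dev/main" rows of the trust model (this is example code, not the project's workflow), the sketch below shows the `pull_request_review` trigger, the approval filter, and the commit-back step. Two names are assumptions: a `MODULE_SIGNING_KEY` repository secret and a placeholder `specfact module sign` command standing in for whatever signing CLI the repo actually uses; the manifest path pattern `modules/**/module.yaml` is also assumed. The step that compares `github.event.review.commit_id` with the PR head SHA is the check worth keeping whatever the rest looks like: it refuses to sign a head that moved after the reviewer approved, so CI never blesses a commit nobody looked at.

```yaml
# Added example (not the project's own file): .github/workflows/sign-modules-on-approval.yml
# Assumed names: secret MODULE_SIGNING_KEY, placeholder CLI `specfact module sign`,
# manifests matching modules/**/module.yaml.
name: sign-modules-on-approval

on:
  pull_request_review:
    types: [submitted]

permissions:
  contents: write        # needed to push the signed manifests back to the PR branch
  pull-requests: read

concurrency:
  group: sign-modules-pr-${{ github.event.pull_request.number }}
  cancel-in-progress: false

jobs:
  sign:
    # Only approvals, only PRs into dev or main, and only same-repo branches:
    # fork PRs never receive secrets and cannot be pushed to from here anyway.
    if: >-
      github.event.review.state == 'approved' &&
      contains(fromJSON('["dev","main"]'), github.event.pull_request.base.ref) &&
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - name: Refuse to sign a head the reviewer did not approve
        # review.commit_id is the commit that was actually reviewed; if the PR head
        # moved after approval, fail loudly instead of signing unreviewed code.
        if: github.event.review.commit_id != github.event.pull_request.head.sha
        run: |
          echo "PR head ${{ github.event.pull_request.head.sha }} != reviewed commit ${{ github.event.review.commit_id }}; not signing."
          exit 1

      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0

      - name: List module manifests changed by this PR
        id: changed
        run: |
          base="${{ github.event.pull_request.base.sha }}"
          head="${{ github.event.pull_request.head.sha }}"
          files=$(git diff --name-only --diff-filter=AM "$base" "$head" -- modules \
                  | grep -E '/module\.ya?ml$' | tr '\n' ' ' || true)
          echo "files=$files" >> "$GITHUB_OUTPUT"

      - name: Sign changed manifests
        if: steps.changed.outputs.files != ''
        env:
          MODULE_SIGNING_KEY: ${{ secrets.MODULE_SIGNING_KEY }}   # assumed secret name
        run: |
          # Placeholder: the project's real signing command is not specified on this page.
          for f in ${{ steps.changed.outputs.files }}; do
            specfact module sign "$f" --key-env MODULE_SIGNING_KEY
          done

      - name: Commit signatures back to the PR branch
        if: steps.changed.outputs.files != ''
        run: |
          git config user.name  "module-signing-bot"
          git config user.email "module-signing-bot@users.noreply.github.com"
          git add -A
          git commit -m "chore: sign module manifests (reviewed ${{ github.event.review.commit_id }})"
          git push origin HEAD:${{ github.event.pull_request.head.ref }}
```

Two practical notes on this shape: a push made with the default `GITHUB_TOKEN` does not trigger further workflow runs, so the commit-back step cannot loop on itself, but it also means the PR's other checks are not re-run automatically on the signed commit; and if branch protection dismisses stale reviews on new pushes, the bot's commit will dismiss the approval that triggered it, so the `--require-signature` gate on push to main (last rows of the trust model) remains the authoritative check rather than this workflow.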
OpenSpec Change
openspec/changes/marketplace-06-ci-module-signing/
Paired Change
specfact-cli-modules — adds missing signing job (the modules repo currently has no signing step at all, only verify).
Parent Feature
#353 Marketplace Module Distribution