chore(ci): sign release-as marker commit with GPG-linked bot identity

[SoulPancake]

Description

Fix for the CLA issue

#607 (comment)

What problem is being solved?

How is it being solved?

What changes are made to solve it?

References

Review Checklist

• I have clicked on "allow edits by maintainers".
• I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
• The correct base branch is being used, if not main
• I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

• Chores
  • Release commits are now GPG-signed to enhance security and verify the authenticity of published releases.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 37b52f61-3861-42ea-a513-d9d76bbc1bea

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

The PR modifies the reusable release-please workflow to enable GPG-signed commits. It adds a step to import the GPG private key via the crazy-max/ghaction-import-gpg action and updates git configuration to use the imported email and enable commit.gpgSign.

Changes

Release Workflow GPG Signing

Layer / File(s)	Summary
GPG signed commits setup .github/workflows/reusable-release-please.yaml	Adds Import GPG key and enable signed commits step using crazy-max/ghaction-import-gpg and updates the subsequent Configure git identity step to set user.email from the GPG import action output while enabling commit.gpgSign, replacing the prior static bot identity configuration.

Possibly related PRs

• openfga/language#594: Introduced the reusable release-please workflow that this PR extends with GPG signing capabilities.

Suggested reviewers

• sergiught
• rhamzeh

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: enabling GPG signing for release-as marker commits using a bot identity in the CI workflow.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/release-please-cla-fix

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR updates the reusable Release Please workflow to GPG-sign the “Release-As” marker commits, aiming to address a CLA-related issue during release automation.

Changes:

• Import a GPG key in the release-please job and enable signed commits.
• Update git identity configuration to use the imported key’s email (and enable commit.gpgSign).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.