docs: GA contributing update with additional ci and repository secret preparation. by jherzstein · Pull Request #319 · secureblue/secureblue.dev

jherzstein · 2026-03-13T02:04:22Z

Closes #305

The information on GA in contributing has out of date and missing information on workflow files, as well as missing information on kernel signing keys.

This first commit simply adds the information I believe is necessary to add without significant reworking of the original steps. I am open to changing this a bit if an easier development workflow is presented.

… preparation.

underscorejoser · 2026-03-13T03:12:05Z

Currently the user is recommended to create a new branch for a PR and then they have to do all this process, right? The problem that I have is if they use this branch for PR it would include the changes to properly build, but they also can't test with github actions without committing, so maybe they would've need to do a commit for the actual change + a commit for reverting the changes, maybe even needing to git push --force-with-lease

So my suggestion would be something I currently do and I think @HastD also do:

Fork it.
Create a specific branch for build testing (test-build)

git switch -c test-build upstream/live

Make all the changes required to properly build on GitHub Actions, then commit, tag and push

git add .
git commit -m "DO NOT MERGE: test-build setup"
git tag -f test-build-setup
git push origin test-build

Then go on and create an actual branch for PR based on live

git switch -c new-feature upstream/live
# ... do the changes ...
git add .
git commit -m "feat: ducks can now fly"
git push origin new-feature

Switch back to test-build and cherry pick the commit from new-feature

git switch test-build
git cherry-pick <hash>
git push origin test-build

Test from image with tag br-test-build-43 (or latest with defined as default branch)

To reset and and update the branch I do the following:

git switch test-build # make sure we're on test-build
git reset --hard upstream/live
git cherry-pick test-build-setup # this is where the tag comes in hand
# can cherry-pick more commits or just add more commits for testing purpose
git push --force-with-lease origin test-build

TBF, it's kinda a lot and I wished it was more friendly, you could probably also use rebase instead of resetting every time but that's the way I do, maybe a script could help to streamline (like Justfile)

Before rebasing you also need to add the image to policy.json:
podman image trust set -t accept ghcr.io/yourname

underscorejoser

There's a lot of ways to mess with git that gives the same results, i'm just not knowledgeable to know what's better and friendly, need to search more

content/CONTRIBUTING.md

…w for PRs

Co-authored-by: Jordan Herzstein <63795875+jherzstein@users.noreply.github.com>

…s to GA.

…->registry.

docs: GA contributing update with additional ci and repository secret…

ecf5bc9

… preparation.

jherzstein mentioned this pull request Mar 13, 2026

ci: improve fork development secureblue/secureblue#2037

Merged

Merge branch 'live' into docs/GA-contributing-workflow-update

7d4173d

underscorejoser reviewed Mar 13, 2026

View reviewed changes