From 8fd3c6a48bedb9a430572a71b815f3d8297dd858 Mon Sep 17 00:00:00 2001 From: vimal-java-dev Date: Wed, 22 Apr 2026 06:57:38 +0530 Subject: [PATCH 1/4] Import GPG Public Key block removed Rulesets added Signed-off-by: vimal-java-dev --- .github/CODEOWNERS | 2 + .github/workflows/doc-check-linter.yml | 82 +++++++------------------- 2 files changed, 24 insertions(+), 60 deletions(-) create mode 100644 .github/CODEOWNERS diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..f96bb4a --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,2 @@ +# Global owner +* @vimal-java-dev \ No newline at end of file diff --git a/.github/workflows/doc-check-linter.yml b/.github/workflows/doc-check-linter.yml index 3c4be3d..f26dc0a 100644 --- a/.github/workflows/doc-check-linter.yml +++ b/.github/workflows/doc-check-linter.yml @@ -34,7 +34,8 @@ jobs: run: htmlhint "**/*.html" || true # ------------------- - # 2. DCO + GPG Check (latest commit only) + # 2. DCO + GPG Check + # 2.1 Commit Verification (GPG + Trust) # ------------------- commit-checks: runs-on: ubuntu-latest 
@@ -49,74 +50,35 @@ jobs: if: github.event_name == 'pull_request' uses: tisonkun/actions-dco@v1.1 - # ---------- Import GPG Public Key ---------- - - name: Import trusted GPG public key - if: ${{ github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request' }} - env: - GPG_PUBLIC_KEY: ${{ secrets.GPG_PUBLIC_KEY }} - GPG_PUBLIC_KEY_1: ${{ secrets.GPG_PUBLIC_KEY_1 }} - run: | - # Check for primary GPG key - if [ -z "$GPG_PUBLIC_KEY" ] && [ -z "$GPG_PUBLIC_KEY_1" ]; then - echo "⚠️ Skipping GPG import: No secrets available (forked PR or missing keys)." - exit 0 - fi - - # Function to import and trust a GPG key - import_key() { - local key="$1" - local varname="$2" - if [ -n "$key" ]; then - echo "$key" | gpg --import - echo "βœ… Imported $varname successfully." - fingerprint=$(echo "$key" | gpg --with-colons --import-options show-only --import 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}') - if [ -n "$fingerprint" ]; then - echo "$fingerprint:6:" | gpg --import-ownertrust - echo "πŸ” Set $varname ($fingerprint) to ultimate trust." - fi - fi - } - - # Import your own keys - import_key "$GPG_PUBLIC_KEY" "GPG_PUBLIC_KEY" - import_key "$GPG_PUBLIC_KEY_1" "GPG_PUBLIC_KEY_1" - - # βœ… Import GitHub’s official signing keys (commit + merge) - echo "🌐 Importing GitHub official GPG signing keys..." - curl -fsSL https://github.com/web-flow.gpg | gpg --import || true - curl -fsSL https://github.com/actions/runner-images/blob/main/images/github-bot.gpg?raw=true | gpg --import || true - echo "βœ… Imported GitHub web-flow and merge bot keys successfully." - - echo "πŸŽ‰ All available GPG public keys imported successfully." 
- - # ---------- Verify latest commit signature ---------- + # ---------- Verify latest commit ---------- - name: Verify latest commit signature if: ${{ github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request' }} run: | LATEST_COMMIT=$(git rev-parse HEAD) - echo "πŸ” Checking latest commit: $LATEST_COMMIT" + echo "πŸ” Verifying commit: $LATEST_COMMIT" + + # Step 1: Cryptographic verification + if git verify-commit "$LATEST_COMMIT" >/dev/null 2>&1; then + echo "βœ… Signature is cryptographically valid" + else + echo "❌ Invalid or missing GPG signature" + exit 1 + fi - SIG=$(git log --show-signature -1 "$LATEST_COMMIT") - echo "$SIG" + # Step 2: Extract fingerprint + FINGERPRINT=$(git log -1 --pretty=format:'%GF') + echo "πŸ”‘ Signing fingerprint: $FINGERPRINT" - # βœ… Include all trusted fingerprints - TRUSTED_KEYS="7F4C7CA953E1C09E D432152833DA3244 88F6CD4E295C9062 BE677DAEFE33CB57 C97540DA6C9FA85C" - GITHUB_COMMIT_KEY="4AEE18F83AFDEB23" # GitHub web-flow - GITHUB_MERGE_KEY="B5690EEEBB952194" # GitHub merge bot - TRUSTED="$TRUSTED_KEYS $GITHUB_COMMIT_KEY $GITHUB_MERGE_KEY" + # Step 3: Trusted keys (you + GitHub) + TRUSTED_KEYS="7F4C7CA953E1C09E 4AEE18F83AFDEB23 B5690EEEBB952194" - if echo "$SIG" | grep -q "Good signature"; then - for key in $TRUSTED; do - if echo "$SIG" | grep -q "$key"; then - echo "βœ… Commit signed with trusted key: $key" - exit 0 - fi - done + if echo "$TRUSTED_KEYS" | grep -q "$FINGERPRINT"; then + echo "βœ… Trusted signer" + else + echo "❌ Untrusted signing key!" + exit 1 fi - echo "❌ Commit is not GPG signed with a trusted key!" - exit 1 - # ---------- Optional status for skipped forked PRs ---------- - name: Skip GPG checks for external PRs if: ${{ github.event.pull_request.head.repo.full_name != github.repository && github.event_name == 'pull_request' }} From 264d8118c19df4e4afdf361bd3669f1d5630ba63 Mon Sep 17 00:00:00 2001 
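Review bot: The trust check added at the end of this hunk cannot succeed for any key it lists: `git log -1 --pretty=format:'%GF'` prints the full 40-hex fingerprint of the signing key, while `TRUSTED_KEYS="7F4C7CA953E1C09E 4AEE18F83AFDEB23 B5690EEEBB952194"` holds 16-hex key IDs, so a correctly signed commit is reported as an untrusted signer; the same list is edited again in the later hunks of patches 3 and 4, where only the first entry is expanded to a full fingerprint. `echo "$TRUSTED_KEYS" | grep -q "$FINGERPRINT"` is also a substring pattern match rather than an identity comparison, and because the `git log -1` call is not given `"$LATEST_COMMIT"`, `%GF` describes HEAD; should HEAD ever differ from the verified commit (it is the same here, but not after patch 2) and be unsigned, `$FINGERPRINT` is empty and `grep -q ""` matches, printing "Trusted signer". Removing the key-import step in the same hunk also leaves the runner keyring empty, so step 1 has nothing to verify against unless keys are imported elsewhere. Listing full fingerprints and comparing each one exactly, rejecting an empty fingerprint, closes the matching gaps:
```yaml
        # … unchanged: git verify-commit gate and FINGERPRINT extraction …
        # Full 40-hex fingerprints only: %GF never prints a 16-hex key ID.
        TRUSTED_KEYS="<FULL_FINGERPRINT_OWNER_KEY> <FULL_FINGERPRINT_GITHUB_WEB_FLOW> <FULL_FINGERPRINT_GITHUB_MERGE_BOT>"
        TRUSTED=0
        for key in $TRUSTED_KEYS; do
          if [ -n "$FINGERPRINT" ] && [ "$key" = "$FINGERPRINT" ]; then TRUSTED=1; fi
        done
        if [ "$TRUSTED" -eq 1 ]; then
        # … unchanged: trusted / untrusted branches …
```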
From: vimal-java-dev Date: Wed, 22 Apr 2026 07:24:28 +0530 Subject: [PATCH 2/4] LATEST_COMMIT replaced Signed-off-by: vimal-java-dev --- .github/workflows/doc-check-linter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/doc-check-linter.yml b/.github/workflows/doc-check-linter.yml index f26dc0a..01af2fe 100644 --- a/.github/workflows/doc-check-linter.yml +++ b/.github/workflows/doc-check-linter.yml @@ -54,7 +54,7 @@ jobs: - name: Verify latest commit signature if: ${{ github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request' }} run: | - LATEST_COMMIT=$(git rev-parse HEAD) + LATEST_COMMIT=${{ github.event.pull_request.head.sha }} echo "πŸ” Verifying commit: $LATEST_COMMIT" # Step 1: Cryptographic verification From 51eebf69c055831b2b99f8b4eeb61d95efa1967d Mon Sep 17 00:00:00 2001 From: vimal-java-dev Date: Wed, 22 Apr 2026 07:48:39 +0530 Subject: [PATCH 3/4] Import GPG Public Key added Signed-off-by: vimal-java-dev --- .github/workflows/doc-check-linter.yml | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/.github/workflows/doc-check-linter.yml b/.github/workflows/doc-check-linter.yml index 01af2fe..f83f03d 100644 --- a/.github/workflows/doc-check-linter.yml +++ b/.github/workflows/doc-check-linter.yml 
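Review bot: `LATEST_COMMIT=${{ github.event.pull_request.head.sha }}` expands to an empty string on every event other than pull_request, which the step's `if:` two lines above still admits, so a push run now executes `git verify-commit ""` and fails. `LATEST_COMMIT="${{ github.event.pull_request.head.sha || github.sha }}"` keeps the original event coverage, and routing the value through `env:` instead of splicing an expression into the script is the more robust form. The `git log -1 --pretty=format:'%GF'` call later in the same step, outside this hunk, is still not given a revision and therefore reads HEAD, so after this change the fingerprint compared in step 3 may belong to a different commit than the one verified in step 1; pass `"$LATEST_COMMIT"` there as well. Whether `head.sha` is present in the local clone depends on the checkout step's fetch depth, which this hunk does not show.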
@@ -50,14 +50,24 @@ jobs: if: github.event_name == 'pull_request' uses: tisonkun/actions-dco@v1.1 + - name: Import GPG public keys + run: | + if [ -n "${{ secrets.GPG_PUBLIC_KEY }}" ]; then + echo "${{ secrets.GPG_PUBLIC_KEY }}" | gpg --import + echo "βœ… Imported GPG_PUBLIC_KEY" + fi + + if [ -n "${{ secrets.GPG_PUBLIC_KEY_1 }}" ]; then + echo "${{ secrets.GPG_PUBLIC_KEY_1 }}" | gpg --import + echo "βœ… Imported GPG_PUBLIC_KEY_1" + fi + # ---------- Verify latest commit ---------- - name: Verify latest commit signature - if: ${{ github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request' }} run: | LATEST_COMMIT=${{ github.event.pull_request.head.sha }} echo "πŸ” Verifying commit: $LATEST_COMMIT" - # Step 1: Cryptographic verification if git verify-commit "$LATEST_COMMIT" >/dev/null 2>&1; then echo "βœ… Signature is cryptographically valid" else @@ -65,12 +75,10 @@ jobs: exit 1 fi - # Step 2: Extract fingerprint - FINGERPRINT=$(git log -1 --pretty=format:'%GF') + FINGERPRINT=$(git log -1 --pretty=format:'%GF' "$LATEST_COMMIT") echo "πŸ”‘ Signing fingerprint: $FINGERPRINT" - # Step 3: Trusted keys (you + GitHub) - TRUSTED_KEYS="7F4C7CA953E1C09E 4AEE18F83AFDEB23 B5690EEEBB952194" + TRUSTED_KEYS="7F4C7CA953E1C09E D432152833DA3244 4AEE18F83AFDEB23 B5690EEEBB952194" if echo "$TRUSTED_KEYS" | grep -q "$FINGERPRINT"; then echo "βœ… Trusted signer" From d0a98a701acb15155a4f8db4f6a36d45ce4315d9 Mon Sep 17 00:00:00 2001 From: vimal-java-dev Date: Wed, 22 Apr 2026 08:00:31 +0530 Subject: [PATCH 4/4] Full fingerprint trusted key added Signed-off-by: vimal-java-dev --- .github/workflows/doc-check-linter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/doc-check-linter.yml b/.github/workflows/doc-check-linter.yml index f83f03d..f05f4f0 100644 --- a/.github/workflows/doc-check-linter.yml +++ b/.github/workflows/doc-check-linter.yml 
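Review bot: The new "Import GPG public keys" step splices `${{ secrets.GPG_PUBLIC_KEY }}` and `${{ secrets.GPG_PUBLIC_KEY_1 }}` straight into the `run:` script, inside `[ -n "…" ]` and `echo "…"`; an ASCII-armored key block is multi-line and may carry a `Comment:` header, so any `"`, `$` or backtick in the value is interpreted by the shell, and the step has no `if:` guard where the previous import step had one. The step removed in patch 1 passed the same secrets through `env:` and read `$GPG_PUBLIC_KEY`; restoring that shape is the safer form. The same hunk also drops the `if:` from "Verify latest commit signature", so a pull request from a fork, where secrets are empty, now reaches `git verify-commit` with nothing imported and fails even though the "Skip GPG checks for external PRs" step still follows. Nothing now imports GitHub's own signing key, which the removed step fetched from `https://github.com/web-flow.gpg`, while `4AEE18F83AFDEB23` and `B5690EEEBB952194` remain in `TRUSTED_KEYS` in the second hunk; commits signed by those keys cannot pass step 1 unless the key is imported elsewhere.
```yaml
      - name: Import GPG public keys
        if: ${{ github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request' }}
        env:
          GPG_PUBLIC_KEY: ${{ secrets.GPG_PUBLIC_KEY }}
          GPG_PUBLIC_KEY_1: ${{ secrets.GPG_PUBLIC_KEY_1 }}
        run: |
          if [ -n "$GPG_PUBLIC_KEY" ]; then
            echo "$GPG_PUBLIC_KEY" | gpg --import
            echo "βœ… Imported GPG_PUBLIC_KEY"
          fi
          # … unchanged: GPG_PUBLIC_KEY_1 branch, same shape using $GPG_PUBLIC_KEY_1 …
```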
@@ -78,7 +78,7 @@ jobs: FINGERPRINT=$(git log -1 --pretty=format:'%GF' "$LATEST_COMMIT") echo "πŸ”‘ Signing fingerprint: $FINGERPRINT" - TRUSTED_KEYS="7F4C7CA953E1C09E D432152833DA3244 4AEE18F83AFDEB23 B5690EEEBB952194" + TRUSTED_KEYS="83FB991D930D7177F25456C07F4C7CA953E1C09E D432152833DA3244 4AEE18F83AFDEB23 B5690EEEBB952194" if echo "$TRUSTED_KEYS" | grep -q "$FINGERPRINT"; then echo "βœ… Trusted signer"
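Review bot: The new `TRUSTED_KEYS` line places one 40-hex fingerprint beside three 16-hex key IDs with nothing stating which key each entry belongs to, and the labels the earlier version carried (`# GitHub web-flow`, `# GitHub merge bot`) are gone. A comment above the assignment, e.g. `# Trusted signers as full 40-hex fingerprints (the form %GF prints): <owner key>, <GitHub web-flow key>, <GitHub merge bot key>`, would let a reviewer verify each entry against its source and would also record that the remaining three entries are expected in that same form. The step continues past this hunk.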