From f17de7ea15033e613522ce671ede7e2bed761f05 Mon Sep 17 00:00:00 2001 From: Timo Pagel Date: Thu, 9 Nov 2023 18:24:53 +0100 Subject: [PATCH] feat: enhance signing description --- src/assets/YAML/default/BuildAndDeployment/Build.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/assets/YAML/default/BuildAndDeployment/Build.yaml b/src/assets/YAML/default/BuildAndDeployment/Build.yaml index 9bce3fe7..73af8621 100755 --- a/src/assets/YAML/default/BuildAndDeployment/Build.yaml +++ b/src/assets/YAML/default/BuildAndDeployment/Build.yaml @@ -158,6 +158,11 @@ Build and Deployment: measure: Digitally signing artifacts for all steps during the build and especially docker images, helps to ensure their integrity and authenticity. + description: | + ## Github + You need to be authenticated to perform a push to a Github repository. Github doesn't check if the authenticated user and the mail address in the commit corresponds. + To highlight to reviewers who performed a commit, signing is needed. + Be aware that github actions like [semantic-release-action](https://github.com/cycjimmy/semantic-release-action) will not sign commits and will fail. You find an example working configuration to use semantic release action together with [planetscale/ghcommit-action](https://github.com/planetscale/ghcommit-action) in the [workflow folder](https://github.com/devsecopsmaturitymodel/DevSecOps-MaturityModel/blob/master/.github/workflows/main.yml) of DSOMM. difficultyOfImplementation: knowledge: 2 time: 2
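Review bot: The added `description` block narrows the measure to commit signing on GitHub, while the `measure` line it sits under is about signing build artifacts and especially Docker images; either state in the first sentence of the description that commit signing is one part of the measure and that artifact and image signing still apply, or move the GitHub commit-signing text into its own implementation note so readers do not conclude that signed commits alone satisfy the measure. Within the new text, "will not sign commits and will fail" should name the condition under which it fails (presumably a branch rule that requires signed commits), since an unsigned commit from the action does not fail on its own. Smaller points in the same lines: "Github" should be spelled "GitHub" in the heading and the two sentences; "the mail address in the commit corresponds" should read "correspond"; and the link text "workflow folder" points at the single file `.github/workflows/main.yml`, so either call it the "workflow file" or link to the `workflows` directory.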