From e0fa5a7774b5c9c52331680f551e3dcfb4a75ea3 Mon Sep 17 00:00:00 2001
From: Allison Piper <alliepiper16@gmail.com>
Date: Tue, 21 May 2024 12:12:13 -0400
Subject: [PATCH] Add section about SSH signing keys to developer docs. (#1755)

* Add section about SSH signing keys to developer docs.

[skip-tests]

* Update CONTRIBUTING.md

[skip-tests]

Co-authored-by: Michael Schellenberger Costa <miscco@nvidia.com>

* Moved, reworded. [skip-tests]

* Address review feedback.

[skip-tests]

---------

Co-authored-by: Michael Schellenberger Costa <miscco@nvidia.com>
---
 CONTRIBUTING.md |  1 +
 ci-overview.md  | 29 +++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index df1efc8ee9..b219264805 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -33,6 +33,7 @@ Thank you for your interest in contributing to the CUDA C++ Core Libraries (CCCL
    For more details on building and testing, refer to the [Building and Testing](#building-and-testing) section below.
 
 4. **Commit Changes**:
+
    ```bash
    git commit -m "Brief description of the change"
    ```
diff --git a/ci-overview.md b/ci-overview.md
index b9cb2acc2a..f123076d47 100644
--- a/ci-overview.md
+++ b/ci-overview.md
@@ -95,6 +95,35 @@ CCCL uses [NVIDIA's self-hosted action runners](https://docs.gha-runners.nvidia.
 
 The CI pipeline will not start automatically for external contributors. A repository member will first review the changes and initiate the CI pipeline with an `/ok to test` comment.
 
+### SSH Signing Keys
+
+[Signed commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits) are required for any internal NVIDIA contributors who want the convenience of CI running automatically whenever a commit is pushed to a branch (i.e., doesn't require using `/ok to test`).
+
+This is not required for external contributions, which will always require an explicit `/ok to test` comment from an approved account for each CI run.
+
+To enable commit signing using your existing ssh key, set the following git options:
+
+```bash
+git config --global gpg.format ssh
+git config --global user.signingKey ~/.ssh/YOUR_PUBLIC_KEY_FILE_HERE.pub
+
+# These settings are optional. They tell git to automatically sign all new commits and tags.
+# If these are set to false, use `git commit -S` to manually sign each commit.
+git config --global commit.gpgsign true
+git config --global tag.gpgsign true
+```
+
+Git is now configured to sign commits with your ssh key.
+
+To complete the process, upload the public key to your [Github Signing Keys](https://github.com/settings/keys) in your browser or using the `gh` CLI tool:
+
+```
+gh ssh-key add ~/.ssh/YOUR_PUBLIC_KEY_FILE_HERE.pub --type signing
+```
+
+Make sure that the key is uploaded to 'Signing Keys', not just 'Authentication Keys'.
+The same key may be used for both.
+
 ## Troubleshooting CI Failures
 
 1. **Review CI logs**: Examine CI logs for specific error messages (see [Viewing CI Workflow Results](#viewing-ci-workflow-results))