git-commit-guard 0.18.0__tar.gz → 0.20.0__tar.gz

{git_commit_guard-0.18.0 → git_commit_guard-0.20.0}/.github/workflows/lint-commits.yml

@@ -22,7 +22,7 @@ jobs:
           key: nltk-averaged-perceptron-tagger-punkt
       - name: Lint commits
         # yamllint disable-line rule:line-length
-        uses: benner/commit-guard@d4c9fbe4a203ab32f63f66e1902d780528f781f2  # v0.17.0
+        uses: benner/commit-guard@7704c563540b24bb10394e373e508dc664a7f01f  # v0.19.0
         with:
           range: origin/${{ github.base_ref }}..HEAD
           disable: signature

{git_commit_guard-0.18.0 → git_commit_guard-0.20.0}/.github/workflows/lint-workflows.yml

@@ -21,7 +21,30 @@ jobs:
         with:
           github_token: ${{ github.token }}
           reporter: github-pr-review
-
+  yamlfix:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Checkout code
+        # yamllint disable-line rule:line-length
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # ratchet:actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Set up uv
+        # yamllint disable-line rule:line-length
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78  # ratchet:astral-sh/setup-uv@v7
+      - name: Set up reviewdog
+        # yamllint disable-line rule:line-length
+        uses: reviewdog/action-setup@d8a7baabd7f3e8544ee4dbde3ee41d0011c3a93f  # ratchet:reviewdog/action-setup@v1
+      - name: Run yamlfix
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ github.token }}
+        run: |-
+          uvx yamlfix .github/workflows/
+          git diff .github/workflows/ |
+            reviewdog -f=diff -name=yamlfix \
+              -reporter=github-pr-review -fail-on-error
   zizmor:
     runs-on: ubuntu-latest
     permissions:
@@ -41,7 +64,7 @@ jobs:
       - name: Run zizmor
         env:
           REVIEWDOG_GITHUB_API_TOKEN: ${{ github.token }}
-        run: |
+        run: |-
           uvx zizmor==1.24.1 --format=sarif . |
             reviewdog -f=sarif -name=zizmor \
               -reporter=github-pr-review -fail-on-error

{git_commit_guard-0.18.0 → git_commit_guard-0.20.0}/.github/workflows/release.yml

@@ -2,14 +2,15 @@
 name: Release
 on:  # yamllint disable-line rule:truthy
   push:
-    tags:
-      - 'v*'
+    tags: [v*]
 permissions:
   contents: write
   id-token: write
+  pull-requests: read
 jobs:
   release:
     runs-on: ubuntu-latest
+    environment: pypi
     steps:
       - name: Checkout code
         # yamllint disable-line rule:line-length
@@ -34,6 +35,8 @@ jobs:
         id: git-cliff
         # yamllint disable-line rule:line-length
         uses: orhun/git-cliff-action@f50e11560dce63f7c33227798f90b924471a88b5  # ratchet:orhun/git-cliff-action@v4.8.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           args: --current
       - name: Create GitHub Release

{git_commit_guard-0.18.0 → git_commit_guard-0.20.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: git-commit-guard
-Version: 0.18.0
+Version: 0.20.0
 Summary: Opinionated conventional commit message linter with imperative mood detection
 Project-URL: Homepage, https://github.com/benner/commit-guard
 Project-URL: Repository, https://github.com/benner/commit-guard
@@ -98,7 +98,8 @@ Available checks:
 * `imperative` - First word is an imperative verb (for example `add` not `added`)
 * `body` - Blank line separates subject from body, and body is non-empty
 * `signed-off` - `Signed-off-by:` trailer exists
-* `signature` - Verify GPG or SSH signature
+* `signature` - Verify GPG or SSH signature via the GitHub Commits API or
+    public key lookup
 
 ### Subject length
 
@@ -181,6 +182,25 @@ commit-guard --require-scope
 commit-guard --scopes auth,api --require-scope
 ```
 
+### Required subject pattern
+
+Require the commit subject to match a regular expression. Useful for
+enforcing ticket references or any custom naming convention:
+
+```bash
+commit-guard --require-subject-pattern "[A-Z]+-[0-9]+"
+commit-guard --require-subject-pattern "#[0-9]+"
+```
+
+In `.commit-guard.toml`:
+
+```toml
+require-subject-pattern = "[A-Z]+-[0-9]+"
+```
+
+An invalid regex causes an immediate error at startup (exit 2). This
+check runs independently of `--enable`/`--disable`.
+
 ### Required custom trailers
 
 Require arbitrary trailers to be present in the commit message. Multiple
@@ -201,12 +221,40 @@ Trailer matching is case-sensitive and requires at least one non-space
 character after the colon (e.g. `Closes: #42`). This check runs
 independently of `--enable`/`--disable`.
 
+### Signature verification
+
+The `signature` check verifies the commit without any local keyring setup:
+
+1. If the repo has a GitHub remote, call the Commits API
+   (`GET /repos/{owner}/{repo}/commits/{sha}`) to resolve the author's GitHub
+   username — this works for corporate emails, noreply addresses, or any email
+   not listed publicly on a GitHub profile.
+2. If the Commits API is unavailable (no GitHub remote, commit not yet pushed,
+   or API error), parse the username directly from a GitHub noreply address
+   (`{id}+{username}@users.noreply.github.com` or
+   `{username}@users.noreply.github.com`) — no API call needed.
+3. If neither of the above resolves a username, fall back to searching GitHub
+   by the commit author's email.
+4. Fetch the resolved user's public keys from `github.com/{username}.gpg` and
+   `github.com/{username}.keys`.
+5. Try GPG verification: import the fetched key into a temporary keyring and
+   run `git verify-commit`.
+6. Try SSH verification: write a temporary `allowed_signers` file and run
+   `git verify-commit` with the SSH allowed-signers config.
+7. If any key verifies, the check passes. If none do, it fails.
+
+If the author cannot be resolved via either method, or the GitHub API is
+unreachable, the check fails with a clear error.
+
+For private repositories, set `GITHUB_TOKEN` or `GH_TOKEN` so the Commits API
+can authenticate.
+
 ### Configuration file
 
 Place `.commit-guard.toml` in your project root (or any parent directory) to
 set defaults for `enable`, `disable`, `scopes`, `require-scope`, `types`,
 `max-subject-length`, `min-description-length`, `require-lowercase`,
-`no-trailing-chars`, and `require-trailers`.
+`no-trailing-chars`, `require-subject-pattern`, and `require-trailers`.
 commit-guard searches upward from the working directory and uses the first
 file found.
 
@@ -235,9 +283,11 @@ full precedence and ignore config file values when provided.
 
 ### Environment variables
 
-| Variable                   | Default | Description                                  |
-| -------------------------- | ------- | -------------------------------------------- |
-| `COMMIT_GUARD_GIT_TIMEOUT` | `10`    | Timeout in seconds for git subprocess calls. |
+| Variable                   | Default | Description                                                               |
+| -------------------------- | ------- | ------------------------------------------------------------------------- |
+| `COMMIT_GUARD_GIT_TIMEOUT` | `10`    | Timeout in seconds for git subprocess calls.                              |
+| `GITHUB_TOKEN`             | —       | GitHub token for Commits API access on private repos (signature check).   |
+| `GH_TOKEN`                 | —       | Alias for `GITHUB_TOKEN`; used when `GITHUB_TOKEN` is not set.            |
 
 ```bash
 COMMIT_GUARD_GIT_TIMEOUT=30 commit-guard --range origin/main..HEAD
@@ -246,7 +296,7 @@ COMMIT_GUARD_GIT_TIMEOUT=30 commit-guard --range origin/main..HEAD
 In GitHub Actions, set it at the step or job level:
 
 ```yaml
-- uses: benner/commit-guard@v0.18.0
+- uses: benner/commit-guard@v0.19.0
   env:
     COMMIT_GUARD_GIT_TIMEOUT: 30
   with:
@@ -330,7 +380,7 @@ steps:
   - uses: actions/checkout@v4
     with:
       fetch-depth: 0
-  - uses: benner/commit-guard@v0.18.0
+  - uses: benner/commit-guard@v0.19.0
 ```
 
 Check all commits in a pull request:
@@ -346,7 +396,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: benner/commit-guard@v0.18.0
+      - uses: benner/commit-guard@v0.19.0
         with:
           range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
 ```
@@ -354,7 +404,7 @@ jobs:
 Check a specific commit SHA (mirrors the positional CLI argument):
 
 ```yaml
-      - uses: benner/commit-guard@v0.18.0
+      - uses: benner/commit-guard@v0.19.0
         with:
           rev: ${{ github.sha }}
 ```
@@ -372,12 +422,13 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: benner/commit-guard@v0.18.0
+      - uses: benner/commit-guard@v0.19.0
         with:
           range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
           disable: signed-off,signature
           scopes: auth,api,db
           require-scope: 'true'
+          require-subject-pattern: '[A-Z]+-[0-9]+'
           require-trailer: 'Closes,Reviewed-by'
           max-subject-length: '100'
           min-description-length: '10'
@@ -391,7 +442,7 @@ jobs:
 When `output-file` is set the action exposes the path as an output:
 
 ```yaml
-      - uses: benner/commit-guard@v0.18.0
+      - uses: benner/commit-guard@v0.19.0
         id: cg
         with:
           range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
@@ -407,7 +458,7 @@ Add to your `.pre-commit-config.yaml`:
 ---
 repos:
   - repo: https://github.com/benner/commit-guard
-    rev: v0.18.0
+    rev: v0.19.0
     hooks:
       - id: commit-guard
       - id: commit-guard-signature

{git_commit_guard-0.18.0 → git_commit_guard-0.20.0}/README.md

@@ -77,7 +77,8 @@ Available checks:
 * `imperative` - First word is an imperative verb (for example `add` not `added`)
 * `body` - Blank line separates subject from body, and body is non-empty
 * `signed-off` - `Signed-off-by:` trailer exists
-* `signature` - Verify GPG or SSH signature
+* `signature` - Verify GPG or SSH signature via the GitHub Commits API or
+    public key lookup
 
 ### Subject length
 
@@ -160,6 +161,25 @@ commit-guard --require-scope
 commit-guard --scopes auth,api --require-scope
 ```
 
+### Required subject pattern
+
+Require the commit subject to match a regular expression. Useful for
+enforcing ticket references or any custom naming convention:
+
+```bash
+commit-guard --require-subject-pattern "[A-Z]+-[0-9]+"
+commit-guard --require-subject-pattern "#[0-9]+"
+```
+
+In `.commit-guard.toml`:
+
+```toml
+require-subject-pattern = "[A-Z]+-[0-9]+"
+```
+
+An invalid regex causes an immediate error at startup (exit 2). This
+check runs independently of `--enable`/`--disable`.
+
 ### Required custom trailers
 
 Require arbitrary trailers to be present in the commit message. Multiple
@@ -180,12 +200,40 @@ Trailer matching is case-sensitive and requires at least one non-space
 character after the colon (e.g. `Closes: #42`). This check runs
 independently of `--enable`/`--disable`.
 
+### Signature verification
+
+The `signature` check verifies the commit without any local keyring setup:
+
+1. If the repo has a GitHub remote, call the Commits API
+   (`GET /repos/{owner}/{repo}/commits/{sha}`) to resolve the author's GitHub
+   username — this works for corporate emails, noreply addresses, or any email
+   not listed publicly on a GitHub profile.
+2. If the Commits API is unavailable (no GitHub remote, commit not yet pushed,
+   or API error), parse the username directly from a GitHub noreply address
+   (`{id}+{username}@users.noreply.github.com` or
+   `{username}@users.noreply.github.com`) — no API call needed.
+3. If neither of the above resolves a username, fall back to searching GitHub
+   by the commit author's email.
+4. Fetch the resolved user's public keys from `github.com/{username}.gpg` and
+   `github.com/{username}.keys`.
+5. Try GPG verification: import the fetched key into a temporary keyring and
+   run `git verify-commit`.
+6. Try SSH verification: write a temporary `allowed_signers` file and run
+   `git verify-commit` with the SSH allowed-signers config.
+7. If any key verifies, the check passes. If none do, it fails.
+
+If the author cannot be resolved via either method, or the GitHub API is
+unreachable, the check fails with a clear error.
+
+For private repositories, set `GITHUB_TOKEN` or `GH_TOKEN` so the Commits API
+can authenticate.
+
 ### Configuration file
 
 Place `.commit-guard.toml` in your project root (or any parent directory) to
 set defaults for `enable`, `disable`, `scopes`, `require-scope`, `types`,
 `max-subject-length`, `min-description-length`, `require-lowercase`,
-`no-trailing-chars`, and `require-trailers`.
+`no-trailing-chars`, `require-subject-pattern`, and `require-trailers`.
 commit-guard searches upward from the working directory and uses the first
 file found.
 
@@ -214,9 +262,11 @@ full precedence and ignore config file values when provided.
 
 ### Environment variables
 
-| Variable                   | Default | Description                                  |
-| -------------------------- | ------- | -------------------------------------------- |
-| `COMMIT_GUARD_GIT_TIMEOUT` | `10`    | Timeout in seconds for git subprocess calls. |
+| Variable                   | Default | Description                                                               |
+| -------------------------- | ------- | ------------------------------------------------------------------------- |
+| `COMMIT_GUARD_GIT_TIMEOUT` | `10`    | Timeout in seconds for git subprocess calls.                              |
+| `GITHUB_TOKEN`             | —       | GitHub token for Commits API access on private repos (signature check).   |
+| `GH_TOKEN`                 | —       | Alias for `GITHUB_TOKEN`; used when `GITHUB_TOKEN` is not set.            |
 
 ```bash
 COMMIT_GUARD_GIT_TIMEOUT=30 commit-guard --range origin/main..HEAD
@@ -225,7 +275,7 @@ COMMIT_GUARD_GIT_TIMEOUT=30 commit-guard --range origin/main..HEAD
 In GitHub Actions, set it at the step or job level:
 
 ```yaml
-- uses: benner/commit-guard@v0.18.0
+- uses: benner/commit-guard@v0.19.0
   env:
     COMMIT_GUARD_GIT_TIMEOUT: 30
   with:
@@ -309,7 +359,7 @@ steps:
   - uses: actions/checkout@v4
     with:
       fetch-depth: 0
-  - uses: benner/commit-guard@v0.18.0
+  - uses: benner/commit-guard@v0.19.0
 ```
 
 Check all commits in a pull request:
@@ -325,7 +375,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: benner/commit-guard@v0.18.0
+      - uses: benner/commit-guard@v0.19.0
         with:
           range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
 ```
@@ -333,7 +383,7 @@ jobs:
 Check a specific commit SHA (mirrors the positional CLI argument):
 
 ```yaml
-      - uses: benner/commit-guard@v0.18.0
+      - uses: benner/commit-guard@v0.19.0
         with:
           rev: ${{ github.sha }}
 ```
@@ -351,12 +401,13 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: benner/commit-guard@v0.18.0
+      - uses: benner/commit-guard@v0.19.0
         with:
           range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
           disable: signed-off,signature
           scopes: auth,api,db
           require-scope: 'true'
+          require-subject-pattern: '[A-Z]+-[0-9]+'
           require-trailer: 'Closes,Reviewed-by'
           max-subject-length: '100'
           min-description-length: '10'
@@ -370,7 +421,7 @@ jobs:
 When `output-file` is set the action exposes the path as an output:
 
 ```yaml
-      - uses: benner/commit-guard@v0.18.0
+      - uses: benner/commit-guard@v0.19.0
         id: cg
         with:
           range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
@@ -386,7 +437,7 @@ Add to your `.pre-commit-config.yaml`:
 ---
 repos:
   - repo: https://github.com/benner/commit-guard
-    rev: v0.18.0
+    rev: v0.19.0
     hooks:
       - id: commit-guard
       - id: commit-guard-signature

{git_commit_guard-0.18.0 → git_commit_guard-0.20.0}/action.yml

@@ -49,6 +49,9 @@ inputs:
     description: Include merge commits when checking a range
     required: false
     default: 'false'
+  require-subject-pattern:
+    description: Regex the subject line must match (e.g. '[A-Z]+-[0-9]+')
+    required: false
   require-trailer:
     description: Comma-separated list of required trailers (e.g. Closes,Reviewed-by)
     required: false
@@ -86,6 +89,7 @@ runs:
         CG_NO_TRAILING_CHARS: ${{ inputs.no-trailing-chars }}
         CG_ALLOW_EMPTY: ${{ inputs.allow-empty }}
         CG_INCLUDE_MERGES: ${{ inputs.include-merges }}
+        CG_REQUIRE_SUBJECT_PATTERN: ${{ inputs.require-subject-pattern }}
         CG_REQUIRE_TRAILER: ${{ inputs.require-trailer }}
         CG_OUTPUT_FILE: ${{ inputs.output-file }}
       run: |
@@ -105,6 +109,8 @@ runs:
         [[ -n "$CG_NO_TRAILING_CHARS" ]] && ARGS+=(--no-trailing-chars "$CG_NO_TRAILING_CHARS")
         [[ "$CG_ALLOW_EMPTY" == "true" ]] && ARGS+=(--allow-empty)
         [[ "$CG_INCLUDE_MERGES" == "true" ]] && ARGS+=(--include-merges)
+        [[ -n "$CG_REQUIRE_SUBJECT_PATTERN" ]] && \
+            ARGS+=(--require-subject-pattern "$CG_REQUIRE_SUBJECT_PATTERN")
         [[ -n "$CG_REQUIRE_TRAILER" ]] && ARGS+=(--require-trailer "$CG_REQUIRE_TRAILER")
         [[ -n "$CG_OUTPUT_FILE" ]] && ARGS+=(--output-file "$CG_OUTPUT_FILE")
         commit-guard "${ARGS[@]}"

git_commit_guard-0.20.0/cliff.toml

@@ -0,0 +1,56 @@
+[changelog]
+body = """
+{% if version %}\
+    ## [{{ version | trim_start_matches(pat="v") }}] - {{ timestamp | date(format="%Y-%m-%d") }}
+{% else %}\
+    ## [unreleased]
+{% endif %}\
+{% for group, commits in commits | group_by(attribute="group") %}
+    ### {{ group | striptags | trim | upper_first }}
+    {% for commit in commits %}
+        - {% if commit.scope %}*({{ commit.scope }})* {% endif %}\
+            {% if commit.breaking %}[**breaking**] {% endif %}\
+            {{ commit.message | upper_first }} \
+            ([`{{ commit.id | truncate(length=7, end="") }}`]\
+            (https://github.com/benner/commit-guard/commit/{{ commit.id }}))\
+    {% endfor %}
+{% endfor %}
+{%- if github.contributors | filter(attribute="is_first_time", value=true) | length != 0 %}
+
+### New Contributors
+{% for contributor in github.contributors | filter(attribute="is_first_time", value=true) %}
+    - @{{ contributor.username }} made their first contribution\
+        {% if contributor.pr_number %} in \
+            [#{{ contributor.pr_number }}]\
+            (https://github.com/benner/commit-guard/pull/{{ contributor.pr_number }})\
+        {% endif %}
+{% endfor %}
+{%- endif %}
+"""
+trim = true
+
+[remote.github]
+owner = "benner"
+repo = "commit-guard"
+
+[git]
+conventional_commits = true
+filter_unconventional = true
+split_commits = false
+protect_breaking_commits = false
+commit_parsers = [
+    { message = "^feat", group = "<!-- 0 -->🚀 Features" },
+    { message = "^fix", group = "<!-- 1 -->🐛 Bug Fixes" },
+    { message = "^perf", group = "<!-- 2 -->⚡ Performance" },
+    { message = "^refactor", group = "<!-- 3 -->🚜 Refactor" },
+    { message = "^style", group = "<!-- 4 -->🎨 Styling" },
+    { message = "^test", group = "<!-- 5 -->🧪 Testing" },
+    { message = "^docs", skip = true },
+    { message = "^ci", skip = true },
+    { message = "^chore", group = "<!-- 6 -->⚙️ Miscellaneous Tasks" },
+    { message = "^revert", group = "<!-- 7 -->◀️ Revert" },
+    { body = ".*security", group = "<!-- 8 -->🛡️ Security" },
+]
+filter_commits = true
+topo_order = false
+sort_commits = "oldest"

{git_commit_guard-0.18.0 → git_commit_guard-0.20.0}/docs/index.html

@@ -377,7 +377,7 @@ $ echo "fix(auth): add token refresh" | commit-guard</code></pre>
               </tr>
               <tr>
                 <td><code>signature</code></td>
-                <td>GPG or SSH signature is valid</td>
+                <td>GPG or SSH signature is valid — verified via GitHub Commits API or public key lookup</td>
               </tr>
             </tbody>
           </table>
@@ -400,7 +400,23 @@ max-subject-length = 100
 min-description-length = 10
 require-lowercase = false
 no-trailing-chars = [".", "!"]
-require-trailers = ["Closes", "Reviewed-by"]</code></pre>
+require-trailers = ["Closes", "Reviewed-by"]
+require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
+
+        <h3>Required subject pattern</h3>
+        <p>
+          Require the commit subject to match a regular expression. Useful for
+          enforcing ticket references or any custom naming convention:
+        </p>
+        <pre><code class="language-bash">commit-guard --require-subject-pattern "[A-Z]+-[0-9]+"</code></pre>
+        <p>
+          In <code>.commit-guard.toml</code>:
+        </p>
+        <pre><code class="language-toml">require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
+        <p>
+          An invalid regex causes an immediate error at startup (exit 2). This
+          check runs independently of <code>--enable</code>/<code>--disable</code>.
+        </p>
 
         <h3>Required trailers</h3>
         <p>
@@ -410,6 +426,39 @@ require-trailers = ["Closes", "Reviewed-by"]</code></pre>
         </p>
         <pre><code class="language-bash">commit-guard --require-trailer "Closes,Reviewed-by"</code></pre>
 
+        <h3>Signature verification</h3>
+        <p>
+          The <code>signature</code> check verifies commits without requiring a
+          pre-configured local keyring:
+        </p>
+        <ol>
+          <li>If the repo has a GitHub remote, call the Commits API
+            (<code>GET /repos/{owner}/{repo}/commits/{sha}</code>) to resolve
+            the author's GitHub username — works for corporate emails, noreply
+            addresses, or any email not listed publicly on a GitHub profile.</li>
+          <li>If the Commits API is unavailable (no GitHub remote, commit not
+            yet pushed, or API error), parse the username directly from a
+            GitHub noreply address
+            (<code>{id}+{username}@users.noreply.github.com</code>) — no API
+            call needed.</li>
+          <li>If neither of the above resolves a username, fall back to
+            searching GitHub by the commit author's email.</li>
+          <li>Fetch the resolved user's public keys from
+            <code>github.com/{username}.gpg</code> and
+            <code>github.com/{username}.keys</code>.</li>
+          <li>Try GPG verification using a temporary keyring.</li>
+          <li>Try SSH verification using a temporary <code>allowed_signers</code> file.</li>
+          <li>Pass if any key verifies; fail if none do.</li>
+        </ol>
+        <p>
+          If the author cannot be resolved via either method, or the GitHub API
+          is unreachable, the check fails with a clear error. For private
+          repositories, set <code>GITHUB_TOKEN</code> or <code>GH_TOKEN</code>
+          so the Commits API can authenticate. Disable the
+          <code>signature</code> check if GitHub API access is unavailable:
+        </p>
+        <pre><code class="language-bash">commit-guard --disable signature</code></pre>
+
         <h3>Range options</h3>
         <p>
           When using <code>--range</code>, merge commits are excluded by
@@ -435,6 +484,16 @@ require-trailers = ["Closes", "Reviewed-by"]</code></pre>
                 <td><code>10</code></td>
                 <td>Timeout in seconds for git subprocess calls</td>
               </tr>
+              <tr>
+                <td><code>GITHUB_TOKEN</code></td>
+                <td>—</td>
+                <td>GitHub token for Commits API access on private repos (signature check)</td>
+              </tr>
+              <tr>
+                <td><code>GH_TOKEN</code></td>
+                <td>—</td>
+                <td>Alias for <code>GITHUB_TOKEN</code>; used when <code>GITHUB_TOKEN</code> is not set</td>
+              </tr>
             </tbody>
           </table>
         </figure>
@@ -479,13 +538,13 @@ require-trailers = ["Closes", "Reviewed-by"]</code></pre>
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: benner/commit-guard@v0.18.0
+      - uses: benner/commit-guard@v0.19.0
         with:
           range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
           disable: signed-off,signature</code></pre>
 
         <p>Check a specific commit SHA:</p>
-        <pre><code class="language-yaml">      - uses: benner/commit-guard@v0.18.0
+        <pre><code class="language-yaml">      - uses: benner/commit-guard@v0.19.0
         with:
           rev: ${{ github.sha }}</code></pre>
 
@@ -504,7 +563,7 @@ require-trailers = ["Closes", "Reviewed-by"]</code></pre>
           When <code>output-file</code> is set the action exposes the path as
           a step output, making JSONL results available to subsequent steps:
         </p>
-        <pre><code class="language-yaml">      - uses: benner/commit-guard@v0.18.0
+        <pre><code class="language-yaml">      - uses: benner/commit-guard@v0.19.0
         id: cg
         with:
           range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
@@ -517,7 +576,7 @@ require-trailers = ["Closes", "Reviewed-by"]</code></pre>
         <p>Add to <code>.pre-commit-config.yaml</code>:</p>
         <pre><code class="language-yaml">repos:
   - repo: https://github.com/benner/commit-guard
-    rev: v0.18.0
+    rev: v0.19.0
     hooks:
       - id: commit-guard
       - id: commit-guard-signature</code></pre>