git-commit-guard 0.21.0__tar.gz → 0.22.1__tar.gz

{git_commit_guard-0.21.0 → git_commit_guard-0.22.1}/.github/workflows/lint-commits.yml

@@ -22,6 +22,6 @@ jobs:
           key: nltk-averaged-perceptron-tagger-punkt
       - name: Lint commits
         # yamllint disable-line rule:line-length
-        uses: benner/commit-guard@87889d2f3a1fb68bfa55dbbab28c96def415341e  # v0.20.1
+        uses: benner/commit-guard@e438d8c4c287a1575e0cda352222fbbe71a88231  # v0.22.0
         with:
           range: origin/${{ github.base_ref }}..HEAD

git_commit_guard-0.22.1/.github/workflows/lint-md.yml

@@ -0,0 +1,68 @@
+---
+name: Lint Markdown
+on:  # yamllint disable-line rule:truthy
+  pull_request:
+permissions:
+  contents: read
+jobs:
+  lint-md:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout code
+        # yamllint disable-line rule:line-length
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Lint Markdown files with reviewdog
+        # yamllint disable-line rule:line-length
+        uses: reviewdog/action-markdownlint@3667398db9118d7e78f7a63d10e26ce454ba5f58  # v0.26.2
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          reporter: github-pr-review
+          level: info
+          fail_level: any
+  lint-md-rumdl:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout code
+        # yamllint disable-line rule:line-length
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Set up uv
+        # yamllint disable-line rule:line-length
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78  # v7.6.0
+        with:
+          enable-cache: false
+      - name: Set up reviewdog
+        # yamllint disable-line rule:line-length
+        uses: reviewdog/action-setup@d8a7baabd7f3e8544ee4dbde3ee41d0011c3a93f  # ratchet:reviewdog/action-setup@v1
+      - name: Lint Markdown files with rumdl via reviewdog
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |-
+          uvx rumdl check . --output-format json-lines > rumdl.jsonl || true
+          jq -c '
+            {
+              source: {name: "rumdl"},
+              severity: (.severity | ascii_upcase),
+              message: .message,
+              location: {
+                path: .file,
+                range: {start: {line: .line, column: .column}}
+              },
+              code: {value: .rule}
+            }
+          ' rumdl.jsonl \
+            | reviewdog \
+                -f=rdjsonl \
+                -name=rumdl \
+                -reporter=github-pr-review \
+                -filter-mode=added \
+                -fail-level=any

{git_commit_guard-0.21.0 → git_commit_guard-0.22.1}/.github/workflows/release.yml

@@ -18,9 +18,6 @@ jobs:
         with:
           persist-credentials: false
           fetch-depth: 0
-      - name: Set up Python
-        # yamllint disable-line rule:line-length
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
       - name: Set up uv
         # yamllint disable-line rule:line-length
         uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78  # v7.6.0

{git_commit_guard-0.21.0 → git_commit_guard-0.22.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: git-commit-guard
-Version: 0.21.0
+Version: 0.22.1
 Summary: Opinionated conventional commit message linter with imperative mood detection
 Project-URL: Homepage, https://github.com/benner/commit-guard
 Project-URL: Repository, https://github.com/benner/commit-guard
@@ -47,7 +47,9 @@ Opinionated conventional commit message linter with imperative mood detection.
 $ commit-guard
   ✗ [subject] subject does not match 'type(scope): description': WIP
   ✗ [signed-off] missing 'Signed-off-by' trailer — use 'git commit -s'
-  ✗ [signature] commit is not signed (GPG/SSH)
+  ✗ [signature] signature could not be verified — commit may be
+                unsigned, or signed with a key not uploaded as a
+                Signing key on https://github.com/settings/keys
 ```
 
 ## Installation
@@ -249,8 +251,10 @@ The `signature` check verifies the commit without any local keyring setup:
    `{username}@users.noreply.github.com`) — no API call needed.
 3. If neither of the above resolves a username, fall back to searching GitHub
    by the commit author's email.
-4. Fetch the resolved user's public keys from `github.com/{username}.gpg` and
-   `github.com/{username}.keys`.
+4. Fetch the resolved user's public keys from `github.com/{username}.gpg`
+   (GPG) and the `/users/{username}/ssh_signing_keys` API (SSH keys tagged
+   with the **Signing key** role). Auth-only SSH keys are deliberately not
+   accepted — this mirrors GitHub's "Verified" badge semantics.
 5. Try GPG verification: import the fetched key into a temporary keyring and
    run `git verify-commit`.
 6. Try SSH verification: write a temporary `allowed_signers` file and run
@@ -261,7 +265,9 @@ If the author cannot be resolved via either method, or the GitHub API is
 unreachable, the check fails with a clear error.
 
 For private repositories, set `GITHUB_TOKEN` or `GH_TOKEN` so the Commits API
-can authenticate.
+can authenticate. The official GitHub Action wires the workflow's automatic
+token via the `github-token` input, so no manual `env:` is required; override
+with a PAT only for cross-repo lookups.
 
 ### Configuration file
 
@@ -310,7 +316,7 @@ COMMIT_GUARD_GIT_TIMEOUT=30 commit-guard --range origin/main..HEAD
 In GitHub Actions, set it at the step or job level:
 
 ```yaml
-- uses: benner/commit-guard@v0.21.0
+- uses: benner/commit-guard@v0.22.1
   env:
     COMMIT_GUARD_GIT_TIMEOUT: 30
   with:
@@ -394,7 +400,7 @@ steps:
   - uses: actions/checkout@v4
     with:
       fetch-depth: 0
-  - uses: benner/commit-guard@v0.21.0
+  - uses: benner/commit-guard@v0.22.1
 ```
 
 Check all commits in a pull request:
@@ -410,7 +416,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: benner/commit-guard@v0.21.0
+      - uses: benner/commit-guard@v0.22.1
         with:
           range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
 ```
@@ -418,7 +424,7 @@ jobs:
 Check a specific commit SHA (mirrors the positional CLI argument):
 
 ```yaml
-      - uses: benner/commit-guard@v0.21.0
+      - uses: benner/commit-guard@v0.22.1
         with:
           rev: ${{ github.sha }}
 ```
@@ -436,7 +442,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: benner/commit-guard@v0.21.0
+      - uses: benner/commit-guard@v0.22.1
         with:
           range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
           disable: signed-off,signature
@@ -456,7 +462,7 @@ jobs:
 When `output-file` is set the action exposes the path as an output:
 
 ```yaml
-      - uses: benner/commit-guard@v0.21.0
+      - uses: benner/commit-guard@v0.22.1
         id: cg
         with:
           range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
@@ -472,7 +478,7 @@ Add to your `.pre-commit-config.yaml`:
 ---
 repos:
   - repo: https://github.com/benner/commit-guard
-    rev: v0.21.0
+    rev: v0.22.1
     hooks:
       - id: commit-guard
       - id: commit-guard-signature
@@ -497,11 +503,14 @@ To selectively enable or disable checks, pass `args`:
 
 ## Imperative mood detection
 
-commit-guard combines two strategies to detect non-imperative descriptions:
+commit-guard combines three strategies to detect non-imperative descriptions:
 
 1. nltk POS tagging — flags words tagged as past tense (`VBD`),
    gerund (`VBG`), third person (`VBZ`), etc.
 2. WordNet morphology as a fallback for words the tagger misclassifies.
+3. Hyphenated verb prefixes — accepts `re-enable`, `auto-detect`,
+   `pre-process`, `co-locate`, `under-mine` and similar
+   `<prefix>-<verb>` compounds the POS tagger misclassifies.
 
 This catches common mistakes like `added logging` or `fixes bug` while
 keeping false positives low.

{git_commit_guard-0.21.0 → git_commit_guard-0.22.1}/README.md

@@ -26,7 +26,9 @@ Opinionated conventional commit message linter with imperative mood detection.
 $ commit-guard
   ✗ [subject] subject does not match 'type(scope): description': WIP
   ✗ [signed-off] missing 'Signed-off-by' trailer — use 'git commit -s'
-  ✗ [signature] commit is not signed (GPG/SSH)
+  ✗ [signature] signature could not be verified — commit may be
+                unsigned, or signed with a key not uploaded as a
+                Signing key on https://github.com/settings/keys
 ```
 
 ## Installation
@@ -228,8 +230,10 @@ The `signature` check verifies the commit without any local keyring setup:
    `{username}@users.noreply.github.com`) — no API call needed.
 3. If neither of the above resolves a username, fall back to searching GitHub
    by the commit author's email.
-4. Fetch the resolved user's public keys from `github.com/{username}.gpg` and
-   `github.com/{username}.keys`.
+4. Fetch the resolved user's public keys from `github.com/{username}.gpg`
+   (GPG) and the `/users/{username}/ssh_signing_keys` API (SSH keys tagged
+   with the **Signing key** role). Auth-only SSH keys are deliberately not
+   accepted — this mirrors GitHub's "Verified" badge semantics.
 5. Try GPG verification: import the fetched key into a temporary keyring and
    run `git verify-commit`.
 6. Try SSH verification: write a temporary `allowed_signers` file and run
@@ -240,7 +244,9 @@ If the author cannot be resolved via either method, or the GitHub API is
 unreachable, the check fails with a clear error.
 
 For private repositories, set `GITHUB_TOKEN` or `GH_TOKEN` so the Commits API
-can authenticate.
+can authenticate. The official GitHub Action wires the workflow's automatic
+token via the `github-token` input, so no manual `env:` is required; override
+with a PAT only for cross-repo lookups.
 
 ### Configuration file
 
@@ -289,7 +295,7 @@ COMMIT_GUARD_GIT_TIMEOUT=30 commit-guard --range origin/main..HEAD
 In GitHub Actions, set it at the step or job level:
 
 ```yaml
-- uses: benner/commit-guard@v0.21.0
+- uses: benner/commit-guard@v0.22.1
   env:
     COMMIT_GUARD_GIT_TIMEOUT: 30
   with:
@@ -373,7 +379,7 @@ steps:
   - uses: actions/checkout@v4
     with:
       fetch-depth: 0
-  - uses: benner/commit-guard@v0.21.0
+  - uses: benner/commit-guard@v0.22.1
 ```
 
 Check all commits in a pull request:
@@ -389,7 +395,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: benner/commit-guard@v0.21.0
+      - uses: benner/commit-guard@v0.22.1
         with:
           range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
 ```
@@ -397,7 +403,7 @@ jobs:
 Check a specific commit SHA (mirrors the positional CLI argument):
 
 ```yaml
-      - uses: benner/commit-guard@v0.21.0
+      - uses: benner/commit-guard@v0.22.1
         with:
           rev: ${{ github.sha }}
 ```
@@ -415,7 +421,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: benner/commit-guard@v0.21.0
+      - uses: benner/commit-guard@v0.22.1
         with:
           range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
           disable: signed-off,signature
@@ -435,7 +441,7 @@ jobs:
 When `output-file` is set the action exposes the path as an output:
 
 ```yaml
-      - uses: benner/commit-guard@v0.21.0
+      - uses: benner/commit-guard@v0.22.1
         id: cg
         with:
           range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
@@ -451,7 +457,7 @@ Add to your `.pre-commit-config.yaml`:
 ---
 repos:
   - repo: https://github.com/benner/commit-guard
-    rev: v0.21.0
+    rev: v0.22.1
     hooks:
       - id: commit-guard
       - id: commit-guard-signature
@@ -476,11 +482,14 @@ To selectively enable or disable checks, pass `args`:
 
 ## Imperative mood detection
 
-commit-guard combines two strategies to detect non-imperative descriptions:
+commit-guard combines three strategies to detect non-imperative descriptions:
 
 1. nltk POS tagging — flags words tagged as past tense (`VBD`),
    gerund (`VBG`), third person (`VBZ`), etc.
 2. WordNet morphology as a fallback for words the tagger misclassifies.
+3. Hyphenated verb prefixes — accepts `re-enable`, `auto-detect`,
+   `pre-process`, `co-locate`, `under-mine` and similar
+   `<prefix>-<verb>` compounds the POS tagger misclassifies.
 
 This catches common mistakes like `added logging` or `fixes bug` while
 keeping false positives low.

{git_commit_guard-0.21.0 → git_commit_guard-0.22.1}/action.yml

@@ -39,7 +39,8 @@ inputs:
     required: false
     default: 'false'
   no-trailing-chars:
-    description: Forbidden trailing characters, comma-separated (default '.', '!', '?', ' ')
+    description: Forbidden trailing characters, comma-separated (default '.', '!',
+      '?', ' ')
     required: false
   allow-empty:
     description: Exit 0 when --range yields no commits
@@ -58,9 +59,15 @@ inputs:
   output-file:
     description: Write JSONL results to this file path (text still goes to stdout)
     required: false
+  github-token:
+    description: GitHub token for Commits API access (signature check). Defaults to
+      the workflow's automatic token; override with a PAT for cross-repo lookups.
+    required: false
+    default: ${{ github.token }}
 outputs:
   output-file:
-    description: Path to the JSONL output file (set only when output-file input is provided)
+    description: Path to the JSONL output file (set only when output-file input is
+      provided)
     value: ${{ steps.run.outputs.output-file }}
 runs:
   using: composite
@@ -76,6 +83,7 @@ runs:
     - name: Run commit-guard
       id: run
       env:
+        GITHUB_TOKEN: ${{ inputs.github-token }}
         CG_REV: ${{ inputs.rev }}
         CG_RANGE: ${{ inputs.range }}
         CG_ENABLE: ${{ inputs.enable }}

{git_commit_guard-0.21.0 → git_commit_guard-0.22.1}/docs/index.html

@@ -294,7 +294,9 @@
           <pre><code id="hero-code">$ commit-guard
   <span class="c-red">✗</span> <span class="c-dim">[subject]</span> subject does not match 'type(scope): description': WIP
   <span class="c-red">✗</span> <span class="c-dim">[signed-off]</span> missing 'Signed-off-by' trailer — use 'git commit -s'
-  <span class="c-red">✗</span> <span class="c-dim">[signature]</span> commit is not signed (GPG/SSH)</code></pre>
+  <span class="c-red">✗</span> <span class="c-dim">[signature]</span> signature could not be verified — commit may be
+                unsigned, or signed with a key not uploaded as a
+                Signing key on https://github.com/settings/keys</code></pre>
         </div>
         <div class="hero-dots">
           <button class="hero-dot" data-i="0"></button>
@@ -464,8 +466,11 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
           <li>If neither of the above resolves a username, fall back to
             searching GitHub by the commit author's email.</li>
           <li>Fetch the resolved user's public keys from
-            <code>github.com/{username}.gpg</code> and
-            <code>github.com/{username}.keys</code>.</li>
+            <code>github.com/{username}.gpg</code> (GPG) and
+            <code>/users/{username}/ssh_signing_keys</code> (SSH keys tagged
+            with the <strong>Signing key</strong> role). Auth-only SSH keys
+            are deliberately not accepted — this mirrors GitHub's
+            &ldquo;Verified&rdquo; badge semantics.</li>
           <li>Try GPG verification using a temporary keyring.</li>
           <li>Try SSH verification using a temporary <code>allowed_signers</code> file.</li>
           <li>Pass if any key verifies; fail if none do.</li>
@@ -474,7 +479,10 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
           If the author cannot be resolved via either method, or the GitHub API
           is unreachable, the check fails with a clear error. For private
           repositories, set <code>GITHUB_TOKEN</code> or <code>GH_TOKEN</code>
-          so the Commits API can authenticate. Disable the
+          so the Commits API can authenticate. The official GitHub Action wires
+          the workflow's automatic token via the <code>github-token</code>
+          input, so no manual <code>env:</code> is required; override with a
+          PAT only for cross-repo lookups. Disable the
           <code>signature</code> check if GitHub API access is unavailable:
         </p>
         <pre><code class="language-bash">commit-guard --disable signature</code></pre>
@@ -558,13 +566,13 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: benner/commit-guard@v0.21.0
+      - uses: benner/commit-guard@v0.22.1
         with:
           range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
           disable: signed-off,signature</code></pre>
 
         <p>Check a specific commit SHA:</p>
-        <pre><code class="language-yaml">      - uses: benner/commit-guard@v0.21.0
+        <pre><code class="language-yaml">      - uses: benner/commit-guard@v0.22.1
         with:
           rev: ${{ github.sha }}</code></pre>
 
@@ -583,7 +591,7 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
           When <code>output-file</code> is set the action exposes the path as
           a step output, making JSONL results available to subsequent steps:
         </p>
-        <pre><code class="language-yaml">      - uses: benner/commit-guard@v0.21.0
+        <pre><code class="language-yaml">      - uses: benner/commit-guard@v0.22.1
         id: cg
         with:
           range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
@@ -596,7 +604,7 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
         <p>Add to <code>.pre-commit-config.yaml</code>:</p>
         <pre><code class="language-yaml">repos:
   - repo: https://github.com/benner/commit-guard
-    rev: v0.21.0
+    rev: v0.22.1
     hooks:
       - id: commit-guard
       - id: commit-guard-signature</code></pre>
@@ -618,7 +626,7 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
           ["$ commit-guard\n  ", null],
           ["✗", "c-red"], [" [subject]", "c-dim"], [" subject does not match 'type(scope): description': WIP\n  ", null],
           ["✗", "c-red"], [" [signed-off]", "c-dim"], [" missing 'Signed-off-by' trailer — use 'git commit -s'\n  ", null],
-          ["✗", "c-red"], [" [signature]", "c-dim"], [" commit is not signed (GPG/SSH)", null],
+          ["✗", "c-red"], [" [signature]", "c-dim"], [" signature could not be verified — commit may be\n                unsigned, or signed with a key not uploaded as a\n                Signing key on https://github.com/settings/keys", null],
         ],
         [
           ["$ commit-guard --range origin/main..HEAD\n", null],

{git_commit_guard-0.21.0 → git_commit_guard-0.22.1}/src/git_commit_guard/__init__.py

@@ -34,6 +34,15 @@ TYPES = frozenset(
 )
 
 _NON_IMPERATIVE_SUFFIX_RE = re.compile(r"(?:ing|ed)$")
+_VERB_FORMING_PREFIXES = frozenset(
+    {
+        "re",
+        "pre",
+        "auto",
+        "co",
+        "under",
+    }
+)
 _TRAILER_RE = re.compile(r"^[\w-]+:\s+\S")
 _GITHUB_REMOTE_RE = re.compile(
     r"github\.com[:/](?P<owner>[^/]+)/(?P<repo>[^/\s]+?)(?:\.git)?$"
@@ -235,6 +244,13 @@ def check_imperative(desc, result):
     if tagged[1][1] != "VB":
         if wordnet.morphy(first, wordnet.VERB) == first:
             return
+        if "-" in first:
+            hyphen_prefix, hyphen_base = first.split("-", 1)
+            if (
+                hyphen_prefix in _VERB_FORMING_PREFIXES
+                and wordnet.morphy(hyphen_base, wordnet.VERB) == hyphen_base
+            ):
+                return
         result.error(
             f"expected imperative verb, got '{tagged[1][0]}' (POS={tagged[1][1]})",
             check=Check.IMPERATIVE,
@@ -336,9 +352,21 @@ def _fetch_url(url):
         return resp.read().decode()
 
 
+def _fetch_github_signing_keys(username):
+    url = f"https://api.github.com/users/{username}/ssh_signing_keys"
+    headers = {"Accept": "application/vnd.github+json"}
+    token = os.environ.get("GITHUB_TOKEN") or os.environ.get("GH_TOKEN")
+    if token:
+        headers["Authorization"] = f"Bearer {token}"
+    req = urllib.request.Request(url, headers=headers)  # noqa: S310 Audit URL open for permitted schemes
+    with urllib.request.urlopen(req, timeout=_git_timeout()) as resp:  # noqa: S310 Audit URL open for permitted schemes
+        data = json.loads(resp.read())
+    return "\n".join(item["key"] for item in data)
+
+
 def _fetch_github_keys(username):
     gpg = _fetch_url(f"https://github.com/{username}.gpg")
-    ssh = _fetch_url(f"https://github.com/{username}.keys")
+    ssh = _fetch_github_signing_keys(username)
     return gpg.strip(), ssh.strip()
 
 
@@ -450,7 +478,12 @@ def check_signature(rev, result):
         if _verify_ssh(rev, email, ssh_text):
             result.info("signature type: SSH", check=Check.SIGNATURE)
             return
-        result.error("commit is not signed (GPG/SSH)", check=Check.SIGNATURE)
+        result.error(
+            "signature could not be verified — commit may be unsigned, "
+            "or signed with a key not uploaded as a Signing key on "
+            "https://github.com/settings/keys",
+            check=Check.SIGNATURE,
+        )
     except subprocess.TimeoutExpired:
         result.error(
             "git operation timed out — cannot verify signature",

{git_commit_guard-0.21.0 → git_commit_guard-0.22.1}/tests/test_git_commit_guard.py

@@ -17,6 +17,7 @@ from git_commit_guard import (
     _ensure_nltk_data,
     _fetch_github_commit_author,
     _fetch_github_keys,
+    _fetch_github_signing_keys,
     _fetch_github_username,
     _fetch_url,
     _get_author_email,
@@ -572,6 +573,39 @@ class TestCheckImperative:
         assert not r.ok
         assert "POS=NN" in r.errors[0][2]
 
+    def test_hyphen_re_prefix_verb_passes(self):
+        r = Result()
+        check_imperative("re-enable signature check", r)
+        assert r.ok
+
+    def test_hyphen_auto_prefix_verb_passes(self):
+        r = Result()
+        check_imperative("auto-detect format from header", r)
+        assert r.ok
+
+    def test_hyphen_pre_prefix_verb_passes(self):
+        r = Result()
+        check_imperative("pre-process input lines", r)
+        assert r.ok
+
+    def test_hyphen_unknown_prefix_fails(self):
+        # 'high' is not in the verb-forming prefix allowlist
+        r = Result()
+        check_imperative("high-level overview of foo", r)
+        assert not r.ok
+
+    def test_hyphen_non_verb_base_fails(self):
+        # 'in' is not a verb, so even though split shape matches, base check rejects
+        r = Result()
+        check_imperative("built-in helper function", r)
+        assert not r.ok
+
+    def test_hyphen_inflected_suffix_still_fails(self):
+        # Suffix check runs before hyphen escape — 're-running' caught by ing$
+        r = Result()
+        check_imperative("re-running the tests", r)
+        assert not r.ok
+
 
 class TestDownloadIfMissing:
     def test_skips_download_when_present(self):
@@ -735,10 +769,69 @@ class TestFetchGithubCommitAuthor:
         assert captured[0].get_header("Authorization") == "Bearer ghtoken"
 
 
+class TestFetchGithubSigningKeys:
+    def _mock_response(self, data):
+        mock_resp = MagicMock()
+        mock_resp.__enter__ = lambda s: s
+        mock_resp.__exit__ = MagicMock(return_value=False)
+        mock_resp.read.return_value = json.dumps(data).encode()
+        return mock_resp
+
+    def test_returns_keys_joined_by_newline(self):
+        resp = self._mock_response(
+            [{"key": "ssh-ed25519 AAAA"}, {"key": "ssh-rsa BBBB"}]
+        )
+        with patch("git_commit_guard.urllib.request.urlopen", return_value=resp):
+            assert (
+                _fetch_github_signing_keys("testuser")
+                == "ssh-ed25519 AAAA\nssh-rsa BBBB"
+            )
+
+    def test_empty_list_returns_empty_string(self):
+        resp = self._mock_response([])
+        with patch("git_commit_guard.urllib.request.urlopen", return_value=resp):
+            assert _fetch_github_signing_keys("testuser") == ""
+
+    def test_github_token_sent_in_header(self):
+        resp = self._mock_response([])
+        captured = []
+
+        def mock_urlopen(req, **_):
+            captured.append(req)
+            return resp
+
+        with (
+            patch("git_commit_guard.urllib.request.urlopen", side_effect=mock_urlopen),
+            patch.dict("os.environ", {"GITHUB_TOKEN": "mytoken"}, clear=False),
+        ):
+            _fetch_github_signing_keys("testuser")
+        assert captured[0].get_header("Authorization") == "Bearer mytoken"
+
+    def test_gh_token_used_when_github_token_absent(self):
+        resp = self._mock_response([])
+        captured = []
+
+        def mock_urlopen(req, **_):
+            captured.append(req)
+            return resp
+
+        env = {k: v for k, v in os.environ.items() if k != "GITHUB_TOKEN"}
+        env["GH_TOKEN"] = "ghtoken"  # noqa: S105 Possible hardcoded password assigned to: "GH_TOKEN"
+        with (
+            patch("git_commit_guard.urllib.request.urlopen", side_effect=mock_urlopen),
+            patch.dict("os.environ", env, clear=True),
+        ):
+            _fetch_github_signing_keys("testuser")
+        assert captured[0].get_header("Authorization") == "Bearer ghtoken"
+
+
 class TestFetchGithubKeys:
     def test_returns_gpg_and_ssh(self):
-        with patch(
-            "git_commit_guard._fetch_url", side_effect=["GPG KEY\n", "SSH KEY\n"]
+        with (
+            patch("git_commit_guard._fetch_url", return_value="GPG KEY\n"),
+            patch(
+                "git_commit_guard._fetch_github_signing_keys", return_value="SSH KEY\n"
+            ),
         ):
             gpg, ssh = _fetch_github_keys("testuser")
         assert gpg == "GPG KEY"

git_commit_guard-0.21.0/.github/workflows/lint-md.yml

@@ -1,26 +0,0 @@
----
-name: Lint Markdown
-on:  # yamllint disable-line rule:truthy
-  pull_request:
-permissions:
-  contents: read
-jobs:
-  lint-md:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write
-    steps:
-      - name: Checkout code
-        # yamllint disable-line rule:line-length
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false
-      - name: Lint Markdown files with reviewdog
-        # yamllint disable-line rule:line-length
-        uses: reviewdog/action-markdownlint@3667398db9118d7e78f7a63d10e26ce454ba5f58  # v0.26.2
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          reporter: github-pr-review
-          level: info
-          fail_level: any