From b3d27bbbcfa0c2e0dcc79ec90b84e85f836e0977 Mon Sep 17 00:00:00 2001
From: Jeremiah Russell
Date: Wed, 11 Feb 2026 17:21:18 +0000
Subject: [PATCH 1/2] feat: add security improvements to CI
Add dual commit signature verification and forked PR isolation on gating jobs.
Co-Authored-By: Claude Opus 4.6
Signed-off-by: Jeremiah Russell
---
 .circleci/config.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index ec30555..ce53e4a 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -49,6 +49,25 @@ workflows:
 - << pipeline.parameters.validation_flag >>
 - not: << pipeline.parameters.release_flag >>
 jobs:
+ # Signature verification for trusted PRs (with write access for comments)
+ - toolkit/verify_commit_signatures:
+ name: verify_commit_signatures_trusted
+ context: bot-check
+ post_comment: true
+ update_pcu: false
+ filters:
+ branches:
+ ignore:
+ - main
+ - /pull\/[0-9]+/
+ # Signature verification for forked PRs (read-only, no comments)
+ - toolkit/verify_commit_signatures:
+ name: verify_commit_signatures_forked
+ post_comment: false
+ update_pcu: false
+ filters:
+ branches:
+ only: /pull\/[0-9]+/
 - toolkit/label:
 min_rust_version: << pipeline.parameters.min_rust_version >>
 context: pcu-app
@@ -69,7 +88,13 @@ workflows:
 - toolkit/idiomatic_rust:
 min_rust_version: << pipeline.parameters.min_rust_version >>
 - toolkit/update_prlog:
+ filters:
+ branches:
+ ignore:
+ - /pull\/[0-9]+/
+ - main
 requires:
+ - verify_commit_signatures_trusted
 - toolkit/required_builds
 - toolkit/common_tests
 - toolkit/idiomatic_rust
From 7706e5612abf90ff8819ba6956cc39fa6f233969 Mon Sep 17 00:00:00 2001
From: Jerus Bot <171541392+jerus-bot@users.noreply.github.com>
Date: Wed, 11 Feb 2026 17:23:18 +0000
Subject: [PATCH 2/2] chore: update prlog for pr
Signed-off-by: Jerus Bot <171541392+jerus-bot@users.noreply.github.com>
---
 PRLOG.md | 5 +++++
 1 file changed, 5 insertions(+)
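Review bot: `verify_commit_signatures_forked` is not required by any job — the `requires` list in the second hunk adds only `verify_commit_signatures_trusted`, and `toolkit/update_prlog` is itself filtered off `/pull\/[0-9]+/` branches — so on a fork PR a failed signature check blocks nothing inside the pipeline, and it gates the merge only if GitHub branch protection names that job's status as a required check, which is outside this diff. Record that coupling next to the job, e.g. `# gates fork PRs only via the required status check in branch protection; no workflow job requires it`, so a later change to branch protection or to this filter does not silently disable the gate. The trusted job's isolation likewise depends on forked builds arriving on `pull/NNN` branches and on secrets not being passed to forked builds (presumably CircleCI project settings rather than anything this config can enforce; confirm both), which belongs in the same comment. As a style point, the two `ignore` lists (here and on `update_prlog` in the second hunk) hold the same two entries in opposite order; since a job that `requires` a filtered job must carry the same filter, ordering them identically with `# must match verify_commit_signatures_trusted filters` makes the coupling visible. The enclosing workflow and its job list start before the first hunk and continue past the second.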
diff --git a/PRLOG.md b/PRLOG.md index 5e9fae5..68b4f8e 100644 --- a/PRLOG.md +++ b/PRLOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Added + +- add security improvements to CI(pr [#129]) + ### Security - Dependencies: bump bytes from 1.9.0 to 1.11.1 in the cargo group across 1 directory(pr [#128]) @@ -431,6 +435,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 [#126]: https://github.com/jerus-org/lambda_sqs/pull/126 [#127]: https://github.com/jerus-org/lambda_sqs/pull/127 [#128]: https://github.com/jerus-org/lambda_sqs/pull/128 +[#129]: https://github.com/jerus-org/lambda_sqs/pull/129 [Unreleased]: https://github.com/jerus-org/lambda_sqs/compare/v0.3.0...HEAD [0.3.0]: https://github.com/jerus-org/lambda_sqs/compare/v0.2.37...v0.3.0 [0.2.37]: https://github.com/jerus-org/lambda_sqs/compare/v0.2.36...v0.2.37