feat(hydrator): sign hydrated commits (Alpha) (#28239) #28271

Open
mladjan-gadzic wants to merge 1 commit into argoproj:master from mladjan-gadzic:sign-unsigned-commit

@mladjan-gadzic (Contributor) commented

Description

Closes #28239

What does this PR do?

Adds optional GPG signing of hydrated commits to the commit server. When a signing key is
configured, every commit the source hydrator pushes is GPG-signed before being pushed, and the
commit server refuses to push any commit it cannot locally verify against that key (no unsigned
fallback).

This closes a documented limitation of the source hydrator: previously it never signed the commits
it pushed, so when signature verification was enabled the hydrated manifests failed verification at
sync time.

Feature status: Alpha (since v3.6). This builds on the (Beta) source hydrator and the (Alpha)
source-integrity verification of dry sources.

How does it work?

  • Signing is enabled simply by setting a key path — there is no separate on/off toggle:
    • commitserver.signing.key.path — path to the ASCII-armored GPG private key (default "",
      signing off).
    • commitserver.signing.key.passphrase.file — optional passphrase file for the key.
  • The key is provided via a Kubernetes Secret (argocd-commit-server-gpg-signing-key) mounted into
    the commit server deployment.
  • Fail-fast: if a key path is set but the key is missing or invalid, the commit server fails at
    startup rather than silently falling back to unsigned commits.
  • The configured key is the commit server's single, cluster-wide default signing key.
    Finer-grained (per-project/per-repo) keys are a planned additive extension; the existing
    commitserver.signing.key.* params remain the default and won't be renamed.
  • New commit-server metrics track signing outcomes.

To verify the signed commits at sync time, the corresponding public key must be added to Argo
CD's trusted GPG keys and the project's SourceIntegrity policy configured for the hydrated branch.

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issue number (used for the release note).
  • The title of the PR conforms to the Title of the PR
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

Signed-off-by: Mladjan Gadzic <gadzic.mladjan@gmail.com>
@mladjan-gadzic mladjan-gadzic requested review from a team as code owners June 12, 2026 15:45
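The description above promises two behaviours that are worth seeing as code: a fail-fast startup check of commitserver.signing.key.path (empty path = signing off; set path with a missing or invalid key = startup error, never a silent fallback) and a push gate that refuses any commit the server cannot locally verify. The following Go program is an added example and is not code from this PR or from Argo CD. The names SigningConfig, LoadSigner, GatePush and BuildArmoredFixture are hypothetical, the armor checks (BEGIN/END framing, base64 body, CRC-24 trailer as in RFC 4880) are an assumption standing in for real OpenPGP key parsing, and the "key" written to disk is a constructed fixture, not real key material.

```go
// Added example, not Argo CD code. Models the fail-fast signing-key check and
// the "no unsigned fallback" push gate described in the PR. Key validation is
// limited to ASCII-armor framing and CRC-24 (an assumption; real code would
// parse the key with an OpenPGP library).
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

const (
	armorBegin = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
	armorEnd   = "-----END PGP PRIVATE KEY BLOCK-----"
	crc24Init  = 0xB704CE  // RFC 4880 section 6.1
	crc24Poly  = 0x1864CFB // RFC 4880 section 6.1
)

// SigningConfig mirrors the two parameters named in the PR description.
type SigningConfig struct {
	KeyPath        string // commitserver.signing.key.path ("" means signing off)
	PassphraseFile string // commitserver.signing.key.passphrase.file (optional)
}

// Signer is the loaded, validated signing identity (hypothetical type).
type Signer struct {
	KeyPath    string
	Passphrase string
}

// HydratedCommit is the minimal view the push gate needs (hypothetical type).
type HydratedCommit struct {
	SHA    string
	Signed bool
}

// armorCRC24 computes the OpenPGP CRC-24 used in armor trailers.
func armorCRC24(data []byte) uint32 {
	crc := uint32(crc24Init)
	for _, b := range data {
		crc ^= uint32(b) << 16
		for i := 0; i < 8; i++ {
			crc <<= 1
			if crc&0x1000000 != 0 {
				crc ^= crc24Poly
			}
		}
	}
	return crc & 0xFFFFFF
}

func indexBlank(lines []string) int {
	for i, l := range lines {
		if strings.TrimSpace(l) == "" {
			return i
		}
	}
	return -1
}

// checkArmoredPrivateKey validates armor framing: BEGIN/END lines, an optional
// header block ended by a blank line, a base64 body and, when present, a
// "=XXXX" CRC-24 trailer that must match the decoded body.
func checkArmoredPrivateKey(blob []byte) error {
	lines := strings.Split(strings.ReplaceAll(string(blob), "\r\n", "\n"), "\n")
	for len(lines) > 0 && strings.TrimSpace(lines[len(lines)-1]) == "" {
		lines = lines[:len(lines)-1] // drop trailing empty lines
	}
	if len(lines) < 3 || strings.TrimSpace(lines[0]) != armorBegin {
		return errors.New("missing BEGIN PGP PRIVATE KEY BLOCK line")
	}
	if strings.TrimSpace(lines[len(lines)-1]) != armorEnd {
		return errors.New("missing END PGP PRIVATE KEY BLOCK line")
	}
	body := lines[1 : len(lines)-1]
	if i := indexBlank(body); i >= 0 {
		body = body[i+1:] // skip armor headers such as "Comment: ..."
	}
	var b64, crcLine string
	for _, l := range body {
		l = strings.TrimSpace(l)
		if strings.HasPrefix(l, "=") {
			crcLine = l[1:] // CRC-24 trailer (optional in newer drafts)
			continue
		}
		b64 += l
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) == 0 {
		return errors.New("armor body is not valid base64")
	}
	if crcLine != "" {
		want, err := base64.StdEncoding.DecodeString(crcLine)
		if err != nil || len(want) != 3 {
			return errors.New("malformed CRC-24 trailer")
		}
		got := armorCRC24(raw)
		if (uint32(want[0])<<16 | uint32(want[1])<<8 | uint32(want[2])) != got {
			return errors.New("CRC-24 mismatch: key material corrupted or truncated")
		}
	}
	return nil
}

// LoadSigner applies the fail-fast rule from the PR: an empty path disables
// signing (enabled=false, no error); a set path whose file is missing or not a
// well-formed armored key is a startup error, never a fallback to unsigned.
func LoadSigner(cfg SigningConfig) (signer *Signer, enabled bool, err error) {
	if cfg.KeyPath == "" {
		return nil, false, nil
	}
	blob, err := os.ReadFile(cfg.KeyPath)
	if err != nil {
		return nil, false, fmt.Errorf("signing key %q configured but unreadable: %w", cfg.KeyPath, err)
	}
	if err := checkArmoredPrivateKey(blob); err != nil {
		return nil, false, fmt.Errorf("signing key %q is invalid: %w", cfg.KeyPath, err)
	}
	s := &Signer{KeyPath: cfg.KeyPath}
	if cfg.PassphraseFile != "" {
		p, err := os.ReadFile(cfg.PassphraseFile)
		if err != nil {
			return nil, false, fmt.Errorf("passphrase file %q configured but unreadable: %w", cfg.PassphraseFile, err)
		}
		s.Passphrase = strings.TrimRight(string(p), "\r\n")
	}
	return s, true, nil
}

// GatePush enforces "no unsigned fallback": with signing enabled, a commit may
// be pushed only if it is signed and the local verifier accepts it. verify
// stands in for checking the signature against the configured key.
func GatePush(signer *Signer, c HydratedCommit, verify func(HydratedCommit) error) error {
	if signer == nil {
		return nil // signing off: push behaves as before
	}
	if !c.Signed {
		return fmt.Errorf("refusing to push %s: commit is unsigned", c.SHA)
	}
	if verify == nil {
		return fmt.Errorf("refusing to push %s: no local verifier configured", c.SHA)
	}
	if err := verify(c); err != nil {
		return fmt.Errorf("refusing to push %s: local signature verification failed: %w", c.SHA, err)
	}
	return nil
}

// BuildArmoredFixture wraps arbitrary bytes in a correct armor frame with a
// valid CRC-24 trailer. Constructed test fixture only; NOT a real key.
func BuildArmoredFixture(payload []byte) string {
	crc := armorCRC24(payload)
	crcBytes := []byte{byte(crc >> 16), byte(crc >> 8), byte(crc)}
	var b strings.Builder
	b.WriteString(armorBegin + "\nComment: constructed fixture, not a real key\n\n")
	b.WriteString(base64.StdEncoding.EncodeToString(payload) + "\n")
	b.WriteString("=" + base64.StdEncoding.EncodeToString(crcBytes) + "\n")
	b.WriteString(armorEnd + "\n")
	return b.String()
}

func main() {
	dir, _ := os.MkdirTemp("", "commitserver-sign")
	defer os.RemoveAll(dir)
	keyPath := filepath.Join(dir, "key.asc")
	_ = os.WriteFile(keyPath, []byte(BuildArmoredFixture([]byte("constructed key bytes"))), 0o600)

	for _, cfg := range []SigningConfig{
		{},                                  // signing off
		{KeyPath: keyPath},                  // valid fixture: signing on
		{KeyPath: filepath.Join(dir, "no")}, // missing file: startup error
	} {
		s, enabled, err := LoadSigner(cfg)
		fmt.Printf("path=%q enabled=%v err=%v\n", cfg.KeyPath, enabled, err)
		if enabled {
			fmt.Println(GatePush(s, HydratedCommit{SHA: "abc123", Signed: false}, nil))
		}
	}
}
```

In the real commit server the verify step corresponds to the local verification the PR describes (checking the fresh commit against the public half of the configured key before git push); the gate here fails closed whenever that step is absent or fails, which is the property the description asks for.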
@codecov (bot) commented Jun 12, 2026

Codecov Report

❌ Patch coverage is 68.24818% with 87 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.83%. Comparing base (3e2c297) to head (8be2a7f).
⚠️ Report is 56 commits behind head on master.

Files with missing lines                               Patch %   Lines
...ocd-commit-server/commands/argocd_commit_server.go  30.00%    34 missing, 1 partial
util/gpgsign/gpgsign.go                                79.04%    13 missing, 9 partials
util/git/client.go                                     51.21%    10 missing, 10 partials
commitserver/commit/commit.go                          80.76%    4 missing, 1 partial
util/sourceintegrity/gpg.go                            81.48%    3 missing, 2 partials

@@            Coverage Diff             @@
##           master   #28271      +/-   ##
==========================================
+ Coverage   64.61%   64.83%   +0.21%     
==========================================
  Files         423      426       +3     
  Lines       58320    59333    +1013     
==========================================
+ Hits        37685    38468     +783     
- Misses      17115    17292     +177     
- Partials     3520     3573      +53     

