We are actively trying to eliminate the requirement for signing the yaml file. See https://github.com/drone/drone/issues/1935
The initial implementation implements a simple approval system that blocks a build if the pull request attempts to alter the yaml and the following conditions are met:
- hook is a pull request
- pull request author is not a project member (rw access)
- pull request yaml does not match target branch
- secrets exists, with verification required
This prevents the attack vector where a bad actor submits a pull request that attempts to expose secrets, while removing the need to sign the yaml file.
With the basic implementation in place, we are now discussing more robust workflows for blocking builds and how drone should behave by deafult. I would love community feedback and ideas, but would ask that everyone read the following issues carefully prior to giving feedback, so that we don’t end up having to repeat myself