I added a template to my organization and ported a project’s .drone.yml to use the template instead. As this is a protected repository, I signed the config afterwards using the drone cli, so in this case it looks like this:
---
kind: template
load: docker-buildx.yaml
data:
image: my/repository
---
kind: signature
hmac: REDACTED
...
Now although the repository is now protected and signed, I still have to manually approve every build. I think there is something wrong here.
