Add automated GPG signatures
Major new feature is the signature job and signing in the build job.
Many different scenarios are possible:
Use the gitlab CI variables to directly sign commits in the build job. Depending on how variables are configured this will sign all branches. To restrict the branches you one can make them only available in protected branches.
Another method is to use the sign job. This job can then be extended with rules to e.g. only run on branches distinct from the main branch, because you'd like to sign commits on main branch manually with a different more secure key. Or only execute the job on protected branches.
Apart from gitlab CI variables the GPG credentials might also be provided fully or partially through the gitlab-runner. With the runners env configuration it can override or add the credentials on the fly. The benefit with this is that you can distribute e.g. the key and it's passphrase through different machines with different access levels. This way someone with access to the gitlab repo will not automatically gain acccess on the full gpg creds. Keep in mind that a runner configured like that is now confidential and that all jobs could leak the GPG key or passphrase.