Can I rebase and merge a pull request to a branch that blocks pushing and unsigned commits?

Question

Problem

I have a repo on GitHub with the following branch protection rules enabled on main branch:

1. Require signed commits: Commits pushed to matching branches must have verified signatures.
2. Require a pull request before merging: Require all commits be made to a non-target branch and submitted via a pull request before they can be merged.
3. Block force pushes: Prevent users with push access from force pushing to branches.

My question is, can I merge a branch into main via "Rebase and merge" option in a pull request without breaking rules since I'm actually not clear about what "Rebase and merge" does on the target branch.

Replication

I've added some commit to a new branch and created a pull request. And I've enabled auto-merge (rebase). But the merge just stucks even if all required status checks have passed. It reports that "Base branch requires signed commits".

Here is my pull request: Update: causal inference

Answer 1

can I merge a branch into main via "Rebase and merge" option in a pull request without breaking rules

No. If what you are trying to do were possible, all the commits reachable on main would be unsigned. In effect, therefore, what you're trying to do is to completely evade the signing requirement.

Rebase and merge, despite the name, is not a merge. Instead, it creates a whole new series of commits directly on main. These new commits are not the same as the commits that constitute your PR branch, even though they are ultimately based on them. So even though your PR branch commits are signed, these new commits, by definition, are not signed. So you would be introducing onto main a set of commits that are unsigned and have no traceable history of origin. And that is forbidden.