From d57e551ebc1a16dee0b8c9ea6d24dba7627a6e35 Mon Sep 17 00:00:00 2001
From: Peter Evans <18365890+peter-evans@users.noreply.github.com>
Date: Tue, 1 Apr 2025 11:00:38 +0100
Subject: [PATCH] docs: add note about deploy keys and commit signing

---
 docs/concepts-guidelines.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/concepts-guidelines.md b/docs/concepts-guidelines.md
index 269715f..3ad477b 100644
--- a/docs/concepts-guidelines.md
+++ b/docs/concepts-guidelines.md
@@ -197,8 +197,9 @@ Checking out a branch from a different repository from where the workflow is exe
 Allowing the action to push with a configured deploy key will trigger `on: push` workflows. This makes it an alternative to using a PAT to trigger checks for pull requests.
 
 > [!NOTE]
-> You cannot use deploy keys alone to [create a pull request in a remote repository](#creating-pull-requests-in-a-remote-repository) because then using a PAT would become a requirement.
+> - You cannot use deploy keys alone to [create a pull request in a remote repository](#creating-pull-requests-in-a-remote-repository) because then using a PAT would become a requirement.
 > This method only makes sense if creating a pull request in the repository where the workflow is running.
+> - You cannot use deploy keys with [commit signature verification for bots](#commit-signature-verification-for-bots) (`sign-commits: true`).
 
 How to use SSH (deploy keys) with create-pull-request action: