diff --git a/mex-{{ cookiecutter.project_name }}/.github/workflows/cookiecutter.yml b/mex-{{ cookiecutter.project_name }}/.github/workflows/cookiecutter.yml
index 468ca94..5078810 100644
--- a/mex-{{ cookiecutter.project_name }}/.github/workflows/cookiecutter.yml	
+++ b/mex-{{ cookiecutter.project_name }}/.github/workflows/cookiecutter.yml	
@@ -22,6 +22,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          {% raw %}token: ${{ secrets.WORKFLOW_TOKEN }}{% endraw %}
 
       - name: Cache requirements
         uses: actions/cache@v4
@@ -41,12 +42,31 @@ jobs:
       - name: Install requirements
         run: make setup
 
+      - name: Configure git
+        env:
+          {% raw %}SIGNING_KEY: ${{ secrets.SIGNING_KEY }}{% endraw %}
+          {% raw %}SIGNING_PUB: ${{ secrets.SIGNING_PUB }}{% endraw %}
+        run: |
+          {% raw -%}
+          eval "$(ssh-agent -s)"
+          install --directory ~/.ssh --mode 700
+          base64 -d <<< '${{ secrets.SIGNING_KEY }}' > ~/.ssh/mex
+          base64 -d <<< '${{ secrets.SIGNING_PUB }}' > ~/.ssh/mex.pub
+          chmod 600 ~/.ssh/*
+          ssh-add ~/.ssh/mex
+          git config --local user.email ${{ vars.MEX_BOT_EMAIL }}
+          git config --local user.name ${{ vars.MEX_BOT_USER }}
+          git config --local gpg.format ssh
+          git config --local user.signingkey ~/.ssh/mex.pub
+          git config --local commit.gpgsign true
+          {%- endraw %}
+
       - name: Update template
-        continue-on-error: true
         env:
           {% raw %}GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}{% endraw %}
         run: |
-          {% raw %}if cruft check; then
+          {% raw -%}
+          if cruft check; then
             echo template is up to date
             exit 0
           fi
@@ -60,8 +80,8 @@ jobs:
           git checkout -b cruft/cookiecutter-template-${template_ref}
           cruft update --skip-apply-ask
           printf '# Changes\n\n- bumped cookiecutter template to %s/commit/%s\n' "$template_url" "$template_ref" > .cruft-pr-body
-          if [[ $(git status --porcelain | wc -c) -ne 0 ]]; then
-            printf '\n# Conflicts\n' >> .cruft-pr-body
+          if [[ $(git status --porcelain | grep .rej | wc -c) -ne 0 ]]; then
+            printf '\n# Conflicts\n' > .cruft-pr-body
           fi
           git status --porcelain | grep .rej | awk '{print $2;}' | while read -r line ; do
             printf '\n```' >> .cruft-pr-body
@@ -69,9 +89,7 @@ jobs:
             printf '```\n' >> .cruft-pr-body
           done
           git add --all --verbose
-          git config --global user.email ${{ vars.MEX_BOT_EMAIL }}
-          git config --global user.name ${{ vars.MEX_BOT_USER }}
           git commit --message "Bump cookiecutter template to $template_ref" --verbose
           git push --set-upstream origin cruft/cookiecutter-template-${template_ref} --force --verbose
           gh pr create --title "Bump cookiecutter template to $template_ref" --body-file .cruft-pr-body --label cruft --assignee ${{ vars.MEX_BOT_USER }}
-          exit 1{% endraw %}
+          {%- endraw %}