Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

v7 - signed commits #3057

Merged
merged 69 commits into from
Sep 3, 2024
Merged

v7 - signed commits #3057

merged 69 commits into from
Sep 3, 2024

Conversation

peter-evans
Copy link
Owner

@peter-evans peter-evans commented Jul 26, 2024
edited
Loading

v7

If anyone is following this development and is willing to test the release candidate, you can find documentation for the sign-commits feature here.

- uses: peter-evans/create-pull-request@v7-rc

TODO:

  • Fix for when base input is not supplied
  • Fix Invalid character error
  • Refactor fileChanges to output from src/create-or-update-branch.ts. (Should fix the push-to-fork cases.)
  • Add tests for fileChanges refactor
  • Add a buildFileChanges test for binary file types
  • Refactor graphql code into github helper class. (Should fix the proxy test.)
  • Make signed commits work for all use cases:
  • Switch to the REST API
  • Investigate strange behaviour where commits are shared between branches
    • (theory) If a commit has no ref pointing to it, a request to create a new commit for an identical tree returns the already created commit's sha. Two create-pull-request processes then create a different ref pointing to the same commit.
    • Fix peter-evans/create-pull-request-tests@322c1d4
  • Limit concurrency of blob creation
  • Add test for executable file changes
    • Executable renames via REST and GraphQL are not currently supported. The executable file mode is removed and becomes non-executable.
  • Check how to handle author/committer
    • Warn when using inputs the action will ignore Can't do this because of the defaults
  • signoff? Appears to work fine with signed commits
  • Only build file changes when signing commit
  • Update test suite to handle signing/non-signing routes
    • Output verification status
    • Fix head sha output
    • Add checks on outputs
  • Remove unnecessary dependencies (e.g. @octokit/graphql)
  • Check for other behaviour differences and failure modes
  • Consider adding retry
  • Switch default back to false
  • Update docs
  • Fix token issues for App auth and fine-grained with push-to-fork
    • Rename git-token to branch-token.
    • Add fine-grained test for push-to-fork
    • Use branch-token for API operations to create/update the branch.
      • push-to-fork with fine-grained or App auth will need to set the branch-token, and leave token as the default.
      • push-to-fork with fine-grained or App auth, where the pull request is being created in a remote repo will not work.
        • (It probably would work just to give the app token scope for both the parent and fork, but then does that defeat the purpose of push-to-fork?)
  • Update tests to use app tokens when commit signing
  • Document how to use fine-grained PATs and app tokens with push-to-fork (enabling signed commits with app tokens)
  • Check verified status when not known
  • Test build branch commits with very large diff
    • Support empty commits and check the tree is correct
    • Build large trees incrementally
  • Test sign commits with large files
    • Document the 40MiB limit for blobs and trees
  • Investigate converting PRs back to draft (true/always-true/false)
  • Update docs regarding default permissions for GITHUB_TOKEN on new repos.
  • Prepare for a major version release and document breaking changes
    • git-token -> branch-token
    • Removing deprecated features

Fixes: #2062
Fixes: #2848
Fixes: #1791
Fixes: #2443
Fixes: #2778
Fixes: #3159

@peter-evans peter-evans mentioned this pull request Jul 26, 2024
Merged
@github-actions GitHub Actions
Copy link
Contributor

Full test suite slash command (repository admin only)

/test repository=peter-evans/create-pull-request ref=signed-commits build=true

lichao127
lichao127 reviewed Jul 26, 2024
View reviewed changes
Copy link

@lichao127 lichao127 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor rephrase in the feature description

README.md Outdated Show resolved Hide resolved
action.yml Outdated Show resolved Hide resolved
@dushyant-gemini
Copy link

Hey, Is the sign-commit feature ready? It is required by the branch protection rule. Anyway, I can assist to boost it up?

@lichao127
Copy link

Hey, Is the sign-commit feature ready? It is required by the branch protection rule. Anyway, I can assist to boost it up?

It will be ready when this PR merges. I believe the TODOs are updated in the PR description.

In the current version, the workaround is to generate a GPG key, then import it: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#gpg-commit-signature-verification

@peter-evans peter-evans force-pushed the signed-commits branch 3 times, most recently from 44e8de5 to 6c1922b Compare August 7, 2024 14:31
@peter-evans peter-evans marked this pull request as ready for review August 15, 2024 14:57
@peter-evans

This comment was marked as outdated.

Sign in to view
@peter-evans peter-evans mentioned this pull request Aug 15, 2024
Closed
@peter-evans peter-evans marked this pull request as draft August 17, 2024 19:45
@peter-evans peter-evans changed the title Signed commits v7 - signed commits Aug 17, 2024
This was referenced Aug 18, 2024
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@peter-evans peter-evans mentioned this pull request Aug 22, 2024
Closed
@peter-evans
add maintainer-can-modify input
5294a5e
@peter-evans
rename git-token to branch-token
1985abb
@peter-evans
fix branch token input
c006a63
@peter-evans
remove deprecated env output
4a0f9a8
@peter-evans
update docs
981b469
@peter-evans
fix doc
942e5a9
@peter-evans
update docs
2ba41ed
@peter-evans
build branch commits when there is a diff with the base
32e97fc
@peter-evans
check verification status of head commit when not known
1cd6df6
@peter-evans
fix verified output when no commit signing is being used
1045472
@peter-evans
draft always-true
c64379e
@peter-evans
convert to draft on branch updates when there is a diff with base
8f92797
@peter-evans
update docs with blob size limit
1e681e3
@peter-evans
catch errors during blob creation for debugging
a354636
@peter-evans
parse empty commits
42beb85
@peter-evans
pass base commit to push signed commits
034fcb0
@peter-evans
use parent commit details in create commit
02efff6
@peter-evans
use parent tree for base_tree
633a5a9
@peter-evans
multipart tree creation
6c4c6cf
@peter-evans
update docs
9fc91d9
@peter-evans
update readme about the permissions of the default token
ce190a9
@peter-evans peter-evans mentioned this pull request Aug 28, 2024
Closed
@peter-evans peter-evans marked this pull request as ready for review September 3, 2024 07:53
@peter-evans peter-evans merged commit 4320041 into main Sep 3, 2024
6 checks passed
trindadedev13 referenced this pull request in Robok-Engine/Robok-Engine Sep 3, 2024
@renovate @trindadedev13
chore(deps): update peter-evans/create-pull-request action to v7 (#224)
a596930 
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[peter-evans/create-pull-request](https://redirect.github.com/peter-evans/create-pull-request)
| action | major | `v6.1.0` -> `v7.0.0` |

---

### Release Notes

<details>
<summary>peter-evans/create-pull-request
(peter-evans/create-pull-request)</summary>

###
[`v7.0.0`](https://redirect.github.com/peter-evans/create-pull-request/releases/tag/v7.0.0)

[Compare
Source](https://redirect.github.com/peter-evans/create-pull-request/compare/v6.1.0...v7.0.0)

:sparkles: Now supports commit signing with bot-generated tokens! See
"What's new" below. :writing_hand::robot:

##### Behaviour changes

- Action input `git-token` has been renamed `branch-token`, to be more
clear about its purpose. The `branch-token` is the token that the action
will use to create and update the branch.
- The action now handles requests that have been rate-limited by GitHub.
Requests hitting a primary rate limit will retry twice, for a total of
three attempts. Requests hitting a secondary rate limit will not be
retried.
- The `pull-request-operation` output now returns `none` when no
operation was executed.
- Removed deprecated output environment variable `PULL_REQUEST_NUMBER`.
Please use the `pull-request-number` action output instead.

##### What's new

- The action can now sign commits as `github-actions[bot]` when using
`GITHUB_TOKEN`, or your own bot when using [GitHub App
tokens](docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens).
See [commit
signing](docs/concepts-guidelines.md#commit-signature-verification-for-bots)
for details.
- Action input `draft` now accepts a new value `always-true`. This will
set the pull request to draft status when the pull request is updated,
as well as on creation.
- A new action input `maintainer-can-modify` indicates whether
[maintainers can
modify](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork)
the pull request. The default is `true`, which retains the existing
behaviour of the action.
- A new output `pull-request-commits-verified` returns `true` or
`false`, indicating whether GitHub considers the signature of the
branch's commits to be verified.

#### What's Changed

- build(deps-dev): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from
18.19.36 to 18.19.39 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3000](https://redirect.github.com/peter-evans/create-pull-request/pull/3000)
- build(deps-dev): bump ts-jest from 29.1.5 to 29.2.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3008](https://redirect.github.com/peter-evans/create-pull-request/pull/3008)
- build(deps-dev): bump prettier from 3.3.2 to 3.3.3 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3018](https://redirect.github.com/peter-evans/create-pull-request/pull/3018)
- build(deps-dev): bump ts-jest from 29.2.0 to 29.2.2 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3019](https://redirect.github.com/peter-evans/create-pull-request/pull/3019)
- build(deps-dev): bump eslint-plugin-prettier from 5.1.3 to 5.2.1 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3035](https://redirect.github.com/peter-evans/create-pull-request/pull/3035)
- build(deps-dev): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from
18.19.39 to 18.19.41 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3037](https://redirect.github.com/peter-evans/create-pull-request/pull/3037)
- build(deps): bump undici from 6.19.2 to 6.19.4 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3036](https://redirect.github.com/peter-evans/create-pull-request/pull/3036)
- build(deps-dev): bump ts-jest from 29.2.2 to 29.2.3 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3038](https://redirect.github.com/peter-evans/create-pull-request/pull/3038)
- build(deps-dev): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from
18.19.41 to 18.19.42 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3070](https://redirect.github.com/peter-evans/create-pull-request/pull/3070)
- build(deps): bump undici from 6.19.4 to 6.19.5 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3086](https://redirect.github.com/peter-evans/create-pull-request/pull/3086)
- build(deps-dev): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from
18.19.42 to 18.19.43 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3087](https://redirect.github.com/peter-evans/create-pull-request/pull/3087)
- build(deps-dev): bump ts-jest from 29.2.3 to 29.2.4 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3088](https://redirect.github.com/peter-evans/create-pull-request/pull/3088)
- build(deps): bump undici from 6.19.5 to 6.19.7 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3145](https://redirect.github.com/peter-evans/create-pull-request/pull/3145)
- build(deps-dev): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from
18.19.43 to 18.19.44 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3144](https://redirect.github.com/peter-evans/create-pull-request/pull/3144)
- Update distribution by
[@&#8203;actions-bot](https://redirect.github.com/actions-bot) in
[https://github.com/peter-evans/create-pull-request/pull/3154](https://redirect.github.com/peter-evans/create-pull-request/pull/3154)
- build(deps): bump undici from 6.19.7 to 6.19.8 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3213](https://redirect.github.com/peter-evans/create-pull-request/pull/3213)
- build(deps-dev): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from
18.19.44 to 18.19.45 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3214](https://redirect.github.com/peter-evans/create-pull-request/pull/3214)
- Update distribution by
[@&#8203;actions-bot](https://redirect.github.com/actions-bot) in
[https://github.com/peter-evans/create-pull-request/pull/3221](https://redirect.github.com/peter-evans/create-pull-request/pull/3221)
- build(deps-dev): bump eslint-import-resolver-typescript from 3.6.1 to
3.6.3 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3255](https://redirect.github.com/peter-evans/create-pull-request/pull/3255)
- build(deps-dev): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from
18.19.45 to 18.19.46 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3254](https://redirect.github.com/peter-evans/create-pull-request/pull/3254)
- build(deps-dev): bump ts-jest from 29.2.4 to 29.2.5 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3256](https://redirect.github.com/peter-evans/create-pull-request/pull/3256)
- v7 - signed commits by
[@&#8203;peter-evans](https://redirect.github.com/peter-evans) in
[https://github.com/peter-evans/create-pull-request/pull/3057](https://redirect.github.com/peter-evans/create-pull-request/pull/3057)

#### New Contributors

- [@&#8203;rustycl0ck](https://redirect.github.com/rustycl0ck) made
their first contribution in
[https://github.com/peter-evans/create-pull-request/pull/3057](https://redirect.github.com/peter-evans/create-pull-request/pull/3057)

**Full Changelog**:
peter-evans/create-pull-request@v6.1.0...v7.0.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/robok-inc/Robok-Engine).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC41OS4yIiwidXBkYXRlZEluVmVyIjoiMzguNTkuMiIsInRhcmdldEJyYW5jaCI6ImRldiIsImxhYmVscyI6W119-->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Aquiles Trindade <devsuay@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lichao127 lichao127 lichao127 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@peter-evans @dushyant-gemini @lichao127 @rustycl0ck