
v7 - signed commits #3057

Merged
merged 69 commits into main from signed-commits
Sep 3, 2024

Conversation

@peter-evans peter-evans commented Jul 26, 2024

v7

If anyone is following this development and is willing to test the release candidate, you can find documentation for the sign-commits feature here.

- uses: peter-evans/create-pull-request@v7-rc

TODO:

  • Fix for when base input is not supplied
  • Fix Invalid character error
  • Refactor fileChanges to output from src/create-or-update-branch.ts. (Should fix the push-to-fork cases.)
  • Add tests for fileChanges refactor
  • Add a buildFileChanges test for binary file types
  • Refactor graphql code into github helper class. (Should fix the proxy test.)
  • Make signed commits work for all use cases:
  • Switch to the REST API
  • Investigate strange behaviour where commits are shared between branches
    • (theory) If a commit has no ref pointing to it, a request to create a new commit for an identical tree returns the already created commit's sha. Two create-pull-request processes then create a different ref pointing to the same commit.
    • Fix peter-evans/create-pull-request-tests@322c1d4
  • Limit concurrency of blob creation
  • Add test for executable file changes
    • Executable renames via REST and GraphQL are not currently supported. The executable file mode is removed and becomes non-executable.
  • Check how to handle author/committer
    • Warn when using inputs the action will ignore (can't do this because of the defaults)
  • signoff? Appears to work fine with signed commits
  • Only build file changes when signing commit
  • Update test suite to handle signing/non-signing routes
    • Output verification status
    • Fix head sha output
    • Add checks on outputs
  • Remove unnecessary dependencies (e.g. @octokit/graphql)
  • Check for other behaviour differences and failure modes
  • Consider adding retry
  • Switch default back to false
  • Update docs
  • Fix token issues for App auth and fine-grained with push-to-fork
    • Rename git-token to branch-token.
    • Add fine-grained test for push-to-fork
    • Use branch-token for API operations to create/update the branch.
      • push-to-fork with fine-grained or App auth will need to set the branch-token, and leave token as the default.
      • push-to-fork with fine-grained or App auth, where the pull request is being created in a remote repo will not work.
        • (It probably would work just to give the app token scope for both the parent and fork, but then does that defeat the purpose of push-to-fork?)
  • Update tests to use app tokens when commit signing
  • Document how to use fine-grained PATs and app tokens with push-to-fork (enabling signed commits with app tokens)
  • Check verified status when not known
  • Test build branch commits with very large diff
    • Support empty commits and check the tree is correct
    • Build large trees incrementally
  • Test sign commits with large files
    • Document the 40MiB limit for blobs and trees
  • Investigate converting PRs back to draft (true/always-true/false)
  • Update docs regarding default permissions for GITHUB_TOKEN on new repos.
  • Prepare for a major version release and document breaking changes
    • git-token -> branch-token
    • Removing deprecated features

Fixes: #2062
Fixes: #2848
Fixes: #1791
Fixes: #2443
Fixes: #2778
Fixes: #3159
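The "strange behaviour where commits are shared between branches" in the TODO list above has a mechanism behind it worth seeing in code. The following is an added example, not code from the create-pull-request action: it reproduces Git's object hashing to show that two runs which build the same tree on the same parent with identical author/committer lines and message produce the same commit id, so a second "create commit" for that content resolves to the object the first run already created. The bot identity and timestamps are constructed values; the empty-tree and empty-blob ids are Git's well-known constants.

```python
"""Why two create-pull-request runs can end up pointing at one commit.

Git objects are content-addressed: an object's id is SHA-1 over the
header "<type> <size>\\0" followed by the object body. A commit body is
the tree id, parent ids, author line, committer line and message. Two
writers that build the same tree on the same parent with identical
author/committer lines (name, email, timestamp) and the same message
therefore produce the same commit id, and a request to create the
"second" commit resolves to the object the first writer already made.
Any differing byte, such as a later timestamp, yields a distinct commit.
"""
import hashlib
from typing import Optional


def git_object_id(obj_type: str, body: bytes) -> str:
    """Id Git assigns to a loose object: sha1(b"<type> <size>\\0" + body)."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def commit_body(tree: str, parent: Optional[str], author: str,
                committer: str, message: str) -> bytes:
    """Serialise a commit the way Git does; a root commit has no parent line."""
    lines = [f"tree {tree}"]
    if parent is not None:
        lines.append(f"parent {parent}")
    lines.append(f"author {author}")
    lines.append(f"committer {committer}")
    return ("\n".join(lines) + "\n\n" + message).encode()


def commit_id(tree: str, parent: Optional[str], author: str,
              committer: str, message: str) -> str:
    """Commit id for the given fields, exactly as Git would compute it."""
    return git_object_id("commit", commit_body(tree, parent, author, committer, message))


# Well-known Git constant: the id of the empty tree.
EMPTY_TREE = git_object_id("tree", b"")

# Constructed identities (not real accounts); only the timestamp differs.
IDENT_T0 = "Example Bot <bot@example.invalid> 1725349200 +0000"
IDENT_T1 = "Example Bot <bot@example.invalid> 1725349260 +0000"


def shared_commit_scenario() -> dict:
    """Two runs with identical inputs collide; a later timestamp does not."""
    msg = "[create-pull-request] automated change"
    run_a = commit_id(EMPTY_TREE, None, IDENT_T0, IDENT_T0, msg)
    run_b = commit_id(EMPTY_TREE, None, IDENT_T0, IDENT_T0, msg)
    run_c = commit_id(EMPTY_TREE, None, IDENT_T1, IDENT_T1, msg)
    return {
        "same_inputs_same_commit": run_a == run_b,
        "later_timestamp_new_commit": run_a != run_c,
        "run_a": run_a,
    }


if __name__ == "__main__":
    print(shared_commit_scenario())
```

The practical consequence for anyone auditing branches built through the API is that a shared commit is not evidence of one job reading another's branch; it is the expected result of identical content hashing to an identical id, and only the refs differ.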


Full test suite slash command (repository admin only)

/test repository=peter-evans/create-pull-request ref=signed-commits build=true


@lichao127 lichao127 left a comment


minor rephrase in the feature description

Review comments on README.md and action.yml (outdated, resolved)
@dushyant-gemini

Hey, is the sign-commit feature ready? It is required by the branch protection rule. Is there any way I can assist to boost it up?

@lichao127

> Hey, is the sign-commit feature ready? It is required by the branch protection rule. Is there any way I can assist to boost it up?

It will be ready when this PR merges. I believe the TODOs are updated in the PR description.

In the current version, the workaround is to generate a GPG key, then import it: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#gpg-commit-signature-verification

@peter-evans peter-evans force-pushed the signed-commits branch 3 times, most recently from 44e8de5 to 6c1922b Compare August 7, 2024 14:31
@peter-evans peter-evans marked this pull request as ready for review August 15, 2024 14:57
@peter-evans peter-evans marked this pull request as ready for review September 3, 2024 07:53
@peter-evans peter-evans merged commit 4320041 into main Sep 3, 2024
6 checks passed
trindadedev13 referenced this pull request in Robok-Engine/Robok-Engine Sep 3, 2024
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [peter-evans/create-pull-request](https://redirect.github.com/peter-evans/create-pull-request) | action | major | `v6.1.0` -> `v7.0.0` |

---

### Release Notes

<details>
<summary>peter-evans/create-pull-request
(peter-evans/create-pull-request)</summary>

### [`v7.0.0`](https://redirect.github.com/peter-evans/create-pull-request/releases/tag/v7.0.0)

[Compare Source](https://redirect.github.com/peter-evans/create-pull-request/compare/v6.1.0...v7.0.0)

:sparkles: Now supports commit signing with bot-generated tokens! See
"What's new" below. :writing_hand::robot:

##### Behaviour changes

- Action input `git-token` has been renamed `branch-token`, to be more
clear about its purpose. The `branch-token` is the token that the action
will use to create and update the branch.
- The action now handles requests that have been rate-limited by GitHub.
Requests hitting a primary rate limit will retry twice, for a total of
three attempts. Requests hitting a secondary rate limit will not be
retried.
- The `pull-request-operation` output now returns `none` when no
operation was executed.
- Removed deprecated output environment variable `PULL_REQUEST_NUMBER`.
Please use the `pull-request-number` action output instead.

##### What's new

- The action can now sign commits as `github-actions[bot]` when using
`GITHUB_TOKEN`, or your own bot when using [GitHub App
tokens](docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens).
See [commit
signing](docs/concepts-guidelines.md#commit-signature-verification-for-bots)
for details.
- Action input `draft` now accepts a new value `always-true`. This will
set the pull request to draft status when the pull request is updated,
as well as on creation.
- A new action input `maintainer-can-modify` indicates whether
[maintainers can
modify](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork)
the pull request. The default is `true`, which retains the existing
behaviour of the action.
- A new output `pull-request-commits-verified` returns `true` or
`false`, indicating whether GitHub considers the signature of the
branch's commits to be verified.

#### What's Changed

- build(deps-dev): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from
18.19.36 to 18.19.39 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3000](https://redirect.github.com/peter-evans/create-pull-request/pull/3000)
- build(deps-dev): bump ts-jest from 29.1.5 to 29.2.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3008](https://redirect.github.com/peter-evans/create-pull-request/pull/3008)
- build(deps-dev): bump prettier from 3.3.2 to 3.3.3 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3018](https://redirect.github.com/peter-evans/create-pull-request/pull/3018)
- build(deps-dev): bump ts-jest from 29.2.0 to 29.2.2 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3019](https://redirect.github.com/peter-evans/create-pull-request/pull/3019)
- build(deps-dev): bump eslint-plugin-prettier from 5.1.3 to 5.2.1 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3035](https://redirect.github.com/peter-evans/create-pull-request/pull/3035)
- build(deps-dev): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from
18.19.39 to 18.19.41 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3037](https://redirect.github.com/peter-evans/create-pull-request/pull/3037)
- build(deps): bump undici from 6.19.2 to 6.19.4 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3036](https://redirect.github.com/peter-evans/create-pull-request/pull/3036)
- build(deps-dev): bump ts-jest from 29.2.2 to 29.2.3 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3038](https://redirect.github.com/peter-evans/create-pull-request/pull/3038)
- build(deps-dev): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from
18.19.41 to 18.19.42 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3070](https://redirect.github.com/peter-evans/create-pull-request/pull/3070)
- build(deps): bump undici from 6.19.4 to 6.19.5 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3086](https://redirect.github.com/peter-evans/create-pull-request/pull/3086)
- build(deps-dev): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from
18.19.42 to 18.19.43 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3087](https://redirect.github.com/peter-evans/create-pull-request/pull/3087)
- build(deps-dev): bump ts-jest from 29.2.3 to 29.2.4 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3088](https://redirect.github.com/peter-evans/create-pull-request/pull/3088)
- build(deps): bump undici from 6.19.5 to 6.19.7 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3145](https://redirect.github.com/peter-evans/create-pull-request/pull/3145)
- build(deps-dev): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from
18.19.43 to 18.19.44 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3144](https://redirect.github.com/peter-evans/create-pull-request/pull/3144)
- Update distribution by
[@&#8203;actions-bot](https://redirect.github.com/actions-bot) in
[https://github.com/peter-evans/create-pull-request/pull/3154](https://redirect.github.com/peter-evans/create-pull-request/pull/3154)
- build(deps): bump undici from 6.19.7 to 6.19.8 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3213](https://redirect.github.com/peter-evans/create-pull-request/pull/3213)
- build(deps-dev): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from
18.19.44 to 18.19.45 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3214](https://redirect.github.com/peter-evans/create-pull-request/pull/3214)
- Update distribution by
[@&#8203;actions-bot](https://redirect.github.com/actions-bot) in
[https://github.com/peter-evans/create-pull-request/pull/3221](https://redirect.github.com/peter-evans/create-pull-request/pull/3221)
- build(deps-dev): bump eslint-import-resolver-typescript from 3.6.1 to
3.6.3 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3255](https://redirect.github.com/peter-evans/create-pull-request/pull/3255)
- build(deps-dev): bump
[@&#8203;types/node](https://redirect.github.com/types/node) from
18.19.45 to 18.19.46 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3254](https://redirect.github.com/peter-evans/create-pull-request/pull/3254)
- build(deps-dev): bump ts-jest from 29.2.4 to 29.2.5 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/peter-evans/create-pull-request/pull/3256](https://redirect.github.com/peter-evans/create-pull-request/pull/3256)
- v7 - signed commits by
[@&#8203;peter-evans](https://redirect.github.com/peter-evans) in
[https://github.com/peter-evans/create-pull-request/pull/3057](https://redirect.github.com/peter-evans/create-pull-request/pull/3057)

#### New Contributors

- [@&#8203;rustycl0ck](https://redirect.github.com/rustycl0ck) made
their first contribution in
[https://github.com/peter-evans/create-pull-request/pull/3057](https://redirect.github.com/peter-evans/create-pull-request/pull/3057)

**Full Changelog**:
peter-evans/create-pull-request@v6.1.0...v7.0.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/robok-inc/Robok-Engine).


---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Aquiles Trindade <devsuay@gmail.com>
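The release notes quoted above introduce a `pull-request-commits-verified` output, and the PR's TODO list has the matching item "Output verification status". The following is an added example, not the action's own code: it applies the same all-or-nothing rule to commit objects in the shape GitHub's REST API returns (`commit.verification.verified` and `reason`), treating a missing verification block or an empty commit list as a failure rather than a pass. The commit shas and reasons below are constructed sample data; no network call is made.

```python
"""Gate a branch on GitHub's commit signature verification.

Mirrors the idea behind the `pull-request-commits-verified` output: a
branch counts as verified only when every commit's
`commit.verification.verified` flag is true. The payloads below are
constructed in the shape of GitHub REST commit objects; nothing here
calls the network.
"""
from typing import Any, Dict, List, Tuple

Commit = Dict[str, Any]


def branch_commits_verified(commits: List[Commit]) -> Tuple[bool, List[str]]:
    """Return (all_verified, details_of_unverified_commits).

    A missing or malformed `verification` block counts as unverified, and
    an empty commit list is not a pass: an unknown signature status must
    never satisfy a protection check.
    """
    if not commits:
        return (False, ["no commits to verify"])
    unverified: List[str] = []
    for c in commits:
        verification = (c.get("commit") or {}).get("verification") or {}
        if verification.get("verified") is not True:
            sha = str(c.get("sha", "unknown"))[:7]
            reason = verification.get("reason", "no verification data")
            unverified.append(f"{sha}: {reason}")
    return (len(unverified) == 0, unverified)


def _commit(sha: str, verified: bool, reason: str) -> Commit:
    """Build a minimal constructed commit object in the REST API's shape."""
    return {
        "sha": sha,
        "commit": {
            "message": "example",
            "verification": {"verified": verified, "reason": reason},
        },
    }


# Constructed sample branches (shas are placeholders, not real objects).
ALL_SIGNED = [_commit("a" * 40, True, "valid"), _commit("b" * 40, True, "valid")]
MIXED = [_commit("a" * 40, True, "valid"), _commit("c" * 40, False, "unsigned")]
NO_DATA = [{"sha": "d" * 40, "commit": {"message": "example"}}]


if __name__ == "__main__":
    for name, branch in (("all signed", ALL_SIGNED), ("mixed", MIXED), ("no data", NO_DATA)):
        ok, details = branch_commits_verified(branch)
        print(f"{name}: verified={ok} {details}")
```

Fail-closed defaults matter here: a branch protection rule that requires signed commits is only as strong as the check that reads the status, so absent or unparseable verification data should block just like an `unsigned` commit does.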