✅ GitHub Action for creating signed and verified bot commits
MIT License
A GitHub Action to create signed and verified commits as the `github-actions[bot]` User with the standard `GITHUB_TOKEN`. This is accomplished via the GitHub REST API by using the Blob and Tree endpoints to build the commit and update the original Ref to point to it. [^1]
The resulting commit will be signed and verified using GitHub's public PGP key!
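
The Blob, Tree, Commit and Ref sequence described above, written out as an added JavaScript example (it is not this Action's own source). The `createBotCommit` name, the `request` helper and the fixed file mode are assumptions made for the illustration.

```javascript
// Blob -> Tree -> Commit -> Ref against the GitHub REST API (added example).
// `request(method, path, body)` is a hypothetical helper: it sends an authenticated
// JSON request to api.github.com and resolves to the parsed response body.
async function createBotCommit(request, { owner, repo, branch, message, files, force = false }) {
  const git = `/repos/${owner}/${repo}/git`;

  // The branch tip becomes the parent; its tree is the base for the new tree.
  const head = await request('GET', `${git}/ref/heads/${branch}`);
  const parent = await request('GET', `${git}/commits/${head.object.sha}`);

  // 1. One blob per file; base64 keeps binary content intact.
  const entries = [];
  for (const { path, content } of files) {
    const blob = await request('POST', `${git}/blobs`, {
      content: Buffer.from(content).toString('base64'),
      encoding: 'base64',
    });
    // Mode 100644 (regular file) is an assumption made for this example.
    entries.push({ path, mode: '100644', type: 'blob', sha: blob.sha });
  }

  // 2. A tree layered on the parent's tree, so untouched files carry over.
  const tree = await request('POST', `${git}/trees`, {
    base_tree: parent.tree.sha,
    tree: entries,
  });

  // 3. The commit. No author, committer or signature is sent, so the commit is
  //    attributed to the token's identity and GitHub can sign it itself.
  const commit = await request('POST', `${git}/commits`, {
    message,
    tree: tree.sha,
    parents: [head.object.sha],
  });

  // 4. Move the ref. With force=false a non-fast-forward update is rejected.
  await request('PATCH', `${git}/refs/heads/${branch}`, { sha: commit.sha, force });

  return {
    blobs: entries.map((e) => e.sha),
    tree: tree.sha,
    commit: commit.sha,
    ref: commit.sha,
    // The create-commit response reports whether GitHub verified the signature.
    verified: Boolean(commit.verification && commit.verification.verified),
  };
}
```

A workflow can treat a `verified` value of `false` as a failure instead of leaving an unverified commit on the branch.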
> [!IMPORTANT]
> Using this Action with your own Personal Access Token (PAT) is not recommended. See limitations for more details.
This action supports Linux, macOS and Windows runners (results may vary with self-hosted runners).

```yaml
- name: Commit changes
  uses: iarekylew00t/verified-bot-commit@v1
  with:
    message: 'feat: Some changes'
    files: |
      README.md
      *.txt
      src/**/tests/*
      test-data/**
```

The `List` type is a newline-delimited string:

```yaml
files: |
  *.md
  example.txt
```

| Name | Type | Description | Default |
|---|---|---|---|
| `ref` | String | The ref to push the commit to | `${{ github.ref }}` |
| `files` | List | Files/Glob patterns to include with the commit | required |
| `message` | String | Message for the commit [1] | optional |
| `message-file` | String | File to use for the commit message [1] | optional |
| `force-push` | String | Force push the commit | `false` |
| `follow-symlinks` | String | Follow symbolic links when globbing files | `true` |
| `workspace` | String | Directory containing checked out files | `${{ github.workspace }}` |
| `token` | String | GitHub Token for REST API access [2] | `${{ github.token }}` |

1. You must include either `message` or `message-file` (which takes priority).
2. This Action is intended to work with the default `GITHUB_TOKEN`. See the notice and limitations.

| Name | Type | Description |
|---|---|---|
| `blobs` | JSON | A JSON list of blob SHAs within the tree |
| `tree` | String | SHA of the underlying tree for the commit |
| `commit` | String | SHA of the commit itself |
| `ref` | String | SHA for the ref that was updated (same as commit) |

This Action requires the following permissions granted to the `GITHUB_TOKEN`.

- `contents: write`

⚠️ As always, the `GITHUB_TOKEN` cannot push to protected Refs.
⚠️ The Blob API has a 40MiB limit; any files larger than this in your commit will fail.
⚠️ Using your own Personal Access Token (PAT) will result in an unsigned and unverified commit. You should really look into using your own keys and signing commits yourself with the help of Actions like webfactory/ssh-agent and crazy-max/ghaction-import-gpg.
> [!CAUTION]
> Since this is a TypeScript action you must transpile it into native JavaScript. This is done for you automatically as part of the `npm run all` command and will be validated via the `check-dist.yml` Workflow in any PR.

⚙️ Install the version of Node.js as defined in the `.node-version`. You can use asdf to help manage your project runtimes.

```sh
asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git
asdf install
```

🛠️ Install dependencies

```sh
npm install
```

🏗️ Format, lint, test, and package your code changes.

```sh
npm run all
```

For maintainers, the following release process should be used when cutting new versions.
⏬ Ensure all changes are in the `main` branch and all necessary Workflows are passing.

```sh
git checkout main
git pull
```

✅ Ensure the `package.json` and `package-lock.json` files are updated with the new version being cut.

```sh
npm update
```

🔖 Create a new Tag, push it up, then create a new Release for the version.

```sh
git tag v1.2.3
git push -u origin v1.2.3
```

Alternatively you can create the Tag on the GitHub Release page itself.
When the tag is pushed it will kick off the Shared Tags Workflows to update the `v$MAJOR` and `v$MAJOR.MINOR` tags.

Feel free to contribute and make things better by opening an Issue or Pull Request. Thank you for your contribution! ❤️
See LICENSE.
Special thanks and credits to the following projects for their work and inspiration: