Switch to using the GitHub API to commit changes, for GPG #391
fixes #392
Turns out that there weren't any good TypeScript libraries for making modifications to files directly, let alone one that looks at the files changed locally to determine what needs to be pushed to GitHub, so I went ahead and created one here: https://github.com/s0/ghcommit
I then used this repo as a test-case for the updated actions to see if it all works, and so far so good.
Tags are now signed by default:
And commits are also signed, and attributed to github-actions:
It also works with more complex situations, such as custom `version` commands, like in this repo where it auto-bumps the major version in the README: Version Packages s0/changesets-action#2

Would you like this functionality? And if so, do we want to just switch to this behavior by default + have a major version bump? Or do we want to hide it behind an action input / argument for now and have it as opt-in?

My thinking is that just switching to this behavior overall makes the most sense, as most people probably want to attribute the commits to the owner of the `GITHUB_TOKEN`, and more and more people are going to require that commits are signed as the industry takes supply-chain-security more and more seriously.
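The mechanism the PR relies on, shown as an added example rather than code from this PR or from the ghcommit project: instead of running `git push` on the runner (which would need a private GPG key there to produce signed commits), the change set is sent through GitHub's GraphQL `createCommitOnBranch` mutation, which the example assumes is what a library like ghcommit builds on. GitHub signs such commits with its own key and attributes them to the token's owner. The block builds the mutation input from a list of local file changes, requires the `expectedHeadOid` concurrency check so a racing push is rejected instead of overwritten, and afterwards queries the commit's signature and accepts it only if GitHub reports it as valid and signed by GitHub. The `fakeGitHub` stub and all owner/repo/oid values are constructed so the code runs offline.

```javascript
// Added example, not code from the changesets PR or the ghcommit project.
// Creates a commit via GitHub's GraphQL API (assumed mechanism behind
// ghcommit) and then verifies GitHub signed it.

const GRAPHQL_URL = 'https://api.github.com/graphql';

// `expectedHeadOid` is GitHub's optimistic-concurrency check: if the branch
// moved since we read its head, the API rejects the commit rather than
// silently rewriting the branch.
const CREATE_COMMIT = `
mutation ($input: CreateCommitOnBranchInput!) {
  createCommitOnBranch(input: $input) {
    commit { oid url }
  }
}`;

// Query run afterwards to confirm the new commit carries a verified signature.
const COMMIT_SIGNATURE = `
query ($owner: String!, $repo: String!, $oid: GitObjectID!) {
  repository(owner: $owner, name: $repo) {
    object(oid: $oid) {
      ... on Commit {
        signature { isValid state wasSignedByGitHub signer { login } }
      }
    }
  }
}`;

// Turn local changes into the mutation's `fileChanges` shape.
// Entries are { path, contents } for added/modified files or
// { path, deleted: true } for removed files. Contents must be base64.
function buildCommitInput({ owner, repo, branch, expectedHeadOid, headline, body, changes }) {
  if (!/^[0-9a-f]{40}$/.test(expectedHeadOid)) {
    throw new Error(`expectedHeadOid must be a full 40-hex commit id, got ${expectedHeadOid}`);
  }
  const additions = [];
  const deletions = [];
  for (const change of changes) {
    if (change.deleted) {
      deletions.push({ path: change.path });
    } else {
      additions.push({
        path: change.path,
        contents: Buffer.from(change.contents, 'utf8').toString('base64'),
      });
    }
  }
  return {
    branch: { repositoryNameWithOwner: `${owner}/${repo}`, branchName: branch },
    expectedHeadOid,
    message: { headline, body },
    fileChanges: { additions, deletions },
  };
}

// Minimal GraphQL client; `fetchImpl` is injectable so the flow can run offline.
async function graphql(token, query, variables, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(GRAPHQL_URL, {
    method: 'POST',
    headers: { Authorization: `bearer ${token}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ query, variables }),
  });
  const json = await res.json();
  if (json.errors && json.errors.length) {
    throw new Error(`GraphQL error: ${json.errors.map((e) => e.message).join('; ')}`);
  }
  return json.data;
}

// Accept only a valid signature made with GitHub's own key. A commit pushed
// as plain git from a runner without a key has no `signature` and fails here.
function isGitHubVerified(signature) {
  return Boolean(signature && signature.isValid && signature.state === 'VALID' && signature.wasSignedByGitHub);
}

async function commitAndVerify(token, params, fetchImpl) {
  const input = buildCommitInput(params);
  const created = await graphql(token, CREATE_COMMIT, { input }, fetchImpl);
  const oid = created.createCommitOnBranch.commit.oid;
  const check = await graphql(token, COMMIT_SIGNATURE, { owner: params.owner, repo: params.repo, oid }, fetchImpl);
  const signature = check.repository.object.signature;
  if (!isGitHubVerified(signature)) {
    throw new Error(`commit ${oid} is not a verified GitHub-signed commit`);
  }
  return { oid, signer: signature.signer && signature.signer.login };
}

// Constructed stand-in for api.github.com so the block runs offline: answers
// the mutation with a fake oid and the query with a verified signature.
function fakeGitHub() {
  const calls = [];
  return {
    calls,
    fetch: async (_url, init) => {
      const { query, variables } = JSON.parse(init.body);
      calls.push(variables);
      const data = query.includes('createCommitOnBranch')
        ? { createCommitOnBranch: { commit: { oid: 'f'.repeat(40), url: 'https://example.invalid/commit' } } }
        : { repository: { object: { signature: { isValid: true, state: 'VALID', wasSignedByGitHub: true, signer: { login: 'github-actions' } } } } };
      return { json: async () => ({ data }) };
    },
  };
}

// Usage against the offline stub (all values constructed).
commitAndVerify('TOKEN_PLACEHOLDER', {
  owner: 'acme', repo: 'widgets', branch: 'main', expectedHeadOid: 'a'.repeat(40),
  headline: 'Version Packages', body: '',
  changes: [{ path: 'README.md', contents: '# widgets v2\n' }, { path: 'old.txt', deleted: true }],
}, fakeGitHub().fetch).then((r) => console.log('verified commit', r));
```

To use it for real, pass `globalThis.fetch` (or omit the argument) and a token with `contents: write` on the repository; the head oid comes from a prior query of the branch's `target { oid }`. The signature check at the end is the part a reviewer of the action's output would want: it turns "GitHub signs API commits" from an assumption into something the job asserts before it reports success.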