
v7 - signed commits

Open peter-evans opened this issue 1 year ago • 4 comments

v7

If anyone is following this development and is willing to test the release candidate, you can find documentation for the sign-commits feature here.

- uses: peter-evans/create-pull-request@v7-rc

TODO:

  • [x] Fix for when base input is not supplied
  • [x] Fix Invalid character error
  • [x] Refactor fileChanges to output from src/create-or-update-branch.ts. (Should fix the push-to-fork cases.)
  • [x] Add tests for fileChanges refactor
  • [x] Add a buildFileChanges test for binary file types
  • [x] Refactor graphql code into github helper class. (Should fix the proxy test.)
  • [x] Make signed commits work for all use cases:
    • ~~https://github.com/peter-evans/create-pull-request-tests/actions/runs/10101150705~~
    • ~~https://github.com/peter-evans/create-pull-request-tests/actions/runs/10126556967~~
    • ~~https://github.com/peter-evans/create-pull-request-tests/actions/runs/10184429745~~
    • ✅ https://github.com/peter-evans/create-pull-request-tests/actions/runs/10219067495
  • [x] Switch to the REST API
    • GitHub's GraphQL API createCommitOnBranch is designed to be a simplified way to commit. It doesn't support:
      • Rewriting commits and force pushing.
      • File mode changes (git should track executable/non-executable)
    • Fix all use cases:
      • ~~https://github.com/peter-evans/create-pull-request-tests/actions/runs/10306598444~~
      • ✅ https://github.com/peter-evans/create-pull-request-tests/actions/runs/10307696565
  • [x] Investigate strange behaviour where commits are shared between branches
    • (theory) If a commit has no ref pointing to it, a request to create a new commit for an identical tree returns the already created commit's sha. Two create-pull-request processes then create a different ref pointing to the same commit.
    • Fix https://github.com/peter-evans/create-pull-request-tests/commit/322c1d4031d8a9f0fe3e4e1c072625cd8094c086
  • [x] Limit concurrency of blob creation
  • [x] Add test for executable file changes
    • Executable renames via REST and GraphQL are not currently supported. The executable file mode is removed and becomes non-executable.
  • [x] Check how to handle author/committer
    • [x] ~~Warn when using inputs the action will ignore~~ Can't do this because of the defaults
  • [x] signoff? Appears to work fine with signed commits
  • [x] Only build file changes when signing commit
  • [x] Update test suite to handle signing/non-signing routes
    • [x] Output verification status
    • [x] Fix head sha output
    • [x] Add checks on outputs
  • [x] Remove unnecessary dependencies (e.g. @octokit/graphql)
  • [x] Check for other behaviour differences and failure modes
  • [x] Consider adding retry
  • [x] Switch default back to false
  • [x] Update docs
  • [x] Fix token issues for App auth and fine-grained with push-to-fork
    • [x] Rename git-token to branch-token.
    • [x] Add fine-grained test for push-to-fork
    • [x] Use branch-token for API operations to create/update the branch.
      • push-to-fork with fine-grained or App auth will need to set the branch-token, and leave token as the default.
      • push-to-fork with fine-grained or App auth, where the pull request is being created in a remote repo will not work.
        • (It probably would work just to give the app token scope for both the parent and fork, but then does that defeat the purpose of push-to-fork?)
  • [x] Update tests to use app tokens when commit signing
  • [x] Document how to use fine-grained PATs and app tokens with push-to-fork (enabling signed commits with app tokens)
  • [x] Check verified status when not known
  • [x] Test build branch commits with very large diff
    • [x] Support empty commits and check the tree is correct
    • [x] Build large trees incrementally
  • [x] Test sign commits with large files
    • [x] Document the 40MiB limit for blobs and trees
  • [x] Investigate converting PRs back to draft (true/always-true/false)
  • [x] Update docs regarding default permissions for GITHUB_TOKEN on new repos.
    • https://github.com/peter-evans/create-pull-request/issues/3236#issuecomment-2304769745
  • [ ] Prepare for a major version release and document breaking changes
    • git-token -> branch-token
    • Removing deprecated features

Fixes: https://github.com/peter-evans/create-pull-request/issues/2062
Fixes: https://github.com/peter-evans/create-pull-request/issues/2848
Fixes: https://github.com/peter-evans/create-pull-request/issues/1791
Fixes: https://github.com/peter-evans/create-pull-request/issues/2443
Fixes: https://github.com/peter-evans/create-pull-request/issues/2778

peter-evans, Jul 26 '24 08:07
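The token split described in the push-to-fork TODO items above, as an added workflow example that is not taken from the PR or the project's documentation. The secret names, `example-bot-org`, `fork-of-repository`, the `contents: read` permission and the use of the `pull-request-commits-verified` output as a gate are assumptions.

```yaml
# Added example; secret names, the bot org and the fork name are assumptions.
name: signed-pr-via-fork
on: workflow_dispatch

permissions:
  contents: read        # assumed sufficient: branch writes go through branch-token
  pull-requests: write  # default GITHUB_TOKEN only opens the pull request

jobs:
  create-pr:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # App installation token scoped to the fork only, not the parent repo.
      - uses: actions/create-github-app-token@v1
        id: fork-token
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: example-bot-org
          repositories: fork-of-repository

      - name: Make a change to commit
        run: date -u +%F > last-run.txt

      - uses: peter-evans/create-pull-request@v7-rc
        id: cpr
        with:
          sign-commits: true
          push-to-fork: example-bot-org/fork-of-repository
          branch-token: ${{ steps.fork-token.outputs.token }}
          # token: left at its default (GITHUB_TOKEN), as the TODO item describes

      # Gate on the verification status output so an unsigned branch fails here
      # rather than at the branch protection rule.
      - name: Require verified commits
        if: steps.cpr.outputs.pull-request-number
        run: test "${{ steps.cpr.outputs.pull-request-commits-verified }}" = "true"
```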

Full test suite slash command (repository admin only)

/test repository=peter-evans/create-pull-request ref=signed-commits build=true

github-actions[bot], Jul 26 '24 12:07

Hey, is the sign-commit feature ready? It is required by the branch protection rule. Any way I can assist to boost it up?

dushyant-gemini, Jul 29 '24 18:07

> Hey, is the sign-commit feature ready? It is required by the branch protection rule. Any way I can assist to boost it up?

It will be ready when this PR merges. I believe the TODOs are updated in the PR description.

In the current version, the workaround is to generate a GPG key, then import it: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#gpg-commit-signature-verification

lichao127, Jul 29 '24 19:07

If anyone is following this development and is willing to test it, you can find documentation here.

Just replace the version of the action with the branch name of this PR:

- uses: peter-evans/create-pull-request@signed-commits

peter-evans, Aug 15 '24 15:08