
Support signed commit

Open yasu89 opened this issue 8 months ago • 1 comment

Summary

Adds support for Verified commits when tagpr opens a pull request.

Related Issue

Closes #196

Motivation

Users asked that commits generated by tagpr show GitHub’s green Verified badge.
According to the GitHub docs, a bot commit is signed when no custom author information, custom committer information, etc. is included in the Commits API payload.

Implementation Details

  • Signed commits
    • Commits are created through the GitHub REST API rather than the git CLI.
      By leaving out any custom author or committer fields in POST /repos/{owner}/{repo}/git/commits, GitHub automatically attaches a verified bot signature.
  • git commit -a logic
    • Run git diff --name-status HEAD to detect both staged and unstaged changes (including files staged by tagpr.command).
  • cherry-pick logic
    • Based on the approach described in github-cherry-pick, with minor adjustments for tagpr’s workflow.

⚠️ Caveats

  • When we cherry-pick commits, the Author is set to the tagpr bot rather than the original contributor. Re-writing the author field would invalidate GitHub’s verified signature, so this trade-off is intentional.

FYI

  • https://github.com/yasu89/tagpr-signed-commit-test/pull/1
    • first release scenario
  • https://github.com/yasu89/tagpr-signed-commit-test/pull/2
    • force push scenario
  • https://github.com/yasu89/tagpr-signed-commit-test/pull/4
    • A cherry-pick scenario demonstrating that the author switches to the bot account. (original commit)

yasu89 · Apr 27 '25 09:04
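An added illustration of the flow the description outlines (not tagpr's own code): parse the output of `git diff --name-status HEAD`, translate it into entries for the create-a-tree call, then create the tree, create the commit and update the ref through the REST API, leaving `author` and `committer` out of the commit payload so GitHub attaches the bot signature. `REPO`, `TARGET_REF` and `SAMPLE_DIFF` are constructed placeholders, and `fake_api` stands in for the GitHub API so the block runs offline.

```python
import hashlib

# Assumed placeholder values; tagpr derives these from the repository.
REPO = "OWNER/REPO"          # owner/repo (assumption)
TARGET_REF = "heads/tagpr"   # branch tagpr pushes to (assumption)
# Constructed sample of `git diff --name-status HEAD` output.
SAMPLE_DIFF = "M\tCHANGELOG.md\nA\tdocs/new.md\nD\told.txt\nR100\tfrom.txt\tto.txt\n"

def parse_name_status(output: str) -> dict:
    """Turn `git diff --name-status HEAD` output into {path: "A"|"M"|"D"}.
    A rename line (R<score>, old, new) becomes a delete of old plus an add of new."""
    changes = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        status = parts[0][0]
        if status in ("R", "C"):        # rename / copy lines carry two paths
            if status == "R":
                changes[parts[1]] = "D"
            changes[parts[2]] = "A"
        else:
            changes[parts[1]] = status
    return changes

def tree_entries(changes: dict, read_file) -> list:
    """Build the `tree` array for POST /git/trees; sha=None drops a path."""
    entries = []
    for path, status in sorted(changes.items()):
        entry = {"path": path, "mode": "100644", "type": "blob"}
        if status == "D":
            entry["sha"] = None
        else:
            entry["content"] = read_file(path)
        entries.append(entry)
    return entries

def commit_via_api(api, head_sha, base_tree, changes, read_file, message) -> dict:
    """Create tree -> commit -> update ref. The commit payload carries no
    author/committer, so GitHub signs it as the token's bot identity."""
    tree = api("POST", f"/repos/{REPO}/git/trees",
               {"base_tree": base_tree, "tree": tree_entries(changes, read_file)})
    payload = {"message": message, "tree": tree["sha"], "parents": [head_sha]}
    commit = api("POST", f"/repos/{REPO}/git/commits", payload)
    api("PATCH", f"/repos/{REPO}/git/refs/{TARGET_REF}", {"sha": commit["sha"], "force": True})
    return payload

def fake_api(method, path, body) -> dict:
    """Offline stand-in for GitHub: returns a deterministic sha per request."""
    return {"sha": hashlib.sha1(f"{method} {path} {sorted(body)}".encode()).hexdigest()}
```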

Great! I'll take a look later.

Songmu · Apr 27 '25 15:04

Thank you. I will merge this. Please let me know if any additional permissions are required for the token as a result of this change.

Songmu · May 15 '25 06:05

Thank you for merging!

Here is a list of the APIs used in this implementation:

  • https://docs.github.com/rest/git/trees#create-a-tree
  • https://docs.github.com/rest/git/commits#create-a-commit
  • https://docs.github.com/rest/commits/commits#get-a-commit
  • https://docs.github.com/rest/git/refs#create-a-reference
  • https://docs.github.com/rest/git/refs#get-a-reference
  • https://docs.github.com/rest/git/refs#update-a-reference
  • https://docs.github.com/rest/git/refs#delete-a-reference

To use these APIs, the following permissions are generally sufficient. The requirement for Contents: write has not changed, so no additional permissions are needed.

  • "Contents" repository permissions (read)
  • "Contents" repository permissions (write)

Only when tagpr updates a GitHub Actions workflow file is the following additional permission required. However, since this is a special case and has been the behavior for a while, I believe no special consideration is needed.

  • "Workflows" repository permissions (write)

yasu89 · May 15 '25 13:05