rebase icon indicating copy to clipboard operation
rebase copied to clipboard

Published 20 hours ago verified publisher icon peter-evans

Signed commits

Open EmilioHerreraSoukup opened this issue 2 years ago • 5 comments

Hi, currently I'm using peter-evans/rebase@v2 to rebase some PRS, but after they rebased they are not GPG signed anymore. I couldn't figure it out from the docs. Is this something supported, maybe? Any help is appreciated. Thank you!

EmilioHerreraSoukup avatar Oct 26 '23 10:10 EmilioHerreraSoukup

Hi @EmilioHerreraSoukup

I've not tested it, but I think following this documentation to use your own GPG key for signing might work for this action, too. https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#gpg-commit-signature-verification

The committer used to commit must match the email address used in the GPG key. Currently, this action takes the committer of the last commit to perform the rebase. If there are some issues with matching the committer email address because of this logic, what I might be able to do is provide an override input for the committer. https://github.com/peter-evans/rebase/blob/8c87ad86ea2a849918f07feb987b08ed61e145fa/src/rebase-helper.ts#L37-L45

Please try this and let me know if it works for you.

peter-evans avatar Oct 30 '23 09:10 peter-evans

"@peter-evans, I tried using the action and encountered the following error:

Unexpected input(s) 'github-token', 'committer', valid inputs are ['token', 'repository', 'head', 'base', 'include-labels', 'exclude-labels', 'exclude-drafts'].

I'm not sure if I followed the instructions correctly. Essentially, I'm attempting to rebase all my Dependabot PRs using rebase. Dependabot should already have a valid GPG signature, right? This left me a bit confused.

I was considering adding a command like

git rebase --exec 'git commit --amend --no-edit -n -S' -i main

in the script here: https://github.com/peter-evans/rebase/blob/8c87ad86ea2a849918f07feb987b08ed61e145fa/src/rebase-helper.ts#L89

EmilioHerreraSoukup avatar Nov 02 '23 13:11 EmilioHerreraSoukup

@EmilioHerreraSoukup Please show me your workflow so I can help you.

peter-evans avatar Nov 02 '23 14:11 peter-evans

@peter-evans thank you!, its pretty straight forward

name: Rebase Pull Requests
on:
  push:
    branches: [main]
jobs:
  rebase:
    runs-on: ubuntu-latest
    steps:
      - uses: peter-evans/rebase@v2
        with:
          include-labels: |
            dependabot

EmilioHerreraSoukup avatar Nov 02 '23 16:11 EmilioHerreraSoukup

@EmilioHerreraSoukup Your workflow only includes the rebase action. Did you try updating your workflow to follow this example? https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#gpg-commit-signature-verification

You need to follow the instructions in the example I linked and update your workflow.

name: Rebase Pull Requests
on:
  push:
    branches: [main]
jobs:
  rebase:
    runs-on: ubuntu-latest
    steps:
      - uses: crazy-max/ghaction-import-gpg@v5
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}
          git_user_signingkey: true
          git_commit_gpgsign: true

      - uses: peter-evans/rebase@v2
        with:
          include-labels: |
            dependabot

peter-evans avatar Nov 03 '23 09:11 peter-evans