v7 - signed commits #3057

Merged: 69 commits, Sep 3, 2024

@peter-evans (Owner) commented Jul 26, 2024

v7

If anyone is following this development and is willing to test the release candidate, you can find documentation for the sign-commits feature here.

- uses: peter-evans/create-pull-request@v7-rc

TODO:

  • Fix for when base input is not supplied
  • Fix Invalid character error
  • Refactor fileChanges to output from src/create-or-update-branch.ts. (Should fix the push-to-fork cases.)
  • Add tests for fileChanges refactor
  • Add a buildFileChanges test for binary file types
  • Refactor graphql code into github helper class. (Should fix the proxy test.)
  • Make signed commits work for all use cases:
  • Switch to the REST API
  • Investigate strange behaviour where commits are shared between branches
    • (theory) If a commit has no ref pointing to it, a request to create a new commit for an identical tree returns the already created commit's sha. Two create-pull-request processes then create a different ref pointing to the same commit.
    • Fix peter-evans/create-pull-request-tests@322c1d4
  • Limit concurrency of blob creation
  • Add test for executable file changes
    • Executable renames via REST and GraphQL are not currently supported. The executable file mode is removed and becomes non-executable.
  • Check how to handle author/committer
    • Warn when using inputs the action will ignore. (Can't do this because of the defaults.)
  • signoff? Appears to work fine with signed commits
  • Only build file changes when signing commit
  • Update test suite to handle signing/non-signing routes
    • Output verification status
    • Fix head sha output
    • Add checks on outputs
  • Remove unnecessary dependencies (e.g. @octokit/graphql)
  • Check for other behaviour differences and failure modes
  • Consider adding retry
  • Switch default back to false
  • Update docs
  • Fix token issues for App auth and fine-grained with push-to-fork
    • Rename git-token to branch-token.
    • Add fine-grained test for push-to-fork
    • Use branch-token for API operations to create/update the branch.
      • push-to-fork with fine-grained or App auth will need to set the branch-token, and leave token as the default.
      • push-to-fork with fine-grained or App auth, where the pull request is being created in a remote repo will not work.
        • (It probably would work just to give the app token scope for both the parent and fork, but then does that defeat the purpose of push-to-fork?)
  • Update tests to use app tokens when commit signing
  • Document how to use fine-grained PATs and app tokens with push-to-fork (enabling signed commits with app tokens)
  • Check verified status when not known
  • Test build branch commits with very large diff
    • Support empty commits and check the tree is correct
    • Build large trees incrementally
  • Test sign commits with large files
    • Document the 40MiB limit for blobs and trees
  • Investigate converting PRs back to draft (true/always-true/false)
  • Update docs regarding default permissions for GITHUB_TOKEN on new repos.
  • Prepare for a major version release and document breaking changes
    • git-token -> branch-token
    • Removing deprecated features

Fixes: #2062
Fixes: #2848
Fixes: #1791
Fixes: #2443
Fixes: #2778
Fixes: #3159

Contributor

Full test suite slash command (repository admin only)

/test repository=peter-evans/create-pull-request ref=signed-commits build=true


@lichao127 lichao127 left a comment


minor rephrase in the feature description

README.md (outdated, resolved)
action.yml (outdated, resolved)
@dushyant-gemini

Hey, is the sign-commit feature ready? It is required by the branch protection rule. Any way I can assist to boost it up?

@lichao127

> Hey, is the sign-commit feature ready? It is required by the branch protection rule. Any way I can assist to boost it up?

It will be ready when this PR merges. I believe the TODOs are updated in the PR description.

In the current version, the workaround is to generate a GPG key, then import it: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#gpg-commit-signature-verification
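For the branch protection case raised in this thread (signed commits required), the following added example audits the verification status GitHub reports for each commit of a pull request. It is not code from the action or from this PR: the function names are hypothetical, the sample data is constructed, and it assumes the `commit.verification` object returned by the REST endpoint `GET /repos/{owner}/{repo}/pulls/{pull_number}/commits`.

```javascript
// Constructed sample shaped like the response of
// GET /repos/{owner}/{repo}/pulls/{pull_number}/commits (all values are made up).
const samplePullCommits = [
  { sha: 'a1'.repeat(20), commit: { message: 'chore: update deps',
      verification: { verified: true, reason: 'valid' } } },
  { sha: 'b2'.repeat(20), commit: { message: 'fix: typo',
      verification: { verified: false, reason: 'unsigned' } } },
  // Verification data missing entirely, e.g. a trimmed or partial payload.
  { sha: 'c3'.repeat(20), commit: { message: 'docs: readme' } }
];

// Classify one commit (hypothetical helper). A missing or malformed
// verification object is reported as unverified with reason "unknown",
// so gaps in the data fail closed instead of passing silently.
function verificationStatus(item) {
  const v = item && item.commit && item.commit.verification;
  if (!v || typeof v.verified !== 'boolean') {
    return { sha: item.sha, verified: false, reason: 'unknown' };
  }
  return { sha: item.sha, verified: v.verified, reason: v.reason || 'unknown' };
}

// Summarise a pull request (hypothetical helper): it passes only when it
// has at least one commit and every commit is reported as verified.
function auditPullCommits(items) {
  const statuses = items.map(verificationStatus);
  const failing = statuses.filter((s) => !s.verified);
  return {
    total: statuses.length,
    allVerified: statuses.length > 0 && failing.length === 0,
    failing: failing.map((s) => ({ sha: s.sha.slice(0, 7), reason: s.reason }))
  };
}

const report = auditPullCommits(samplePullCommits);
console.log(JSON.stringify(report, null, 2));
```
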

@peter-evans peter-evans force-pushed the signed-commits branch 3 times, most recently from 44e8de5 to 6c1922b Compare August 7, 2024 14:31
@peter-evans peter-evans marked this pull request as ready for review August 15, 2024 14:57

@peter-evans peter-evans marked this pull request as ready for review September 3, 2024 07:53
@peter-evans peter-evans merged commit 4320041 into main Sep 3, 2024
6 checks passed