IAreKyleW00t/verified-bot-commit

✅ Verified Bot Commit


A GitHub Action to create signed and verified commits as the github-actions[bot] User with the standard GITHUB_TOKEN. This is accomplished via the GitHub REST API by using the Blob and Tree endpoints to build the commit and update the original Ref to point to it (see footnote 1).

The resulting commit will be signed and verified using GitHub's public PGP key!

Important

Using this Action with your own Personal Access Token (PAT) is not recommended.
See limitations for more details.

This action supports Linux, macOS and Windows runners (results may vary with self-hosted runners).

Quick Start

- name: Commit changes
  uses: iarekylew00t/verified-bot-commit@v1
  with:
    message: 'feat: Some changes'
    files: |
      README.md
      *.txt
      src/**/tests/*
      test-data/**

Usage

Inputs

List type is a newline-delimited string

files: |
  *.md
  example.txt

| Name | Type | Description | Default |
| --- | --- | --- | --- |
| ref | String | The ref to push the commit to | ${{ github.ref }} |
| files | List | Files/Glob patterns to include with the commit | required |
| message | String | Message for the commit [1] | optional |
| message-file | String | File to use for the commit message [1] | optional |
| force-push | String | Force push the commit | false |
| follow-symlinks | String | Follow symbolic links when globbing files | true |
| workspace | String | Directory containing checked out files | ${{ github.workspace }} |
| token | String | GitHub Token for REST API access [2] | ${{ github.token }} |

  1. You must include either message or message-file (which takes priority).
  2. This Action is intended to work with the default GITHUB_TOKEN. See the notice and limitations

Outputs

| Name | Type | Description |
| --- | --- | --- |
| blobs | JSON | A JSON list of blob SHAs within the tree |
| tree | String | SHA of the underlying tree for the commit |
| commit | String | SHA of the commit itself |
| ref | String | SHA for the ref that was updated (same as commit) |

Token Permissions

This Action requires the following permissions to be granted to the GITHUB_TOKEN.

  • contents: write

Limitations

⚠️ As always, the GITHUB_TOKEN cannot push to protected Refs.

⚠️ The Blob API has a 40MiB limit; any files larger than this in your commit will fail.

⚠️ Using your own Personal Access Token (PAT) will result in an unsigned and unverified commit. You should really look into using your own keys and signing commits yourself with the help of Actions like webfactory/ssh-agent and crazy-max/ghaction-import-gpg.
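
The request sequence described at the top of this page (blobs, then a tree, then the commit, then the ref update), combined with a fail-closed check for the PAT limitation above, as an added TypeScript example that is not the action's own source. The `Send` transport, `createVerifiedCommit`, `fakeGitHub` and all sample values are hypothetical; the paths and body fields are those of GitHub's Git Database REST endpoints.

```typescript
// Added example, not the action's source. `Send` is a hypothetical transport;
// in a workflow it would wrap an authenticated HTTPS call made with GITHUB_TOKEN.
type Send = (method: string, path: string, body: object) => Promise<any>;
interface FileChange { path: string; content: string; mode?: "100644" | "100755" }
interface CommitResult { blobs: string[]; tree: string; commit: string }

async function createVerifiedCommit(
  send: Send, repo: string, ref: string, parentSha: string, baseTreeSha: string,
  message: string, files: FileChange[], force = false,
): Promise<CommitResult> {
  const base = `/repos/${repo}/git`;
  // 1. One blob per file (UTF-8 text only here; binary content needs "base64").
  const blobs: string[] = [];
  for (const f of files) {
    const blob = await send("POST", `${base}/blobs`, { content: f.content, encoding: "utf-8" });
    blobs.push(blob.sha);
  }
  // 2. A tree layered on the parent's tree, pointing each path at its new blob.
  const tree = await send("POST", `${base}/trees`, {
    base_tree: baseTreeSha,
    tree: files.map((f, i) => ({ path: f.path, mode: f.mode ?? "100644", type: "blob", sha: blobs[i] })),
  });
  // 3. The commit. author/committer/signature are deliberately omitted
  //    (assumption: that is what lets GitHub attribute and sign it as the bot).
  const commit = await send("POST", `${base}/commits`, { message, tree: tree.sha, parents: [parentSha] });
  // 4. Fail closed: never move the ref to a commit GitHub did not verify,
  //    for example when a PAT was supplied instead of GITHUB_TOKEN.
  if (commit.verification?.verified !== true) {
    throw new Error(`commit ${commit.sha} is not verified: ${commit.verification?.reason ?? "unknown"}`);
  }
  // 5. Point the ref (e.g. "heads/main") at the new commit.
  await send("PATCH", `${base}/refs/${ref}`, { sha: commit.sha, force });
  return { blobs, tree: tree.sha, commit: commit.sha };
}

// Constructed in-memory stand-in for the API so the flow can be exercised offline.
function fakeGitHub(verified: boolean): { send: Send; calls: string[] } {
  const calls: string[] = [];
  const send: Send = async (method, path) => {
    calls.push(`${method} ${path}`);
    return { sha: `sha${calls.length}`, verification: { verified, reason: verified ? "valid" : "unsigned" } };
  };
  return { send, calls };
}
```

When the commit comes back unverified, the function stops after the third request, so the ref is never moved and the unverified commit stays unreferenced.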

Development

Caution

Since this is a TypeScript action you must transpile it into native JavaScript. This is done for you automatically as part of the npm run all command and will be validated via the check-dist.yml Workflow in any PR.

  1. ⚙️ Install the version of Node.js defined in the .node-version file.
    You can use asdf to help manage your project runtimes.

    asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git
    asdf install
  2. 🛠️ Install dependencies

    npm install
  3. 🏗️ Format, lint, test, and package your code changes.

    npm run all

Releases

For maintainers, the following release process should be used when cutting new versions.

  1. ⏬ Ensure all changes are in the main branch and all necessary Workflows are passing.

    git checkout main
    git pull
  2. ✅ Ensure the package.json and package-lock.json files are updated with the new version being cut.

    npm update
  3. 🔖 Create a new Tag, push it up, then create a new Release for the version.

    git tag v1.2.3
    git push -u origin v1.2.3

    Alternatively you can create the Tag on the GitHub Release page itself.

    When the tag is pushed it will kick off the Shared Tags Workflows to update the v$MAJOR and v$MAJOR.MINOR tags.

Contributing

Feel free to contribute and make things better by opening an Issue or Pull Request.
Thank you for your contribution! ❤️

License

See LICENSE.

Credits

Special thanks and credits to the following projects for their work and inspiration:

Footnotes

  1. Git Internals - Git Objects