commit-sign.yml
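# Demo workflow: mint a GitHub App installation token, then push to a second
# repository in two ways -- once through the Contents API with an explicit
# committer (commit is not signed) and once through the Git Data API with no
# author/committer override (commit is signed by GitHub on the app's behalf).
name: commit sign

on:
  workflow_dispatch:
  push:

# Least privilege for the built-in GITHUB_TOKEN: this job only needs to read
# the repository for checkout. All writes go through the app token below.
permissions:
  contents: read

jobs:
  app-sign-commit:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): @v4 / @v1 are mutable tags; pinning third-party and
      # first-party actions to a full commit SHA protects against a retagged release.
      - uses: actions/checkout@v4
        with:
          # No later step runs git against this repo, so do not leave the
          # GITHUB_TOKEN in .git/config for the rest of the job.
          persist-credentials: false

      # NOTE(review): this prints the whole `github` context, including the
      # event payload, to the job log. The runner masks github.token, but the
      # rest is readable by anyone who can view the run; keep for debugging only.
      - name: Write GitHub context to log
        env:
          GITHUB_CONTEXT: ${{ toJSON(github) }}
        run: echo "$GITHUB_CONTEXT"

      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          # Scope the token to the one repository this job writes to; with
          # only `owner` set it would cover every repo in the installation.
          repositories: commit-sign-app-other-repo

      # Local working-tree changes that the signed-commit step uploads later.
      # GITHUB_SHA is the runner-provided equivalent of github.sha.
      - run: |
          echo "" >> README.md && echo "$GITHUB_SHA" >> README.md
          echo "$GITHUB_SHA" >> shas.txt

      # # UNSIGNED COMMIT # #
      # - uses: actions/checkout@v4
      #   with:
      #     token: ${{ steps.app-token.outputs.token }}
      #     repository: joshjohanning-org/commit-sign-app-other-repo
      #     path: other-repo
      # - name: push to git repo
      #   env:
      #     GH_TOKEN: ${{ steps.app-token.outputs.token }}
      #   run: |
      #     cd other-repo
      #     git config --global gpg.format ssh
      #     git config --global user.name 'josh-terraform-app[bot]'
      #     # you get this via https://api.github.com/users/josh-terraform-app[bot]
      #     # see more: https://github.com/orgs/community/discussions/24664#discussioncomment-3880274
      #     git config --global user.email '145150012+josh-terraform-app[bot]@users.noreply.github.com'
      #     git add .
      #     git commit -m "updating readme" -S
      #     git push
      #

      # # UNSIGNED COMMIT # #
      # The payload sets a custom committer; GitHub does not sign API commits
      # that carry custom author/committer information, hence "not signed".
      - name: push to repo with commit single file (not signed)
        env:
          # Pass the token through the environment instead of expanding it
          # into the script text, so it is not written into the generated
          # script file on the runner.
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          #!/bin/bash
          # No `-x`: xtrace would echo every Authorization header into the
          # log and rely solely on the runner's masking to hide the token.
          set -euo pipefail

          # Variables
          repo_user="$GITHUB_REPOSITORY_OWNER"
          repo_name="commit-sign-app-other-repo"
          FILE_PATH="single-file.txt"
          contents_url="https://api.github.com/repos/$repo_user/$repo_name/contents/${FILE_PATH}"

          # Step 1: Encode new content in Base64 (single line, no wrapping)
          NEW_CONTENT="$GITHUB_SHA"
          ENCODED_CONTENT=$(printf '%s' "${NEW_CONTENT}" | base64 -w 0)

          # Step 2: Get the SHA of the existing file.
          # --fail makes an HTTP error stop the step instead of feeding an
          # error document to jq and continuing with sha="null".
          SHA=$(curl -sS --fail -H "Authorization: token $GH_TOKEN" \
            -H "Accept: application/vnd.github.v3+json" \
            "$contents_url" | jq -r '.sha')

          # Step 3: Update the file. jq builds the JSON so every value is
          # escaped correctly rather than spliced into a quoted string.
          payload=$(jq -n \
            --arg content "$ENCODED_CONTENT" \
            --arg sha "$SHA" \
            '{
              message: "update single file",
              committer: {
                name: "josh-terraform-app[bot]",
                email: "145150012+josh-terraform-app[bot]@users.noreply.github.com"
              },
              content: $content,
              sha: $sha
            }')
          curl -sS --fail -X PUT -H "Authorization: token $GH_TOKEN" \
            -H "Accept: application/vnd.github.v3+json" \
            -d "$payload" \
            "$contents_url"

      # # SIGNED COMMIT # #
      # The commit payload carries no author, committer or signature fields,
      # which is the condition under which GitHub signs an app-created commit.
      - name: push to repo with signed commit multiple files
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          #!/bin/bash
          # No `-x`, for the same reason as the previous step.
          set -euo pipefail

          # Variables
          repo_user="$GITHUB_REPOSITORY_OWNER"
          repo_name="commit-sign-app-other-repo"
          api_base="https://api.github.com/repos/$repo_user/$repo_name"
          file1_path="README.md"
          file2_path="shas.txt"
          file3_path=".github/dependabot.yml"

          # Get the contents of the files; jq -Rs turns each file into one
          # JSON string, escaping new lines and quotes
          file1_content=$(jq -Rs '.' "$file1_path")
          file2_content=$(jq -Rs '.' "$file2_path")
          file3_content=$(jq -Rs '.' "$file3_path")

          # Get the latest commit on main
          latest_commit=$(curl -sS --fail -H "Authorization: token $GH_TOKEN" \
            "$api_base/git/refs/heads/main" | jq -r '.object.sha')

          # Get the tree of the latest commit
          base_tree=$(curl -sS --fail -H "Authorization: token $GH_TOKEN" \
            "$api_base/git/commits/$latest_commit" | jq -r '.tree.sha')

          # Create a new tree with the new files. --argjson takes the
          # already-encoded JSON strings produced by jq -Rs above.
          tree_payload=$(jq -n \
            --arg base_tree "$base_tree" \
            --arg path1 "$file1_path" --argjson content1 "$file1_content" \
            --arg path2 "$file2_path" --argjson content2 "$file2_content" \
            --arg path3 "$file3_path" --argjson content3 "$file3_content" \
            '{
              base_tree: $base_tree,
              tree: [
                {path: $path1, mode: "100644", type: "blob", content: $content1},
                {path: $path2, mode: "100644", type: "blob", content: $content2},
                {path: $path3, mode: "100644", type: "blob", content: $content3}
              ]
            }')
          tree=$(curl -sS --fail -H "Authorization: token $GH_TOKEN" -X POST \
            -d "$tree_payload" \
            "$api_base/git/trees")

          # Get the SHA of the new tree
          new_tree_sha=$(jq -r '.sha' <<<"$tree")

          # Create a new commit pointing to the new tree
          commit_payload=$(jq -n \
            --arg tree "$new_tree_sha" \
            --arg parent "$latest_commit" \
            '{message: "Add multiple files", tree: $tree, parents: [$parent]}')
          commit=$(curl -sS --fail -H "Authorization: token $GH_TOKEN" -X POST \
            -d "$commit_payload" \
            "$api_base/git/commits")

          # Get the SHA of the new commit
          new_commit_sha=$(jq -r '.sha' <<<"$commit")

          # Update the reference of the branch to point to the new commit
          ref_payload=$(jq -n --arg sha "$new_commit_sha" '{sha: $sha}')
          curl -sS --fail -H "Authorization: token $GH_TOKEN" -X PATCH \
            -d "$ref_payload" \
            "$api_base/git/refs/heads/main"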