@adbutterfield

Potentially closes #427

Adds `apiProtocol` input that can be set to either `rest` (default) or `graphql` to use GitHub's GraphQL API to make the commit for the release PR. When used in combination with setting `setupGitUser` to `false`, the commit will use the user of the provided `GITHUB_TOKEN`.

This solves an issue we have at my company where the security team wants us to enforce signed commits on all of our repositories. With this change, the commits are signed with the service account user associated with the GITHUB_TOKEN.

Related change is #391. However, we can't use this approach at my company, as the security team wants us to only use our service account, and to not use GPG keys.

@changeset-bot

changeset-bot bot commented Apr 14, 2025

🦋 Changeset detected

Latest commit: 042a1b8

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
| Name | Type |
| --- | --- |
| @changesets/action | Minor |


@adbutterfield
Author

Please let me know if this is something that makes sense for this project. If not, I think we'll just maintain this as a private fork. 🙇

@s0
Member

s0 commented Apr 15, 2025

> Related change is #391. However we can't use this approach at my company, as the security team wants us to only use our service account, and to not use GPG keys.

FTR, that mentioned PR (#391) also uses your GitHub token to commit using the API, and doesn't require you to manually set up GPG Keys. 🙂

(You can see linked examples that have committed using the github-actions user and are signed, which is only possible from the API)

@adbutterfield
Author

> > Related change is #391. However we can't use this approach at my company, as the security team wants us to only use our service account, and to not use GPG keys.
>
> FTR, that mentioned PR (#391) also uses your GitHub token to commit using the API, and doesn't require you to manually set up GPG Keys. 🙂
>
> (You can see linked examples that have committed using the github-actions user and are signed, which is only possible from the API)

(I'm a bit of a noob to all of this), but if #391 can get the job done, SGTM.

@adbutterfield
Author

Closing as #391 got merged in.


Development

Successfully merging this pull request may close these issues.

Recommendation for signing changeset PR commits