Conversation

yasu89
Contributor

@yasu89 yasu89 commented Apr 27, 2025

Summary

Adds support for Verified commits when tagpr opens a pull request.

Related Issue

Closes #196

Motivation

Users asked that commits generated by tagpr show GitHub’s green Verified badge.
According to GitHub docs, a bot commit is signed when no custom author information, custom committer information, etc. is included in the Commits API payload.

Implementation Details

  • Signed commits

    • Commits are created through the GitHub REST API rather than the git CLI.
      By leaving out any custom author or committer fields in POST /repos/{owner}/{repo}/git/commits, GitHub automatically attaches a verified bot signature.
  • git commit -a logic

    • Run git diff --name-status HEAD to detect both staged and unstaged changes (including files staged by tagpr.command).
  • cherry-pick logic

    • Based on the approach described in github-cherry-pick, with minor adjustments for tagpr’s workflow.

⚠️ Caveats

  • When we cherry-pick commits, the Author is set to the tagpr bot rather than the original contributor.
    Re-writing the author field would invalidate GitHub’s verified signature, so this trade-off is intentional.

FYI
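
The flow described above (turn the output of git diff --name-status HEAD into Git Data API tree entries, then create the commit with only message, tree and parents so that GitHub attaches its own bot signature), as an added Go example that is not tagpr's own code. The BlobUploader callback, PlanTree, CommitBody, the fixed 100644 mode and the sample diff lines are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// TreeEntry is one element of "tree" in POST /repos/{owner}/{repo}/git/trees;
// a nil SHA serialises as "sha":null, which deletes the path from the base tree.
type TreeEntry struct {
	Path string  `json:"path"`
	Mode string  `json:"mode"`
	Type string  `json:"type"`
	SHA  *string `json:"sha"`
}

// BlobUploader (hypothetical) maps a worktree path to a blob SHA via POST .../git/blobs; injected so PlanTree runs offline.
type BlobUploader func(path string) (string, error)

// PlanTree converts `git diff --name-status HEAD` output into tree entries. Mode 100644 is assumed: --name-status does not report modes.
func PlanTree(nameStatus string, upload BlobUploader) ([]TreeEntry, error) {
	var entries []TreeEntry
	for _, line := range strings.Split(strings.TrimSpace(nameStatus), "\n") {
		f := strings.Split(line, "\t")
		if len(f) < 2 {
			return nil, fmt.Errorf("unexpected diff line %q", line)
		}
		status, path := f[0][:1], f[len(f)-1] // "R100\told\tnew" -> new
		switch status {
		case "A", "M", "R", "C": // upload content; a rename also drops the old path
			sha, err := upload(path)
			if err != nil {
				return nil, err
			}
			entries = append(entries, TreeEntry{path, "100644", "blob", &sha})
			if status == "R" {
				entries = append(entries, TreeEntry{f[1], "100644", "blob", nil})
			}
		case "D":
			entries = append(entries, TreeEntry{path, "100644", "blob", nil})
		default:
			return nil, fmt.Errorf("unsupported status %q", f[0])
		}
	}
	return entries, nil
}
// CommitBody builds the POST /repos/{owner}/{repo}/git/commits body with only message, tree and parents: no author/committer, so GitHub signs it as the bot.
func CommitBody(message, treeSHA, parentSHA string) ([]byte, error) {
	return json.Marshal(map[string]any{"message": message, "tree": treeSHA, "parents": []string{parentSHA}})
}
```

The resulting tree SHA goes into CommitBody, and the commit SHA returned by the API is then written to the branch with the update-ref endpoint; setting author or committer at that step would lose the signature, as the caveat above notes.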

@Songmu
Owner

Songmu commented Apr 27, 2025

Great! I'll take a look later.

@Songmu Songmu added the minor label May 3, 2025
@Songmu Songmu merged commit 53e438a into Songmu:main May 15, 2025
3 checks passed
@Songmu
Owner

Songmu commented May 15, 2025

Thank you. I will merge this. Please let me know if any additional permissions are required for the token as a result of this change.

@yasu89
Contributor Author

yasu89 commented May 15, 2025

Thank you for merging!

Here is a list of the APIs used in this implementation:

To use these APIs, the following permissions are generally sufficient.
The requirement for Contents: write has not changed, so no additional permissions are needed.

  • "Contents" repository permissions (read)
  • "Contents" repository permissions (write)

Only when updating a GitHub Actions workflow file using tagpr, the following additional permission is required.
However, since this is a special case and has been the behavior for a while, I believe no special consideration is needed.

  • "Workflows" repository permissions (write)

Successfully merging this pull request may close these issues.

feature request: commit signing support