Open 0nary opened 1 year ago
To give more details, the executed command was:
dotnet-version increment-version-with-git -g "." --branch-name main --author-email actions@github.com
See https://github.com/neuroglia-io/framework/actions/runs/3135533373/jobs/5091322057 for instance
From what I understood from the IncrementVersionWithGitIntegrationCommand
handling
https://github.com/cbcrouse/Versioning.NET/blob/4f37fb0fc8b68ce610e9e5ac5ba4e054c8d260eb/src/Application/GitVersioning/Handlers/IncrementVersionWithGitIntegrationHandler.cs#L90
The commit should have been pushed to main
.
Both main
branches of the said projects are "protected", not allowing unsigned commit. The GitHub action bot doesn't sign the commits so they are not attached to main
I guess.
Trying to sign commits/tags/pushes with crazy-max/ghaction-import-gpg@v4
doesn't seem to work so far.
Here is a sample (secret BOT_GPG_PRIVATE_KEY
is required for the pipeline to "work"):
name: auto-version
on:
push:
branches: [ main ]
jobs:
build:
runs-on: ubuntu-18.04
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Import GPG key
id: import-gpg
uses: crazy-max/ghaction-import-gpg@v4
with:
gpg_private_key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
git_config_global: true
git_user_signingkey: true
git_commit_gpgsign: true
git_tag_gpgsign: true
- name: Reset Origin
run: |
git remote set-url origin "https://${{ steps.import-gpg.outputs.name }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git"
git checkout ${{ github.ref_name }}
- name: Install Versioning.NET
run: |
dotnet tool install --global Versioning.NET
- name: Increment Version
run: |
dotnet-version increment-version-with-git -g "." --branch-name ${{ github.ref_name }} --author-email ${{ steps.import-gpg.outputs.email }}
I had to work around, attach my personal repo to an organisation, set the bot as admin and allow the admins to bypass the protected branch restrictions (signed commits & approved PRs only).
Here is the resulting pipeline:
# IMPORTANT NOTES:
# For a repo using "protected branches" strategies (approved PR & signed commits or other checks),
# it is mandatory to use a "power" account PAT because the default git action bot/token
# doesn't have the required permissions to bypass the aforementioned conditions.
# To bypass those conditions, "Do not allow bypassing the above settings" must be unchecked
# in the repo > Settings > Branches > main .
#
# In the case of a personal repo, the repo owner will have to give a PAT of its own account
# as there is no other "admin" possible for the repo, only "collaborators."
#
# In the case of an organization repo, an other account can be used. If the org have a free plan, that
# account will have to be given the "admin" role. If the org have a paid plan, a more restrictive
# "custom role" could be forged and assigned to that user.
#
# In any case, 3 secrets will have to be added to the repo > Settings > Secrets > Actions
# - BOT_USERNAME : the GitHub username of the "power account"
# - BOT_EMAIL : the GitHub email address of the "power account"
# - BOT_PAT : the personal access token of the "power account" with enough permissions associated
#
# For now, `dotnet-version` doesn't seem to support signing commits/tags but, in the future
# `BOT_USERNAME` and `BOT_EMAIL` could be replaced by `BOT_GPG_PRIVATE_KEY` instead.
# In that case, when generating the GPG key, use the bot username and email when asked
# for a name and email (https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key)
# After exporting the public key and associating it to the GH account, export the private key using (and set the repo's secret):
# `gpg --armor --export-secret-key bot@email.com`
# where `bot@email.com` is the email configured in the previous step. (you might need to add `-w0` to the command).
name: Auto versioning .NET
on:
push:
branches: [ main ]
jobs:
version:
runs-on: ubuntu-18.04
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
token: ${{ secrets.BOT_PAT }}
- name: Reset Origin
run: |
git remote set-url origin "https://${{ secrets.BOT_USERNAME }}:${{ secrets.BOT_PAT }}@github.com/${{ github.repository }}.git"
git checkout ${{ github.ref_name }}
- name: Install Versioning.NET
run: |
dotnet tool install --global Versioning.NET
- name: Increment Version
run: |
dotnet-version increment-version-with-git -g "." --branch-name ${{ github.ref_name }} --author-email ${{ secrets.BOT_EMAIL }}
# The following could be used to sign the commit/tag but `dotnet-version` doesn't seem to sign the said commit.
# It could also be used to infer the bot user name (${{ steps.import-gpg.outputs.name }}) and
# email address (${{ steps.import-gpg.outputs.email }}) from the private key ${{ secrets.BOT_GPG_PRIVATE_KEY }}.
# For now, instead of the private key, two secrets will be used, ${{ secrets.BOT_USERNAME }} and ${{ secrets.BOT_EMAIL }}
# In the future, if `dotnet-version` support signing commits/tags, it would be better to use the following.
# - name: Import GPG key
# id: import-gpg
# uses: crazy-max/ghaction-import-gpg@v4
# with:
# gpg_private_key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
# git_config_global: true
# git_user_signingkey: true
# git_commit_gpgsign: true
# git_tag_gpgsign: true
# - name: Reset Origin
# run: |
# git remote set-url origin "https://${{ steps.import-gpg.outputs.name }}:${{ secrets.BOT_PAT }}@github.com/${{ github.repository }}.git"
# git checkout ${{ github.ref_name }}
## + git config user/email/signkey ???
# - name: Install Versioning.NET
# run: |
# dotnet tool install --global Versioning.NET
# - name: Increment Version
# run: |
# dotnet-version increment-version-with-git -g "." --branch-name ${{ github.ref_name }} --author-email ${{ steps.import-gpg.outputs.email }}
@cbcrouse I still didn't figure out why I wasn't able to sign the commit/tag after importing the GPG key and enabling it "globally". If you could investigate, that would be great.
@JBBianchi Sorry to get back to you so late on this, I have been quite busy. It looks like there may be a couple reasons for this not working.
-S
must be supplied with the git commit command to actually sign the commit.I will work on getting commit signing supported which will start showing up as Verified
in the commit history for validation.
I will also write up some documentation in the Wiki regarding signing after I do the investigation and get it working so you'll know exactly what you need to do.
This will be nice once GitHub supports something like what is suggested here: https://github.com/actions/runner/issues/667
I had to work around, attach my personal repo to an organisation, set the bot as admin and allow the admins to bypass the protected branch restrictions (signed commits & approved PRs only).
Signing commits appears to not be supported by LibGit2Sharp in any convenient way. Someone did add a contribution that shows how it can read a signed commit, but no explicit instruction on how to utilize those APIs within the library to create a GPG signed commit. Unfortunately, this may take some time to support, so you will have to continue using your workaround.
Describe the bug When I use this tool on some repository, I can see the commit for the versioning. And when I check the commit of the tag I have this message display : "This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository."
To Reproduce Steps to reproduce the behavior: Don't know. Can be see at :