ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License

Signed commits and github-actions[bot] #7689

Open dms1981 opened 4 weeks ago

dms1981 commented 4 weeks ago

User Story

As a Modernisation Platform Engineer I want to find a way for github-actions[bot] to sign its commits So that we can continue to require signed commits in our repositories

Value / Purpose

In a recent PR it was observed that the github-actions[bot] pushed a linting change into the branch. This commit was not signed, causing the PR to fail to meet our branch protection rules for signed commits.

Therefore we need to research and, if sensible, implement a way for the github-actions[bot] to sign its commits.

Useful Contacts

No response

Additional Information

No response

Definition of Done

ASTRobinson commented 3 weeks ago

Example bot PR: https://github.com/ministryofjustice/modernisation-platform/pull/7709

jacobwoffenden commented 3 weeks ago

FWIW we use this https://github.com/planetscale/ghcommit-action

https://github.com/ministryofjustice/analytical-platform/blob/fc64a650265ec6cf3ff6f8b62e72784fed09a936/.github/workflows/repository-dependabot-configuration-generator.yml#L39-L48

markgov commented 3 weeks ago

https://github.com/Nautilus-Cyberneering/pygithub/blob/main/docs/how_to_sign_automatic_commits_in_github_actions.md found this while looking up some information

mikereiddigital commented 3 weeks ago

There are two workflows in scope:

mikereiddigital commented 3 weeks ago

The suggested approach is to use planetscale/ghcommit-action as set out in @jacobwoffenden's example above. This allows us to avoid maintaining gpg keys as secrets & sharing them between workflows. The first step will be to implement this in the code-formatter action and to test it via a commit ref from one of the formatter workflows in a lesser-used module.

mikereiddigital commented 2 weeks ago

Testing the use of this in one of my personal repos, this shows a result where the action is called with a new change added to the local branch. The result is that the commit for that change is verified and accepted by GitHub.

Image

This is the workflow in question - https://github.com/mikereiddigital/test/blob/main/.github/workflows/test-commit-signing.yml

The goal now is to work this functionality into the code-formatter action and test it as a local copy.

jacobwoffenden commented 2 weeks ago

I forgot to mention actually, when using our robot's token, it allows GitHub Actions to trigger workflows; when using GitHub Actions' token this is not allowed.

See https://github.com/ministryofjustice/analytical-platform/pull/5000/commits/b942f4e29cb301440682a828ad2ddf98c4db1c3e

mikereiddigital commented 2 weeks ago

Completed testing.

mikereiddigital commented 2 weeks ago

Thanks for the info @jacobwoffenden.

mikereiddigital commented 2 weeks ago

This PR was applied for the scheduled formatter workflow in modernisation-platform. I will check the run this afternoon for issues.

For the change to the ministryofjustice/github-actions/code-formatter I will prepare a PR using the same 3rd party workflow and will offer it to Ops Engineering for review. If it is not approved & a new release ready then this ticket cannot be completed by me before cop tomorrow.

mikereiddigital commented 2 weeks ago

PR reverted (via this https://github.com/ministryofjustice/modernisation-platform/pull/7798) as the use of planetscale/ghcommit-action is considered too risky for bot-generated PRs.

mikereiddigital commented 2 weeks ago

The suggested solution now is to follow a similar approach to how it is set out here - https://github.com/planetscale/ghcommit and to use the GraphQL API createCommitOnBranch mutation to generate signed commits that are created via a workflow.

More information can be found here - https://github.blog/changelog/2021-09-13-a-simpler-api-for-authoring-commits/
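The approach described in the comment above, as an added example that is not code from the modernisation-platform repository or from planetscale/ghcommit: the script collects the files a formatter step changed in the checkout, base64-encodes them into a `createCommitOnBranch` mutation input, and posts it to the GraphQL API. Because the commit is built server-side from the token's identity, GitHub signs it and it shows as Verified, so no GPG private key has to live in repository secrets. Assumptions: a token in `GITHUB_TOKEN` (or the robot's token, which as noted above is what decides whether downstream workflows trigger) with contents write access to the one repository, `actions/checkout` having left the branch at the remote head so `git rev-parse HEAD` is a valid `expectedHeadOid`, and the repository and branch names taken from the standard `GITHUB_REPOSITORY` and `GITHUB_HEAD_REF` variables. The `parse_name_status` and `build_commit_input` helpers are hypothetical names chosen for this example.

```python
"""Create a GitHub-verified commit from working-tree changes via GraphQL.

Added example (not the project's own code). Assumes a GITHUB_TOKEN with
contents:write on the target repository and a checkout whose HEAD matches
the remote branch head (expectedHeadOid guards against racing pushes).
"""
import base64
import json
import os
import subprocess
import sys
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"

# Real mutation from GitHub's GraphQL schema; input fields follow
# CreateCommitOnBranchInput (branch, message, expectedHeadOid, fileChanges).
CREATE_COMMIT_MUTATION = """
mutation($input: CreateCommitOnBranchInput!) {
  createCommitOnBranch(input: $input) { commit { oid url } }
}
"""


def parse_name_status(text):
    """Turn `git diff --name-status HEAD` output into (paths_to_add, paths_to_delete).

    Modified/added files are uploaded whole; deletions are listed by path;
    a rename (R<score>\\told\\tnew) becomes one deletion plus one addition.
    """
    additions, deletions = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        status = parts[0][0]
        if status in ("M", "A"):
            additions.append(parts[1])
        elif status == "D":
            deletions.append(parts[1])
        elif status in ("R", "C"):
            if status == "R":
                deletions.append(parts[1])
            additions.append(parts[2])
    return additions, deletions


def build_commit_input(repo, branch, head_oid, headline, additions, deletions=(), body=""):
    """Build the CreateCommitOnBranchInput dict; `additions` maps path -> bytes."""
    return {
        "branch": {"repositoryNameWithOwner": repo, "branchName": branch},
        "message": {"headline": headline, "body": body},
        # The API rejects the commit if the branch head moved since we read it.
        "expectedHeadOid": head_oid,
        "fileChanges": {
            # FileAddition.contents is a Base64String, hence the encoding.
            "additions": [
                {"path": p, "contents": base64.b64encode(c).decode("ascii")}
                for p, c in sorted(additions.items())
            ],
            "deletions": [{"path": p} for p in deletions],
        },
    }


def git_output(*args):
    return subprocess.run(["git", *args], check=True, capture_output=True, text=True).stdout


def post_mutation(token, commit_input):
    """POST the mutation; returns {"oid": ..., "url": ...} of the new (verified) commit."""
    payload = json.dumps({"query": CREATE_COMMIT_MUTATION,
                          "variables": {"input": commit_input}}).encode()
    req = urllib.request.Request(
        GRAPHQL_URL, data=payload, method="POST",
        headers={"Authorization": f"bearer {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        result = json.load(resp)
    if result.get("errors"):
        raise RuntimeError(f"createCommitOnBranch failed: {result['errors']}")
    return result["data"]["createCommitOnBranch"]["commit"]


if __name__ == "__main__":
    # Run after the formatter step instead of `git commit && git push`.
    repo = os.environ["GITHUB_REPOSITORY"]
    branch = os.environ.get("GITHUB_HEAD_REF") or git_output("rev-parse", "--abbrev-ref", "HEAD").strip()
    to_add, to_delete = parse_name_status(git_output("diff", "--name-status", "HEAD"))
    if not to_add and not to_delete:
        sys.exit("nothing to commit")
    files = {p: open(p, "rb").read() for p in to_add}
    commit_input = build_commit_input(repo, branch, git_output("rev-parse", "HEAD").strip(),
                                      "chore: apply code formatting", files, to_delete)
    commit = post_mutation(os.environ["GITHUB_TOKEN"], commit_input)
    print(f"created verified commit {commit['oid']}: {commit['url']}")
```

In a workflow this replaces the commit-and-push step of the formatter job; the token passed in should be scoped to contents write on that single repository, since whoever holds it can author commits that GitHub will display as Verified. Untracked new files are not picked up by `git diff --name-status HEAD`, so a formatter that creates files would need `git add -N` first or an extra `git ls-files --others --exclude-standard` pass.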

robertsweetman commented 1 week ago

👍 for this please

ep-93 commented 2 days ago

https://github.com/ep-93/house-of-fun/commit/2dbb54f99183c2afa407f0883f506e793d614f5f

Workflow that worked

https://github.com/ep-93/house-of-fun/actions/runs/10795145787/job/29941105329

https://github.com/ep-93/house-of-fun/actions/runs/10795145787/workflow

Now need to put this into the two jobs Mike mentioned.

ep-93 commented 1 day ago

Editing this today https://github.com/ministryofjustice/modernisation-platform/blob/main/.github/workflows/format-code.yml#L77