Open dms1981 opened 4 weeks ago
https://github.com/Nautilus-Cyberneering/pygithub/blob/main/docs/how_to_sign_automatic_commits_in_github_actions.md found this while looking up some information
There are two workflows in scope:
A scheduled workflow that runs daily on weekdays, sweeps the existing code and generates a PR with any identified changes - ministryofjustice/modernisation-platform/blob/main/.github/workflows/format-code.yml
A workflow that runs on any PR and calls the action ministryofjustice/github-actions/code-formatter, which scans the code of the PR, generates the required changes and updates the PR with them. It is this workflow that the above description refers to.
The suggested approach is to use planetscale/gscommit-action as set out in @jacobwoffenden's example above. This allows us to avoid maintaining GPG keys as secrets and sharing them between workflows. The first step will be to implement this in the code-formatter action and to test it via a commit ref from one of the formatter workflows in a lesser-used module.
Testing the use of this in one of my personal repos, this shows a result where the action is called with a new change added to the local branch. The result is that the commit for that change is verified and accepted by GitHub.
This is the workflow in question - https://github.com/mikereiddigital/test/blob/main/.github/workflows/test-commit-signing.yml
The goal now is to work this functionality into the code-formatter action and test it as a local copy.
I forgot to mention, actually: when using our robot's token, it allows GitHub Actions to trigger workflows; when using GitHub Actions' token this is not allowed.
Completed testing.
Thanks for the info @jacobwoffenden.
This PR was applied for the scheduled formatter workflow in modernisation-platform. I will check the run this afternoon for issues.
For the change to the ministryofjustice/github-actions/code-formatter I will prepare a PR using the same 3rd-party workflow and will offer it to Ops Engineering for review. If it is not approved and a new release ready, then this ticket cannot be completed by me before cop tomorrow.
PR reverted (via this https://github.com/ministryofjustice/modernisation-platform/pull/7798) as the use of planetscale/gscommit-action is considered too risky for bot-generated PRs.
The suggested solution now is to follow a similar approach to how it is set out here - https://github.com/planetscale/ghcommit - and to use the GraphQL API createCommitOnBranch mutation to generate signed commits that are created via a workflow.
More information can be found here - https://github.blog/changelog/2021-09-13-a-simpler-api-for-authoring-commits/
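The createCommitOnBranch route discussed above, shown as an added example (this is illustrative code written for this thread, not code from planetscale/ghcommit or from the ministryofjustice repositories). It builds the CreateCommitOnBranchInput that the mutation takes, base64-encodes the file contents as the API requires, and optionally POSTs it with a token from GITHUB_TOKEN. Because the commit object is created server-side by GitHub on behalf of the token's identity, GitHub signs it itself, which is what lets it pass a signed-commits branch rule without any GPG key in the workflow. The owner, repo, branch, file paths and head OID in the sample are made-up placeholders.

```python
"""Build and (optionally) send a GitHub GraphQL createCommitOnBranch mutation.

Added example for this thread, not the project's own code. The repository,
branch, paths and commit SHA used in __main__ are constructed placeholders.
"""
import base64
import json
import os
import urllib.request

GITHUB_GRAPHQL_URL = "https://api.github.com/graphql"

# Mutation shape documented by GitHub: the whole input is passed as one variable.
CREATE_COMMIT_MUTATION = """
mutation ($input: CreateCommitOnBranchInput!) {
  createCommitOnBranch(input: $input) {
    commit { oid url }
  }
}
"""


def build_create_commit_input(owner, repo, branch, expected_head_oid, headline,
                              additions, deletions=(), body=None):
    """Return the CreateCommitOnBranchInput dict for the mutation.

    additions:          mapping of path -> raw file bytes (encoded to base64 here)
    deletions:          iterable of paths to remove in the same commit
    expected_head_oid:  the commit the branch is expected to point at. GitHub
                        refuses the mutation if the branch has moved, so a
                        formatter cannot silently clobber a commit that landed
                        between checkout and the API call.
    """
    if len(expected_head_oid) != 40 or any(c not in "0123456789abcdef" for c in expected_head_oid.lower()):
        raise ValueError("expectedHeadOid must be a full 40-hex commit SHA")
    message = {"headline": headline}
    if body:
        message["body"] = body
    return {
        "branch": {"repositoryNameWithOwner": f"{owner}/{repo}", "branchName": branch},
        "message": message,
        "fileChanges": {
            "additions": [
                {"path": path, "contents": base64.b64encode(data).decode("ascii")}
                for path, data in sorted(additions.items())
            ],
            "deletions": [{"path": p} for p in deletions],
        },
        "expectedHeadOid": expected_head_oid,
    }


def build_request_body(commit_input):
    """Serialise query + variables into the JSON body the GraphQL endpoint expects."""
    return json.dumps({"query": CREATE_COMMIT_MUTATION, "variables": {"input": commit_input}})


def send_commit(commit_input, token):
    """POST the mutation with the given token and return the new commit's oid.

    Needs network access and a token with contents:write on the repository.
    """
    req = urllib.request.Request(
        GITHUB_GRAPHQL_URL,
        data=build_request_body(commit_input).encode(),
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "Accept": "application/vnd.github+json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        result = json.load(resp)
    if result.get("errors"):
        raise RuntimeError(f"createCommitOnBranch failed: {result['errors']}")
    return result["data"]["createCommitOnBranch"]["commit"]["oid"]


if __name__ == "__main__":
    # Constructed sample: a formatter rewrote one file and removed another.
    # In a real workflow expected_head_oid would come from `git rev-parse HEAD`
    # after checkout, and the additions from the files the formatter touched.
    sample = build_create_commit_input(
        owner="example-org", repo="example-repo", branch="fix/format",
        expected_head_oid="0123456789abcdef0123456789abcdef01234567",
        headline="chore: apply code formatter",
        additions={"terraform/main.tf": b'resource "null_resource" "x" {}\n'},
        deletions=["terraform/old.tf"],
    )
    print(json.dumps(sample, indent=2))
    if os.environ.get("GITHUB_TOKEN"):
        print("created commit", send_commit(sample, os.environ["GITHUB_TOKEN"]))
```

Run without GITHUB_TOKEN it only prints the input it would send; with the workflow's token it creates the commit. Note the trade-off already raised in this thread: a commit made with the built-in GITHUB_TOKEN will not trigger further workflow runs on the PR, whereas a commit made with the robot user's token will.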
👍 for this please
https://github.com/ep-93/house-of-fun/commit/2dbb54f99183c2afa407f0883f506e793d614f5f
Workflow that worked
https://github.com/ep-93/house-of-fun/actions/runs/10795145787/job/29941105329
https://github.com/ep-93/house-of-fun/actions/runs/10795145787/workflow
Now need to put this into the two jobs Mike mentioned.
User Story
As a Modernisation Platform Engineer I want to find a way for github-actions[bot] to sign its commits, so that we can continue to require signed commits in our repositories.
Value / Purpose
In a recent PR it was observed that the github-actions[bot] pushed a linting change into the branch. This commit was not signed, causing the PR to fail to meet our branch protection rules for signed commits. Therefore we need to research and, if sensible, implement a way for the github-actions[bot] to sign its commits.
Useful Contacts
No response
Additional Information
No response
Definition of Done
github-actions[bot] identified