84 changes: 27 additions & 57 deletions .github/workflows/bump_version.yml
Expand Up @@ -5,76 +5,46 @@
jobs:
bump-version:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: write
pull-requests: write
checks: write
permissions: {}
env:
NEW_SEMGREP_VERSION: ${{ github.event.inputs.version }}
NEW_SEMGREP_VERSION: ${{ inputs.version }}
steps:
- id: jwt
env:
EXPIRATION: 600
ISSUER: ${{ secrets.SEMGREP_CI_APP_ID }}
PRIVATE_KEY: ${{ secrets.SEMGREP_CI_APP_KEY }}
name: Get JWT for semgrep-ci GitHub App
uses: docker://public.ecr.aws/y9k7q4m1/devops/cicd:latest

- id: token
name: Get token for semgrep-ci GitHub App
run: |
TOKEN="$(curl -X POST \
-H "Authorization: Bearer ${{ steps.jwt.outputs.jwt }}" \
-H "Accept: application/vnd.github.v3+json" \
"https://api.github.com/app/installations/${{ secrets.SEMGREP_CI_APP_INSTALLATION_ID }}/access_tokens" | \
jq -r .token)"
echo "::add-mask::$TOKEN"
echo "token=$TOKEN" >> $GITHUB_OUTPUT
uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
with:
client-id: ${{ secrets.SEMGREP_CI_CLIENT_ID }}
private-key: ${{ secrets.SEMGREP_CI_APP_KEY }}
repositories: pre-commit

- uses: actions/checkout@v4
@leifdreizler leifdreizler May 8, 2026
v4 runs on Node 20, which is getting support dropped later this year

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
token: ${{ steps.token.outputs.token }}
persist-credentials: false
no need to persist-credentials now that there aren't any local git commands


- name: Bump version in this repo
run: scripts/bump-version.sh "${NEW_SEMGREP_VERSION}"

- name: Commit and push
id: commit
env:
BRANCH: "gha/bump-version-${{ github.event.inputs.version }}-${{ github.run_id }}-${{ github.run_attempt }}"
SUBJECT: "Bump setup to ${{ github.event.inputs.version }}"
run: |
git config user.name ${{ github.actor }}
git config user.email ${{ github.actor }}@users.noreply.github.com
git checkout -b $BRANCH
git commit -am "$SUBJECT"
git tag "v${NEW_SEMGREP_VERSION}" HEAD
git remote -vv
git push --set-upstream origin $BRANCH
git push origin tag "v$NEW_SEMGREP_VERSION"
echo "branch=$BRANCH" >> $GITHUB_OUTPUT
echo "subject=$SUBJECT" >> $GITHUB_OUTPUT
- name: Open bump-version PR
id: cpr
uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
with:
token: ${{ steps.token.outputs.token }}
branch: "gha/bump-version-${{ inputs.version }}-${{ github.run_id }}-${{ github.run_attempt }}"
base: ${{ github.event.repository.default_branch }}
title: "chore: update pre-commit to semgrep ${{ inputs.version }}"
body: "Bump Semgrep Version to ${{ inputs.version }}"
commit-message: "Bump setup to ${{ inputs.version }}"
sign-commits: true

- name: Create PR
id: open-pr
- name: Tag release on bump branch
if: steps.cpr.outputs.pull-request-operation != 'none'
env:
SOURCE: "${{ steps.commit.outputs.branch }}"
TARGET: "${{ github.event.repository.default_branch }}"
TITLE: "chore: update pre-commit to semgrep ${{ inputs.version }}"
GITHUB_TOKEN: ${{ steps.token.outputs.token }}
VERSION: "${{ inputs.version }}"
GH_TOKEN: ${{ steps.token.outputs.token }}
SHA: ${{ steps.cpr.outputs.pull-request-head-sha }}
run: |
# check if the branch already has a pull request open
if gh pr list --head ${SOURCE} | grep -vq "no pull requests"; then
The `if gh pr list --head ${SOURCE}` branch could never fire in practice, because SOURCE contains the unique github.run_id.

# pull request already open
echo "pull request from SOURCE ${SOURCE} to TARGET ${TARGET} is already open";
echo "cancelling release"
exit 1
fi
# open new pull request with the body of from the local template.
res=$(gh pr create --title "${TITLE}" --body "Bump Semgrep Version to ${VERSION}" \
--base "${TARGET}" --head "${SOURCE}")
gh api -X POST "repos/${{ github.repository }}/git/refs" \
-f ref="refs/tags/v${NEW_SEMGREP_VERSION}" \
-f sha="${SHA}"

name: bump-version
on:
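Review bot: `inputs.version` is never validated before it reaches `scripts/bump-version.sh`, the `branch:` name, the PR title/body and the `refs/tags/v${NEW_SEMGREP_VERSION}` ref created via `gh api`; a malformed value would produce a junk branch, a junk PR, and a tag that downstream `rev:` pins would treat as a real release. The `on:` block that defines the trigger is outside this hunk, so I cannot confirm it is `workflow_dispatch`-only, but even for trusted dispatchers a guard step before "Bump version in this repo" fails fast instead of half-publishing (adjust the pattern to whatever version formats you actually accept). Separately, consider scoping the app token with the action's `permission-contents: write` and `permission-pull-requests: write` inputs (if this version supports them) so the short-lived token carries only what the PR and tag creation need rather than the full installation permission set; and note that the tag is created at the unreviewed PR head SHA, so a PR that is later closed without merging still leaves a published `vX.Y.Z` tag behind.

```yaml
      - name: Validate version input
        run: |
          if [[ ! "${NEW_SEMGREP_VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "::error::version must look like X.Y.Z, got '${NEW_SEMGREP_VERSION}'"
            exit 1
          fi
      # … unchanged: Bump version in this repo, Open bump-version PR, Tag release on bump branch …
```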