fix(ci): commit bump-excluded via GitHub API for verified signature#199
Merged
Conversation
The bump-excluded step added in #195 used `git commit && git push`, which produces unsigned commits on the release PR branch. The repository ruleset requires `required_signatures`; while squash merge re-signs the commit on main, the Unverified badge on the release PR branch itself is undesirable.

Replace the git commit/push block with GitHub Git Data API calls:

1. Read branch HEAD SHA
2. Build a new tree (POST /git/trees) with the two modified Cargo.toml files
3. Create the commit via POST /git/commits — GitHub auto-signs API commits
4. Advance the branch ref via PATCH /git/refs/heads/<branch>

No new secrets, GitHub App, or GPG keys required; GITHUB_TOKEN is sufficient. The rest of the step (idempotency guard, just bump-excluded, git diff --quiet check) is unchanged.

Closes #198

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Pull request overview
Updates the release-plz GitHub Actions workflow to create the “bump excluded crates” commit via the GitHub Git Data API so the commit shows as GitHub-verified on the release PR branch (matching release-plz’s own commits).
Changes:
- Replace `git commit`/`git push` with Git Data API calls to create a tree, create a commit, and fast-forward the PR branch ref.
- Add workflow comments documenting why the API approach is used (to produce verified commits).
… blobs `$(cat ...)` command substitution strips trailing newlines per POSIX, causing the API-uploaded blobs to lack the final newline present in Cargo.toml files. Switching to `jq --rawfile` reads files verbatim and avoids the stripping.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
- Replaces `git commit && git push` in the "Bump excluded crates on release PR" workflow step with GitHub Git Data API calls
- Creating the commit via the API (`POST /git/commits`) causes GitHub to auto-sign the commit, producing `verified=true` — the same mechanism release-plz itself uses
- `GITHUB_TOKEN` (already available) is sufficient

Background
PR #197 (`chore: release v0.2.1`) revealed that the bump-excluded commit added by #195 shows Unverified in the GitHub UI. The repository ruleset requires `required_signatures` on the default branch. While squash merge re-signs the commit on `main` (so there is no actual regression), the Unverified badge on the release PR branch itself is undesirable and inconsistent with the verified release-plz commits on the same branch.

Implementation
The step now:
1. Reads the branch HEAD via `GET /git/ref/heads/<branch>`
2. Reads the HEAD commit via `GET /git/commits/<sha>`
3. Builds a new tree with the two modified `Cargo.toml` files via `POST /git/trees` (using `jq -n --arg` for safe JSON construction)
4. Creates the commit via `POST /git/commits` — GitHub auto-signs it
5. Advances the branch ref via `PATCH /git/refs/heads/<branch>`

The idempotency guard, `just bump-excluded`, and `git diff --quiet` check are unchanged.

Test plan
- `verified=true` via:

Closes #198
🤖 Generated with Claude Code
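The Git Data API sequence described in the PR (read ref, read commit, create tree, create commit, fast-forward ref), written out as a stand-alone Python script; this is an added example, not the workflow's own shell/jq step. `github_request` is the real transport, while `FakeGitHub`, the repository, branch and all SHA values are constructed so the flow can be exercised offline.

```python
import json
import urllib.request

API = "https://api.github.com"

def github_request(token, method, path, body=None):
    """Real transport: one authenticated call to the GitHub REST API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Accept", "application/vnd.github+json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def commit_files_via_api(request, repo, branch, files, message):
    """Commit `files` ({path: text}) to `branch`; returns the new commit SHA.
    `request(method, path, body)` is injected so the flow runs offline in tests."""
    base = f"/repos/{repo}"
    # 1. Branch HEAD and the tree it points at (base for the new tree).
    head_sha = request("GET", f"{base}/git/ref/heads/{branch}", None)["object"]["sha"]
    base_tree = request("GET", f"{base}/git/commits/{head_sha}", None)["tree"]["sha"]
    # 2. New tree on top of HEAD's tree. Content is JSON-encoded verbatim, so a
    #    trailing newline survives (unlike `$(cat file)`, which strips it).
    entries = [{"path": p, "mode": "100644", "type": "blob", "content": c}
               for p, c in sorted(files.items())]
    tree_sha = request("POST", f"{base}/git/trees",
                       {"base_tree": base_tree, "tree": entries})["sha"]
    # 3. Commit object built server-side: GitHub signs it, so it shows as Verified.
    commit_sha = request("POST", f"{base}/git/commits",
                         {"message": message, "tree": tree_sha, "parents": [head_sha]})["sha"]
    # 4. Fast-forward only: force=False makes GitHub reject the update if HEAD moved.
    request("PATCH", f"{base}/git/refs/heads/{branch}", {"sha": commit_sha, "force": False})
    return commit_sha

class FakeGitHub:
    """Constructed in-memory stand-in for the five endpoints above (offline use)."""
    def __init__(self, head_sha, tree_sha):
        self.head_sha, self.tree_sha, self.calls = head_sha, tree_sha, []
    def __call__(self, method, path, body):
        self.calls.append((method, path, body))
        if method == "GET" and "/git/ref/" in path:
            return {"object": {"sha": self.head_sha}}
        if method == "GET" and "/git/commits/" in path:
            return {"tree": {"sha": self.tree_sha}}
        if method == "POST" and path.endswith("/git/trees"):
            return {"sha": "t" * 40}          # constructed tree SHA
        if method == "POST" and path.endswith("/git/commits"):
            return {"sha": "c" * 40}          # constructed commit SHA
        return {"object": {"sha": body["sha"]}}  # PATCH refs/heads/<branch>
```

Against the real API, pass `lambda m, p, b: github_request(token, m, p, b)` as `request`; the recorded `calls` on `FakeGitHub` show exactly which bodies each endpoint receives.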