MarcoIeni / release-plz

Publish Rust crates from CI with a Release PR.

Home Page: https://release-plz.ieni.dev

Signing commits made by release-plz bot

zvolin opened this issue

Motivations

Hey, I've seen #956, which added Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> to the commit message. This alone, however, doesn't result in a verified status on GitHub. We have a repository setting that requires all commits to be signed, and thus we cannot merge the release PR.

For comparison, the bot's commit and my commit (screenshot omitted).

And the merge button is red with a message:

Merging is blocked
The base branch requires all commits to be signed. Learn more about signing commits.

Is there a possibility for getting a verified status for release-plz bot?

  • Would you like to implement this feature? [y/n]

Solution

It looks like dependabot has the power to get a verified status, but I'm not sure if it isn't somehow specially supported by GitHub.


I am aware that I could probably create a new GitHub account for the bot, then create and add new GPG keys there, include them in the CI secrets, and set them up to be used instead, along with the email. However, this sounds like quite a lot of custom steps, and I'm wondering if there is anything better.

Hmmm, I'm not sure there is an easy way... dependabot is using support@github.com, which probably just has a GPG key configured, whereas release-plz has a generated email: 41898282+github-actions[bot]@users.noreply.github.com

Came across this: https://github.com/planetscale/ghcommit
I'll check if we could support it in release-plz, so that with some flag it would use the PAT and ghcommit instead of git commit.

I've managed to get this to work using just GitHub's GraphQL API endpoint, because the Go tool dependency is meh. Please check if you'd like to proceed with that 👍
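The approach described in the comment above, as an added example that is not release-plz's own code: a commit created through GitHub's GraphQL createCommitOnBranch mutation is produced server-side, so GitHub signs it for the token's identity and the repository's "require signed commits" rule is satisfied without managing GPG keys in CI. The mutation name and input fields are GitHub's real API; the repository, branch, head SHA and file contents below are constructed sample values, and the HTTP POST itself is left to the caller.

```python
"""Build the GitHub GraphQL createCommitOnBranch request used to commit
from CI without a locally managed signing key."""
import base64
import json
from typing import Dict, List, Optional

# GitHub's GraphQL mutation: the commit object is created by GitHub itself.
CREATE_COMMIT_MUTATION = """
mutation($input: CreateCommitOnBranchInput!) {
  createCommitOnBranch(input: $input) {
    commit { oid url }
  }
}
"""


def build_commit_input(owner_repo: str, branch: str, head_oid: str,
                       headline: str, body: str, changed: Dict[str, bytes],
                       deleted: Optional[List[str]] = None) -> dict:
    """Return the CreateCommitOnBranchInput variables.

    head_oid is the branch tip the caller last observed; GitHub rejects the
    mutation if the branch has moved, so a racing push cannot be overwritten.
    File contents must be base64-encoded; deletions are path-only.
    """
    if len(head_oid) != 40 or any(c not in "0123456789abcdef" for c in head_oid):
        raise ValueError("expectedHeadOid must be the full 40-hex commit SHA")
    additions = [{"path": p, "contents": base64.b64encode(c).decode("ascii")}
                 for p, c in sorted(changed.items())]
    deletions = [{"path": p} for p in (deleted or [])]
    return {
        "branch": {"repositoryNameWithOwner": owner_repo, "branchName": branch},
        "message": {"headline": headline, "body": body},
        "expectedHeadOid": head_oid,
        "fileChanges": {"additions": additions, "deletions": deletions},
    }


def build_request(commit_input: dict) -> bytes:
    """Serialize the JSON body to POST to https://api.github.com/graphql with
    an 'Authorization: Bearer <token>' header (the POST is not done here)."""
    return json.dumps({"query": CREATE_COMMIT_MUTATION,
                       "variables": {"input": commit_input}}).encode("utf-8")


if __name__ == "__main__":
    # Constructed sample: a version bump on a release branch (hypothetical names).
    head = "0123456789abcdef0123456789abcdef01234567"
    variables = build_commit_input("owner/repo", "release-plz-branch", head,
                                   "chore: release", "", {"Cargo.toml": b"hello"})
    print(build_request(variables).decode())
```

Hand the serialized body to any HTTP client together with a token that has contents write permission on the repository; the token's identity becomes the commit author that GitHub signs.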

I released the new version of the GitHub action 👍
https://github.com/MarcoIeni/release-plz-action/releases/tag/v0.5.37

Now you should see verified commits from release-plz.

FYI, a side effect of switching to the GitHub API is that workflow actions are generally not triggered by the release-plz PR: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#triggering-further-workflow-runs

I'm not opening a new issue for this because it's not release-plz's fault, but you may want to make a note of it or mention it in your docs.

Edit: I see that you already mention this in the relevant section of the docs!

Thanks to both of you for your hard work on this update, though; it's made a difference for me!