Introduce an option to use the GitHub API to commit changes, for GPG #391
Conversation
🦋 Changeset detectedLatest commit: 313b693 The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
s0
changed the title
|
This is a clever solution but tbh... I'm not sure if I like it for this project. It feels less maintainable - with git itself we have certain freedom in how we interact with it. I'm also worried that this would result in hitting rate limits more often (which already is an issue that this action hits from time to time). |
|
Hmm rate limits is a fair concern. Would you support having this as an opt-in feature then rather than replacing the existing git functionality for those of us that require signed commits? 🤔 |
|
I don't like having options like this but then I also see the value in this approach 😅 cc @emmatown thoughts? |
|
I was looking into the rate-limit issue again, and I realize I actually experienced it here: https://github.com/s0/ghcommit/actions/runs/10548632928/job/29222763569 (and can see from #192 that it's the same rate-limit as I faced). My guess is that we can probably improve things a lot by avoiding the search APIs, which typically have higher rate-limit costs (at least 5x according to https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api?apiVersion=2022-11-28#calculating-points-for-the-secondary-rate-limit). But beyond that, primary rate limits for the search API are tracked separately to other REST endpoints, so it wouldn't surprise me if there's some conflict / interference with other tokens / repos based on e.g. which runners these are executed on? Given that, at least with the primary rate limits, the GitHub Actions I imagine that we'll be able to avoid hitting the limits at all if we switch from the search API to the pull request list API, which provides filters for everything you use the search API for: https://docs.github.com/en/rest/pulls/pulls?apiVersion=2022-11-28#list-pull-requests I could open a separate PR for this change if you like? |
|
PR opened :) #393 |
|
Hi @dalmena |
|
+1 |
|
Any more thoughts on this PR? I could update the PR to make this method opt-in or opt-out and allow the user to choose between the 2 methods? |
To allow for signed tags to be created, rather than use the git CLI to push tags, manually push each tag using the GitHub API, which will sign the tag using the built-in GitHub GPG key.
To allow for all commits to be signed, use the GitHub API to push changes.
s0
force-pushed
the
github-api-tag-push
branch
from
a369cc5 to
50b4be2
Compare
|
Hmm looks like I've just started experiencing some errors with this test branch: https://github.com/arcanejs/arcanejs/actions/runs/11418428423 Going to convert this back to draft now until I can investigate. |
|
I could consider making this an opt-in - once you resolve the issues you found |
|
+1 for this feature. I would opt-in to it |
|
Issue resolved in changesets/ghcommit#23, so latest update fixes things. Converting this to be opt-in now |
Change this to a minor version bump, with a new feature that allows for using the GitHub API to create tags and commits.
s0
force-pushed
the
github-api-tag-push
branch
from
06a6067 to
893ba16
Compare
|
Okay comments addressed, this is now opt-in via the input |
|
@Andarist okay, comments addressed. Have tested using this functionality against my fork here:
|
package.json
Outdated
| "@changesets/read": "^0.5.3", | ||
| "@manypkg/get-packages": "^1.1.3", | ||
| "@octokit/plugin-throttling": "^5.2.1", | ||
| "@s0/ghcommit": "^1.2.1", |
There was a problem hiding this comment.
I could swear I commented on this last time - but it seems I have not 😅 I think we need to inline this package here so we have full control over this code.
There was a problem hiding this comment.
Hmm, are you sure? It would involve quite a lot of code, and also include having to add things like codegen for GraphQL queries (or a reduction of Type Safety). There are also a bunch of integration tests that would significantly complicate the CI for this repo:
See:
- https://github.com/s0/ghcommit/blob/main/src/github/codegen.ts
- https://github.com/s0/ghcommit/blob/main/src/github/graphql/queries.ts
- https://github.com/s0/ghcommit/tree/main/src/test/integration
Seems like a lot of stuff to inline for something that has quite a nice abstraction boundary & test coverage.
I'm also pretty responsive to PRs and maintenance etc... but if you insist on ownership then perhaps we should consider transferring ownership of the repository & NPM package instead? (which I'm happy to do).
There was a problem hiding this comment.
Or perhaps you could also just fork this repo, and publish to a different NPM package too and use that?
There was a problem hiding this comment.
I'm usually very keen on using external packages - but this is a crucial piece of software that interacts with tokens and whatnot. So having a dependency on a package that is not well-established in the ecosystem makes me uneasy here.
I certainly don't really want to maintain it... 😅 but it feels like a necessity in this case.
perhaps we should consider transferring ownership of the repository & NPM package instead? (which I'm happy to do).
That sounds like the easiest option if you are willing to do that 👍
There was a problem hiding this comment.
Yeah happy to do that. Would you be happy for me to continue to maintain it under the changesets org?
There was a problem hiding this comment.
Invite sent: https://github.com/s0/ghcommit/invitations (you will need to accept before I can make you Admin I think)
There was a problem hiding this comment.
Hmm looks like I can only add you as a collaborator and can't make you an Admin (probably as it's a user repo not org repo) 🙃. So I think adding me to the org is the only way, can deffo be temporary though.
There was a problem hiding this comment.
Repo transferred, I'll work on re-publishing to new NPM package later on this week.
There was a problem hiding this comment.
Repo has been updated and ready to publish to @changests/ghcommit. Could you set up an NPM_TOKEN secret for the repo, so that CI can start publishing: https://github.com/changesets/ghcommit/actions/runs/14663639483/job/41153344520
You may need to manually build & publish an older version (i.e. the previous one) to be able to create a token with the appropriate scopes, and so that the build & publish workflow succeeds. (Definitely avoid publishing main/ the current version manually though, as it would mean provenance won't be included and we'll need to bump the version again)
|
@s0 I pushed out a slight refactor here, could you double-check if this makes sense to you? |
|
I just tried to use
I realise this was only merged yesterday and I came looking for it today, so happy to help with any testing 👍 |
@dpnova you need to wait until #463 is merged and the new version released, then you will be able to use it by referring to specific tags. You can't use |
|
Thanks @s0 Side note, you have a very enviable job 😁 |
* Remove unused variable (changesets#460) * unused variable * double negative var * Revert "double negative var" This reverts commit 13cd17e. * Introduce an option to use the GitHub API to commit changes, for GPG (changesets#391) * Create tags on GitHub using API To allow for signed tags to be created, rather than use the git CLI to push tags, manually push each tag using the GitHub API, which will sign the tag using the built-in GitHub GPG key. * Use ghcommit to push changes To allow for all commits to be signed, use the GitHub API to push changes. * Add changeset version * Allow tag publish to fail, assume it was manually published * Add to changeset * Update @s0/ghcommit * Update ghcommit to fix missing ref bug * Make using GitHub API Optional Change this to a minor version bump, with a new feature that allows for using the GitHub API to create tags and commits. * Use a strategy pattern for GitHub API vs CLI usage * refactor git interactions * fix mock thing * usechangesets pkg * switch to `commitMode` --------- Co-authored-by: Mateusz Burzyński <mateuszburzynski@gmail.com> * Version Packages (changesets#463) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --------- Co-authored-by: Changwan <47740690+WooWan@users.noreply.github.com> Co-authored-by: Sam Lanning <sam@samlanning.com> Co-authored-by: Mateusz Burzyński <mateuszburzynski@gmail.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
|
(I hate to comment on a closed issue) but I just tried this out, and it doesn't work for us. I didn't dig into it yet, but I get an error:
It's coming from some kind of restriction set on our GitHub organization at my company. I don't know exactly what it's detecting, or if it's a false positive or something. But I'm guessing this could be a problem for other people as well. Maybe @s0 might have an idea what might trigger this? If not I can look into it later and open a new issue when I have something figured out. 🙇 |
Hmm sounds like it's including some files / content that weren't being added before. Does your CI workflow create files with secret values within your repository? And are they correctly excluded in Edit: actually was this working before for you at all with the previous method, or it was blocking it for not being signed? My guess is that this maybe wasn't ever working for you, and adding the relevant file to .gitignore will probably fix things. |
Nope. It just builds the packages, and then runs this action.
It is working. We want to completely block unsigned commits, but currently don't for the repos that use |
|
@s0 I just tried v1.5.2 and it's working great now! Thanks!!! |
13 participants
fixes #392
Turns out that there wasn't any good TypeScript libraries for making modifications to files directly, let alone one that looks at the files changed locally to determine what needs to be pushed to GitHub, so I went ahead and created one here: https://github.com/s0/ghcommit
I then used this repo as a test-case for the updated actions to see if it all works, and so far so good.
Tags are now signed by default:
And commits are also signed, and attributed to github-actions:
It also works with more complex situations, such as custom
versioncommands, like in this repo where it auto-bumps the major version in the README: Version Packages s0/changesets-action#2Would you like this functionality? And if so, do we want to just switch to this behavior by default + have a major version bump? or do we want to hide it behind an action input / argument for now and have it as opt-in?
My thinking is that just switching to this behavior overall makes the most sense, as most people probably want to attribute the commits to the owner of the
GITHUB_TOKEN, and more and more people are going to require that commits are signed as the industry takes supply-chain-security more and more seriously.