✅ Verified Bot Commit

A GitHub Action to create signed and verified commits as the github-actions[bot] User with the standard GITHUB_TOKEN. This is accomplished via the GitHub REST API by using the Blob and Tree endpoints to build the commit and update the original Ref to point to it. ¹

The resulting commit will be signed and verified using GitHub's public PGP key!

Important

Using this Action with your own Personal Access Token (PAT) is not recommended.
See limitations for more details.

This action supports Linux, macOS and Windows runners (results may vary with self-hosted runners).

Quick Start

- name: Commit changes
  uses: iarekylew00t/verified-bot-commit@v1
  with:
    message: 'feat: Some changes'
    files: |
      README.md
      *.txt
      src/**/tests/*
      test-data/**

Usage

Inputs

List type is a newline-delimited string

files: |
  *.md
  example.txt

Name	Type	Description	Default
ref	String	The ref to push the commit to	${{ github.ref }}
files	List	Files/Glob patterns to include with the commit	required
message	String	Message for the commit [1]	optional
message-file	String	File to use for the commit message [1]	optional
force-push	String	Force push the commit	false
follow-symlinks	String	Follow symbolic links when globbing files	true
workspace	String	Directory containing checked out files	${{ github.workspace }}
token	String	GitHub Token for REST API access [2]	${{ github.token }}

1. You must include either message or message-file (which takes priority).
2. This Action is intended to work with the default GITHUB_TOKEN. See the notice and limitations

Outputs

Name	Type	Description
blobs	JSON	A JSON list of blob SHAs within the tree
tree	String	SHA of the underlying tree for the commit
commit	String	SHA of the commit itself
ref	String	SHA for the ref that was updated (same as commit)

Token Permissions

This Actions requires the following permissions granted to the GITHUB_TOKEN.

• contents: write

Limitations

⚠️ As always, the GITHUB_TOKEN cannot push to protected Refs.

⚠️ The Blob API has a 40MiB limit, any files larger than this in your commit will fail.

⚠️ Using your own Personal Access Token (PAT) will result in an unsigned and unverified commit. You should really look into using your own keys and signing commits yourself with the help of Actions like webfactory/ssh-agent and crazy-max/ghaction-import-gpg.

Development

Caution

Since this is a TypeScript action you must transpile it into native JavaScript. This is done for you automatically as part of the npm run all command and will be validated via the check-dist.yml Workflow in any PR.

1. ⚙️ Install the version of Node.js as defined in the .node-version.
   You can use asdf to help manage your project runtimes.

   asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git
   asdf install

2. 🛠️ Install dependencies

   npm install

3. 🏗️ Format, lint, test, and package your code changes.

   npm run all

Releases

For maintainers, the following release process should be used when cutting new versions.

1. ⏬ Ensure all changes are in the main branch and all necessary Workflows are passing.

   git checkout main
   git pull

2. ✅ Ensure the package.json and package-lock.json files are updated to with the new version being cut.

   npm update

3. 🔖 Create a new Tag, push it up, then create a new Release for the version.

   git tag v1.2.3
   git push -u origin v1.2.3

   Alternatively you can create the Tag on the GitHub Release page itself.

   When the tag is pushed it will kick off the Shared Tags Workflows to update the v$MAJOR and v$MAJOR.MINOR tags.

Contributing

Feel free to contribute and make things better by opening an Issue or Pull Request.
Thank you for your contribution! ❤️

License

See LICENSE.

Credits

Special thanks and credits to the following projects for their work and inspiration:

• swinton/commit
• ChromeQ/commit

Footnotes

1. Git Internals - Git Objects ↩