Coexist with branch-protection: use GitHub App for pushing commits #26

Merged
merged 1 commit into from
Feb 27, 2024

Commits on Feb 23, 2024

  1. Use GitHub App & REST PUT API for updating version.sbt

    This changes the way we authenticate and make the 1 or 2 updates to `version.sbt`
    required for a release.
    
    Before:
    
    * Authenticate as: default `github-actions` bot
    * version.sbt update method: Cherry-pick the commits created by sbt-release, then push
      them to GitHub using `git push`, with the default `github-actions` bot using its
      credentials to make the push
    
    After:
    
    * Authenticate as: `gu-scala-library-release` GitHub App - https://github.com/apps/gu-scala-library-release
    * version.sbt update method: GitHub REST API for Repository Contents (PUT /repos/{owner}/{repo}/contents/{path})
      https://docs.github.com/en/rest/repos/contents?apiVersion=2022-11-28#create-or-update-file-contents
      Now we're not really specifying the whole commit, just the content change to one file.
    
    This has a few different benefits:
    
    * Addresses the need to coexist with our branch-protection rulesets, because GitHub Apps
      can be exempted from rules, as discussed in issue #5
    * Produces `Verified` commits - the commits show up as `Verified` in the GitHub UI, and have a
      `gpgsig` header entry that is signed by GitHub itself, essentially GitHub attesting that
      the author of the commit authenticated with GitHub to perform the file update.
      https://git-scm.com/docs/signature-format#_commit_signatures
      https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#signature-verification-for-bots
      https://blog.gitbutler.com/signing-commits-in-git-explained/#github-verification
    
    The commits now appear to be attributed to `gu-scala-library-release`, rather than, e.g.,
    '@rtyley using gha-scala-library-release-workflow' - it's a bit of a shame that the person
    triggering the release is no longer so clearly visible, but it's probably less confusing.
    To compensate for that, the commit message itself has been updated to specifically state
    the responsible user.
    rtyley committed Feb 23, 2024
    26bf362
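The file update described in the commit message above, as an added example that is not the workflow's own code: it builds (without sending) the `PUT /repos/{owner}/{repo}/contents/{path}` request, names the responsible user in the commit message, and leaves out `author`/`committer` so the commit stays eligible for GitHub's bot signature. The function names, message wording, token placeholder and sample `version.sbt` contents are assumptions made for illustration.

```python
import base64
import hashlib
import json

API = "https://api.github.com"


def git_blob_sha(data: bytes) -> str:
    """Git object id of a blob: SHA-1 over 'blob <len>' + NUL + content."""
    return hashlib.sha1(b"blob %d\x00" % len(data) + data).hexdigest()


def build_version_update(owner, repo, branch, current, new, triggered_by, token):
    """Return (method, url, headers, body) for replacing version.sbt on `branch`."""
    if not triggered_by.strip():
        raise ValueError("the commit message must name the responsible user")
    payload = {
        # Constructed wording: the App is the commit author, so the person who
        # triggered the release is recorded in the message instead.
        "message": f"Update version.sbt (release triggered by @{triggered_by})",
        "content": base64.b64encode(new).decode("ascii"),
        # Blob id of the file being replaced; a stale value makes the API
        # refuse the update instead of overwriting someone else's change.
        "sha": git_blob_sha(current),
        "branch": branch,
    }
    # Deliberately no "author"/"committer": GitHub's documentation on signature
    # verification for bots says custom author or committer information
    # prevents the GitHub-signed, Verified commit.
    headers = {
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",  # GitHub App installation token
        "X-GitHub-Api-Version": "2022-11-28",
    }
    url = f"{API}/repos/{owner}/{repo}/contents/version.sbt"
    return "PUT", url, headers, json.dumps(payload)


if __name__ == "__main__":
    # Constructed sample contents; owner, repo and token are placeholders.
    old = b'ThisBuild / version := "1.0.1-SNAPSHOT"\n'
    new = b'ThisBuild / version := "1.0.1"\n'
    method, url, headers, body = build_version_update(
        "example-org", "example-repo", "main", old, new, "octocat", "<INSTALLATION_TOKEN>")
    print(method, url)
    print(json.dumps(json.loads(body), indent=2))
```
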