My use case: I need a GitHub Actions workflow to run a task that updates a file. If the file has changed, the workflow should open a pull request for human review/merge.
Problem(s):

- I was using peter-evans/create-pull-request, which worked well, but my repo requires signed commits before merging.
- There is a doc in peter-evans/create-pull-request on how to use GPG to sign commits. But I did not want to manage yet another secret, or yet another bot user.
- Since GitHub Actions added the commit, there should be a way to verify that a commit is from the real GitHub Actions App. So I found this GitHub doc:
> Signature verification for bots will only work if the request is verified and authenticated as the GitHub App or bot and contains no custom author information, custom committer information, and no custom signature information, such as Commits API.
This is not supported by peter-evans/create-pull-request because the git commit is done locally (not over GitHub's REST API to a remote branch). A local commit requires a valid committer and author, i.e. you cannot set empty strings as the committer or author; git will error out.
I found an old issue update related to this, and an example REST API call that achieves the same goal. The Git Data API calls let you leave out the committer and author entirely, so the commits are signed by github-actions.
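The flow described above (blob, tree, commit, ref, then pull request), as an added example that is not code from the original post or from the linked repository. It assumes the workflow's standard GITHUB_TOKEN and GITHUB_REPOSITORY environment variables; the branch names, file path and PR title are hypothetical placeholders. The point of the example is the commit payload: it carries only message, tree and parents, with no author, committer or signature fields, which is the condition GitHub's doc sets for signing the commit as the app. It also checks the verification object GitHub returns before opening the PR, so an unsigned commit fails loudly instead of landing in a branch.

```python
"""Update one file through GitHub's Git Data API so the resulting commit is
attributed to and signed by the GitHub Actions app, then open a PR for it.

Added example (not the original post's or the linked repo's code).
Assumes GITHUB_TOKEN / GITHUB_REPOSITORY from a workflow run; branch
names, file path and PR title below are hypothetical placeholders.
"""
import base64
import json
import os
import urllib.request

API = "https://api.github.com"


def build_blob_payload(content: bytes) -> dict:
    """Blob body; base64 so binary or non-UTF-8 file content survives."""
    return {"content": base64.b64encode(content).decode("ascii"),
            "encoding": "base64"}


def build_tree_payload(base_tree_sha: str, path: str, blob_sha: str) -> dict:
    """New tree = base tree with one entry replaced (mode 100644 = regular file)."""
    return {"base_tree": base_tree_sha,
            "tree": [{"path": path, "mode": "100644", "type": "blob", "sha": blob_sha}]}


def build_commit_payload(message: str, tree_sha: str, parent_sha: str) -> dict:
    """Commit body with NO author/committer/signature keys.  Supplying any
    custom author or committer here makes GitHub skip its own signature."""
    return {"message": message, "tree": tree_sha, "parents": [parent_sha]}


def is_github_signed(commit_obj: dict) -> bool:
    """True when GitHub reports the commit's signature as valid.  Accepts a
    Git Data commit (verification at top level) or a Repos-API commit
    (verification nested under "commit")."""
    v = (commit_obj.get("verification")
         or commit_obj.get("commit", {}).get("verification")
         or {})
    return v.get("verified") is True and v.get("reason") == "valid"


def api(token: str, method: str, path: str, body=None) -> dict:
    """Minimal authenticated JSON call against the GitHub REST API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def commit_file_and_open_pr(token, repo, base_branch, head_branch,
                            path, content, message, title) -> str:
    """Create a GitHub-signed commit on a new branch and open a PR; returns the PR URL."""
    base = api(token, "GET", f"/repos/{repo}/git/ref/heads/{base_branch}")["object"]["sha"]
    base_tree = api(token, "GET", f"/repos/{repo}/git/commits/{base}")["tree"]["sha"]
    blob = api(token, "POST", f"/repos/{repo}/git/blobs", build_blob_payload(content))["sha"]
    tree = api(token, "POST", f"/repos/{repo}/git/trees",
               build_tree_payload(base_tree, path, blob))["sha"]
    commit = api(token, "POST", f"/repos/{repo}/git/commits",
                 build_commit_payload(message, tree, base))
    # Fail closed: no PR unless GitHub actually signed the commit.
    if not is_github_signed(commit):
        raise RuntimeError(f"commit {commit['sha']} was not signed by GitHub: "
                           f"{commit.get('verification')}")
    api(token, "POST", f"/repos/{repo}/git/refs",
        {"ref": f"refs/heads/{head_branch}", "sha": commit["sha"]})
    pr = api(token, "POST", f"/repos/{repo}/pulls",
             {"title": title, "head": head_branch, "base": base_branch, "body": message})
    return pr["html_url"]


if __name__ == "__main__":
    # Hypothetical values; the file is assumed to have been updated by an earlier step.
    with open("data/generated.json", "rb") as fh:
        new_content = fh.read()
    url = commit_file_and_open_pr(
        token=os.environ["GITHUB_TOKEN"],
        repo=os.environ["GITHUB_REPOSITORY"],
        base_branch="main",
        head_branch=f"bot/update-{os.environ.get('GITHUB_RUN_ID', 'local')}",
        path="data/generated.json",
        content=new_content,
        message="chore: update generated data",
        title="Bot: update generated data",
    )
    print(url)
```

The job that runs this needs `permissions: contents: write` and `pull-requests: write` in the workflow, and nothing more; there is no GPG key or bot account to store. One caveat worth knowing: pull requests created with the default GITHUB_TOKEN do not trigger other workflows (such as CI on the new PR), so if the review branch needs checks to run, that is a separate consideration from the signing problem this solves.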
Example GitHub Actions Workflow: https://github.com/lichao127/actions-pull-request/blob/main/.github/workflows/bot-update.yml
Example Pull Request: https://github.com/lichao127/actions-pull-request/pull/11