ghcommit
Use GitHub's GraphQL API createCommitOnBranch mutation to commit files to a GitHub repository.
Why?
Enable keyless signing.
Commits made within a CI environment like GitHub Actions using the git command line will not
be signed. By using the API, commits are signed with GitHub's GPG key.
This method allows for signed commits in a CI environment without needing to manage private
GPG keys. This is important for repositories that require signed commits as part of their
branch protection.
It is possible to sign commits with GPG; however, managing GPG keys can be cumbersome,
especially when maintainers leave a project. Using the API eliminates the need for key management.
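The request behind such a commit, as an added example (not ghcommit's own code): it builds the JSON body for a createCommitOnBranch call, with file contents Base64-encoded and the expected branch tip pinned. The names buildRequest, file and M, and the sample repository and SHA, are assumptions for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// GraphQL document; the input object is passed as a variable.
const mutation = `mutation($input: CreateCommitOnBranchInput!) {
  createCommitOnBranch(input: $input) { commit { oid url } }
}`

type M = map[string]any
type file struct{ Path string; Body []byte } // hypothetical helper type

// buildRequest returns the JSON body to POST to https://api.github.com/graphql with an
// "Authorization: bearer <token>" header. No signing key is sent: GitHub signs server-side.
func buildRequest(repo, branch, headOid, headline string, add []file, del []string) ([]byte, error) {
	if repo == "" || branch == "" || headline == "" {
		return nil, errors.New("repo, branch and headline are required")
	}
	if len(headOid) != 40 { // expectedHeadOid rejects the commit if the branch tip has moved
		return nil, errors.New("headOid must be the 40-character SHA of the branch tip")
	}
	additions := make([]M, 0, len(add))
	for _, f := range add { // the API takes file contents as Base64
		additions = append(additions, M{"path": f.Path, "contents": base64.StdEncoding.EncodeToString(f.Body)})
	}
	deletions := make([]M, 0, len(del))
	for _, p := range del {
		deletions = append(deletions, M{"path": p})
	}
	input := M{
		"branch":          M{"repositoryNameWithOwner": repo, "branchName": branch},
		"message":         M{"headline": headline},
		"expectedHeadOid": headOid,
		"fileChanges":     M{"additions": additions, "deletions": deletions},
	}
	return json.Marshal(M{"query": mutation, "variables": M{"input": input}})
}

func main() {
	// Constructed sample values: repository name and SHA are placeholders.
	body, err := buildRequest("octo-org/example", "main", "0123456789abcdef0123456789abcdef01234567",
		"Update VERSION", []file{{Path: "VERSION", Body: []byte("1.0.1\n")}}, nil)
	fmt.Println(string(body), err)
}
```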
Install
TODO
Usage
TODO
Alternatives
As mentioned above, it is possible to sign commits with GPG.
Another option which uses a form of keyless signing is the sigstore/gitsign
project. However, as of April 2023, GitHub does not recognize signatures created by gitsign so
these commits will not be identified as "verified" by GitHub.
Releasing
Releases are generated automatically on all successful main branch builds. This project uses
autotag and goreleaser to
automate this process.
Semver (vMajor.Minor.Patch) is used for versioning and releases. By default, autotag will bump the
patch version on a successful main build, e.g. v1.0.0 -> v1.0.1.
To bump the major or minor release instead, include [major] or [minor] in the commit message.
Refer to the autotag docs
for more details.
Include [skip ci] in the commit message to prevent a new version from being released. Only use this
for things like documentation updates.