ci(release): fix unsigned commits by creating version commits via GitHub API #73
JamesLawton merged 1 commit into main from Apr 14, 2026
…Hub API

Fixes https://github.com/0xPolygon/polygon-agent-cli/actions/runs/24392931926/job/71243420384

The release workflow was failing with GH013: lerna's local git commit was unsigned and rejected by main's "require signed commits" rule.

Instead of pushing lerna's commit, .github/scripts/lerna-signed-release.sh runs lerna version --no-push, captures the resulting tree/parent/message, then re-creates the commit via POST /repos/.../git/commits. GitHub signs API-created commits with its web-flow GPG key, satisfying the rule. The branch ref and version tags are then advanced entirely through the GitHub API — no git push involved.

npm publish is split into a separate tag-triggered workflow (npm-publish.yml) so a failed publish can be retried in the GitHub Actions UI without any risk of double-versioning.

Changes:
- .github/scripts/lerna-signed-release.sh (new): runs lerna version --no-push, creates a signed commit and version tags via the GitHub API, creates GitHub releases. Each remote step is idempotent (checks before creating). Supports --dry-run for local verification.
- .github/workflows/release.yml: simplified to call the script.
- .github/workflows/npm-publish.yml (new): triggered by @polygonlabs/** tag pushes; runs lerna publish from-package with OIDC trusted-publisher auth, matching the existing setup.
- lerna.json: removed createRelease — lerna would fail trying to create releases before tags exist on GitHub when run with --no-push. The script now owns that step explicitly.
Fixes https://github.com/0xPolygon/polygon-agent-cli/actions/runs/24392931926/job/71243420384 — GH013, unsigned commit rejected by main's signed-commits rule.
POST /repos/.../git/commits (REST) creates raw git objects and does not sign them. The GraphQL createCommitOnBranch mutation is the only GitHub API that produces a verified commit. The script runs lerna version --no-push, captures the resulting file changes, then replays them via createCommitOnBranch to create a signed commit that atomically advances the branch. No git push involved.

Verified locally: createCommitOnBranch returned verified=true, reason=valid against the real repo before pushing to CI.

npm publish is split into npm-publish.yml, triggered by @polygonlabs/** tag pushes, so a failed publish can be retried in the Actions UI without re-versioning.
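
The replay step described above, as an added example (this is not the PR's lerna-signed-release.sh): it turns `git diff --name-status` output into the request body for the createCommitOnBranch mutation. Using name-status as the capture format, the helper names, the sample paths and contents, and the all-zero head OID are assumptions constructed for illustration.

```python
import base64
import json

# GraphQL document; signature{} lets the caller confirm the commit came back verified.
MUTATION = """mutation($input: CreateCommitOnBranchInput!) {
  createCommitOnBranch(input: $input) { commit { oid signature { isValid state } } }
}"""

def parse_name_status(text):
    """Split `git diff --name-status` output into (paths to add, paths to delete)."""
    additions, deletions = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, *paths = line.split("\t")
        if status[0] in "AMT":            # added, modified, type-changed
            additions.append(paths[0])
        elif status[0] == "D":
            deletions.append(paths[0])
        elif status[0] in "RC":           # rename/copy lines carry old and new path
            if status[0] == "R":
                deletions.append(paths[0])
            additions.append(paths[1])
        else:
            raise ValueError(f"unhandled status line: {line!r}")
    return additions, deletions

def build_request(repo, branch, expected_head_oid, message, name_status, read_file):
    """Build the JSON body for POST /graphql. read_file(path) -> bytes."""
    additions, deletions = parse_name_status(name_status)
    headline, _, body = message.partition("\n\n")
    return {"query": MUTATION, "variables": {"input": {
        "branch": {"repositoryNameWithOwner": repo, "branchName": branch},
        # The API rejects the commit if the branch head is no longer this OID.
        "expectedHeadOid": expected_head_oid,
        "message": {"headline": headline, "body": body},
        "fileChanges": {
            "additions": [{"path": p, "contents": base64.b64encode(read_file(p)).decode()}
                          for p in additions],
            "deletions": [{"path": p} for p in deletions],
        },
    }}}

if __name__ == "__main__":
    # Constructed sample: changed paths and file contents are illustrative only.
    sample = "M\tlerna.json\nM\tpackages/cli/package.json\nD\tpackages/cli/old.md\n"
    files = {"lerna.json": b'{"version": "independent"}\n',
             "packages/cli/package.json": b'{"version": "1.2.3"}\n'}
    req = build_request("0xPolygon/polygon-agent-cli", "main", "0" * 40,
                        "chore(release): publish\n\n- sample body", sample, files.__getitem__)
    print(json.dumps(req, indent=2))
```

Checking `signature.isValid` in the response before creating tags keeps a release from proceeding on a commit that would fail the signed-commits rule.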