From 08ee922813eb90d77b74f712936e7623a5f9dd48 Mon Sep 17 00:00:00 2001
From: Manoel Aranda Neto <marandaneto@gmail.com>
Date: Thu, 16 Apr 2026 14:37:30 +0100
Subject: [PATCH] fix: use signed commits in ruby release workflow

---
 .github/workflows/release.yml | 26 +++++++++++---------------
 1 file changed, 11 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e91437e..cac712b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -66,7 +66,7 @@ jobs:
     permissions:
       contents: write
     outputs:
-      committed: ${{ steps.commit-version-bump.outputs.committed }}
+      commit-hash: ${{ steps.commit-version-bump.outputs.commit-hash }}
       new-version: ${{ steps.apply-changesets.outputs.new-version }}
     steps:
       - name: Notify Slack - Approved
@@ -127,19 +127,13 @@ jobs:
 
       - name: Commit version bump
         id: commit-version-bump
+        uses: planetscale/ghcommit-action@25309d8005ac7c3bcd61d3fe19b69e0fe47dbdde # v0.2.20
+        with:
+          commit_message: "chore: release ${{ steps.apply-changesets.outputs.new-version }} [version bump]"
+          repo: ${{ github.repository }}
+          branch: main
         env:
           GITHUB_TOKEN: ${{ steps.releaser.outputs.token }}
-          NEW_VERSION: ${{ steps.apply-changesets.outputs.new-version }}
-        run: |
-          git add -A
-          if git diff --staged --quiet; then
-            echo "No changes to commit"
-            echo "committed=false" >> "$GITHUB_OUTPUT"
-          else
-            git commit -m "chore: release v$NEW_VERSION [version bump]"
-            git push origin main
-            echo "committed=true" >> "$GITHUB_OUTPUT"
-          fi
 
       - name: Notify Slack - Failed
         if: ${{ failure() && needs.notify-approval-needed.outputs.slack_ts != '' }}
@@ -194,7 +188,7 @@ jobs:
     name: Release and publish
     needs: [version-bump, notify-approval-needed]
     runs-on: ubuntu-latest
-    if: always() && needs.version-bump.outputs.committed == 'true'
+    if: always() && needs.version-bump.outputs.commit-hash != ''
     permissions:
       contents: write
       id-token: write
@@ -250,9 +244,11 @@ jobs:
         env:
           GH_TOKEN: ${{ steps.releaser.outputs.token }}
           NEW_VERSION: ${{ needs.version-bump.outputs.new-version }}
+          COMMIT_HASH: ${{ needs.version-bump.outputs.commit-hash }}
         run: |
-          git tag -a "$NEW_VERSION" -m "$NEW_VERSION"
-          git push origin "$NEW_VERSION"
+          gh api "repos/${{ github.repository }}/git/refs" \
+            -f "ref=refs/tags/${NEW_VERSION}" \
+            -f "sha=${COMMIT_HASH}"
 
       - name: Create GitHub Release
         env: