jirimoravcik
Is it possible to move the script into a separate file?
Pull request overview
Adds a reusable GitHub Actions workflow that applies a pre-generated git patch and then re-creates the commit via the GitHub GraphQL API so the resulting commit is GitHub-signed (useful for automated version bumps / release PR preparation).
Changes:
- Introduces `.github/workflows/commit.yaml`, a reusable workflow (`workflow_call`) that accepts a base64-encoded `git format-patch` payload and target branch/repo parameters.
- Applies the patch locally (`git am`), derives file changes and the commit message, and creates the commit via the `createCommitOnBranch` GraphQL mutation.
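The steps listed in the overview above, as an added example in Python that is not the PR's own script: it parses the commit message out of a `git format-patch` payload, turns the post-`git am` change set into the `fileChanges` input, and assembles the `createCommitOnBranch` mutation body. The repository name, branch name, file contents and head OID are constructed placeholders; the mutation's input type and field names are GitHub's public GraphQL schema.

```python
"""Build the GitHub GraphQL createCommitOnBranch request that the workflow
under review sends after applying the patch. This is an added example, not
the PR's own script; names and sample values below are constructed."""
import base64
import json
import re

# Constructed sample in `git format-patch` form (only the mail header and
# commit message matter here; the diff itself is applied with `git am`).
SAMPLE_PATCH = """\
From 0123456789abcdef0123456789abcdef01234567 Mon Sep 17 00:00:00 2001
From: Release Bot <bot@example.com>
Date: Mon, 1 Jan 2024 00:00:00 +0000
Subject: [PATCH] chore: bump version to 1.2.3

Automated version bump.

---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
"""

# GraphQL mutation text; input type and field names follow GitHub's public
# schema for createCommitOnBranch.
MUTATION = """\
mutation ($input: CreateCommitOnBranchInput!) {
  createCommitOnBranch(input: $input) {
    commit { oid url }
  }
}
"""


def parse_commit_message(patch_text):
    """Return (headline, body) from a format-patch mail header.

    The headline is the Subject line minus its `[PATCH ...]` prefix; the body
    is everything between the blank line that ends the headers and the `---`
    separator that precedes the diffstat. Folded (multi-line) Subject headers
    are not handled, which is fine for single-line bot-generated subjects.
    """
    lines = patch_text.splitlines()
    subject = next((l for l in lines if l.startswith("Subject: ")), "Subject: ")
    headline = re.sub(r"^\[PATCH[^\]]*\]\s*", "", subject[len("Subject: "):]).strip()
    if "" not in lines:
        return headline, ""
    body = []
    for line in lines[lines.index("") + 1:]:
        if line == "---":
            break
        body.append(line)
    return headline, "\n".join(body).strip()


def build_file_changes(changed):
    """Map {path: bytes | None} to the fileChanges input shape.

    None marks a deleted path. Added and modified files both go in
    `additions` with base64 contents; the API replaces the blob at that path.
    """
    additions, deletions = [], []
    for path in sorted(changed):
        data = changed[path]
        if data is None:
            deletions.append({"path": path})
        else:
            additions.append({"path": path,
                              "contents": base64.b64encode(data).decode("ascii")})
    return {"additions": additions, "deletions": deletions}


def build_request(owner_repo, branch, expected_head_oid, patch_text, changed):
    """Assemble the JSON body POSTed to https://api.github.com/graphql.

    expected_head_oid must be the branch tip read before applying the patch:
    GitHub rejects the mutation if the branch has moved since, so a
    concurrent push cannot be silently overwritten.
    """
    headline, body = parse_commit_message(patch_text)
    variables = {"input": {
        "branch": {"repositoryNameWithOwner": owner_repo, "branchName": branch},
        "message": {"headline": headline, "body": body},
        "expectedHeadOid": expected_head_oid,
        "fileChanges": build_file_changes(changed),
    }}
    return {"query": MUTATION, "variables": variables}


if __name__ == "__main__":
    # Constructed change set: what `git am` left in the working tree.
    changes = {"VERSION": b"1.2.3\n", "CHANGELOG.draft": None}
    placeholder_oid = "0" * 40  # placeholder; use the real branch tip OID
    request = build_request("example-org/example-repo", "release/1.2.3",
                            placeholder_oid, SAMPLE_PATCH, changes)
    # Send with: requests.post(url, json=request,
    #                          headers={"Authorization": f"Bearer {token}"})
    print(json.dumps(request, indent=2))
```

Two points worth keeping in mind when wiring this into a workflow: `expectedHeadOid` is the only guard against clobbering a concurrent push, so read it immediately before the mutation rather than at job start; and the commit that comes back is signed with GitHub's own key, so the effective control is the scope and custody of the token making the call, not the signature check itself.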
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
Additional checkout of the workflows repo would be needed. I don't think this is worth it for this use case.
If I understand it correctly, if we enforce signed commits and pushing through SSH instead of HTTPS, it is still possible to make commits through the API using a token, and they will even get automatically signed?
Great job by GitHub to have a security measure and a publicly available backdoor, wtf 😄
Anyway, two things about this implementation:
- There are still a lot of steps required in the calling workflow. How about making this an action instead of a workflow? Then you could do all the steps inside of the action, and you wouldn't need the passing of the patch through the job output etc.
- The script could use some comments, right now it's just `git magic` to me 😄
Well, is it really a backdoor? :D You need to have a token with The action is a nice idea. We probably want to minimize the usage of this as much as possible, so maybe this being so cumbersome to use is a good thing 😅. (probably not) Note that there exist actions to do exactly this, but I feel like we want to own this code and not introduce another way to be vulnerable to a supply chain attack. I'll prototype the action. 👍
Does that actually work? When I tried to push commits with
Recent example of this: https://github.com/apify/apify-docs/pull/2289/files#r2864035748 And the subsequent fix here: apify/apify-docs#2296
Maybe private/public repos permissions mismatch? E.g. this works: https://github.com/apify/hub/blob/master/.github/workflows/build-custom-apps.yaml#L112
This PR introduces a workflow to push a commit through the GitHub API which is then automatically signed. This is useful when bumping package/image versions in applications and automating the creation of release PRs.