ESR: Use GitHub REST API for verified commits with submodule support#43
Merged
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
klutchell
force-pushed
the
kyle/verified-commit
branch
from
a1fcfe8 to
a813d18
Compare
Signed-off-by: Kyle Harding <kyle@balena.io>
Update actions/checkout Changelog-entry: Update actions/checkout to v6
Update actions/setup-python Changelog-entry: Update actions/setup-python to v6
klutchell
force-pushed
the
kyle/verified-commit
branch
from
a813d18 to
b74c147
Compare
There was a problem hiding this comment.
Pull request overview
This pull request updates the balenaOS GitHub workflows to use signed commits from the GitHub App bot by replacing manual git commit/push operations with the verified-bot-commit action. It also updates several GitHub Actions to newer versions and adds Renovate bot configuration for automated dependency updates.
Changes:
- Replaced
tibdex/github-app-tokenwith the officialactions/create-github-app-tokenaction for generating GitHub App tokens - Refactored the ESR branch creation workflow to use
iarekylew00t/verified-bot-commitfor signed commits instead of manual git commands - Updated
actions/checkoutandactions/setup-pythonto newer versions with commit SHA pinning - Added Renovate bot configuration file to enable automated dependency updates
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/esr.yml | Refactored to use verified-bot-commit action for signed commits, updated GitHub App token generation action, and updated action versions |
| .github/workflows/build_and_deploy.yml | Updated actions/checkout to v6 with commit SHA pinning |
| .github/renovate.json | Added Renovate bot configuration extending balena-io's shared config |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
auto-merge was automatically disabled
January 16, 2026 17:38
Pull request was converted to draft
klutchell
force-pushed
the
kyle/verified-commit
branch
3 times, most recently
from
808e17d to
9767fd5
Compare
klutchell
changed the title
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Replace local git commands with GitHub REST API calls to create verified (signed) commits from the GitHub App bot. This approach properly handles the meta-balena submodule which requires mode 160000 and type commit in tree entries. Changes: - Switch to actions/create-github-app-token for token generation - Use GitHub API for all git operations: - getRef with 404 handling to check branch existence - createRef to create branch before committing - createBlob/createTree for files and submodule - createCommit and updateRef for the versioned commit - createTag and createRef for the annotated tag - Remove GIT_AUTHOR/COMMITTER env vars (API uses app identity) - Add ESR_BOT_PRIVATE_KEY as required workflow secret - Split monolithic step into focused, documented steps Change-type: minor Signed-off-by: Kyle Harding <kyle@balena.io>
klutchell
force-pushed
the
kyle/verified-commit
branch
from
105136d to
141cc22
Compare
rcooke-warwick
approved these changes
Jan 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Replace local git commands with GitHub REST API calls to create verified
(signed) commits from the GitHub App bot. This approach properly handles
the meta-balena submodule which requires mode 160000 and type commit in
tree entries.
Changes:
Change-type: minor
See: https://balena.fibery.io/Work/Improvement/Update-balena-os-github-workflows-to-sign-commits-3628
__
Tested on a fork here