
need to sign commits #140

Merged
derekmisler merged 1 commit into docker:main from derekmisler:need-to-sign-commits
Apr 20, 2026

Conversation

@derekmisler (Contributor) commented Apr 20, 2026

Related Issues

Closes: https://github.com/docker/gordon/issues/403

Summary

Replaces all git commit + git push calls with the GraphQL createCommitOnBranch mutation so every CI-generated commit is cryptographically signed by GitHub's web-flow GPG key. This prepares the repo for the org-wide mandatory commit signing rollout (May 4 target).

What changed

New: src/signed-commit.ts + src/signed-commit-cli.ts
Core TypeScript module and CLI wrapper that create signed commits via the GraphQL createCommitOnBranch mutation. Accepts file paths via --add flags or piped through --add-stdin. Supports --force for create-or-update branch semantics and --delete for file removals. 14 unit tests in src/__tests__/signed-commit.test.ts.

release.yml — 3 commit points converted

  • Release commit + tag (Pass 1 & 2): Replaced git commit-tree + git tag + git push with two createCommitOnBranch calls on a staging branch, then API-based tag creation and staging branch cleanup.
  • Self-ref update (update-self-refs job): Replaced git checkout -B + git commit + git push --force with the CLI. Added pnpm/Node.js setup since this job didn't previously need a build step. File list passed between steps via /tmp/updated-files.txt.
  • Consumer repo updates (update-consumers job): Replaced git commit -s + git push --force with the CLI inside the existing loop. Added graceful error handling (|| { warning + continue }) for repos without write access.
  • Removed dead Configure git step (no more git push).
  • Added --head to all gh pr create calls (local HEAD stays on main with API commits).

update-docker-agent-version.yml — 1 commit point converted
Replaced git checkout -B + git commit + git push --force with the CLI. Added pnpm/Node.js setup steps.

rollup.config.mjs
Refactored to multi-target build: setup-credentials + signed-commit-cli.

Housekeeping

  • Added **/dist/ to .gitignore and biome.json excludes.
  • Deleted scripts/update-consumers.sh (dead code — the release workflow has its own inline implementation).

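The PR description above replaces local git commit/push with the GraphQL createCommitOnBranch mutation, which is what lets GitHub sign the commit with its web-flow key. The block below is an added example, not code from docker/gordon or from src/signed-commit.ts: it assembles and validates the mutation input (branch, expectedHeadOid, base64-encoded additions, deletions) the way a CI step would before sending it to the GraphQL endpoint. The field names follow GitHub's public GraphQL schema; the repository, branch and file names used in the test are constructed placeholders, and the validation helpers (pathProblem, oidProblem, parseFileList) are hypothetical names chosen for this example.

```typescript
// Added example, not docker/gordon's code: build the variables for GitHub's
// createCommitOnBranch GraphQL mutation so a CI job can commit with no local
// signing key. GitHub signs the resulting commit with its web-flow key.

export interface CreateCommitOnBranchInput {
  branch: { repositoryNameWithOwner: string; branchName: string };
  message: { headline: string; body?: string };
  // Branch tip the caller observed; GitHub rejects the mutation if the branch
  // has moved since, so a read-then-write sequence cannot clobber a concurrent push.
  expectedHeadOid: string;
  fileChanges: {
    additions: Array<{ path: string; contents: string }>; // contents is base64
    deletions: Array<{ path: string }>;
  };
}

// The mutation document; field names follow the public GitHub GraphQL schema.
export const CREATE_COMMIT_ON_BRANCH = `
mutation ($input: CreateCommitOnBranchInput!) {
  createCommitOnBranch(input: $input) { commit { oid url } }
}`;

export interface CommitRequest {
  repo: string;                 // "owner/name"
  branch: string;
  expectedHeadOid: string;
  headline: string;
  body?: string;
  add?: Record<string, string>; // repo-relative path -> plaintext contents
  remove?: string[];            // repo-relative paths to delete
}

// Returns why a path must be rejected, or null if it is acceptable. The API
// takes repo-relative paths; an absolute path or a ".." segment is either
// meaningless or a sign that an untrusted file list reached this step.
export function pathProblem(path: string): string | null {
  if (path.length === 0) return "empty path";
  if (path.startsWith("/") || /^[A-Za-z]:[\\\/]/.test(path)) return `absolute path: ${path}`;
  if (path.split(/[\\\/]/).some((seg) => seg === "..")) return `parent traversal: ${path}`;
  return null;
}

// GitHub object ids are 40 lowercase hex characters (SHA-1).
export function oidProblem(oid: string): string | null {
  return /^[0-9a-f]{40}$/.test(oid) ? null : `not a git object id: ${oid}`;
}

// Parses the newline-separated list a workflow step might pipe in (the PR's
// --add-stdin / /tmp/updated-files.txt pattern): trim, drop blanks, dedupe.
export function parseFileList(text: string): string[] {
  const seen = new Set<string>();
  for (const line of text.split("\n")) {
    const p = line.trim();
    if (p.length > 0 && !seen.has(p)) seen.add(p);
  }
  return Array.from(seen);
}

// UTF-8 + base64 encoder written out so the example has no runtime dependencies.
export function toBase64(text: string): string {
  const bytes: number[] = [];
  for (let i = 0; i < text.length; i++) {
    const cp = text.codePointAt(i) as number;
    if (cp > 0xffff) i++; // the code point used two UTF-16 units
    if (cp < 0x80) bytes.push(cp);
    else if (cp < 0x800) bytes.push(0xc0 | (cp >> 6), 0x80 | (cp & 0x3f));
    else if (cp < 0x10000) bytes.push(0xe0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3f), 0x80 | (cp & 0x3f));
    else bytes.push(0xf0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3f), 0x80 | ((cp >> 6) & 0x3f), 0x80 | (cp & 0x3f));
  }
  const table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  let out = "";
  for (let i = 0; i < bytes.length; i += 3) {
    const b1 = bytes[i + 1];
    const b2 = bytes[i + 2];
    const n = (bytes[i] << 16) | ((b1 ?? 0) << 8) | (b2 ?? 0);
    out += table[(n >> 18) & 63] + table[(n >> 12) & 63];
    out += b1 === undefined ? "=" : table[(n >> 6) & 63];
    out += b2 === undefined ? "=" : table[n & 63];
  }
  return out;
}

// Assembles and validates the mutation input. Throws instead of sending a
// request the API would reject or that would write outside the intended tree.
export function buildCommitInput(req: CommitRequest): CreateCommitOnBranchInput {
  const oidErr = oidProblem(req.expectedHeadOid);
  if (oidErr) throw new Error(oidErr);
  const add = req.add ?? {};
  const additions = Object.keys(add).map((path) => {
    const err = pathProblem(path);
    if (err) throw new Error(err);
    return { path, contents: toBase64(add[path]) };
  });
  const deletions = (req.remove ?? []).map((path) => {
    const err = pathProblem(path);
    if (err) throw new Error(err);
    return { path };
  });
  if (additions.length + deletions.length === 0) throw new Error("no file changes");
  return {
    branch: { repositoryNameWithOwner: req.repo, branchName: req.branch },
    message: req.body ? { headline: req.headline, body: req.body } : { headline: req.headline },
    expectedHeadOid: req.expectedHeadOid,
    fileChanges: { additions, deletions },
  };
}
```

The caller would first query the branch's current head oid, pass it as expectedHeadOid, and POST `{ query: CREATE_COMMIT_ON_BRANCH, variables: { input } }` with a token that has contents write access; a stale oid makes the API refuse the commit rather than silently overwrite someone else's push, which is the property the PR's --force create-or-update semantics must preserve.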

@derekmisler derekmisler self-assigned this Apr 20, 2026
@derekmisler derekmisler requested a review from a team April 20, 2026 13:50
@derekmisler derekmisler marked this pull request as ready for review April 20, 2026 13:50
@docker-agent (Bot, Contributor) left a comment


Assessment: 🟡 NEEDS ATTENTION

Two medium-severity issues found in the new signed-commit infrastructure. Verification was attempted but returned inconclusive; findings are surfaced from the drafter for author evaluation.

Comment thread .github/workflows/release.yml
Comment thread src/signed-commit-cli.ts Outdated
@derekmisler derekmisler force-pushed the need-to-sign-commits branch from 3318bee to 8e80d73 April 20, 2026 19:40
Signed-off-by: Derek Misler <derek.misler@docker.com>
@derekmisler derekmisler force-pushed the need-to-sign-commits branch from 8e80d73 to e142517 April 20, 2026 19:43
@derekmisler derekmisler enabled auto-merge (squash) April 20, 2026 19:43
@derekmisler derekmisler merged commit 7678596 into docker:main Apr 20, 2026
11 checks passed