
Add custom commit message and commit signing support to deploy action #3432

Merged: plengauer merged 4 commits into main from copilot/add-commit-options-api, May 14, 2026


Contributor

Copilot AI commented May 12, 2026

Organizations with branch rulesets requiring specific commit message formats or signed commits had no way to configure the deploy action's hardcoded "deploy opentelemetry" commit message or enable commit signing.

Changes

  • New commit_message input — replaces hardcoded "deploy opentelemetry" in both the direct push and pull request fallback paths; defaults to the existing string for backward compatibility
  • New ssh_signing_key input — SSH private key for signing commits using git's built-in SSH signing support (available on all GitHub-hosted runners with git 2.34+); mutually exclusive with gpg_private_key
  • New gpg_private_key input — armored GPG private key for signing commits; mutually exclusive with ssh_signing_key
  • New gpg_passphrase input — optional passphrase for the GPG private key (only used when gpg_private_key is set)
  • Early validation — the workflow fails immediately with a clear error if both ssh_signing_key and gpg_private_key are set at the same time
  • "Configure commit signing (SSH)" step — writes the SSH key to ~/.ssh/signing_key, sets git config gpg.format ssh and git config user.signingkey, and enables commit.gpgsign
  • "Configure commit signing (GPG)" step — imports the GPG key, extracts the key ID and keygrip, configures git signing, and pre-caches the passphrase via gpg-preset-passphrase for non-interactive use

Only one of ssh_signing_key or gpg_private_key may be set; setting both is an error.

Usage

# SSH signing
- uses: plengauer/Thoth/actions/instrument/deploy@v5
  with:
    commit_message: 'chore(otel): deploy instrumentation'
    ssh_signing_key: ${{ secrets.SSH_SIGNING_KEY }}

# GPG signing
- uses: plengauer/Thoth/actions/instrument/deploy@v5
  with:
    commit_message: 'chore(otel): deploy instrumentation'
    gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
    gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }}

Note: Commit signing applies to the direct push path. The pull request fallback path (peter-evans/create-pull-request) uses the custom commit message but does not sign commits.

Copilot AI linked an issue May 12, 2026 that may be closed by this pull request
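The early-validation and "Configure commit signing (SSH)" steps listed in the PR description above, as an added shell sketch that is not the action's own code. The function names, the key-file path argument and the placeholder key value are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not taken from actions/instrument/deploy/action.yml.
# Function names and the key_file argument are hypothetical.

# Fail early when both signing inputs are set. The message is the one
# quoted in the PR thread; "::error::" makes it a workflow annotation.
validate_signing_inputs() {
  local ssh_key="$1" gpg_key="$2"
  if [ -n "$ssh_key" ] && [ -n "$gpg_key" ]; then
    echo "::error::Only one of ssh_signing_key or gpg_private_key may be set, not both."
    return 1
  fi
  return 0
}

# Write the private key with owner-only permissions, then enable SSH
# signing for a single repository (repo-local config, not --global).
configure_ssh_signing() {
  local ssh_key="$1" repo="$2" key_file="$3"
  [ -n "$ssh_key" ] || return 0   # signing is optional: nothing to do
  mkdir -p "$(dirname "$key_file")"
  # umask covers a newly created file, chmod covers a pre-existing one.
  ( umask 077 && printf '%s\n' "$ssh_key" > "$key_file" )
  chmod 600 "$key_file"
  git -C "$repo" config gpg.format ssh
  git -C "$repo" config user.signingkey "$key_file"
  git -C "$repo" config commit.gpgsign true
}

# Constructed placeholder value, not a real key.
validate_signing_inputs "CONSTRUCTED-PLACEHOLDER-KEY" "" && echo "inputs ok"
```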
@plengauer
Owner

Hello, thanks for contributing for the first time!

Copilot AI changed the title [WIP] Add options for custom commit message and signing Add custom commit message and GPG signing support to deploy action May 12, 2026
Copilot AI requested a review from plengauer May 12, 2026 06:00
Owner

@plengauer plengauer left a comment


@copilot are the gpg parameters really necessary? Can't this commit signing be simplified considering we know we run on a github hosted runner?

Contributor Author

Copilot AI commented May 12, 2026

@copilot are the gpg parameters really necessary? Can't this commit signing be simplified considering we know we run on a github hosted runner?

Simplified in 7a0b56c. Replaced the two GPG inputs (gpg_private_key + gpg_passphrase) with a single ssh_signing_key input that uses git's SSH signing support (available on all GitHub-hosted runners with git 2.34+). This drops all GPG agent setup, passphrase caching, and key fingerprint extraction — the signing step is now just writing the key to a file and setting two git config options.

Copilot AI changed the title Add custom commit message and GPG signing support to deploy action Add custom commit message and SSH commit signing support to deploy action May 12, 2026
Copilot AI requested a review from plengauer May 12, 2026 06:19
Owner

@plengauer plengauer left a comment


@copilot should we do both the ssh thing and the gpg depending on what's available? Specify in the desc that only one group of input vars may be set and fail early in the workflow if all are set

Contributor Author

Copilot AI commented May 12, 2026

@copilot should we do both the ssh thing and the gpg depending on what's available? Specify in the desc that only one group of input vars may be set and fail early in the workflow if all are set

Done in 2af099f. Both ssh_signing_key and gpg_private_key/gpg_passphrase are now available. A dedicated validation step runs first and exits with a clear error (::error::Only one of ssh_signing_key or gpg_private_key may be set, not both.) if both are supplied. The SSH and GPG signing steps are mutually exclusive via their if: conditions. The input descriptions also note the mutual exclusivity.

Copilot AI changed the title Add custom commit message and SSH commit signing support to deploy action Add custom commit message and commit signing support to deploy action May 12, 2026
Copilot AI requested a review from plengauer May 12, 2026 06:29
@plengauer plengauer marked this pull request as ready for review May 12, 2026 07:05
@plengauer plengauer requested a review from moflwi as a code owner May 12, 2026 07:05
Copilot AI review requested due to automatic review settings May 12, 2026 07:05
@plengauer plengauer enabled auto-merge (squash) May 12, 2026 07:05
Contributor

Copilot AI left a comment


Pull request overview

This PR enhances the actions/instrument/deploy composite action to support configurable deployment commit messages and optional commit signing, addressing org policies that require specific commit formats and/or signed commits.

Changes:

  • Add a commit_message input and use it for both the direct push and PR fallback commit messages (defaulting to the prior "deploy opentelemetry" for compatibility).
  • Add optional commit signing configuration via either ssh_signing_key (SSH signing) or gpg_private_key (+ optional gpg_passphrase) with early mutual-exclusion validation.

Comment thread actions/instrument/deploy/action.yml
Comment thread actions/instrument/deploy/action.yml
Comment thread actions/instrument/deploy/action.yml
@plengauer plengauer merged commit ddc1c92 into main May 14, 2026
1695 of 1698 checks passed
@plengauer plengauer deleted the copilot/add-commit-options-api branch May 14, 2026 08:10

Development

Successfully merging this pull request may close these issues.

Custom commit message and commit signing
