ci: sign commits in bump_version workflow [SEC-2166]#116
Merged
Conversation
Switches token minting to actions/create-github-app-token@v3.1.1 (pinned by SHA), uses SEMGREP_CI_CLIENT_ID, scopes the token to this repo via `repositories:`, and drops the now-unused permissions block since the workflow no longer relies on secrets.GITHUB_TOKEN. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replaces local `git commit -am` (unsigned) with peter-evans/create-pull-request using `sign-commits: true`, which creates the commit through the GitHub Contents API so the App installation token signs it. Also collapses the manual `gh pr create` step (peter-evans handles PR creation) and switches the tag to `gh api .../git/refs`, pointing at the new commit SHA returned by peter-evans rather than the now-stale local HEAD. Pins actions/checkout to v6.0.2 by SHA and drops its write token in favor of `persist-credentials: false` since nothing pushes via local git anymore. Normalizes input access on `inputs.*`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
leifdreizler
commented
May 8, 2026
app-id is deprecated in v3.1.1 with a "Use 'client-id' instead" deprecation message. The secret is already SEMGREP_CI_CLIENT_ID, so swap the input name to match. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
When the dispatched version is already on develop, bump-version.sh is a no-op and peter-evans sets pull-request-operation=none with pull-request-head-sha pointing at develop's existing HEAD. The tag step then tried to create refs/tags/vX.Y.Z at that already-tagged commit and failed with 422 "Reference already exists". Gate the tag step on a PR actually being created/updated so no-op dispatches exit cleanly. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
leifdreizler
commented
May 8, 2026
leifdreizler
commented
May 8, 2026
leifdreizler
changed the title
bump_version workflowbump_version workflow [SEC-2166]
yosefAlsuhaibani
approved these changes
May 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Makes the
bump_versionworkflow produce signed commitsgit commit -am(unsigned, the cause of the "Require Signed Commits" Fails in Rule Insights) withpeter-evans/create-pull-request@v8.1.1gh pr createstep and the unreachablegh pr list | grep"PR exists" guard are gone.gh api .../git/refsagainstpull-request-head-shafrom peter-evans, since local HEAD doesn't advance after an API commit. Result is the same lightweight tag as before.actions/create-github-app-token@v3.1.1permissions: {}since the workflow no longer touchessecrets.GITHUB_TOKEN.Testing
This run successfully opened this PR. Tagging correctly skipped for existing version on this run.
🤖 Generated with Claude Code