Commits changes to the repository through the GitHub API instead of traditional git commands. Secure drop-in replacement for grafana/github-api-commit-action.

step-security/github-api-commit-action

GitHub Api Commit

This action commits to the checked-out repo via the GraphQL mutation createCommitOnBranch. Commits created through this mutation are signed automatically on behalf of the authenticated user. This is useful when a GitHub App makes bot-related commits and the repo requires signed commits.

It will build a list of file additions and deletions to commit, and just before committing will fetch the latest commit OID from the remote repo. It will commit to whatever branch is currently checked out in the workflow. For instance, if you create a branch via git checkout -b my-test-branch in one of your steps, it will commit to my-test-branch.
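The request described above can be sketched as follows. This is an added example, not the action's own code: it assumes the staged changes are listed with `git diff --cached --name-status`, and the function names, repository name and sample data are constructed for illustration.

```python
import base64
import json

# GraphQL document for the createCommitOnBranch mutation.
MUTATION = """
mutation ($input: CreateCommitOnBranchInput!) {
  createCommitOnBranch(input: $input) { commit { oid url } }
}
"""

def parse_name_status(text):
    """Split `git diff --cached --name-status` output into (added, deleted).

    Assumes paths contain no tabs or newlines (otherwise use `-z`).
    """
    added, deleted = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, *paths = line.split("\t")
        if status[0] == "D":
            deleted.append(paths[0])
        elif status[0] == "R":      # rename: delete old path, add new path
            deleted.append(paths[0])
            added.append(paths[1])
        elif status[0] == "C":      # copy: source stays, add destination
            added.append(paths[1])
        else:                       # A (added), M (modified), T (type change)
            added.append(paths[0])
    return added, deleted

def build_request(repo, branch, head_oid, message, name_status, read_file):
    """Return the JSON body to POST to the GitHub GraphQL endpoint."""
    added, deleted = parse_name_status(name_status)
    headline, _, body = message.partition("\n\n")
    variables = {"input": {
        "branch": {"repositoryNameWithOwner": repo, "branchName": branch},
        # The mutation is rejected if the branch head is no longer this OID,
        # so a commit is never created on top of a head the workflow has not seen.
        "expectedHeadOid": head_oid,
        "message": {"headline": headline, "body": body},
        "fileChanges": {
            # File contents are sent base64-encoded.
            "additions": [{"path": p, "contents":
                           base64.b64encode(read_file(p)).decode("ascii")}
                          for p in added],
            "deletions": [{"path": p} for p in deleted],
        },
    }}
    return json.dumps({"query": MUTATION, "variables": variables})

# Constructed sample input: one modified file, one deletion, one rename.
SAMPLE_STATUS = "M\tREADME.md\nD\told.txt\nR100\tsrc/a.py\tsrc/b.py\n"
SAMPLE_FILES = {"README.md": b"hello\n", "src/b.py": b"print(1)\n"}
```

In a workflow, `read_file` would read each path from the checkout, and `head_oid` would be the latest commit OID fetched from the remote just before the request is sent.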

Usage:

  - name: Commit changes
    uses: step-security/github-api-commit-action@v1
    with:
      commit-message: "<commit-message>" # Commit message defaults to "Commit performed by step-security/github-api-commit-action"
      create-branch-on-remote: true | false # Whether to create the branch on the remote if it doesn't exist: Defaults to false
      stage-all-files: true | false # Whether to additionally stage any changed files in the checkout. Defaults to false
      token: ${{ github.token }} # Token you want to authenticate with

Example: Using a GitHub App Installation Token

  - uses: actions/create-github-app-token@v2
    id: get_installation_token
    with:
      app-id: ${{ secrets.GITHUB_APP_ID }} # v2 of create-github-app-token accepts only the hyphenated input names
      private-key: ${{ secrets.GITHUB_APP_PRIVATE_KEY }}

  - name: Commit changes
    uses: step-security/github-api-commit-action@v1
    with:
      commit-message: "<commit-message>" # Commit message defaults to "Commit performed by step-security/github-api-commit-action"
      create-branch-on-remote: true | false # Whether to create the branch on the remote if it doesn't exist already: Defaults to false
      stage-all-files: true | false # Whether to additionally stage any changed files in the checkout. Defaults to false
      token: ${{ steps.get_installation_token.outputs.token }} # Token you want to authenticate with

Committing in your workflow can normally be done using git commands or other actions that perform commits for you. However, if you are using a GitHub App installation token and your repository requires commit signing, there is no way to attach a signing key to your commit, and it must be done through the GitHub API.

The general steps are:

  1. Create a tree
  2. Create a commit
  3. Update the head reference

An example can be found here.

When committing through the GitHub API using a GitHub App installation token, GitHub will recognize the app and add commit signing for you.
