From 0443ce9018f9d5ccd5a88393d05f5f316d5f6ac5 Mon Sep 17 00:00:00 2001 From: Jonathan Suever <653357+suever@users.noreply.github.com> Date: Wed, 8 Jul 2026 12:13:09 -0400 Subject: [PATCH] [DEVREL-144] Use verified-bot-commit action for OpenAPI sync commits Replace the hardcoded justinpolygon identity and GPG signing with the verified-bot-commit action which creates commits through the Git Data API. Commits are automatically marked as verified by GitHub and authored by the GitHub App without needing a separate GPG key. --- .github/workflows/sync-openapi.yml | 25 ++++++++++++------------- scripts/readme.md | 4 +--- 2 files changed, 13 insertions(+), 16 deletions(-) diff --git a/.github/workflows/sync-openapi.yml b/.github/workflows/sync-openapi.yml index 965b39aa..2bd7d67a 100644 --- a/.github/workflows/sync-openapi.yml +++ b/.github/workflows/sync-openapi.yml @@ -73,26 +73,25 @@ jobs: git diff --cached --stat | tail -25 fi - - name: Import GPG signing key - if: steps.diff.outputs.changed == 'true' - uses: crazy-max/ghaction-import-gpg@v6 - with: - gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} - git_user_signingkey: true - git_commit_gpgsign: true - # A unique branch per run (date + run id) so every sync opens a brand-new # PR and never reuses/updates a previous one. - - name: Commit and push + - name: Create sync branch if: steps.diff.outputs.changed == 'true' run: | - git config user.name "justinpolygon" - git config user.email "123573436+justinpolygon@users.noreply.github.com" BRANCH="bot/openapi-sync-$(date -u +'%Y-%m-%d')-${GITHUB_RUN_ID}" echo "BRANCH=$BRANCH" >> "$GITHUB_ENV" git checkout -B "$BRANCH" - git commit -S -m "Sync client-go with OpenAPI spec" - git push origin "$BRANCH" + + - name: Commit and push + if: steps.diff.outputs.changed == 'true' + uses: iarekylew00t/verified-bot-commit@v2 + with: + token: ${{ steps.app-token.outputs.token }} + message: "Sync client-go with OpenAPI spec" + ref: ${{ env.BRANCH }} + files: | + rest/ + scripts/ - name: Open PR if: steps.diff.outputs.changed == 'true' diff --git a/scripts/readme.md b/scripts/readme.md index d492c406..d2cf89f2 100644 --- a/scripts/readme.md +++ b/scripts/readme.md @@ -53,8 +53,7 @@ what's committed it: - mints a short-lived **GitHub App** token (the default `GITHUB_TOKEN` can't open PRs — org policy blocks it), -- makes a **GPG-signed** commit as the bot identity `justinpolygon` - (`123573436+justinpolygon@users.noreply.github.com`), +- commits as the GitHub App's bot identity, - pushes a **unique** branch `bot/openapi-sync--` and opens a brand-new `[bot]`-prefixed PR (never reusing an existing one, so author ≠ reviewer), @@ -66,7 +65,6 @@ what's committed it: | --- | --- | --- | | Variable | `MASSIVE_CLIENT_LIBRARY_AUTOMATION_APP_ID` | GitHub App id (App must be installed on this repo) | | Secret | `MASSIVE_CLIENT_LIBRARY_AUTOMATION_APP_PRIVATE_KEY` | GitHub App private key | -| Secret | `GPG_PRIVATE_KEY` | Signs the bot commit (shared with client-jvm / client-js) | | Secret | `SLACK_CLIENT_LIBRARY_WEBHOOK` | Slack notification (shared; optional — skipped if unset) | ## Per-file reference