Use verified commits for GitHub apps

[alvarezfr]

Hi @BetaHuhn, I have to say that I have been playing with this Action and I'm loving it!

I would like to make a PR to include/replace the current behavior of making commits when using a GitHub app token to be able to create signed commits when doing the syncs with this kind of authentication.

I have been making some tests with your action locally and I have a version working but it is very disruptive with your current work, so please tell me if you are interested in this kind of feature and I will take some time to adapt better the functionality to your code before making the pull request.

Please, take in mind that to be able of doing this we will need to make the commits using the GitHub API, we cannot make use of the local git for pushing the changes. The flow of making the commit basically consists of these steps:

• Create the branch (this can be done with local git)
• Identify the branch git tree and last commit sha (probably these values can be obtained using the git cli, but I was using the API)
• Create a git tree with the files changes and upload it (using the API. I have it currently working only for adding files, but I could make it work for deleting too)
• Commit and update the branch ref to the last commit (using the API)

Also, I would ask you a stupid question, how do you see the core.debug locally? I have replaced them with console.log when playing with your action locally, but I'm sure that it must be an easier way to get them locally.

This is my proposal, thanks for reading! 😁

[BetaHuhn]

Hey @alvarezfr,

thanks for the nice words and for taking the time to create this discussion!

So your goal is to essentially sign all commits made by this action?

If so, please first take a look at the import-gpg, it might solve your problem without any changes to the repo-file-sync-action. It allows you to specify a GPG key and the action will setup git to use that key to sign commits automatically. Since repo-file-sync-action uses git under the hood all its commits would be signed as well.

Regarding the debug logs, if you run the action locally it should output the debug logs already, at least it does for me. How are you running the action locally?

[alvarezfr]

Thanks for taking the time to review this request.

I totally understand your concern, but what I'm proposing is not a full replacement. I think that this change is only useful when using the GH_INSTALLATION_TOKEN as authentication (because of the automatic commit verification only for bots), so for this, I only want a replacement of the way of making commits only in this scenario.

I have been working on a version that is cleaner than before and less disruptive with your original code (the previous one was just a quick proof of concept). In this version, the code follows your git workflow but before making the push, I review the commits pending of pushing and recreate all the commits using the GitHub API to be as close to your code as possible.

I will upload the PR in a few minutes, maybe you find this version more interesting.

[alvarezfr]

Created the PR 😃

[BetaHuhn]

Great, thanks! Will take a look 😄

[BetaHuhn]

Thanks again @alvarezfr! Merged and released in v1.17.0 🎉

Sorry it took so long for me to review and merge this :/

[alvarezfr]

Thanks @BetaHuhn!