Creating signed tags in a Github action. #27016
-
Hello, I have a question about how to handle the GitHub Actions environment. In one of my repos, I am trying to automate the creation of release tags when merging to master. My current approach consists of using octokit/rest.js to access GitHub when an action is triggered: when a pull request to master has been closed and merged, the action executes a Node file which, using a personal GitHub token, calls git.createTag and git.createRef, which create the tags. In a nutshell: My GitHub action:
My js file:
This works. However, I would like the tags to be signed (verified) as well. Is there any approach where tags (or any action in general) could be signed within a GitHub action environment? How can/should I provide a PGP key to octokit/rest.js to sign? Should I use some bash commands instead/before? Thank you!
Replies: 7 comments
-
Hi @jmonguilo, I tested this action: mathieudutour/github-tag-action. I can automatically bump and tag master, on merge, with the latest SemVer formatted version. And the tag created by this action has the “Verified” tag. The workflow is triggered by the pull_request event, not the push event. Here is the ts file of the action: https://github.com/mathieudutour/github-tag-action/blob/master/src/main.ts If this does not help, could you share your action here?
-
Hi @yanjingzhu, thank you for your reply! I am trying to use a personal access token instead of GitHub’s token. I still need to figure out how to pass signature information as well. Nevertheless, I have also tried to use GITHUB_TOKEN instead of MY_TOKEN, and could not get the verified tag. Perhaps something different in my approach with respect? Here is the complete code I am using to test the action (putting tag names in manually for the moment, but the interaction with octokit at the end is the same as mathieudutour/github-tag-action): ./.github/workflows/release.yml
./tag/index.js action:
-
Hi @jmonguilo, thank you for sharing your index.js file. I have tested it in my action. The tag created by this action doesn’t have a verified symbol. I am trying to ask for help from the GitHub engineering team. This may take some time. Appreciate your patience.
-
@jmonguilo I got a response from the engineering team. In your action, the new tag is created using the REST API; there is no method to create a signed tag using the REST API. The action mathieudutour/github-tag-action I provided before does the signing of the commit on the command line and then pushes it up. We would encourage you to customize github-tag-action instead of using octokit directly.
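The command-line route this reply describes (sign locally, then push), as an added example that is not code from the thread or from github-tag-action. The names GPG_PRIVATE_KEY, TAG, SIGNING_NAME and SIGNING_EMAIL are assumptions, as is a signing key exported without a passphrase; for the "Verified" badge the matching public key has to be registered on the GitHub account that owns the signing email.

```shell
#!/bin/sh
# Added example: create a GPG-signed annotated tag on the runner and push it.
# Assumed inputs (hypothetical names, supplied as workflow secrets/env):
#   GPG_PRIVATE_KEY  ASCII-armored private key without a passphrase
#   TAG, SIGNING_NAME, SIGNING_EMAIL

# Import an armored private key from stdin into the keyring selected by
# GNUPGHOME and print the fingerprint of the first secret key found.
import_signing_key() {
  gpg --batch --quiet --import || return 1
  gpg --batch --with-colons --list-secret-keys |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# create_signed_tag <repo-dir> <tag> <key-fingerprint> <name> <email>
# Signs an annotated tag on HEAD, then fails unless the signature verifies.
create_signed_tag() {
  git -C "$1" -c user.name="$4" -c user.email="$5" -c user.signingkey="$3" \
    tag -s "$2" -m "Release $2" || return 1
  git -C "$1" tag -v "$2" >/dev/null 2>&1
}

# Workflow entry point: throwaway keyring, sign, push, clean up.
main() {
  set -eu
  GNUPGHOME=$(mktemp -d)
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  # Remove the key material from the runner when the step ends.
  trap 'gpgconf --kill gpg-agent; rm -rf "$GNUPGHOME"' EXIT
  key=$(printf '%s\n' "$GPG_PRIVATE_KEY" | import_signing_key)
  create_signed_tag . "$TAG" "$key" "$SIGNING_NAME" "$SIGNING_EMAIL"
  git push origin "refs/tags/$TAG"
}

# Only run when the key is present in the environment (i.e. inside the workflow).
if [ -n "${GPG_PRIVATE_KEY:-}" ]; then
  main
fi
```

The tagger email passed to `create_signed_tag` should match a user ID on the key, since that is the identity the signature is checked against.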
-
Nice, now actions can do that now. Sweet.
-
Hi @yanjingzhu, thank you very much, indeed I think I will use this approach in the future. In the meantime, I have used Octokit’s create release
which for this particular case is acceptable and creates a signed tag with the committer signature.
-
I recommend this.