fix(ci): sign release PR commits so they pass branch protection #388

Merged
jwilger merged 1 commit from fix/release-plz-signed-commits into main 2026-06-12 18:06:50 -07:00
Owner

Summary

Second follow-up to the Forgejo migration. After the auth fix (#387), the release-plz run on main authenticated and pushed successfully but was rejected by the pre-receive hook:

remote: Forgejo: branch release-plz-... is protected from unverified commit dd5c12a
! [remote rejected] (pre-receive hook declined)

main requires verified (signed) commits, and release-plz's own release-PR commit is unsigned.

Fix

Adopt the pattern the other Slipstream repos (emc) use:

  • Run release-plz update to produce the version/changelog file changes only.
  • Create and push an explicitly SSH-signed commit ourselves, asserting the gpgsig header is present before pushing.
  • Signing key comes from the org-level RELEASE_SIGNING_KEY secret; committer identity matches emc's verified-by-Forgejo bot identity.

Ported configure-release-plz-git-signing.sh and create-release-plz-release-pr.sh verbatim from emc, and restructured the release-pr job to source the auth + signing helpers and run the create script instead of calling release-plz release-pr directly.

publish.yml is unchanged — release-plz release only pushes tags pointing at already-verified commits, so it doesn't hit the signed-commit gate.

CI/infra only; no library changes.

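The flow the description outlines (run `release-plz update`, commit the result with an explicit SSH signature, refuse to push unless the commit object carries a `gpgsig` header), written out as an added bash example. This is not the repository's `configure-release-plz-git-signing.sh` or `create-release-plz-release-pr.sh` and was not ported from emc. It assumes `RELEASE_SIGNING_KEY` holds an OpenSSH private key, `RELEASE_PLZ_TOKEN` is set, and the bot name, bot e-mail and `RELEASE_BRANCH` default are placeholders, not the identities the Slipstream repos use:

```bash
#!/usr/bin/env bash
# Added example, not the repo's configure-release-plz-git-signing.sh or
# create-release-plz-release-pr.sh. Assumptions: RELEASE_SIGNING_KEY holds an
# OpenSSH private key, RELEASE_PLZ_TOKEN is the forge token, and the bot
# identity and RELEASE_BRANCH default below are placeholders.
set -euo pipefail

# Read a raw commit object (the output of `git cat-file -p <sha>`) on stdin
# and succeed only if the header block (everything before the first blank
# line) carries a gpgsig header. The word "gpgsig" inside the commit message
# body does not count, which is why the header block is delimited explicitly.
commit_object_is_signed() {
  awk '
    /^$/ { body = 1 }
    !body && /^gpgsig / { found = 1 }
    END { exit !found }
  '
}

# Fail before anything reaches the remote if HEAD is not signed.
assert_head_is_signed() {
  git cat-file -p HEAD | commit_object_is_signed \
    || { echo "refusing to push: HEAD carries no gpgsig header" >&2; return 1; }
}

# Write the bot's private key to a 0600 temp file and point git at it.
# Prints the key path so the caller can remove it when done.
configure_ssh_signing() {
  local keyfile
  keyfile="$(mktemp)"
  chmod 600 "$keyfile"
  printf '%s\n' "${RELEASE_SIGNING_KEY:?RELEASE_SIGNING_KEY is not set}" > "$keyfile"
  git config gpg.format ssh
  git config user.signingkey "$keyfile"
  git config commit.gpgsign true
  # Placeholder bot identity: the committer e-mail must belong to the forge
  # account that has the matching public key registered, or the forge will
  # not mark the commit verified even though it is signed.
  git config user.name  "release-bot"
  git config user.email "release-bot@example.invalid"
  printf '%s\n' "$keyfile"
}

# The release-PR flow from the description: update files, sign, assert, push.
create_signed_release_pr() {
  : "${RELEASE_PLZ_TOKEN:?RELEASE_PLZ_TOKEN is not set}"
  local branch="${RELEASE_BRANCH:-release-plz-update}"   # placeholder name
  local keyfile
  keyfile="$(configure_ssh_signing)"
  trap "rm -f '$keyfile'" EXIT                            # never leave the key on disk

  git checkout -B "$branch"
  release-plz update                  # bump versions and changelogs only
  git add -A
  git commit -S -m "chore: release"   # -S: sign with the configured SSH key
  assert_head_is_signed               # the same gate the pre-receive hook enforces
  git push --force-with-lease origin "$branch"
  # Opening or updating the PR itself (a forge API call authenticated with
  # RELEASE_PLZ_TOKEN) is left to the caller; this example stops at the push.
}

# Run the flow only when explicitly asked, so sourcing this file for its
# helpers has no side effects.
if [ "${1:-}" = "run" ]; then
  create_signed_release_pr
fi
```

Two caveats worth keeping in mind with this pattern. A `gpgsig` header only proves that some signature was attached locally; whether Forgejo shows the commit as verified depends on the signing public key being registered on the account whose identity the committer fields name, so the header check catches a misconfigured signer but not a key that the forge does not know. And `pipefail` is deliberate: with it, a failure of `git cat-file` (for example no commit at all) is reported as an unsigned HEAD rather than being swallowed by the pipeline.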
fix(ci): sign release PR commits so they pass branch protection
All checks were successful
CI / Detect Changes (pull_request) Successful in 3s
CI / Request auto_review semantic review (pull_request) Successful in 1s
CI / Test (pull_request) Has been skipped
CI / Clippy (pull_request) Has been skipped
auto_review auto_review: no findings
CI / Security Audit (pull_request) Has been skipped
CI / Mutation (pull_request) Has been skipped
CI / Format (pull_request) Successful in 15s
CI / CI Gate (pull_request) Successful in 1s
fbd3fdd12f
main rejects unverified commits ("branch ... is protected from
unverified commit"), and release-plz's own release-PR commit is
unsigned, so its push was rejected by the pre-receive hook.

Adopt the pattern the other Slipstream repos (emc) use: run
`release-plz update` to produce the version/changelog file changes,
then create and push an explicitly SSH-signed commit ourselves. The
RELEASE_SIGNING_KEY org secret holds the bot's signing key; the
commit is asserted to carry a gpgsig header before it is pushed.

- Add configure-release-plz-git-signing.sh (SSH or GPG signing from
  RELEASE_SIGNING_KEY) and create-release-plz-release-pr.sh, ported
  verbatim from the emc repo.
- Restructure the release-pr job to source the auth + signing helpers,
  set the bot identity, and run the create script instead of calling
  release-plz release-pr directly.
- Gate the job on RELEASE_PLZ_TOKEN and RELEASE_SIGNING_KEY being set.

publish.yml is unchanged: `release-plz release` only pushes tags that
point at already-verified commits on main, so it does not hit the
signed-commit gate.
auto-review left a comment

This PR introduces scripts to sign release PR commits, ensuring compliance with branch protection rules requiring verified commits. The changes appear safe to merge, focusing on CI improvements without affecting the library code.

Walkthrough

  • Scripts for Signing Commits
    • Added configure-release-plz-git-signing.sh to configure SSH or GPG signing based on the provided key.
    • Added create-release-plz-release-pr.sh to create or update release PRs with signed commits.
  • CI Workflow Changes
    • Updated release-plz.yml to use the new scripts for signing and creating release PRs.
    • Introduced environment variable checks to ensure necessary secrets are available before proceeding with the release process.

LLM usage and cost

  • Reasoning (gpt-4o) in=3989 out=323 cost=$0.024790
  • Cheap (gpt-4o-mini) in=573 out=48 cost=$0.000115

Estimated total USD: $0.024905 via https://api.openai.com and https://api.openai.com
jwilger deleted branch fix/release-plz-signed-commits 2026-06-12 18:06:50 -07:00