This is a feature-limited alternative to the standard @semantic-release/git plugin. This plugin lets you create gpg-signed verified commits without having to manage your own gpg keys. This is possible since GitHub automatically signs commits made by bots over the REST API.
Commits made by this plugin look like this.
This plugin uses the GitHub API, so other git forges are not supported.
The underlying API endpoint can only update a single file at a time. Consequently, if you update 3 files, each release will create 3 additional commits to your repository.
If you need to commit multiple release assets regularly, consider wrangling your own gpg keys so you can commit all release assets in a single commit.
Tracked by issue #6
This plugin currently cannot create a new file, it can only update an existing, tracked file.
If you see this error message:
fatal: path '<asset>' exists on disk, but not in 'master'
touch the file and push it upstream before restarting your CI workflow.
This is a low-priority bug because there is a known workaround, and it occurs infrequently and under very specific/reproducible conditions.
npm install --save-dev --save-exact @semantic-release-extras/verified-git-commit| Step | Description |
|---|---|
assets |
List of assets to commit back to the release branch. Each asset will be updated in its own commit. |
For example:
{
"plugins": [
[
"@semantic-release-extras/verified-git-commit",
{
"assets": ["CHANGELOG.md"]
}
]
]
}Many thanks to @swinton for documenting the approach in this gist!
One of these tutorials may outline a workflow that works better for your specific needs: