semantic-release plugin to create signed commits using GitHub's gpg keys

semantic-release-extras/verified-git-commit

@semantic-release-extras/verified-git-commit

This is a feature-limited alternative to the standard @semantic-release/git plugin. This plugin lets you create gpg-signed verified commits without having to manage your own gpg keys. This is possible since GitHub automatically signs commits made by bots over the REST API.

Commits made by this plugin look like this.

Caveats

Only supports GitHub

This plugin uses the GitHub API, so other git forges are not supported.

Each commit can only update one file

The underlying API endpoint can only update a single file at a time. Consequently, if you update 3 files, each release will create 3 additional commits to your repository.

If you need to commit multiple release assets regularly, consider wrangling your own gpg keys so you can commit all release assets in a single commit.

Cannot create files

Tracked by issue #6

This plugin currently cannot create a new file; it can only update an existing, tracked file.

If you see this error message:

fatal: path '<asset>' exists on disk, but not in 'master'

touch the file and push it upstream before restarting your CI workflow.

This is a low-priority bug because there is a known workaround, and it occurs infrequently and under very specific/reproducible conditions.

Install

npm install --save-dev --save-exact @semantic-release-extras/verified-git-commit

Use

| Step | Description |
| --- | --- |
| assets | List of assets to commit back to the release branch. Each asset will be updated in its own commit. |

For example:

{
  "plugins": [
    [
      "@semantic-release-extras/verified-git-commit",
      {
        "assets": ["CHANGELOG.md"]
      }
    ]
  ]
}
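The sketch below is an added example, not the plugin's own code. It shows why an `assets` list produces one commit per file and how to check afterwards that GitHub reports each release commit as verified. It assumes the underlying endpoint is GitHub's "create or update file contents" call (`PUT /repos/{owner}/{repo}/contents/{path}`) and that commit objects carry the `commit.verification` field of GitHub's commits API; the function names, repository names, and sample data are constructed.

```javascript
// Added example (not the plugin's source). Endpoint and field names are
// assumptions based on GitHub's REST API; all sample values are constructed.

// One request per asset: the endpoint takes a single path, so N assets => N commits.
function planAssetCommits({ owner, repo, branch, message, assets }) {
  return assets.map(({ path, currentSha, newContent }) => {
    if (!currentSha) {
      // Mirrors the README caveat: only existing, tracked files are updated.
      throw new Error(`${path} is not tracked on ${branch}; commit it once first`);
    }
    return {
      method: "PUT",
      url: `/repos/${owner}/${repo}/contents/${encodeURI(path)}`,
      body: {
        message,
        branch,
        sha: currentSha, // id of the blob being replaced
        content: Buffer.from(newContent, "utf8").toString("base64"),
      },
    };
  });
}

// Post-release check: list commits GitHub does not report as verified.
function findUnverified(commits) {
  return commits
    .filter((c) => c.commit?.verification?.verified !== true)
    .map((c) => ({ sha: c.sha, reason: c.commit?.verification?.reason ?? "missing" }));
}

// Constructed sample data (placeholder ids, not real commits).
const EMPTY_BLOB = "e69de29bb2d1d6434b8b29ae775ad8c2e43b5391";
const sampleAssets = [
  { path: "CHANGELOG.md", currentSha: EMPTY_BLOB, newContent: "# 1.2.0\n" },
  { path: "package.json", currentSha: EMPTY_BLOB, newContent: "{}\n" },
];
const sampleCommits = [
  { sha: "aaaa111", commit: { verification: { verified: true, reason: "valid" } } },
  { sha: "bbbb222", commit: { verification: { verified: false, reason: "unsigned" } } },
  { sha: "cccc333", commit: {} },
];

const plan = planAssetCommits({
  owner: "example-org", repo: "example-repo", branch: "master",
  message: "chore(release): 1.2.0", assets: sampleAssets,
});
console.log(`${plan.length} commits planned`);
console.log(findUnverified(sampleCommits));
```

Running `findUnverified` over the commits of a release range in CI gives a quick signal if a release commit was pushed by some path other than the API and therefore lacks GitHub's signature.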

Acknowledgments

Many thanks to @swinton for documenting the approach in this gist!

Alternatives

One of these tutorials may outline a workflow that works better for your specific needs: