Introduce an option to use the GitHub API to commit changes, for GPG (#391)

* Create tags on GitHub using API

To allow for signed tags to be created,
rather than use the git CLI to push tags,
manually push each tag using the GitHub API,
which will sign the tag using the built-in GitHub GPG key.

* Use ghcommit to push changes

To allow for all commits to be signed,
use the GitHub API to push changes.

* Add changeset version

* Allow tag publish to fail, assume it was manually published

* Add to changeset

* Update @s0/ghcommit

* Update ghcommit to fix missing ref bug

* Make using GitHub API Optional

Change this to a minor version bump,
with a new feature that allows for using the
GitHub API to create tags and commits.

* Use a strategy pattern for GitHub API vs CLI usage

* refactor git interactions

* fix mock thing

* usechangesets pkg

* switch to `commitMode`

---------

Co-authored-by: Mateusz Burzyński <[email protected]>

Author: s0

.changeset/green-dogs-change.md

@@ -0,0 +1,7 @@
+---
+"@changesets/action": minor
+---
+
+Introduce a new input `commitMode` that allows using the GitHub API for pushing tags and commits instead of the Git CLI.
+
+When used with `"github-api"` value all tags and commits will be attributed to the user whose GITHUB_TOKEN is used, and also signed using GitHub's internal GPG key.

README.md

@@ -1,6 +1,6 @@
 # Changesets Release Action
 
-This action for [Changesets](https://github.com/atlassian/changesets) creates a pull request with all of the package versions updated and changelogs updated and when there are new changesets on [your configured `baseBranch`](https://github.com/changesets/changesets/blob/main/docs/config-file-options.md#basebranch-git-branch-name), the PR will be updated. When you're ready, you can merge the pull request and you can either publish the packages to npm manually or setup the action to do it for you.
+This action for [Changesets](https://github.com/changesets/changesets) creates a pull request with all of the package versions updated and changelogs updated and when there are new changesets on [your configured `baseBranch`](https://github.com/changesets/changesets/blob/main/docs/config-file-options.md#basebranch-git-branch-name), the PR will be updated. When you're ready, you can merge the pull request and you can either publish the packages to npm manually or setup the action to do it for you.
 
 ## Usage
 
@@ -12,6 +12,7 @@ This action for [Changesets](https://github.com/atlassian/changesets) creates a
 - title - The pull request title. Default to `Version Packages`
 - setupGitUser - Sets up the git user for commits as `"github-actions[bot]"`. Default to `true`
 - createGithubReleases - A boolean value to indicate whether to create Github releases after `publish` or not. Default to `true`
+- commitMode - Specifies the commit mode. Use `"git-cli"` to push changes using the Git CLI, or `"github-api"` to push changes via the GitHub API. When using `"github-api"`, all commits and tags are GPG-signed and attributed to the user or app who owns the `GITHUB_TOKEN`. Default to `git-cli`.
 - cwd - Changes node's `process.cwd()` if the project is not located on the root. Default to `process.cwd()`
 
 ### Outputs

action.yml

@@ -28,6 +28,14 @@ inputs:
     description: "A boolean value to indicate whether to create Github releases after `publish` or not"
     required: false
     default: true
+  commitMode:
+    description: >
+      An enum to specify the commit mode. Use "git-cli" to push changes using the Git CLI,
+      or "github-api" to push changes via the GitHub API. When using "github-api",
+      all commits and tags are signed using GitHub's GPG key and attributed to the user
+      or app who owns the GITHUB_TOKEN.
+    required: false
+    default: "git-cli"
   branch:
     description: Sets the branch in which the action will run. Default to `github.ref_name` if not provided
     required: false

package.json

@@ -4,23 +4,23 @@
   "main": "dist/index.js",
   "license": "MIT",
   "devDependencies": {
-    "@changesets/changelog-github": "^0.4.2",
-    "@changesets/cli": "^2.20.0",
-    "@changesets/write": "^0.1.6",
-    "@vercel/ncc": "^0.36.1",
-    "fixturez": "^1.1.0",
-    "prettier": "^2.0.5",
-    "typescript": "^5.0.4",
     "@babel/core": "^7.13.10",
     "@babel/preset-env": "^7.13.10",
     "@babel/preset-typescript": "^7.13.0",
+    "@changesets/changelog-github": "^0.4.2",
+    "@changesets/cli": "^2.20.0",
+    "@changesets/write": "^0.1.6",
     "@types/fs-extra": "^8.0.0",
     "@types/jest": "^29.5.1",
     "@types/node": "^20.11.17",
     "@types/semver": "^7.5.0",
+    "@vercel/ncc": "^0.36.1",
     "babel-jest": "^29.5.0",
+    "fixturez": "^1.1.0",
     "husky": "^3.0.3",
-    "jest": "^29.5.0"
+    "jest": "^29.5.0",
+    "prettier": "^2.0.5",
+    "typescript": "^5.0.4"
   },
   "scripts": {
     "build": "ncc build src/index.ts -o dist --transpile-only --minify",
@@ -37,6 +37,7 @@
     "@actions/core": "^1.10.0",
     "@actions/exec": "^1.1.1",
     "@actions/github": "^5.1.1",
+    "@changesets/ghcommit": "1.3.0",
     "@changesets/pre": "^1.0.9",
     "@changesets/read": "^0.5.3",
     "@manypkg/get-packages": "^1.1.3",
@@ -57,5 +58,6 @@
     "**/@octokit/core": "4.2.0",
     "trim": "^0.0.3",
     "y18n": "^4.0.1"
-  }
+  },
+  "packageManager": "[email protected]+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e"
 }

src/git.ts

@@ -0,0 +1,106 @@
+import * as core from "@actions/core";
+import { exec, getExecOutput } from "@actions/exec";
+import * as github from "@actions/github";
+import { commitChangesFromRepo } from "@changesets/ghcommit/git";
+import { Octokit } from "./octokit";
+
+const push = async (branch: string, { force }: { force?: boolean } = {}) => {
+  await exec(
+    "git",
+    ["push", "origin", `HEAD:${branch}`, force && "--force"].filter<string>(
+      Boolean as any
+    )
+  );
+};
+
+const switchToMaybeExistingBranch = async (branch: string) => {
+  let { stderr } = await getExecOutput("git", ["checkout", branch], {
+    ignoreReturnCode: true,
+  });
+  let isCreatingBranch = !stderr
+    .toString()
+    .includes(`Switched to a new branch '${branch}'`);
+  if (isCreatingBranch) {
+    await exec("git", ["checkout", "-b", branch]);
+  }
+};
+
+const reset = async (
+  pathSpec: string,
+  mode: "hard" | "soft" | "mixed" = "hard"
+) => {
+  await exec("git", ["reset", `--${mode}`, pathSpec]);
+};
+
+const commitAll = async (message: string) => {
+  await exec("git", ["add", "."]);
+  await exec("git", ["commit", "-m", message]);
+};
+
+const checkIfClean = async (): Promise<boolean> => {
+  const { stdout } = await getExecOutput("git", ["status", "--porcelain"]);
+  return !stdout.length;
+};
+
+export class Git {
+  octokit;
+  constructor(octokit?: Octokit) {
+    this.octokit = octokit;
+  }
+
+  async setupUser() {
+    if (this.octokit) {
+      return;
+    }
+    await exec("git", ["config", "user.name", `"github-actions[bot]"`]);
+    await exec("git", [
+      "config",
+      "user.email",
+      `"41898282+github-actions[bot]@users.noreply.github.com"`,
+    ]);
+  }
+
+  async pushTag(tag: string) {
+    if (this.octokit) {
+      return this.octokit.rest.git
+        .createRef({
+          ...github.context.repo,
+          ref: `refs/tags/${tag}`,
+          sha: github.context.sha,
+        })
+        .catch((err) => {
+          // Assuming tag was manually pushed in custom publish script
+          core.warning(`Failed to create tag ${tag}: ${err.message}`);
+        });
+    }
+    await exec("git", ["push", "origin", tag]);
+  }
+
+  async prepareBranch(branch: string) {
+    if (this.octokit) {
+      // Preparing a new local branch is not necessary when using the API
+      return;
+    }
+    await switchToMaybeExistingBranch(branch);
+    await reset(github.context.sha);
+  }
+
+  async pushChanges({ branch, message }: { branch: string; message: string }) {
+    if (this.octokit) {
+      return commitChangesFromRepo({
+        octokit: this.octokit,
+        ...github.context.repo,
+        branch,
+        message,
+        base: {
+          commit: github.context.sha,
+        },
+        force: true,
+      });
+    }
+    if (!(await checkIfClean())) {
+      await commitAll(message);
+    }
+    await push(branch, { force: true });
+  }
+}

src/gitUtils.ts

@@ -1,8 +1,9 @@
 import * as core from "@actions/core";
 import fs from "fs-extra";
-import * as gitUtils from "./gitUtils";
-import { runPublish, runVersion } from "./run";
+import { Git } from "./git";
+import { setupOctokit } from "./octokit";
 import readChangesetState from "./readChangesetState";
+import { runPublish, runVersion } from "./run";
 
 const getOptionalInput = (name: string) => core.getInput(name) || undefined;
 
@@ -20,11 +21,19 @@ const getOptionalInput = (name: string) => core.getInput(name) || undefined;
     process.chdir(inputCwd);
   }
 
+  const octokit = setupOctokit(githubToken);
+  const commitMode = getOptionalInput("commitMode") ?? "git-cli";
+  if (commitMode !== "git-cli" && commitMode !== "github-api") {
+    core.setFailed(`Invalid commit mode: ${commitMode}`);
+    return;
+  }
+  const git = new Git(commitMode === "github-api" ? octokit : undefined);
+
   let setupGitUser = core.getBooleanInput("setupGitUser");
 
   if (setupGitUser) {
     core.info("setting git user");
-    await gitUtils.setupUser();
+    await git.setupUser();
   }
 
   core.info("setting GitHub credentials");
@@ -48,7 +57,9 @@ const getOptionalInput = (name: string) => core.getInput(name) || undefined;
 
   switch (true) {
     case !hasChangesets && !hasPublishScript:
-      core.info("No changesets present or were removed by merging release PR. Not publishing because no publish script found.");
+      core.info(
+        "No changesets present or were removed by merging release PR. Not publishing because no publish script found."
+      );
       return;
     case !hasChangesets && hasPublishScript: {
       core.info(
@@ -86,7 +97,8 @@ const getOptionalInput = (name: string) => core.getInput(name) || undefined;
 
       const result = await runPublish({
         script: publishScript,
-        githubToken,
+        git,
+        octokit,
         createGithubReleases: core.getBooleanInput("createGithubReleases"),
       });
 
@@ -102,10 +114,12 @@ const getOptionalInput = (name: string) => core.getInput(name) || undefined;
     case hasChangesets && !hasNonEmptyChangesets:
       core.info("All changesets are empty; not creating PR");
       return;
-    case hasChangesets:
+    case hasChangesets: {
+      const octokit = setupOctokit(githubToken);
       const { pullRequestNumber } = await runVersion({
         script: getOptionalInput("version"),
-        githubToken,
+        git,
+        octokit,
         prTitle: getOptionalInput("title"),
         commitMessage: getOptionalInput("commit"),
         hasPublishScript,
@@ -115,6 +129,7 @@ const getOptionalInput = (name: string) => core.getInput(name) || undefined;
       core.setOutput("pullRequestNumber", String(pullRequestNumber));
 
       return;
+    }
   }
 })().catch((err) => {
   core.error(err);

src/index.ts

@@ -0,0 +1,39 @@
+import * as core from "@actions/core";
+import { GitHub, getOctokitOptions } from "@actions/github/lib/utils";
+import { throttling } from "@octokit/plugin-throttling";
+
+export const setupOctokit = (githubToken: string) => {
+  return new (GitHub.plugin(throttling))(
+    getOctokitOptions(githubToken, {
+      throttle: {
+        onRateLimit: (retryAfter, options: any, octokit, retryCount) => {
+          core.warning(
+            `Request quota exhausted for request ${options.method} ${options.url}`
+          );
+
+          if (retryCount <= 2) {
+            core.info(`Retrying after ${retryAfter} seconds!`);
+            return true;
+          }
+        },
+        onSecondaryRateLimit: (
+          retryAfter,
+          options: any,
+          octokit,
+          retryCount
+        ) => {
+          core.warning(
+            `SecondaryRateLimit detected for request ${options.method} ${options.url}`
+          );
+
+          if (retryCount <= 2) {
+            core.info(`Retrying after ${retryAfter} seconds!`);
+            return true;
+          }
+        },
+      },
+    })
+  );
+};
+
+export type Octokit = ReturnType<typeof setupOctokit>;