Author SHA1 Message Date
4320041ed3 feat: signed commits (v7) (#3057)
* Add support for signed commits (#3055)

* formatting

* fix eslint and lint errors

* shift setting the base to before the push

* sign commits by default for testing

* add debug lines

* read to buffer not string and use non-legacy method to base64

* debug payload without contents

* disable linter for debug code

* fix filepath when using path input

* try to fix head repo

* remove commented code

* Try refactor of file changes

* add tests for building file changes

* add build file changes test for binary files

* refactor graphql code into github helper class

* build file changes even when there is no diff

* add function to get commit detail

* fix format

* build branch commits

* use source mode for deleted files

* try rest api route

* fix check for branch existence

* force push

* try fix base tree

* debug commit verification

* debug commit verification

* fix format and cleanup

* add executable mode file to test

* limit blob creation concurrency

* only build commits when feature enabled

* remove unused code

* update readme link

* update docs for commit signing

* fix capital letter

* update docs

* add throttling

* set default back to false

* output head sha and verified status

* log outputs

* fix head sha output

* default the operation output to none

* output retryafter for secondary rate limit

* use separate client for branch and pull operations

* add maintainer-can-modify input

* rename git-token to branch-token

* fix branch token input

* remove deprecated env output

* update docs

* fix doc

* update docs

* build branch commits when there is a diff with the base

* check verification status of head commit when not known

* fix verified output when no commit signing is being used

* draft always-true

* convert to draft on branch updates when there is a diff with base

* update docs with blob size limit

* catch errors during blob creation for debugging

* parse empty commits

* pass base commit to push signed commits

* use parent commit details in create commit

* use parent tree for base_tree

* multipart tree creation

* update docs

* update readme about the permissions of the default token

* fix edge case where changes are partially merged

* add updating documentation

* fix typo

* update major version

---------

Co-authored-by: Ravi <1299606+rustycl0ck@users.noreply.github.com>
2024-09-03 08:54:12 +01:00
7 changed files with 53 additions and 37 deletions

View File

@ -32,10 +32,10 @@ Create Pull Request action will:
# Make changes to pull request here # Make changes to pull request here
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
``` ```
You can also pin to a [specific release](https://github.com/peter-evans/create-pull-request/releases) version in the format `@v6.x.x` You can also pin to a [specific release](https://github.com/peter-evans/create-pull-request/releases) version in the format `@v7.x.x`
### Workflow permissions ### Workflow permissions
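Review bot: The pinning sentence at the end of this hunk still documents only the `@v7.x.x` tag form. Tags can be moved after release, so consider also mentioning that users who need an immutable reference can pin to a full-length commit SHA, for example `uses: peter-evans/create-pull-request@<full-commit-sha> # v7.x.x` (placeholder, not a real SHA).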
@ -131,7 +131,7 @@ If you want branches to be deleted immediately on merge then you should use GitH
For self-hosted runners behind a corporate proxy set the `https_proxy` environment variable. For self-hosted runners behind a corporate proxy set the `https_proxy` environment variable.
```yml ```yml
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
env: env:
https_proxy: http://<proxy_address>:<port> https_proxy: http://<proxy_address>:<port>
``` ```
@ -153,7 +153,7 @@ Note that in order to read the step outputs the action step must have an id.
```yml ```yml
- name: Create Pull Request - name: Create Pull Request
id: cpr id: cpr
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
- name: Check outputs - name: Check outputs
if: ${{ steps.cpr.outputs.pull-request-number }} if: ${{ steps.cpr.outputs.pull-request-number }}
run: | run: |
@ -216,7 +216,7 @@ File changes that do not match one of the paths will be stashed and restored aft
```yml ```yml
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
add-paths: | add-paths: |
*.java *.java
@ -243,7 +243,7 @@ Note that the repository must be checked out on a branch with a remote, it won't
- name: Uncommitted change - name: Uncommitted change
run: date +%s > report.txt run: date +%s > report.txt
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
``` ```
### Create a project card ### Create a project card
@ -253,7 +253,7 @@ To create a project card for the pull request, pass the `pull-request-number` st
```yml ```yml
- name: Create Pull Request - name: Create Pull Request
id: cpr id: cpr
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
- name: Create or Update Project Card - name: Create or Update Project Card
if: ${{ steps.cpr.outputs.pull-request-number }} if: ${{ steps.cpr.outputs.pull-request-number }}
@ -288,7 +288,7 @@ jobs:
- name: Create Pull Request - name: Create Pull Request
id: cpr id: cpr
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
token: ${{ secrets.PAT }} token: ${{ secrets.PAT }}
commit-message: Update report commit-message: Update report

View File

@ -37,7 +37,7 @@ So the straightforward solution is to just not install them during the workflow
- If hooks are automatically enabled by a framework, use an option provided by the framework to disable them. For example, for Husky users, they can be disabled with the `--ignore-scripts` flag, or by setting the `HUSKY` environment variable when the action runs. - If hooks are automatically enabled by a framework, use an option provided by the framework to disable them. For example, for Husky users, they can be disabled with the `--ignore-scripts` flag, or by setting the `HUSKY` environment variable when the action runs.
```yml ```yml
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
env: env:
HUSKY: '0' HUSKY: '0'
``` ```

View File

@ -92,7 +92,7 @@ In these cases, you *must supply* the `base` input so the action can rebase chan
Workflows triggered by [`pull_request`](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request) events will by default check out a merge commit. Set the `base` input as follows to base the new pull request on the current pull request's branch. Workflows triggered by [`pull_request`](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request) events will by default check out a merge commit. Set the `base` input as follows to base the new pull request on the current pull request's branch.
```yml ```yml
- uses: peter-evans/create-pull-request@v6 - uses: peter-evans/create-pull-request@v7
with: with:
base: ${{ github.head_ref }} base: ${{ github.head_ref }}
``` ```
@ -100,7 +100,7 @@ Workflows triggered by [`pull_request`](https://docs.github.com/en/actions/refer
Workflows triggered by [`release`](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#release) events will by default check out a tag. For most use cases, you will need to set the `base` input to the branch name of the tagged commit. Workflows triggered by [`release`](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#release) events will by default check out a tag. For most use cases, you will need to set the `base` input to the branch name of the tagged commit.
```yml ```yml
- uses: peter-evans/create-pull-request@v6 - uses: peter-evans/create-pull-request@v7
with: with:
base: main base: main
``` ```
@ -186,7 +186,7 @@ Checking out a branch from a different repository from where the workflow is exe
# Make changes to pull request here # Make changes to pull request here
- uses: peter-evans/create-pull-request@v6 - uses: peter-evans/create-pull-request@v7
with: with:
token: ${{ secrets.PAT }} token: ${{ secrets.PAT }}
``` ```
@ -216,7 +216,7 @@ How to use SSH (deploy keys) with create-pull-request action:
# Make changes to pull request here # Make changes to pull request here
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
``` ```
### Push pull request branches to a fork ### Push pull request branches to a fork
@ -241,7 +241,7 @@ It will use their own fork to push code and create the pull request.
# Make changes to pull request here # Make changes to pull request here
- uses: peter-evans/create-pull-request@v6 - uses: peter-evans/create-pull-request@v7
with: with:
token: ${{ secrets.MACHINE_USER_PAT }} token: ${{ secrets.MACHINE_USER_PAT }}
push-to-fork: machine-user/fork-of-repository push-to-fork: machine-user/fork-of-repository
@ -284,7 +284,7 @@ The following is an example of pushing to a fork using GitHub App tokens.
# Make changes to pull request here # Make changes to pull request here
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
branch-token: ${{ steps.generate-token.outputs.token }} branch-token: ${{ steps.generate-token.outputs.token }}
push-to-fork: owner/fork-of-repo push-to-fork: owner/fork-of-repo
@ -329,7 +329,7 @@ GitHub App generated tokens can be configured with fine-grained permissions and
# Make changes to pull request here # Make changes to pull request here
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
token: ${{ steps.generate-token.outputs.token }} token: ${{ steps.generate-token.outputs.token }}
``` ```
@ -357,7 +357,7 @@ In the following example, a pull request is being created in remote repo `owner/
# Make changes to pull request here # Make changes to pull request here
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
token: ${{ steps.generate-token.outputs.token }} token: ${{ steps.generate-token.outputs.token }}
``` ```
@ -386,7 +386,7 @@ In this example the `token` input is not supplied, so the action will use the re
# Make changes to pull request here # Make changes to pull request here
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
sign-commits: true sign-commits: true
``` ```
@ -405,7 +405,7 @@ In this example, the `token` input is generated using a GitHub App. This will si
# Make changes to pull request here # Make changes to pull request here
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
token: ${{ steps.generate-token.outputs.token }} token: ${{ steps.generate-token.outputs.token }}
sign-commits: true sign-commits: true
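Review bot: The step in this signing example has no `id`, so a reader who copies it cannot read the new `pull-request-commits-verified` output. Suggest adding `id: cpr` and a follow-up step that checks `steps.cpr.outputs.pull-request-commits-verified`, so the example also shows how to confirm that GitHub marked the commits as verified.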
@ -448,7 +448,7 @@ The action can use GPG to sign commits with a GPG key that you generate yourself
# Make changes to pull request here # Make changes to pull request here
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
token: ${{ secrets.PAT }} token: ${{ secrets.PAT }}
committer: example <email@example.com> committer: example <email@example.com>
@ -478,7 +478,7 @@ jobs:
# Make changes to pull request here # Make changes to pull request here
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
``` ```
**Ubuntu container example:** **Ubuntu container example:**
@ -501,5 +501,5 @@ jobs:
# Make changes to pull request here # Make changes to pull request here
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
``` ```

View File

@ -49,7 +49,7 @@ jobs:
run: | run: |
git log --format='%aN <%aE>%n%cN <%cE>' | sort -u > AUTHORS git log --format='%aN <%aE>%n%cN <%cE>' | sort -u > AUTHORS
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
commit-message: update authors commit-message: update authors
title: Update AUTHORS title: Update AUTHORS
@ -81,7 +81,7 @@ jobs:
git fetch origin main:main git fetch origin main:main
git reset --hard main git reset --hard main
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
branch: production-promotion branch: production-promotion
``` ```
@ -116,7 +116,7 @@ jobs:
./git-chglog -o CHANGELOG.md ./git-chglog -o CHANGELOG.md
rm git-chglog rm git-chglog
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
commit-message: update changelog commit-message: update changelog
title: Update Changelog title: Update Changelog
@ -153,7 +153,7 @@ jobs:
npx -p npm-check-updates ncu -u npx -p npm-check-updates ncu -u
npm install npm install
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
token: ${{ secrets.PAT }} token: ${{ secrets.PAT }}
commit-message: Update dependencies commit-message: Update dependencies
@ -214,7 +214,7 @@ jobs:
- name: Perform dependency resolution and write new lockfiles - name: Perform dependency resolution and write new lockfiles
run: ./gradlew dependencies --write-locks run: ./gradlew dependencies --write-locks
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
token: ${{ secrets.PAT }} token: ${{ secrets.PAT }}
commit-message: Update dependencies commit-message: Update dependencies
@ -249,7 +249,7 @@ jobs:
cargo update cargo update
cargo upgrade --to-lockfile cargo upgrade --to-lockfile
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
token: ${{ secrets.PAT }} token: ${{ secrets.PAT }}
commit-message: Update dependencies commit-message: Update dependencies
@ -307,7 +307,7 @@ jobs:
# Update current release # Update current release
echo ${{ steps.swagger-ui.outputs.release_tag }} > swagger-ui.version echo ${{ steps.swagger-ui.outputs.release_tag }} > swagger-ui.version
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
commit-message: Update swagger-ui to ${{ steps.swagger-ui.outputs.release_tag }} commit-message: Update swagger-ui to ${{ steps.swagger-ui.outputs.release_tag }}
title: Update SwaggerUI to ${{ steps.swagger-ui.outputs.release_tag }} title: Update SwaggerUI to ${{ steps.swagger-ui.outputs.release_tag }}
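Review bot: The unchanged `run` line at the top of this hunk interpolates `${{ steps.swagger-ui.outputs.release_tag }}` directly into the shell script, so whatever the upstream release tag contains is parsed by the shell. While this example is being touched, consider passing the value through `env:` (for example as `RELEASE_TAG`, a name chosen here for illustration) and writing `echo "$RELEASE_TAG" > swagger-ui.version`, so the documentation models the safer pattern.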
@ -351,7 +351,7 @@ jobs:
git fetch upstream main:upstream-main git fetch upstream main:upstream-main
git reset --hard upstream-main git reset --hard upstream-main
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
token: ${{ secrets.PAT }} token: ${{ secrets.PAT }}
branch: upstream-changes branch: upstream-changes
@ -384,7 +384,7 @@ jobs:
--domains quotes.toscrape.com \ --domains quotes.toscrape.com \
http://quotes.toscrape.com/ http://quotes.toscrape.com/
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
commit-message: update local website copy commit-message: update local website copy
title: Automated Updates to Local Website Copy title: Automated Updates to Local Website Copy
@ -481,7 +481,7 @@ jobs:
echo "branch-name=$branch-name" >> $GITHUB_OUTPUT echo "branch-name=$branch-name" >> $GITHUB_OUTPUT
- name: Create Pull Request - name: Create Pull Request
if: steps.autopep8.outputs.exit-code == 2 if: steps.autopep8.outputs.exit-code == 2
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
commit-message: autopep8 action fixes commit-message: autopep8 action fixes
title: Fixes by autopep8 action title: Fixes by autopep8 action
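Review bot: In the context line `echo "branch-name=$branch-name" >> $GITHUB_OUTPUT` at the top of this hunk, the shell reads `$branch-name` as `$branch` followed by the literal text `-name`, because a hyphen cannot be part of a variable name. If the intent is to output a single variable, rename it (for example `branch_name`) and quote `"$GITHUB_OUTPUT"`; worth fixing while the example is being edited for the version bump.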
@ -540,7 +540,7 @@ Note that the step where output variables are defined must have an id.
echo "pr_title=$pr_title" >> $GITHUB_OUTPUT echo "pr_title=$pr_title" >> $GITHUB_OUTPUT
echo "pr_body=$pr_body" >> $GITHUB_OUTPUT echo "pr_body=$pr_body" >> $GITHUB_OUTPUT
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
title: ${{ steps.vars.outputs.pr_title }} title: ${{ steps.vars.outputs.pr_title }}
body: ${{ steps.vars.outputs.pr_body }} body: ${{ steps.vars.outputs.pr_body }}
@ -566,7 +566,7 @@ The template is rendered using the [render-template](https://github.com/chuhlomi
bar: that bar: that
- name: Create Pull Request - name: Create Pull Request
uses: peter-evans/create-pull-request@v6 uses: peter-evans/create-pull-request@v7
with: with:
body: ${{ steps.template.outputs.result }} body: ${{ steps.template.outputs.result }}
``` ```

View File

@ -1,3 +1,19 @@
## Updating from `v6` to `v7`
### Behaviour changes
- Action input `git-token` has been renamed `branch-token`, to be more clear about its purpose. The `branch-token` is the token that the action will use to create and update the branch.
- The action now handles requests that have been rate-limited by GitHub. Requests hitting a primary rate limit will retry twice, for a total of three attempts. Requests hitting a secondary rate limit will not be retried.
- The `pull-request-operation` output now returns `none` when no operation was executed.
- Removed deprecated output environment variable `PULL_REQUEST_NUMBER`. Please use the `pull-request-number` action output instead.
### What's new
- The action can now sign commits as `github-actions[bot]` when using `GITHUB_TOKEN`, or your own bot when using [GitHub App tokens](concepts-guidelines.md#authenticating-with-github-app-generated-tokens). See [commit signing](concepts-guidelines.md#commit-signature-verification-for-bots) for details.
- Action input `draft` now accepts a new value `always-true`. This will set the pull request to draft status when the pull request is updated, as well as on creation.
- A new action input `maintainer-can-modify` indicates whether [maintainers can modify](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork) the pull request. The default is `true`, which retains the existing behaviour of the action.
- A new output `pull-request-commits-verified` returns `true` or `false`, indicating whether GitHub considers the signature of the branch's commits to be verified.
## Updating from `v5` to `v6` ## Updating from `v5` to `v6`
### Behaviour changes ### Behaviour changes
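Review bot: The `git-token` rename bullet does not say what happens to a workflow that still passes `git-token` after moving to `v7`. GitHub Actions only warns about unexpected inputs and continues, so the old input would be ignored rather than fail the run; suggest stating that explicitly and advising users to search their workflows for `git-token` as part of the upgrade.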

4
package-lock.json generated
View File

@ -1,12 +1,12 @@
{ {
"name": "create-pull-request", "name": "create-pull-request",
"version": "6.0.0", "version": "7.0.0",
"lockfileVersion": 3, "lockfileVersion": 3,
"requires": true, "requires": true,
"packages": { "packages": {
"": { "": {
"name": "create-pull-request", "name": "create-pull-request",
"version": "6.0.0", "version": "7.0.0",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@actions/core": "^1.10.1", "@actions/core": "^1.10.1",

View File

@ -1,6 +1,6 @@
{ {
"name": "create-pull-request", "name": "create-pull-request",
"version": "6.0.0", "version": "7.0.0",
"private": true, "private": true,
"description": "Creates a pull request for changes to your repository in the actions workspace", "description": "Creates a pull request for changes to your repository in the actions workspace",
"main": "lib/main.js", "main": "lib/main.js",