add throttling

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 18.19.43 to 18.19.44.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

README.md

@@ -57,7 +57,7 @@ All inputs are **optional**. If not set, sensible defaults will be used.
 | `path` | Relative path under `GITHUB_WORKSPACE` to the repository. | `GITHUB_WORKSPACE` |
 | `add-paths` | A comma or newline-separated list of file paths to commit. Paths should follow git's [pathspec](https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddefpathspecapathspec) syntax. If no paths are specified, all new and modified files are added. See [Add specific paths](#add-specific-paths). | |
 | `commit-message` | The message to use when committing changes. See [commit-message](#commit-message). | `[create-pull-request] automated change` |
-| `committer` | The committer name and email address in the format `Display Name <email@address.com>`. Defaults to the GitHub Actions bot user. | `github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>` |
+| `committer` | The committer name and email address in the format `Display Name <email@address.com>`. Defaults to the GitHub Actions bot user on github.com. | `github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>` |
 | `author` | The author name and email address in the format `Display Name <email@address.com>`. Defaults to the user who triggered the workflow run. | `${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com>` |
 | `signoff` | Add [`Signed-off-by`](https://git-scm.com/docs/git-commit#Documentation/git-commit.txt---signoff) line by the committer at the end of the commit log message. | `false` |
 | `branch` | The pull request branch name. | `create-pull-request/patch` |
@@ -65,6 +65,7 @@ All inputs are **optional**. If not set, sensible defaults will be used.
 | `branch-suffix` | The branch suffix type when using the alternative branching strategy. Valid values are `random`, `timestamp` and `short-commit-hash`. See [Alternative strategy](#alternative-strategy---always-create-a-new-pull-request-branch) for details. | |
 | `base` | Sets the pull request base branch. | Defaults to the branch checked out in the workflow. |
 | `push-to-fork` | A fork of the checked-out parent repository to which the pull request branch will be pushed. e.g. `owner/repo-fork`. The pull request will be created to merge the fork's branch into the parent's base. See [push pull request branches to a fork](docs/concepts-guidelines.md#push-pull-request-branches-to-a-fork) for details. | |
+| `sign-commits` | Sign commits as `github-actions[bot]` when using `GITHUB_TOKEN`, or your own bot when using [GitHub App tokens](docs/concepts-guidelines.md#authenticating-with-github-app-generated-tokens). See [commit signing](docs/concepts-guidelines.md#commit-signature-verification-for-bots) for details.  | `false` |
 | `title` | The title of the pull request. | `Changes by create-pull-request action` |
 | `body` | The body of the pull request. | `Automated changes by [create-pull-request](https://github.com/peter-evans/create-pull-request) GitHub action` |
 | `body-path` | The path to a file containing the pull request body. Takes precedence over `body`. | |
@@ -117,6 +118,7 @@ The following outputs can be used by subsequent workflow steps.
 - `pull-request-url` - The URL of the pull request.
 - `pull-request-operation` - The pull request operation performed by the action, `created`, `updated` or `closed`.
 - `pull-request-head-sha` - The commit SHA of the pull request branch.
+- `pull-request-branch` - The branch name of the pull request.
 
 Step outputs can be accessed as in the following example.
 Note that in order to read the step outputs the action step must have an id.

__test__/create-or-update-branch.int.test.ts

@@ -1,7 +1,8 @@
 import {
   createOrUpdateBranch,
   tryFetch,
-  getWorkingBaseAndType
+  getWorkingBaseAndType,
+  buildBranchCommits
 } from '../lib/create-or-update-branch'
 import * as fs from 'fs'
 import {GitCommandManager} from '../lib/git-command-manager'
@@ -210,8 +211,8 @@ describe('create-or-update-branch tests', () => {
   }
 
   it('tests if a branch exists and can be fetched', async () => {
-    expect(await tryFetch(git, REMOTE_NAME, NOT_BASE_BRANCH)).toBeTruthy()
-    expect(await tryFetch(git, REMOTE_NAME, NOT_EXIST_BRANCH)).toBeFalsy()
+    expect(await tryFetch(git, REMOTE_NAME, NOT_BASE_BRANCH, 1)).toBeTruthy()
+    expect(await tryFetch(git, REMOTE_NAME, NOT_EXIST_BRANCH, 1)).toBeFalsy()
   })
 
   it('tests getWorkingBaseAndType on a checked out ref', async () => {
@@ -229,6 +230,77 @@ describe('create-or-update-branch tests', () => {
     expect(workingBaseType).toEqual('commit')
   })
 
+  it('tests buildBranchCommits with no diff', async () => {
+    await git.checkout(BRANCH, BASE)
+    const branchCommits = await buildBranchCommits(git, BASE, BRANCH)
+    expect(branchCommits.length).toEqual(0)
+  })
+
+  it('tests buildBranchCommits with addition and modification', async () => {
+    await git.checkout(BRANCH, BASE)
+    await createChanges()
+    const UNTRACKED_EXE_FILE = 'a/script.sh'
+    const filepath = path.join(REPO_PATH, UNTRACKED_EXE_FILE)
+    await fs.promises.writeFile(filepath, '#!/usr/bin/env bash', {mode: 0o755})
+    await git.exec(['add', '-A'])
+    await git.commit(['-m', 'Test changes'])
+
+    const branchCommits = await buildBranchCommits(git, BASE, BRANCH)
+
+    expect(branchCommits.length).toEqual(1)
+    expect(branchCommits[0].subject).toEqual('Test changes')
+    expect(branchCommits[0].changes.length).toEqual(3)
+    expect(branchCommits[0].changes).toEqual([
+      {mode: '100755', path: UNTRACKED_EXE_FILE, status: 'A'},
+      {mode: '100644', path: TRACKED_FILE, status: 'M'},
+      {mode: '100644', path: UNTRACKED_FILE, status: 'A'}
+    ])
+  })
+
+  it('tests buildBranchCommits with addition and deletion', async () => {
+    await git.checkout(BRANCH, BASE)
+    await createChanges()
+    const TRACKED_FILE_NEW_PATH = 'c/tracked-file.txt'
+    const filepath = path.join(REPO_PATH, TRACKED_FILE_NEW_PATH)
+    await fs.promises.mkdir(path.dirname(filepath), {recursive: true})
+    await fs.promises.rename(path.join(REPO_PATH, TRACKED_FILE), filepath)
+    await git.exec(['add', '-A'])
+    await git.commit(['-m', 'Test changes'])
+
+    const branchCommits = await buildBranchCommits(git, BASE, BRANCH)
+
+    expect(branchCommits.length).toEqual(1)
+    expect(branchCommits[0].subject).toEqual('Test changes')
+    expect(branchCommits[0].changes.length).toEqual(3)
+    expect(branchCommits[0].changes).toEqual([
+      {mode: '100644', path: TRACKED_FILE, status: 'D'},
+      {mode: '100644', path: UNTRACKED_FILE, status: 'A'},
+      {mode: '100644', path: TRACKED_FILE_NEW_PATH, status: 'A'}
+    ])
+  })
+
+  it('tests buildBranchCommits with multiple commits', async () => {
+    await git.checkout(BRANCH, BASE)
+    for (let i = 0; i < 3; i++) {
+      await createChanges()
+      await git.exec(['add', '-A'])
+      await git.commit(['-m', `Test changes ${i}`])
+    }
+
+    const branchCommits = await buildBranchCommits(git, BASE, BRANCH)
+
+    expect(branchCommits.length).toEqual(3)
+    for (let i = 0; i < 3; i++) {
+      expect(branchCommits[i].subject).toEqual(`Test changes ${i}`)
+      expect(branchCommits[i].changes.length).toEqual(2)
+      const untrackedFileStatus = i == 0 ? 'A' : 'M'
+      expect(branchCommits[i].changes).toEqual([
+        {mode: '100644', path: TRACKED_FILE, status: 'M'},
+        {mode: '100644', path: UNTRACKED_FILE, status: untrackedFileStatus}
+      ])
+    }
+  })
+
   it('tests no changes resulting in no new branch being created', async () => {
     const commitMessage = uuidv4()
     const result = await createOrUpdateBranch(

__test__/entrypoint.sh

@@ -13,7 +13,7 @@ git daemon --verbose --enable=receive-pack --base-path=/git/remote --export-all
 # Give the daemon time to start
 sleep 2
 
-# Create a local clone and make an initial commit
+# Create a local clone and make initial commits
 mkdir -p /git/local/repos
 git clone git://127.0.0.1/repos/test-base.git /git/local/repos/test-base
 cd /git/local/repos/test-base
@@ -22,6 +22,10 @@ git config --global user.name "Your Name"
 echo "#test-base" > README.md
 git add .
 git commit -m "initial commit"
+echo "#test-base :sparkles:" > README.md
+git add .
+git commit -m "add sparkles" -m "Change description:
+- updates README.md to add sparkles to the title"
 git push -u
 git log -1 --pretty=oneline
 git config --global --unset user.email

__test__/git-command-manager.int.test.ts

@@ -0,0 +1,26 @@
+import {GitCommandManager, Commit} from '../lib/git-command-manager'
+
+const REPO_PATH = '/git/local/repos/test-base'
+
+describe('git-command-manager integration tests', () => {
+  let git: GitCommandManager
+
+  beforeAll(async () => {
+    git = await GitCommandManager.create(REPO_PATH)
+    await git.checkout('main')
+  })
+
+  it('tests getCommit', async () => {
+    const parent = await git.getCommit('HEAD^')
+    const commit = await git.getCommit('HEAD')
+    expect(parent.subject).toEqual('initial commit')
+    expect(parent.changes).toEqual([
+      {mode: '100644', status: 'A', path: 'README.md'}
+    ])
+    expect(commit.subject).toEqual('add sparkles')
+    expect(commit.parents[0]).toEqual(parent.sha)
+    expect(commit.changes).toEqual([
+      {mode: '100644', status: 'M', path: 'README.md'}
+    ])
+  })
+})

__test__/git-config-helper.int.test.ts

@@ -7,7 +7,6 @@ const extraheaderConfigKey = 'http.https://127.0.0.1/.extraheader'
 
 describe('git-config-helper integration tests', () => {
   let git: GitCommandManager
-  let gitConfigHelper: GitConfigHelper
 
   beforeAll(async () => {
     git = await GitCommandManager.create(REPO_PATH)

action.yml

@@ -51,6 +51,9 @@ inputs:
       A fork of the checked out parent repository to which the pull request branch will be pushed.
       e.g. `owner/repo-fork`.
       The pull request will be created to merge the fork's branch into the parent's base.
+  sign-commits:
+    description: 'Sign commits as `github-actions[bot]` when using `GITHUB_TOKEN`, or your own bot when using GitHub App tokens.'
+    default: true
   title:
     description: 'The title of the pull request.'
     default: 'Changes by create-pull-request action'
@@ -83,6 +86,8 @@ outputs:
     description: 'The pull request operation performed by the action, `created`, `updated` or `closed`.'
   pull-request-head-sha:
     description: 'The commit SHA of the pull request branch.'
+  pull-request-branch:
+    description: 'The pull request branch name'
 runs:
   using: 'node20'
   main: 'dist/index.js'

docs/common-issues.md

@@ -35,7 +35,12 @@ The reason is that I'm trying very hard to keep the interface for this action to
 Git hooks must be installed after a repository is checked out in order for them to work.
 So the straightforward solution is to just not install them during the workflow where this action is used.
 
-- If hooks are automatically enabled by a framework, use an option provided by the framework to disable them. For example, for Husky users, they can be disabled with the `--ignore-scripts` flag.
+- If hooks are automatically enabled by a framework, use an option provided by the framework to disable them. For example, for Husky users, they can be disabled with the `--ignore-scripts` flag, or by setting the `HUSKY` environment variable when the action runs.
+  ```yml
+  uses: peter-evans/create-pull-request@v6
+  env:
+    HUSKY: '0'
+  ```
 - If hooks are installed in a script, then add a condition checking if the `CI` environment variable exists.
    ```sh
    #!/bin/sh

docs/concepts-guidelines.md

@@ -16,7 +16,9 @@ This document covers terminology, how the action works, general usage guidelines
   - [Push using SSH (deploy keys)](#push-using-ssh-deploy-keys)
   - [Push pull request branches to a fork](#push-pull-request-branches-to-a-fork)
   - [Authenticating with GitHub App generated tokens](#authenticating-with-github-app-generated-tokens)
-  - [GPG commit signature verification](#gpg-commit-signature-verification)
+  - [Commit signing](#commit-signing)
+    - [Commit signature verification for bots](#commit-signature-verification-for-bots)
+    - [GPG commit signature verification](#gpg-commit-signature-verification)
   - [Running in a container or on self-hosted runners](#running-in-a-container-or-on-self-hosted-runners)
 
 ## Terminology
@@ -260,17 +262,17 @@ GitHub App generated tokens are more secure than using a PAT because GitHub App
 
 4. Set secrets on your repository containing the GitHub App ID, and the private key you created in step 2. e.g. `APP_ID`, `APP_PRIVATE_KEY`.
 
-5. The following example workflow shows how to use [tibdex/github-app-token](https://github.com/tibdex/github-app-token) to generate a token for use with this action.
+5. The following example workflow shows how to use [actions/create-github-app-token](https://github.com/actions/create-github-app-token) to generate a token for use with this action.
 
 ```yaml
     steps:
       - uses: actions/checkout@v4
 
-      - uses: tibdex/github-app-token@v1
+      - uses: actions/create-github-app-token@v1
         id: generate-token
         with:
-          app_id: ${{ secrets.APP_ID }}
-          private_key: ${{ secrets.APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
 
       # Make changes to pull request here
 
@@ -280,7 +282,54 @@ GitHub App generated tokens are more secure than using a PAT because GitHub App
           token: ${{ steps.generate-token.outputs.token }}
 ```
 
-### GPG commit signature verification
+### Commit signing
+
+[Commit signature verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) is a feature where GitHub will mark signed commits as "verified" to give confidence that changes are from a trusted source. Some organizations require commit signing, and enforce it with branch protection rules.
+
+The action supports two methods to sign commits, [commit signature verification for bots](#commit-signature-verification-for-bots), and [GPG commit signature verification](#gpg-commit-signature-verification).
+
+#### Commit signature verification for bots
+
+The action can sign commits as `github-actions[bot]` when using the repository's default `GITHUB_TOKEN`, or your own bot when using [GitHub App tokens](#authenticating-with-github-app-generated-tokens).
+
+> [!IMPORTANT]  
+> - When setting `sign-commits: true` the action will ignore the `committer` and `author` inputs.
+> - If you attempt to use a [Personal Access Token (PAT)](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) the action will create the pull request, but commits will not be signed. Commit signing is only supported with bot generated tokens.
+
+In this example the `token` input is not supplied, so the action will use the repository's default `GITHUB_TOKEN`. This will sign commits as `github-actions[bot]`.
+```yaml
+    steps:
+      - uses: actions/checkout@v4
+
+      # Make changes to pull request here
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v6
+        with:
+          sign-commits: true
+```
+
+In this example, the `token` input is generated using a GitHub App. This will sign commits as `<application-name>[bot]`.
+```yaml
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/create-github-app-token@v1
+        id: generate-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+      # Make changes to pull request here
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          sign-commits: true
+```
+
+#### GPG commit signature verification
 
 The action can use GPG to sign commits with a GPG key that you generate yourself.
 

package.json

@@ -31,30 +31,33 @@
   "dependencies": {
     "@actions/core": "^1.10.1",
     "@actions/exec": "^1.1.1",
-    "@octokit/core": "^4.2.4",
-    "@octokit/plugin-paginate-rest": "^5.0.1",
-    "@octokit/plugin-rest-endpoint-methods": "^6.8.1",
-    "https-proxy-agent": "^5.0.1",
+    "@octokit/core": "^6.1.2",
+    "@octokit/plugin-paginate-rest": "^11.3.3",
+    "@octokit/plugin-rest-endpoint-methods": "^13.2.4",
+    "@octokit/plugin-throttling": "^9.3.1",
+    "p-limit": "^6.1.0",
     "proxy-from-env": "^1.1.0",
+    "undici": "^6.19.7",
     "uuid": "^9.0.1"
   },
   "devDependencies": {
     "@types/jest": "^29.5.12",
-    "@types/node": "^18.19.31",
-    "@typescript-eslint/parser": "^5.62.0",
+    "@types/node": "^18.19.44",
+    "@typescript-eslint/eslint-plugin": "^7.17.0",
+    "@typescript-eslint/parser": "^7.17.0",
     "@vercel/ncc": "^0.38.1",
     "eslint": "^8.57.0",
     "eslint-import-resolver-typescript": "^3.6.1",
     "eslint-plugin-github": "^4.10.2",
     "eslint-plugin-import": "^2.29.1",
     "eslint-plugin-jest": "^27.9.0",
-    "eslint-plugin-prettier": "^5.1.3",
+    "eslint-plugin-prettier": "^5.2.1",
     "jest": "^29.7.0",
     "jest-circus": "^29.7.0",
     "jest-environment-jsdom": "^29.7.0",
     "js-yaml": "^4.1.0",
-    "prettier": "^3.2.5",
-    "ts-jest": "^29.1.2",
-    "typescript": "^4.9.5"
+    "prettier": "^3.3.3",
+    "ts-jest": "^29.2.4",
+    "typescript": "^5.5.4"
   }
 }

src/create-or-update-branch.ts

@@ -1,11 +1,13 @@
 import * as core from '@actions/core'
-import {GitCommandManager} from './git-command-manager'
+import {GitCommandManager, Commit} from './git-command-manager'
 import {v4 as uuidv4} from 'uuid'
 
 const CHERRYPICK_EMPTY =
   'The previous cherry-pick is now empty, possibly due to conflict resolution.'
 const NOTHING_TO_COMMIT = 'nothing to commit, working tree clean'
 
+const FETCH_DEPTH_MARGIN = 10
+
 export enum WorkingBaseType {
   Branch = 'branch',
   Commit = 'commit'
@@ -31,11 +33,13 @@ export async function getWorkingBaseAndType(
 export async function tryFetch(
   git: GitCommandManager,
   remote: string,
-  branch: string
+  branch: string,
+  depth: number
 ): Promise<boolean> {
   try {
     await git.fetch([`${branch}:refs/remotes/${remote}/${branch}`], remote, [
-      '--force'
+      '--force',
+      `--depth=${depth}`
     ])
     return true
   } catch {
@@ -43,6 +47,24 @@ export async function tryFetch(
   }
 }
 
+export async function buildBranchCommits(
+  git: GitCommandManager,
+  base: string,
+  branch: string
+): Promise<Commit[]> {
+  const output = await git.exec(['log', '--format=%H', `${base}..${branch}`])
+  const shas = output.stdout
+    .split('\n')
+    .filter(x => x !== '')
+    .reverse()
+  const commits: Commit[] = []
+  for (const sha of shas) {
+    const commit = await git.getCommit(sha)
+    commits.push(commit)
+  }
+  return commits
+}
+
 // Return the number of commits that branch2 is ahead of branch1
 async function commitsAhead(
   git: GitCommandManager,
@@ -110,7 +132,9 @@ interface CreateOrUpdateBranchResult {
   action: string
   base: string
   hasDiffWithBase: boolean
+  baseSha: string
   headSha: string
+  branchCommits: Commit[]
 }
 
 export async function createOrUpdateBranch(
@@ -120,7 +144,8 @@ export async function createOrUpdateBranch(
   branch: string,
   branchRemoteName: string,
   signoff: boolean,
-  addPaths: string[]
+  addPaths: string[],
+  signCommits: boolean = false
 ): Promise<CreateOrUpdateBranchResult> {
   // Get the working base.
   // When a ref, it may or may not be the actual base.
@@ -140,7 +165,9 @@ export async function createOrUpdateBranch(
     action: 'none',
     base: base,
     hasDiffWithBase: false,
-    headSha: ''
+    baseSha: '',
+    headSha: '',
+    branchCommits: []
   }
 
   // Save the working base changes to a temporary branch
@@ -215,8 +242,15 @@ export async function createOrUpdateBranch(
     await git.fetch([`${base}:${base}`], baseRemote, fetchArgs)
   }
 
+  // Determine the fetch depth for the pull request branch (best effort)
+  const tempBranchCommitsAhead = await commitsAhead(git, base, tempBranch)
+  const fetchDepth =
+    tempBranchCommitsAhead > 0
+      ? tempBranchCommitsAhead + FETCH_DEPTH_MARGIN
+      : FETCH_DEPTH_MARGIN
+
   // Try to fetch the pull request branch
-  if (!(await tryFetch(git, branchRemoteName, branch))) {
+  if (!(await tryFetch(git, branchRemoteName, branch, fetchDepth))) {
     // The pull request branch does not exist
     core.info(`Pull request branch '${branch}' does not exist yet.`)
     // Create the pull request branch
@@ -250,7 +284,6 @@ export async function createOrUpdateBranch(
     //   temp branch. This catches a case where the base branch has been force pushed to
     //   a new commit.
     // For changes on base this reset is equivalent to a rebase of the pull request branch.
-    const tempBranchCommitsAhead = await commitsAhead(git, base, tempBranch)
     const branchCommitsAhead = await commitsAhead(git, base, branch)
     if (
       (await git.hasDiff([`${branch}..${tempBranch}`])) ||
@@ -279,8 +312,15 @@ export async function createOrUpdateBranch(
     result.hasDiffWithBase = await isAhead(git, base, branch)
   }
 
-  // Get the pull request branch SHA
-  result.headSha = await git.revParse('HEAD')
+  // Get the base and head SHAs
+  result.baseSha = await git.revParse(base)
+  result.headSha = await git.revParse(branch)
+
+  // NOTE: This could always be built and returned. Maybe remove when there is confidence in buildBranchCommits.
+  if (signCommits) {
+    // Build the branch commits
+    result.branchCommits = await buildBranchCommits(git, base, branch)
+  }
 
   // Delete the temporary branch
   await git.exec(['branch', '--delete', '--force', tempBranch])

src/create-pull-request.ts

@@ -23,6 +23,7 @@ export interface Inputs {
   branchSuffix: string
   base: string
   pushToFork: string
+  signCommits: boolean
   title: string
   body: string
   bodyPath: string
@@ -183,8 +184,11 @@ export async function createPullRequest(inputs: Inputs): Promise<void> {
       inputs.branch,
       branchRemoteName,
       inputs.signoff,
-      inputs.addPaths
+      inputs.addPaths,
+      inputs.signCommits
     )
+    // Set the base. It would have been '' if not specified as an input
+    inputs.base = result.base
     core.endGroup()
 
     if (['created', 'updated'].includes(result.action)) {
@@ -192,17 +196,31 @@ export async function createPullRequest(inputs: Inputs): Promise<void> {
       core.startGroup(
         `Pushing pull request branch to '${branchRemoteName}/${inputs.branch}'`
       )
-      await git.push([
-        '--force-with-lease',
-        branchRemoteName,
-        `${inputs.branch}:refs/heads/${inputs.branch}`
-      ])
+      if (inputs.signCommits) {
+        // Create signed commits via the GitHub API
+        const stashed = await git.stashPush(['--include-untracked'])
+        await git.checkout(inputs.branch)
+        await githubHelper.pushSignedCommits(
+          result.branchCommits,
+          result.baseSha,
+          repoPath,
+          branchRepository,
+          inputs.branch
+        )
+        await git.checkout('-')
+        if (stashed) {
+          await git.stashPop()
+        }
+      } else {
+        await git.push([
+          '--force-with-lease',
+          branchRemoteName,
+          `${inputs.branch}:refs/heads/${inputs.branch}`
+        ])
+      }
       core.endGroup()
     }
 
-    // Set the base. It would have been '' if not specified as an input
-    inputs.base = result.base
-
     if (result.hasDiffWithBase) {
       // Create or update the pull request
       core.startGroup('Create or update the pull request')
@@ -223,6 +241,7 @@ export async function createPullRequest(inputs: Inputs): Promise<void> {
         core.setOutput('pull-request-operation', 'updated')
       }
       core.setOutput('pull-request-head-sha', result.headSha)
+      core.setOutput('pull-request-branch', inputs.branch)
       // Deprecated
       core.exportVariable('PULL_REQUEST_NUMBER', pull.number)
       core.endGroup()

src/git-command-manager.ts

@@ -5,6 +5,19 @@ import * as path from 'path'
 
 const tagsRefSpec = '+refs/tags/*:refs/tags/*'
 
+export type Commit = {
+  sha: string
+  tree: string
+  parents: string[]
+  subject: string
+  body: string
+  changes: {
+    mode: string
+    status: 'A' | 'M' | 'D'
+    path: string
+  }[]
+}
+
 export class GitCommandManager {
   private gitPath: string
   private workingDirectory: string
@@ -138,6 +151,43 @@ export class GitCommandManager {
     await this.exec(args)
   }
 
+  async getCommit(ref: string): Promise<Commit> {
+    const endOfBody = '###EOB###'
+    const output = await this.exec([
+      'show',
+      '--raw',
+      '--cc',
+      '--diff-filter=AMD',
+      `--format=%H%n%T%n%P%n%s%n%b%n${endOfBody}`,
+      ref
+    ])
+    const lines = output.stdout.split('\n')
+    const endOfBodyIndex = lines.lastIndexOf(endOfBody)
+    const detailLines = lines.slice(0, endOfBodyIndex)
+
+    return <Commit>{
+      sha: detailLines[0],
+      tree: detailLines[1],
+      parents: detailLines[2].split(' '),
+      subject: detailLines[3],
+      body: detailLines.slice(4, endOfBodyIndex).join('\n'),
+      changes: lines.slice(endOfBodyIndex + 2, -1).map(line => {
+        const change = line.match(
+          /^:(\d{6}) (\d{6}) \w{7} \w{7} ([AMD])\s+(.*)$/
+        )
+        if (change) {
+          return {
+            mode: change[3] === 'D' ? change[1] : change[2],
+            status: change[3],
+            path: change[4]
+          }
+        } else {
+          throw new Error(`Unexpected line format: ${line}`)
+        }
+      })
+    }
+  }
+
   async getConfigValue(configKey: string, configValue = '.'): Promise<string> {
     const output = await this.exec([
       'config',

src/github-helper.ts

@@ -1,11 +1,15 @@
 import * as core from '@actions/core'
 import {Inputs} from './create-pull-request'
-import {Octokit, OctokitOptions} from './octokit-client'
+import {Commit} from './git-command-manager'
+import {Octokit, OctokitOptions, throttleOptions} from './octokit-client'
+import pLimit from 'p-limit'
 import * as utils from './utils'
 
 const ERROR_PR_REVIEW_TOKEN_SCOPE =
   'Validation Failed: "Could not resolve to a node with the global id of'
 
+const blobCreationLimit = pLimit(8)
+
 interface Repository {
   owner: string
   repo: string
@@ -17,6 +21,13 @@ interface Pull {
   created: boolean
 }
 
+type TreeObject = {
+  path: string
+  mode: '100644' | '100755' | '040000' | '160000' | '120000'
+  sha: string | null
+  type: 'blob'
+}
+
 export class GitHubHelper {
   private octokit: InstanceType<typeof Octokit>
 
@@ -30,6 +41,7 @@ export class GitHubHelper {
     } else {
       options.baseUrl = 'https://api.github.com'
     }
+    options.throttle = throttleOptions
     this.octokit = new Octokit(options)
   }
 
@@ -184,4 +196,114 @@ export class GitHubHelper {
 
     return pull
   }
+
+  async pushSignedCommits(
+    branchCommits: Commit[],
+    baseSha: string,
+    repoPath: string,
+    branchRepository: string,
+    branch: string
+  ): Promise<void> {
+    let headSha = baseSha
+    for (const commit of branchCommits) {
+      headSha = await this.createCommit(
+        commit,
+        [headSha],
+        repoPath,
+        branchRepository
+      )
+    }
+    await this.createOrUpdateRef(branchRepository, branch, headSha)
+  }
+
+  private async createCommit(
+    commit: Commit,
+    parents: string[],
+    repoPath: string,
+    branchRepository: string
+  ): Promise<string> {
+    const repository = this.parseRepository(branchRepository)
+    let treeSha = commit.tree
+    if (commit.changes.length > 0) {
+      core.info(`Creating tree objects for local commit ${commit.sha}`)
+      const treeObjects = await Promise.all(
+        commit.changes.map(async ({path, mode, status}) => {
+          let sha: string | null = null
+          if (status === 'A' || status === 'M') {
+            core.info(`Creating blob for file '${path}'`)
+            const {data: blob} = await blobCreationLimit(() =>
+              this.octokit.rest.git.createBlob({
+                ...repository,
+                content: utils.readFileBase64([repoPath, path]),
+                encoding: 'base64'
+              })
+            )
+            sha = blob.sha
+          }
+          return <TreeObject>{
+            path,
+            mode,
+            sha,
+            type: 'blob'
+          }
+        })
+      )
+      core.info(`Creating tree for local commit ${commit.sha}`)
+      const {data: tree} = await this.octokit.rest.git.createTree({
+        ...repository,
+        base_tree: parents[0],
+        tree: treeObjects
+      })
+      treeSha = tree.sha
+      core.info(`Created tree ${treeSha} for local commit ${commit.sha}`)
+    }
+
+    const {data: remoteCommit} = await this.octokit.rest.git.createCommit({
+      ...repository,
+      parents: parents,
+      tree: treeSha,
+      message: `${commit.subject}\n\n${commit.body}`
+    })
+    core.info(
+      `Created commit ${remoteCommit.sha} for local commit ${commit.sha}`
+    )
+    core.info(
+      `Commit verified: ${remoteCommit.verification.verified}; reason: ${remoteCommit.verification.reason}`
+    )
+    return remoteCommit.sha
+  }
+
+  private async createOrUpdateRef(
+    branchRepository: string,
+    branch: string,
+    newHead: string
+  ) {
+    const repository = this.parseRepository(branchRepository)
+    const branchExists = await this.octokit.rest.repos
+      .getBranch({
+        ...repository,
+        branch: branch
+      })
+      .then(
+        () => true,
+        () => false
+      )
+
+    if (branchExists) {
+      core.info(`Branch ${branch} exists; Updating ref`)
+      await this.octokit.rest.git.updateRef({
+        ...repository,
+        sha: newHead,
+        ref: `heads/${branch}`,
+        force: true
+      })
+    } else {
+      core.info(`Branch ${branch} does not exist; Creating ref`)
+      await this.octokit.rest.git.createRef({
+        ...repository,
+        sha: newHead,
+        ref: `refs/heads/${branch}`
+      })
+    }
+  }
 }

src/main.ts

@@ -19,6 +19,7 @@ async function run(): Promise<void> {
       branchSuffix: core.getInput('branch-suffix'),
       base: core.getInput('base'),
       pushToFork: core.getInput('push-to-fork'),
+      signCommits: core.getBooleanInput('sign-commits'),
       title: core.getInput('title'),
       body: core.getInput('body'),
       bodyPath: core.getInput('body-path'),

src/octokit-client.ts

@@ -1,23 +1,54 @@
-import {Octokit as Core} from '@octokit/core'
+import * as core from '@actions/core'
+import {Octokit as OctokitCore} from '@octokit/core'
 import {paginateRest} from '@octokit/plugin-paginate-rest'
 import {restEndpointMethods} from '@octokit/plugin-rest-endpoint-methods'
-import {HttpsProxyAgent} from 'https-proxy-agent'
+import {throttling} from '@octokit/plugin-throttling'
 import {getProxyForUrl} from 'proxy-from-env'
+import {ProxyAgent, fetch as undiciFetch} from 'undici'
 export {RestEndpointMethodTypes} from '@octokit/plugin-rest-endpoint-methods'
+// eslint-disable-next-line import/no-unresolved
 export {OctokitOptions} from '@octokit/core/dist-types/types'
 
-export const Octokit = Core.plugin(
+export const Octokit = OctokitCore.plugin(
   paginateRest,
   restEndpointMethods,
+  throttling,
   autoProxyAgent
 )
 
+export const throttleOptions = {
+  onRateLimit: (retryAfter, options, _, retryCount) => {
+    core.debug(`Hit rate limit for request ${options.method} ${options.url}`)
+    // Retries twice for a total of three attempts
+    if (retryCount < 2) {
+      core.debug(`Retrying after ${retryAfter} seconds!`)
+      return true
+    }
+  },
+  onSecondaryRateLimit: (_, options) => {
+    core.warning(
+      `Hit secondary rate limit for request ${options.method} ${options.url}`
+    )
+  }
+}
+
+const proxyFetch =
+  (proxyUrl: string): typeof undiciFetch =>
+  (url, opts) => {
+    return undiciFetch(url, {
+      ...opts,
+      dispatcher: new ProxyAgent({
+        uri: proxyUrl
+      })
+    })
+  }
+
 // Octokit plugin to support the standard environment variables http_proxy, https_proxy and no_proxy
-function autoProxyAgent(octokit: Core) {
+function autoProxyAgent(octokit: OctokitCore) {
   octokit.hook.before('request', options => {
     const proxy = getProxyForUrl(options.baseUrl)
     if (proxy) {
-      options.request.agent = new HttpsProxyAgent(proxy)
+      options.request.fetch = proxyFetch(proxy)
     }
   })
 }

src/utils.ts

@@ -126,6 +126,10 @@ export function readFile(path: string): string {
   return fs.readFileSync(path, 'utf-8')
 }
 
+export function readFileBase64(pathParts: string[]): string {
+  return fs.readFileSync(path.resolve(...pathParts)).toString('base64')
+}
+
 /* eslint-disable  @typescript-eslint/no-explicit-any */
 function hasErrorCode(error: any): error is {code: string} {
   return typeof (error && error.code) === 'string'