External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-06-25 08:28:03 -02:30
Code Issues Packages Projects Releases Wiki Activity

fix: use GitHub API for signed commits in spec sync workflow

Browse Source 
The aap-openapi-specs repo requires commit signatures via org ruleset.
Switch from git commit+push to the GitHub Git Data API which
automatically signs commits, satisfying the required_signatures rule.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Rodrigo Horie
2026-06-16 16:56:52 -03:00
parent 34f34e058b
commit 05a514f2b2
1 changed files with 30 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
.github/workflows/spec-sync-on-merge.yml vendored
View File

@@ -113,19 +113,11 @@ jobs:
env: env:
GH_TOKEN: ${{ secrets.OPENAPI_SPEC_SYNC_TOKEN }} GH_TOKEN: ${{ secrets.OPENAPI_SPEC_SYNC_TOKEN }}
COMMIT_MESSAGE: ${{ github.event.head_commit.message }} COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
SPEC_REPO: ansible-automation-platform/aap-openapi-specs
run: | run: |
# Configure git
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
# Create branch for PR
SHORT_SHA="${{ github.sha }}" SHORT_SHA="${{ github.sha }}"
SHORT_SHA="${SHORT_SHA:0:7}" SHORT_SHA="${SHORT_SHA:0:7}"
BRANCH_NAME="update-Controller-${{ github.ref_name }}-${SHORT_SHA}" BRANCH_NAME="update-Controller-${{ github.ref_name }}-${SHORT_SHA}"
git checkout -b "$BRANCH_NAME"
# Add and commit changes
git add "controller.json"
if [ "${{ steps.compare.outputs.is_new_file }}" == "true" ]; then if [ "${{ steps.compare.outputs.is_new_file }}" == "true" ]; then
COMMIT_MSG="Add Controller OpenAPI spec for ${{ github.ref_name }}" COMMIT_MSG="Add Controller OpenAPI spec for ${{ github.ref_name }}"
@@ -133,15 +125,38 @@ jobs:
COMMIT_MSG="Update Controller OpenAPI spec for ${{ github.ref_name }}" COMMIT_MSG="Update Controller OpenAPI spec for ${{ github.ref_name }}"
fi fi
git commit -m "$COMMIT_MSG COMMIT_MSG="${COMMIT_MSG}
Synced from ${{ github.repository }}@${{ github.sha }} Synced from ${{ github.repository }}@${{ github.sha }}
Source branch: ${{ github.ref_name }} Source branch: ${{ github.ref_name }}"
Co-Authored-By: github-actions[bot] <github-actions[bot]@users.noreply.github.com>" # Create branch via API
BASE_SHA=$(gh api "repos/${SPEC_REPO}/git/ref/heads/${{ github.ref_name }}" --jq '.object.sha')
gh api "repos/${SPEC_REPO}/git/refs" \
-f "ref=refs/heads/${BRANCH_NAME}" \
-f "sha=${BASE_SHA}"
# Push branch # Create blob and commit via API (commits created through the API are automatically signed by GitHub)
git push origin "$BRANCH_NAME" BLOB_SHA=$(gh api "repos/${SPEC_REPO}/git/blobs" \
-f "content=$(base64 -w 0 controller.json)" \
-f "encoding=base64" \
--jq '.sha')
TREE_SHA=$(gh api "repos/${SPEC_REPO}/git/trees" \
-f "base_tree=${BASE_SHA}" \
--input <(jq -n --arg blob "$BLOB_SHA" '{tree: [{path: "controller.json", mode: "100644", type: "blob", sha: $blob}]}') \
--jq '.sha')
NEW_COMMIT_SHA=$(gh api "repos/${SPEC_REPO}/git/commits" \
-f "message=${COMMIT_MSG}" \
-f "tree=${TREE_SHA}" \
-f "parents[]=${BASE_SHA}" \
--jq '.sha')
# Update branch ref to point to the new signed commit
gh api "repos/${SPEC_REPO}/git/refs/heads/${BRANCH_NAME}" \
-X PATCH \
-f "sha=${NEW_COMMIT_SHA}"
# Create PR # Create PR
PR_TITLE="[${{ github.ref_name }}] Update Controller spec from merged commit" PR_TITLE="[${{ github.ref_name }}] Update Controller spec from merged commit"
@@ -165,6 +180,7 @@ jobs:
🤖 This PR was automatically generated by the OpenAPI spec sync workflow." 🤖 This PR was automatically generated by the OpenAPI spec sync workflow."
gh pr create \ gh pr create \
--repo "${SPEC_REPO}" \
--title "$PR_TITLE" \ --title "$PR_TITLE" \
--body "$PR_BODY" \ --body "$PR_BODY" \
--base "${{ github.ref_name }}" \ --base "${{ github.ref_name }}" \