{"id":15090064,"url":"https://github.com/iarekylew00t/verified-bot-commit","last_synced_at":"2026-04-03T00:42:05.684Z","repository":{"id":255608980,"uuid":"851264189","full_name":"IAreKyleW00t/verified-bot-commit","owner":"IAreKyleW00t","description":"✅ GitHub Action for creating signed and verified bot commits","archived":false,"fork":false,"pushed_at":"2025-08-26T13:23:53.000Z","size":4566,"stargazers_count":14,"open_issues_count":3,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-08-26T16:02:13.626Z","etag":null,"topics":["actions","commit","git","git-commit","github-actions","github-actions-bot","github-api","rest-api","signed-commits","signing","typescript-action","verification","verified-commits"],"latest_commit_sha":null,"homepage":"https://github.com/marketplace/actions/verified-bot-commit","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/IAreKyleW00t.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-09-02T18:44:36.000Z","updated_at":"2025-08-20T21:40:46.000Z","dependencies_parsed_at":"2024-09-10T01:38:11.791Z","dependency_job_id":"11b06de2-5999-4b1c-87e9-ebe80fc116c5","html_url":"https://github.com/IAreKyleW00t/verified-bot-commit","commit_stats":{"total_commits":53,"total_committers":2,"mean_commits":26.5,"dds":"0.30188679245283023","last_synced_commit":"220a2a43646bb1883b3effa14b08f485af8af1fa"},"previous_names":["iarekylew00t/verified-bot-commi
t"],"tags_count":45,"template":false,"template_full_name":null,"purl":"pkg:github/IAreKyleW00t/verified-bot-commit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IAreKyleW00t%2Fverified-bot-commit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IAreKyleW00t%2Fverified-bot-commit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IAreKyleW00t%2Fverified-bot-commit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IAreKyleW00t%2Fverified-bot-commit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/IAreKyleW00t","download_url":"https://codeload.github.com/IAreKyleW00t/verified-bot-commit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IAreKyleW00t%2Fverified-bot-commit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273552222,"owners_count":25125922,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-04T02:00:08.968Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","commit","git","git-commit","github-actions","github-actions-bot","github-api","rest-api","signed-commits","signing","typescript-action","verification","verified-commits"],"created_at":"2024-09-25T09:04:24.058Z","updated_at":"2026-04-03T00:42:05.676Z","avatar_u
rl":"https://github.com/IAreKyleW00t.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ✅ Verified Bot Commit\n\n[![CI](https://github.com/IAreKyleW00t/verified-bot-commit/actions/workflows/ci.yml/badge.svg)](https://github.com/IAreKyleW00t/verified-bot-commit/actions/workflows/ci.yml)\n[![Tests](https://github.com/IAreKyleW00t/verified-bot-commit/actions/workflows/test.yml/badge.svg)](https://github.com/IAreKyleW00t/verified-bot-commit/actions/workflows/test.yml)\n[![Check dist/](https://github.com/IAreKyleW00t/verified-bot-commit/actions/workflows/check-dist.yml/badge.svg)](https://github.com/IAreKyleW00t/verified-bot-commit/actions/workflows/check-dist.yml)\n[![CodeQL](https://github.com/IAreKyleW00t/verified-bot-commit/actions/workflows/codeql.yml/badge.svg)](https://github.com/IAreKyleW00t/verified-bot-commit/actions/workflows/codeql.yml)  \n[![GitHub Marketplace](https://img.shields.io/badge/Marketplace-Verified%20Bot%20Commit-blue?style=flat\u0026logo=github)](https://github.com/marketplace/actions/verified-bot-commit)\n[![GitHub tag (latest SemVer)](https://img.shields.io/github/v/tag/IAreKyleW00t/verified-bot-commit?style=flat\u0026label=Latest%20Version\u0026color=blue\u0026filter=v*)](https://github.com/IAreKyleW00t/verified-bot-commit/tags)\n[![License](https://img.shields.io/github/license/IAreKyleW00t/verified-bot-commit?label=License)](https://github.com/IAreKyleW00t/verified-bot-commit/blob/main/LICENSE)\n[![Dependabot](https://img.shields.io/badge/Dependabot-0366d6?style=flat\u0026logo=dependabot\u0026logoColor=white)](.github/dependabot.yml)\n\nA GitHub Action to create signed and verified commits as the\n`github-actions[bot]` User with the standard `GITHUB_TOKEN`, or with your own\n[GitHub App Token](#github-app-token). This is accomplished via the GitHub [REST\nAPI] by using the [Blob] and [Tree] endpoints to build the commit and update the\noriginal Ref to point to it. 
[^1]\n\nThis Action will stage all changed files in your local branch and add those that\nmatch your file patterns to the commit. Afterwards, your local branch will be\nupdated to point to the newly created commit, which will be signed and verified\nusing [GitHub's public PGP key](https://github.com/web-flow.gpg)! Files that\nwere not committed by the Action will be left staged.\n\n\u003e [!IMPORTANT]\n\u003e\n\u003e Using this Action with your own [Personal Access Token (PAT)] is **not**\n\u003e recommended.  \n\u003e See [limitations](#limitations) for more details.\n\n\u003e This action supports Linux, macOS and Windows runners (results may vary with\n\u003e self-hosted runners).\n\n## Quick Start\n\n```yaml\n- name: Commit changes\n  uses: iarekylew00t/verified-bot-commit@v2\n  with:\n    message: 'feat: Some changes'\n    files: |\n      README.md\n      *.txt\n      src/**/tests/*\n      !test-data/dont-include-this\n      test-data/**\n```\n\n## Usage\n\n### Inputs\n\n\u003e `List` type is a newline-delimited string\n\u003e\n\u003e ```yaml\n\u003e files: |\n\u003e   *.md\n\u003e   example.txt\n\u003e ```\n\n| Name                 | Type    | Description                                            | Default                    |\n| -------------------- | ------- | ------------------------------------------------------ | -------------------------- |\n| `repository`         | String  | The target repository [1]                              | `${{ github.repository }}` |\n| `ref`                | String  | The ref to push the commit to                          | `${{ github.ref }}`        |\n| `files`              | List    | Files/[Glob] patterns to include with the commit [2]   | _required_                 |\n| `message`            | String  | Message for the commit [3]                             | _optional_                 |\n| `message-file`       | String  | File to use for the commit message [3]                 | _optional_                 |\n| 
`auto-stage`         | Boolean | Stage all changed files for committing [4]             | `true`                     |\n| `update-local`       | Boolean | Update local branch after committing [4]               | `true`                     |\n| `force-push`         | Boolean | Force push the commit                                  | `false`                    |\n| `if-no-commit`       | String  | Set the behavior when no commit is made [5]            | `warning`                  |\n| `allow-empty-commit` | Boolean | Allow creating an empty commit if there are no changes | `false`                    |\n| `no-throttle`        | Boolean | Disable the throttling mechanism during requests       | `false`                    |\n| `no-retry`           | Boolean | Disable the retry mechanism during requests            | `false`                    |\n| `max-retries`        | Number  | Number of retries to attempt if a request fails        | `1`                        |\n| `follow-symlinks`    | Boolean | Follow symbolic links when globbing files              | `true`                     |\n| `workspace`          | String  | Directory containing checked out files                 | `${{ github.workspace }}`  |\n| `api-url`            | String  | Base URL for the GitHub API                            | `${{ github.api_url }}`    |\n| `token`              | String  | GitHub Token for REST API access [6]                   | `${{ github.token }}`      |\n\n\u003e 1. Must be in the format `owner/repo-name`. To push to other repositories you\n\u003e    will _need_ to use a [GitHub App Token](#custom-github-app-token).\n\u003e 2. Files within your `.gitignore` will not be included. You can also negate\n\u003e    any files by prefixing them with `!`.\n\u003e 3. You must include either `message` or `message-file` (which takes priority).\n\u003e 4. 
Only files that match a pattern you include will be in the final commit,\n\u003e    but you can optionally stage files yourself for more control.\n\u003e 5. Available options are `info`, `notice`, `warning` and `error`. (Will be set\n\u003e    to `ignore` if `allow-empty-commit` is `true`)\n\u003e 6. This Action is intended to work with the default `GITHUB_TOKEN` or a\n\u003e    [GitHub App Token](#custom-github-app-token). See the\n\u003e    [limitations](#limitations) section.\n\n### Outputs\n\n| Name     | Type   | Description                                       |\n| -------- | ------ | ------------------------------------------------- |\n| `blobs`  | JSON   | A JSON list of blob SHAs within the tree          |\n| `tree`   | String | SHA of the underlying tree for the commit         |\n| `commit` | String | SHA of the commit itself                          |\n| `ref`    | String | SHA for the ref that was updated (same as commit) |\n\n### GITHUB_TOKEN Permissions\n\nThis Action requires the following permissions granted to the `GITHUB_TOKEN`.\n\n- `contents: write`\n\n### GitHub App Token\n\nAs an alternative to the default `GITHUB_TOKEN`, you can use a GitHub App to\ngenerate the necessary token to create _and_ sign the commit instead. 
This gives\nyou a nicely signed/verified commit plus all the benefits that using your\ntoken provides, such as your own bot's name, writing to protected tags/branches,\nwriting to other repositories, etc.\n\nRefer to the [Use a GitHub App Token](#use-a-github-app-token) example to\nquickly get started with this approach.\n\nFor more details, refer to these discussions on the topic:\n\n- [How to Use Commit Signing with GitHub Apps](https://github.com/orgs/community/discussions/50055)\n- [GitHub App Installation Token and Authenticating as a GitHub App](https://github.com/orgs/community/discussions/48186)\n\n## Examples\n\n### Commit all changes\n\n```yaml\n- name: Commit \u0026 Push changes\n  uses: iarekylew00t/verified-bot-commit@v2\n  with:\n    message: 'chore: Updates'\n    files: |\n      **\n```\n\n### Commit changes back to a Pull Request\n\n```yaml\n- name: Commit \u0026 Push changes\n  uses: iarekylew00t/verified-bot-commit@v2\n  with:\n    ref: ${{ github.event.pull_request.head.ref }}\n    message: 'chore: Update README'\n    files: |\n      README.md\n```\n\n### Ignore warnings when no files changed\n\n```yaml\n- name: Commit \u0026 Push changes\n  uses: iarekylew00t/verified-bot-commit@v2\n  with:\n    if-no-commit: info\n    message: 'feat: Some changes'\n    files: |\n      README.md\n```\n\n### Creating an empty commit\n\n```yaml\n- name: Commit \u0026 Push changes\n  uses: iarekylew00t/verified-bot-commit@v2\n  with:\n    message: 'chore: Empty commit'\n    files: '' # don't target any files\n    allow-empty-commit: true\n```\n\n### Manually stage your own files\n\n```yaml\n- name: Stage files\n  shell: bash\n  run: |\n    git add docs/\n    git restore --staged docs/something/idont/want\n\n- name: Commit \u0026 Push changes\n  uses: iarekylew00t/verified-bot-commit@v2\n  with:\n    auto-stage: false\n    message: 'chore: Updating docs'\n    files: |\n      docs/**\n```\n\n### Use a repository in another directory\n\n```yaml\n- name: 
Checkout repo\n  uses: actions/checkout@v4\n  with:\n    path: my-repo\n\n- name: Update files\n  shell: bash\n  run: echo 'Hello World!' \u003e my-repo/test.txt\n\n- name: Commit \u0026 Push changes\n  uses: iarekylew00t/verified-bot-commit@v2\n  with:\n    workspace: my-repo\n    message: 'chore: Updating tests'\n    files: |\n      test.txt\n```\n\n### Use a GitHub App Token\n\n```yaml\n- name: Create GitHub App Token\n  uses: actions/create-github-app-token@v2\n  id: github-app-token\n  with:\n    app-id: ${{ secrets.GH_APP_ID }}\n    private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}\n    owner: ${{ github.repository_owner }}\n    repositories: ${{ github.event.repository.name }}\n\n- name: Checkout repository\n  uses: actions/checkout@v6\n  with:\n    ref: ${{ github.event.pull_request.head.ref }}\n    token: ${{ steps.github-app-token.outputs.token }} # Use the App token to checkout\n\n# Other steps that make changes...\n\n- name: Commit \u0026 Push changes\n  uses: iarekylew00t/verified-bot-commit@v2\n  with:\n    message: 'chore: Updating README'\n    ref: ${{ github.event.pull_request.head.ref }}\n    token: ${{ steps.github-app-token.outputs.token }} # Use the App token to commit changes\n    files: |\n      README.md\n      **/README.md\n```\n\n## Limitations\n\n⚠️ As always, the default `GITHUB_TOKEN` cannot push to protected Refs.\n\n⚠️ The [Blob] API has a 40MiB limit, any files larger than this in your commit\nwill fail.\n\n\u003e [!TIP]\n\u003e\n\u003e You can create a commit with large files using regular git CLI and push it to\n\u003e a temporary branch. 
Then `git log --format=raw` will get you the tree hash,\n\u003e which you can use to\n\u003e [create a commit](https://docs.github.com/en/rest/git/commits?apiVersion=2022-11-28#create-a-commit)\n\u003e with the GitHub API.\n\u003e [See example](https://github.com/orgs/community/discussions/50055#discussioncomment-13460641).\n\n⚠️ Using your own [Personal Access Token (PAT)] will result in an unsigned and\nunverified commit. You should look into using a\n[GitHub App Token](#github-app-token), or [using your own keys] and [signing\ncommits] yourself with the help of Actions like\n[webfactory/ssh-agent](https://github.com/webfactory/ssh-agent) and\n[crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg).\n\n## Common Errors\n\nBelow are some common errors that can occur depending on your use case. These are\nissues that are considered outside the scope of this Action but are still\ndocumented here to include common solutions/workarounds for others.\n\nFeel free to create an\n[Issue](https://github.com/IAreKyleW00t/verified-bot-commit/issues) or\n[Pull Request](https://github.com/IAreKyleW00t/verified-bot-commit/pulls) if you\nencounter other errors that should be documented here.\n\n### Git Object Errors\n\nIf you see errors that contain\n`insufficient permission for adding an object to repository database .git/objects`\nthen this probably means another Action in your Workflow performed local Git\noperations as a different user than the Runner (usually `root`), which\nresults in `.git/` files being owned by that user.\n\nYou can fix this by updating the permissions of the `.git/` directory\nback to the current user/group.\n\n```yaml\n- name: Fix .git permissions\n  run: sudo chown -R \"$(id -u):$(id -g)\" .git\n```\n\n## Development\n\n\u003e [!CAUTION]\n\u003e\n\u003e Since this is a TypeScript action you **must** transpile it into native\n\u003e JavaScript. 
This is done for you automatically as part of the `npm run all`\n\u003e command and will be validated via the\n\u003e [`check-dist.yml`](https://github.com/IAreKyleW00t/verified-bot-commit/actions/workflows/check-dist.yml)\n\u003e Workflow in any PR.\n\n1. ⚙️ Install the version of [Node.js](https://nodejs.org/en) as defined in the\n   [`.tool-versions`](.tool-versions).  \n   You can use [asdf](https://github.com/asdf-vm/asdf) to help manage your\n   project runtimes.\n\n   ```sh\n   asdf plugin add nodejs https://github.com/asdf-vm/asdf-nodejs.git\n   asdf install\n   ```\n\n2. 🛠️ Install dependencies\n\n   ```sh\n   npm install\n   ```\n\n3. 🏗️ Format, lint, test, and package your code changes.\n\n   ```sh\n   npm run all\n   ```\n\n## Releases\n\nFor maintainers, the following release process should be used when cutting new\nversions.\n\n1. ⏬ Pull down the latest changes and ensure all\n   [Workflows](https://github.com/IAreKyleW00t/verified-bot-commit/actions) are\n   passing.\n\n   ```sh\n   git checkout main\n   git pull\n   ```\n\n2. ✅ Bump the package version.\n\n   ```sh\n   npm version \u003cmajor|minor|patch\u003e -m \"chore: Bumping version to vX.Y.Z\"\n   ```\n\n3. 🔖 Create a new Tag, push it up, then create a\n   [new Release](https://github.com/IAreKyleW00t/verified-bot-commit/releases/new)\n   for the version.\n\n   ```sh\n   git tag vX.Y.Z\n   git push -u origin vX.Y.Z\n   ```\n\n   Alternatively you can create the Tag on the GitHub Release page itself.\n\n   When the tag is pushed it will kick off the\n   [Shared Tags](https://github.com/IAreKyleW00t/verified-bot-commit/actions/workflows/shared-tags.yml)\n   Workflows to update the `v$MAJOR` and `v$MAJOR.MINOR` tags.\n\n## Contributing\n\nFeel free to contribute and make things better by opening an\n[Issue](https://github.com/IAreKyleW00t/verified-bot-commit/issues) or\n[Pull Request](https://github.com/IAreKyleW00t/verified-bot-commit/pulls).  \nThank you for your contribution! 
❤️\n\n## License\n\nSee [LICENSE](LICENSE).\n\n## Credits\n\nSpecial thanks and credits to the following projects for their work and\ninspiration:\n\n- [swinton/commit](https://github.com/swinton/commit)\n- [ChromeQ/commit](https://github.com/ChromeQ/commit)\n\n\u003c!-- Links --\u003e\n\n[^1]:\n    [Git Internals - Git Objects](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects)\n\n[REST API]: https://docs.github.com/en/rest\n[Personal Access Token (PAT)]:\n  https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens\n[Blob]: https://docs.github.com/en/rest/git/blobs\n[Tree]: https://docs.github.com/en/rest/git/trees\n[Glob]: https://en.wikipedia.org/wiki/Glob_(programming)\n[using your own keys]:\n  https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key\n[signing commits]:\n  https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fiarekylew00t%2Fverified-bot-commit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fiarekylew00t%2Fverified-bot-commit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fiarekylew00t%2Fverified-bot-commit/lists"}