├── .github ├── CODEOWNERS └── workflows │ ├── ci.yaml │ ├── licensing.yaml │ ├── release.yaml │ ├── validate-renovate.yml │ └── zizmor.yaml ├── .gitignore ├── .goreleaser.yml ├── Dockerfile ├── LICENSE ├── Makefile ├── README.md ├── doc └── dependency_decisions.yml ├── go.mod ├── go.sum ├── main.go ├── renovate.json └── zizmor.yml /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @planetscale/infra 2 | -------------------------------------------------------------------------------- /.github/workflows/ci.yaml: -------------------------------------------------------------------------------- 1 | name: ci 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | pull_request: 8 | types: 9 | - opened 10 | - reopened 11 | - synchronize 12 | 13 | jobs: 14 | test: 15 | runs-on: ubuntu-latest 16 | steps: 17 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 18 | with: 19 | persist-credentials: false 20 | 21 | - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 22 | with: 23 | go-version-file: go.mod 24 | 25 | - uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8 26 | 27 | # installed here to run lint on the .goreleaser.yml file: 28 | - name: Install GoReleaser 29 | uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6 30 | with: 31 | install-only: true 32 | 33 | - run: make lint 34 | - run: make test 35 | 36 | release-test: 37 | runs-on: ubuntu-latest 38 | steps: 39 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 40 | with: 41 | persist-credentials: false 42 | 43 | - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 44 | with: 45 | go-version-file: go.mod 46 | 47 | - uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8 48 | 49 | - name: Install GoReleaser 50 | uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6 51 | with: 52 | install-only: true 53 | 54 | - run: make snapshot -------------------------------------------------------------------------------- /.github/workflows/licensing.yaml: -------------------------------------------------------------------------------- 1 | name: Verify dependency licenses 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | pull_request: 8 | types: 9 | - opened 10 | - reopened 11 | - synchronize 12 | 13 | jobs: 14 | licensing: 15 | runs-on: ubuntu-latest 16 | steps: 17 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 18 | with: 19 | fetch-depth: 0 20 | persist-credentials: false 21 | 22 | - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 23 | with: 24 | go-version-file: go.mod 25 | 26 | - run: sudo gem install license_finder 27 | - run: license_finder 28 | -------------------------------------------------------------------------------- /.github/workflows/release.yaml: -------------------------------------------------------------------------------- 1 | name: release 2 | 3 | # release process: 4 | # 5 | # on main branch merge: 6 | # 1. Calculate next semantic version tag (autotag) 7 | # 2. invoke goreleaser to build binaries, docker images, and generate GH release with new version tag 8 | 9 | on: 10 | push: 11 | branches: 12 | - main 13 | paths: 14 | - go.mod 15 | - go.sum 16 | - '**.go' 17 | - .goreleaser.yml 18 | - Dockerfile 19 | workflow_dispatch: 20 | 21 | jobs: 22 | test: 23 | runs-on: ubuntu-latest 24 | steps: 25 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 26 | with: 27 | persist-credentials: false 28 | 29 | - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 30 | with: 31 | go-version-file: go.mod 32 | cache: false 33 | 34 | - uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8 35 | 36 | # installed here to run lint on the .goreleaser.yml file: 37 | - name: Install GoReleaser 38 | uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6 39 | with: 40 | install-only: true 41 | 42 | - run: make lint 43 | - run: make test 44 | 45 | release: 46 | runs-on: ubuntu-latest 47 | needs: [test] 48 | 49 | permissions: 50 | contents: write 51 | packages: write 52 | 53 | steps: 54 | - name: checkout code with full history (unshallow) 55 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 56 | with: 57 | fetch-depth: 0 58 | fetch-tags: true 59 | persist-credentials: false 60 | 61 | - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 62 | with: 63 | go-version-file: go.mod 64 | cache: false 65 | 66 | - name: install autotag binary 67 | run: | 68 | curl -sL https://git.io/autotag-install | sh -s -- -b "${RUNNER_TEMP}/bin" 69 | echo "${RUNNER_TEMP}/bin" >> $GITHUB_PATH 70 | 71 | - name: Install GoReleaser 72 | uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6 73 | with: 74 | install-only: true 75 | 76 | - name: login to ghcr.io 77 | uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3 78 | with: 79 | registry: ghcr.io 80 | username: ${{ github.actor }} 81 | password: ${{ secrets.GITHUB_TOKEN }} 82 | 83 | - name: do release 84 | run: make release 85 | env: 86 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -------------------------------------------------------------------------------- /.github/workflows/validate-renovate.yml: -------------------------------------------------------------------------------- 1 | name: validate renovate.json 2 | 3 | on: 4 | pull_request: 5 | 6 | env: 7 | LOG_LEVEL: debug 8 | 9 | jobs: 10 | renovate-config-validator: 11 | runs-on: ubuntu-latest 12 | timeout-minutes: 10 13 | 14 | steps: 15 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 16 | with: 17 | persist-credentials: false 18 | 19 | - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 20 | with: 21 | node-version: lts/* 22 | 23 | - run: npx -p renovate renovate-config-validator renovate.json 24 | -------------------------------------------------------------------------------- /.github/workflows/zizmor.yaml: -------------------------------------------------------------------------------- 1 | name: GitHub Actions Security Analysis with zizmor 2 | 3 | on: 4 | push: 5 | branches: ["main"] 6 | pull_request: 7 | branches: ["**"] 8 | 9 | jobs: 10 | zizmor: 11 | name: zizmor latest via PyPI 12 | runs-on: ubuntu-latest 13 | permissions: 14 | security-events: write 15 | # required for workflows in private repositories 16 | contents: read 17 | actions: read 18 | steps: 19 | - name: Checkout repository 20 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 21 | with: 22 | persist-credentials: false 23 | 24 | - name: Install the latest version of uv 25 | uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v6 26 | 27 | - name: Run zizmor 🌈 28 | run: uvx zizmor --format sarif . > results.sarif 29 | env: 30 | GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 31 | 32 | - name: Upload SARIF file 33 | uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3 34 | with: 35 | sarif_file: results.sarif 36 | category: zizmor -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | Attic/ 2 | .vscode/ 3 | ghcommit 4 | HACK.md 5 | dist/ 6 | cover.out 7 | -------------------------------------------------------------------------------- /.goreleaser.yml: -------------------------------------------------------------------------------- 1 | version: 2 # goreleaser config format 2 | 3 | project_name: ghcommit 4 | 5 | builds: 6 | - binary: ghcommit 7 | main: ./ 8 | env: 9 | - CGO_ENABLED=0 10 | flags: 11 | - -trimpath 12 | ldflags: 13 | # Default is `-s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}}`. 14 | -s -w -X main.version={{.Version}}+{{.ShortCommit}} 15 | goos: 16 | - linux 17 | - darwin 18 | - freebsd 19 | - openbsd 20 | goarch: 21 | - amd64 22 | - arm64 23 | goarm: 24 | - "" 25 | ignore: 26 | - goos: darwin 27 | goarch: 386 28 | - goos: windows 29 | goarch: 386 30 | 31 | archives: 32 | # binary-only releases - all platforms 33 | - id: binaries 34 | formats: 35 | - binary 36 | name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}" 37 | # archive releases containing: binary, readme, and license. tarballs (macos, linux), zip (windows) 38 | - id: archives 39 | name_template: >- 40 | {{ .ProjectName }}_ 41 | {{- .Os }}_ 42 | {{- if eq .Arch "amd64" }}amd64 43 | {{- else if eq .Arch "386" }}i386 44 | {{- else }}{{ .Arch }}{{ end }} 45 | format_overrides: 46 | - goos: windows 47 | formats: 48 | - zip 49 | 50 | checksum: 51 | name_template: "checksums.txt" 52 | 53 | snapshot: 54 | version_template: "{{ .Tag }}-next" 55 | 56 | changelog: 57 | sort: asc 58 | filters: 59 | exclude: 60 | - "^docs:" 61 | - "^ci:" 62 | - "^test:" 63 | - "skip ci" 64 | - "ci skip" 65 | - Merge pull request 66 | - Merge branch 67 | 68 | release: 69 | github: 70 | owner: planetscale 71 | name: ghcommit 72 | footer: | 73 | ## Docker Images 74 | amd64: 75 | - `ghcr.io/planetscale/ghcommit:{{ .Tag }}` 76 | - `ghcr.io/planetscale/ghcommit:v{{ .Major }}` 77 | - `ghcr.io/planetscale/ghcommit:v{{ .Major }}.{{ .Minor }}` 78 | - `ghcr.io/planetscale/ghcommit:v{{ .Major }}.{{ .Minor }}.{{ .Patch }}` 79 | - `ghcr.io/planetscale/ghcommit:latest` 80 | 81 | arm64: 82 | - `ghcr.io/planetscale/ghcommit:{{ .Tag }}-arm64` 83 | - `ghcr.io/planetscale/ghcommit:v{{ .Major }}-arm64` 84 | - `ghcr.io/planetscale/ghcommit:v{{ .Major }}.{{ .Minor }}-arm64` 85 | - `ghcr.io/planetscale/ghcommit:v{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64` 86 | - `ghcr.io/planetscale/ghcommit:latest-arm64` 87 | 88 | dockers: 89 | # primary docker image for amd64 arch 90 | - dockerfile: Dockerfile 91 | use: buildx 92 | build_flag_templates: 93 | - "--pull" 94 | - "--platform=linux/amd64" 95 | ids: 96 | - ghcommit 97 | goos: linux 98 | goarch: amd64 99 | image_templates: 100 | - "ghcr.io/planetscale/ghcommit:{{ .Tag }}-amd64" 101 | - "ghcr.io/planetscale/ghcommit:v{{ .Major }}-amd64" 102 | - "ghcr.io/planetscale/ghcommit:v{{ .Major }}.{{ .Minor }}-amd64" 103 | - "ghcr.io/planetscale/ghcommit:v{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64" 104 | - "ghcr.io/planetscale/ghcommit:latest-amd64" 105 | # build a docker image for arm64 arch 106 | - dockerfile: Dockerfile 107 | use: buildx 108 | build_flag_templates: 109 | - "--pull" 110 | - "--platform=linux/arm64" 111 | ids: 112 | - ghcommit 113 | goos: linux 114 | goarch: arm64 115 | goarm: "" 116 | image_templates: 117 | - "ghcr.io/planetscale/ghcommit:{{ .Tag }}-arm64" 118 | - "ghcr.io/planetscale/ghcommit:v{{ .Major }}-arm64" 119 | - "ghcr.io/planetscale/ghcommit:v{{ .Major }}.{{ .Minor }}-arm64" 120 | - "ghcr.io/planetscale/ghcommit:v{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64" 121 | - "ghcr.io/planetscale/ghcommit:latest-arm64" 122 | 123 | # use `docker_manifests` section to create combined multi-arch image manifests: 124 | docker_manifests: 125 | - name_template: "ghcr.io/planetscale/ghcommit:{{ .Tag }}" 126 | image_templates: 127 | - "ghcr.io/planetscale/ghcommit:{{ .Tag }}-amd64" 128 | - "ghcr.io/planetscale/ghcommit:{{ .Tag }}-arm64" 129 | 130 | - name_template: "ghcr.io/planetscale/ghcommit:v{{ .Major }}" 131 | image_templates: 132 | - "ghcr.io/planetscale/ghcommit:v{{ .Major }}-amd64" 133 | - "ghcr.io/planetscale/ghcommit:v{{ .Major }}-arm64" 134 | 135 | - name_template: "ghcr.io/planetscale/ghcommit:v{{ .Major }}.{{ .Minor }}" 136 | image_templates: 137 | - "ghcr.io/planetscale/ghcommit:v{{ .Major }}.{{ .Minor }}-amd64" 138 | - "ghcr.io/planetscale/ghcommit:v{{ .Major }}.{{ .Minor }}-arm64" 139 | 140 | - name_template: "ghcr.io/planetscale/ghcommit:latest" 141 | image_templates: 142 | - "ghcr.io/planetscale/ghcommit:latest-amd64" 143 | - "ghcr.io/planetscale/ghcommit:latest-arm64" 144 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | # syntax=docker/dockerfile:1.16@sha256:e2dd261f92e4b763d789984f6eab84be66ab4f5f08052316d8eb8f173593acf7 2 | FROM pscale.dev/wolfi-prod/git:2.49.0 3 | 4 | COPY ghcommit /ghcommit 5 | 6 | ENTRYPOINT ["/ghcommit"] 7 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright 2023 PlanetScale, Inc. 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | deps: 2 | @go get 3 | 4 | lint: 5 | @golangci-lint run -v --timeout=3m 6 | @if command -v goreleaser >/dev/null; then \ 7 | goreleaser check; \ 8 | else \ 9 | echo "goreleaser not installed, skipping goreleaser linting"; \ 10 | fi 11 | 12 | test: 13 | @go test -coverprofile=cover.out -v ./... 14 | 15 | cov: 16 | @go tool cover -html=cover.out 17 | 18 | build-linux: 19 | @GOOS=linux GOOARCH=amd64 go build -trimpath -v ./ 20 | 21 | build: 22 | @go build -trimpath -v ./ 23 | 24 | goreleaser: 25 | @goreleaser $(GORELEASER_ARGS) 26 | 27 | snapshot: GORELEASER_ARGS= --clean --snapshot 28 | snapshot: goreleaser 29 | 30 | autotag: 31 | @autotag -v 32 | 33 | release: autotag 34 | @goreleaser $(GORELEASER_ARGS) 35 | 36 | .PHONY: build build-linux cov test snapshot autotag release goreleaser -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ghcommit 2 | 3 | Use GitHub's GraphQL API `createCommitOnBranch` mutation to commit files to a GitHub repository. 4 | 5 | There is a companion GitHub Action in the the [ghcommit-action](https://github.com/planetscale/ghcommit-action) repo. 6 | 7 | ## Why? 8 | 9 | Enable keyless signing in CI environments. Especially useful for repos which require signed commits and have 10 | CI worklows that commit back to the repo (eg: code formatters, generators, etc). 11 | 12 | Normally in order to sign commits from within a CI pipeline you would need to setup and manage GPG or SSH keys 13 | in the CI pipeline. And you take on the risk of those keys be copied by developers with access to the CI environment. 14 | The keys will need to be rotated as people leave the team or keys expire. Using `ghcommit` instead uses the GitHub 15 | GraphQL API to make git commits which are signed by GitHub's web flow GPG key. 16 | 17 | > :warning: This is meant for use in CI environments and with small commits. For example, a CI workflow 18 | that formats code and commits the changes. This is not meant to be used for large commits 19 | and should not be used in place of `git` for day-to-day development. 20 | 21 | ## Install 22 | 23 | 1. go install: `go install github.com/planetscale/ghcommit@latest` 24 | 2. Binaries, tarballs, and docker images are available on the [github releases](https://github.com/planetscale/ghcommit/releases) page. 25 | 26 | ## Usage 27 | 28 | A `GITHUB_TOKEN` environment variable must be set. 29 | 30 | The `-r/--repository`, `-b/--branch`, and `-m/--message` flags are required. 31 | 32 | At least one added/changed or deleted file must be specified. 33 | 34 | Provide a list of changed/added (`-a/--add`) or deleted (`-d/--delete`) files. The `-a` and `-d` flags may be used multiple times. 35 | 36 | ```console 37 | ghcommit -r owner/repo -b branch --add newfile.txt --add changedfile.txt --delete deletedfile.txt 38 | ``` 39 | 40 | All flags may be provided via environment variables. Run `ghcommit -h` to see the full list of flags and env vars. 41 | 42 | > NOTE: Changes are not reflected on the local clone of the repository. The commit is made directly to the GitHub repository. 43 | > This utility is meant to be run from CI pipelines where the local clone is ephemeral. 44 | 45 | ## Alternatives 46 | 47 | As mentioned above, it is possible to sign commits with GPG. 48 | 49 | Another option which uses a form of keyless signing is the [sigstore/gitsign](https://github.com/sigstore/gitsign) 50 | project. However, as of April 2023, GitHub does not recognize signatures created by `gitsign` so 51 | these commits will not be identified as "verified" by GitHub. 52 | 53 | ## Releasing 54 | 55 | Releases are generated automatically on all successful `main` branch builds. This project uses 56 | [autotag](https://github.com/pantheon-systems/autotag) and [goreleaser](https://goreleaser.com/) to 57 | automate this process. 58 | 59 | Semver (`vMajor.Minor.Patch`) is used for versioning and releases. By default, `autotag` will bump the 60 | patch version on a successful main build, eg: `v1.0.0` -> `v1.0.1`. 61 | 62 | To bump the major or minor release instead, include `[major]` or `[minor]` in the commit message. 63 | Refer to the autotag [docs](https://github.com/pantheon-systems/autotag#incrementing-major-and-minor-versions) 64 | for more details. 65 | 66 | Include `[skip ci]` in the commit message to prevent a new version from being released. Only use this 67 | for things like documentation updates. 68 | -------------------------------------------------------------------------------- /doc/dependency_decisions.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - - :permit 3 | - bsd-2-clause 4 | - :who: 5 | :why: 6 | :versions: [] 7 | :when: "2022-01-28 22:57:44.699976000 Z" 8 | - - :permit 9 | - bsd-3-clause 10 | - :who: 11 | :why: 12 | :versions: [] 13 | :when: "2022-01-28 22:57:47.442554000 Z" 14 | - - :permit 15 | - apache-2.0 16 | - :who: 17 | :why: 18 | :versions: [] 19 | :when: "2022-01-28 22:58:10.290944000 Z" 20 | - - :permit 21 | - MIT 22 | - :who: 23 | :why: 24 | :versions: [] 25 | :when: "2022-01-28 23:02:00.154973000 Z" 26 | - - :permit 27 | - ISC 28 | - :who: 29 | :why: 30 | :versions: [] 31 | :when: "2022-01-28 23:02:02.680050000 Z" 32 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/planetscale/ghcommit 2 | 3 | go 1.23.0 4 | 5 | toolchain go1.24.3 6 | 7 | require ( 8 | github.com/jessevdk/go-flags v1.6.1 9 | github.com/shurcooL/githubv4 v0.0.0-20240727222349-48295856cce7 10 | golang.org/x/oauth2 v0.30.0 11 | ) 12 | 13 | require ( 14 | github.com/shurcooL/graphql v0.0.0-20220606043923-3cf50f8a0a29 // indirect 15 | golang.org/x/net v0.38.0 // indirect 16 | golang.org/x/sys v0.31.0 // indirect 17 | ) 18 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= 2 | github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 3 | github.com/jessevdk/go-flags v1.6.1 h1:Cvu5U8UGrLay1rZfv/zP7iLpSHGUZ/Ou68T0iX1bBK4= 4 | github.com/jessevdk/go-flags v1.6.1/go.mod h1:Mk8T1hIAWpOiJiHa9rJASDK2UGWji0EuPGBnNLMooyc= 5 | github.com/shurcooL/githubv4 v0.0.0-20240727222349-48295856cce7 h1:cYCy18SHPKRkvclm+pWm1Lk4YrREb4IOIb/YdFO0p2M= 6 | github.com/shurcooL/githubv4 v0.0.0-20240727222349-48295856cce7/go.mod h1:zqMwyHmnN/eDOZOdiTohqIUKUrTFX62PNlu7IJdu0q8= 7 | github.com/shurcooL/graphql v0.0.0-20220606043923-3cf50f8a0a29 h1:B1PEwpArrNp4dkQrfxh/abbBAOZBVp0ds+fBEOUOqOc= 8 | github.com/shurcooL/graphql v0.0.0-20220606043923-3cf50f8a0a29/go.mod h1:AuYgA5Kyo4c7HfUmvRGs/6rGlMMV/6B1bVnB9JxJEEg= 9 | golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8= 10 | golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= 11 | golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98= 12 | golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8= 13 | golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= 14 | golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU= 15 | golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik= 16 | golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= 17 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | "context" 6 | "encoding/base64" 7 | "fmt" 8 | "io" 9 | "log" 10 | "os" 11 | "os/exec" 12 | "strings" 13 | 14 | "github.com/jessevdk/go-flags" 15 | "github.com/shurcooL/githubv4" 16 | "golang.org/x/oauth2" 17 | ) 18 | 19 | const githubGraphQLURL = "https://api.github.com/graphql" 20 | 21 | var version = "development" 22 | 23 | var opts struct { 24 | Adds []string `short:"a" long:"add" description:"Added or modified file to commit. Use multiple times for multiple files." env:"GHCOMMIT_ADD"` 25 | Deletes []string `short:"d" long:"delete" description:"Deleted file to commit. Use multiple times for multiple files." env:"GHCOMMIT_DELETE"` 26 | Empty bool `short:"e" long:"empty" description:"Allow empty commit." env:"GHCOMMIT_EMPTY"` 27 | Message string `short:"m" long:"message" description:"Commit message" env:"GHCOMMIT_MESSAGE" required:"true"` 28 | Repository string `short:"r" long:"repository" description:"Owner/Repository to commit to." env:"GHCOMMIT_REPOSITORY" required:"true"` 29 | Branch string `short:"b" long:"branch" description:"Branch to commit to." env:"GHCOMMIT_BRANCH" required:"true"` 30 | HeadSHA string `short:"s" long:"sha" description:"Commit SHA of the HEAD branch to apply to. Acts as a safety check to ensure the right branch is modified. The output of 'git rev-parse HEAD' is used if not set" env:"GHCOMMIT_SHA"` 31 | Version bool `short:"v" long:"version" description:"Print version and exit"` 32 | } 33 | 34 | func main() { 35 | ctx := context.Background() 36 | 37 | _, err := flags.Parse(&opts) 38 | if err != nil { 39 | // no need to print error, flags.Parse() already does this 40 | os.Exit(1) 41 | } 42 | 43 | if opts.Version { 44 | log.Println(version) 45 | os.Exit(0) 46 | } 47 | 48 | if len(opts.Adds) == 0 && len(opts.Deletes) == 0 && !opts.Empty { 49 | log.Fatal("No files to commit. Use --empty flag to allow empty commits.") 50 | } 51 | 52 | ght := os.Getenv("GITHUB_TOKEN") 53 | if ght == "" { 54 | log.Fatal("GITHUB_TOKEN env var must be set") 55 | } 56 | 57 | ghes := os.Getenv("GITHUB_GRAPHQL_URL") 58 | 59 | tok := oauth2.StaticTokenSource(&oauth2.Token{AccessToken: ght}) 60 | httpClient := oauth2.NewClient(ctx, tok) 61 | 62 | var client *githubv4.Client 63 | if ghes == githubGraphQLURL { 64 | client = githubv4.NewClient(httpClient) 65 | } else { 66 | client = githubv4.NewEnterpriseClient(ghes, httpClient) 67 | } 68 | 69 | // parse the commit message into headline and body 70 | headline, body := parseMessage(opts.Message) 71 | 72 | // if no head SHA is provided, try to get it by running git in the current directory 73 | expectedHeadOid := opts.HeadSHA 74 | if expectedHeadOid == "" { 75 | headSHA, err := getHeadSHA(ctx) 76 | if err != nil { 77 | log.Fatal(err) 78 | } 79 | expectedHeadOid = headSHA 80 | } 81 | 82 | // process added / modified files: 83 | additions := make([]githubv4.FileAddition, 0, len(opts.Adds)) 84 | for _, f := range opts.Adds { 85 | enc, err := base64EncodeFile(f) 86 | if err != nil { 87 | log.Fatal(err) 88 | } 89 | additions = append(additions, githubv4.FileAddition{ 90 | Path: githubv4.String(f), 91 | Contents: githubv4.Base64String(enc), 92 | }) 93 | } 94 | 95 | // process deleted files: 96 | deletions := make([]githubv4.FileDeletion, 0, len(opts.Deletes)) 97 | for _, f := range opts.Deletes { 98 | deletions = append(deletions, githubv4.FileDeletion{ 99 | Path: githubv4.String(f), 100 | }) 101 | } 102 | 103 | // the actual mutation request 104 | var m struct { 105 | CreateCommitOnBranch struct { 106 | Commit struct { 107 | URL string 108 | } 109 | } `graphql:"createCommitOnBranch(input:$input)"` 110 | } 111 | 112 | // create the $input struct for the graphQL createCommitOnBranch mutation request: 113 | input := githubv4.CreateCommitOnBranchInput{ 114 | Branch: githubv4.CommittableBranch{ 115 | RepositoryNameWithOwner: githubv4.NewString(githubv4.String(opts.Repository)), 116 | BranchName: githubv4.NewString(githubv4.String(opts.Branch)), 117 | }, 118 | Message: githubv4.CommitMessage{ 119 | Headline: githubv4.String(headline), 120 | Body: githubv4.NewString(githubv4.String(body)), 121 | }, 122 | FileChanges: &githubv4.FileChanges{ 123 | Additions: &additions, 124 | Deletions: &deletions, 125 | }, 126 | ExpectedHeadOid: githubv4.GitObjectID(expectedHeadOid), 127 | } 128 | 129 | if err := client.Mutate(ctx, &m, input, nil); err != nil { 130 | log.Fatal(err) 131 | } 132 | log.Printf("Success. New commit: %s", m.CreateCommitOnBranch.Commit.URL) 133 | } 134 | 135 | func base64EncodeFile(path string) (string, error) { 136 | in, err := os.Open(path) 137 | if err != nil { 138 | return "", err 139 | } 140 | defer in.Close() // nolint: errcheck 141 | 142 | buf := bytes.Buffer{} 143 | encoder := base64.NewEncoder(base64.StdEncoding, &buf) 144 | 145 | if _, err := io.Copy(encoder, in); err != nil { 146 | return "", err 147 | } 148 | if err := encoder.Close(); err != nil { 149 | return "", err 150 | } 151 | return buf.String(), nil 152 | } 153 | 154 | func parseMessage(msg string) (string, string) { 155 | parts := strings.SplitN(msg, "\n", 2) 156 | if len(parts) == 1 { 157 | return parts[0], "" 158 | } 159 | return parts[0], parts[1] 160 | } 161 | 162 | func getHeadSHA(ctx context.Context) (string, error) { 163 | out, err := exec.CommandContext(ctx, "git", "rev-parse", "HEAD").Output() 164 | if err != nil { 165 | return "", fmt.Errorf("error running 'git rev-parse HEAD': %s", err) 166 | } 167 | s := string(out) 168 | s = strings.TrimSuffix(s, "\n") 169 | return s, nil 170 | } 171 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": [ 4 | "github>planetscale/renovate-config", 5 | "github>planetscale/renovate-config:weeklyBatchMinorPatchDigest" 6 | ], 7 | "packageRules": [ 8 | { 9 | "description": "Don't pin static image, we do not want its weekly updates.", 10 | "matchPackageNames": [ 11 | "pscale.dev/wolfi-prod/git" 12 | ], 13 | "pinDigests": false 14 | } 15 | ] 16 | } 17 | -------------------------------------------------------------------------------- /zizmor.yml: -------------------------------------------------------------------------------- 1 | rules: 2 | cache-poisoning: 3 | ignore: 4 | # ci.yaml runs goreleaser in snapshot mode to test the build process but does not 5 | # push a new release. However, zizmor uses the presence of goreleaser to assume 6 | # a workflow publishes releases and then enables its cache-poisoning rule. 7 | - ci.yaml 8 | --------------------------------------------------------------------------------