feat: signed commit when renaming upstream module (#61)

ARR4N · web-flow · commit c6c85589afaa · 2024-10-17T12:47:06.000+11:00
## Why this should be merged Signs commits for auto-renaming the Go module, originally introduced in #51 with unsigned commits that can't be merged to `main`. ## How this works Changes the commit action to use [`ghcommit`](https://github.com/planetscale/ghcommit), which was made specifically to allow for keyless signing (GitHub signs the commit). The workflow no longer opens a PR to the `renamed-go-module` branch as it's redundant and the generated branch can be used directly. The commit message includes the `workflow_dispatch` trigger branch as well as a hash of the workflow file for a complete audit trail. I removed the commented-out PR trigger as it's unnecessary. In development we can now just trigger the workflow on the dev branch. ## How this was tested Inspecting [the commit](ava-labs@572b8ab) generated by a [workflow run](https://github.com/ava-labs/libevm/actions/runs/11357025696/job/31589219847). It is identical in modifications to the one reviewed in #59.
diff --git a/.github/workflows/rename-module.yml b/.github/workflows/rename-module.yml
@@ -1,13 +1,6 @@
 name: Rename Go module
 
 on:
-  # During development, the next two lines MAY be enabled to have the PR
-  # automatically run this workflow for inspection of the resulting branch.
-  # However, they MUST be disabled again before merging otherwise *all* PRs will
-  # run this.
-  #
-  # pull_request:
-  #   branches: [ main ]
   workflow_dispatch:
     inputs:
       source_commit:
@@ -19,18 +12,24 @@ on:
 jobs:
   rename-module:
     runs-on: ubuntu-latest
-    env:
-      source_commit: "${{ inputs.source_commit || '2bd6bd01d2e8561dd7fc21b631f4a34ac16627a1' }}"
-      # env variables cannot reference others so we have to duplicate the ||
-      output_branch: "${{ github.ref_name }}_auto-rename-module-${{ inputs.source_commit || '2bd6bd01d2e8561dd7fc21b631f4a34ac16627a1' }}"
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0 # everything
-          fetch-tags: true
+
+      - name: Set variables
+        id: vars
+        # Including hashes of both the source commit and the workflow file makes
+        # this idempotent.
+        env:
+          WORKFLOW_HASH: ${{ hashFiles('.github/workflows/rename-module.yml') }}
+        run: |
+          echo "WORKFLOW_HASH=${WORKFLOW_HASH}" >> "$GITHUB_OUTPUT";
+          echo "DEST_BRANCH=auto-rename-module_source-${{ inputs.source_commit }}_workflow-${WORKFLOW_HASH}-${{ github.ref_name }}" \
+            >> "$GITHUB_OUTPUT";
 
       - name: Check out source commit
-        run: git checkout ${{ env.source_commit }}
+        run: git checkout ${{ inputs.source_commit }}
 
       - name: Globally update module name
         run: |
@@ -60,22 +59,18 @@ jobs:
           go build ./...;
           go test ./accounts/abi/bind ./rlp/rlpgen
 
-      - name: Commit to new branch
-        uses: devops-infra/action-commit-push@8bc2ff9f9de7aa2a7581fc7e5b6401c04cab54c7
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          target_branch: ${{ env.output_branch }}
-          force: true
-          commit_prefix: "[AUTO] rename Go module + update internal import paths"
+      - name: Create new branch
+        env:
+          BRANCH: ${{ steps.vars.outputs.DEST_BRANCH }}
+        run: |
+          git checkout -b "${BRANCH}";
+          git push origin "${BRANCH}";
 
-      - name: Open PR to "renamed-go-module" iff workflow dispatched on "main"
-        # If we are changing the way in which we manage module renaming then it
-        # MUST go through PR review to main; only then can it open PRs.
-        if: github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main'
-        uses: devops-infra/action-pull-request@v0.5.5
+      - name: Commit to new branch
+        uses: planetscale/ghcommit-action@d4176bfacef926cc2db351eab20398dfc2f593b5 # v0.2.0
+        env:
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          source_branch: ${{ env.output_branch }}
-          target_branch: renamed-go-module
-          title: "[AUTO] Rename upstream Go module at `${{ env.source_commit }}`"
-          body: "_PR generated by GitHub Action_"
+          commit_message: "[AUTO] rename Go module + update internal import paths\n\nWorkflow: ${{ steps.vars.outputs.WORKFLOW_HASH }} on branch ${{ github.ref_name }}"
+          repo: ${{ github.repository }}
+          branch: ${{ steps.vars.outputs.DEST_BRANCH }}
