Support commit signing for homebrew taps (and maybe other platforms too)

[vedantmgoyal9]

Is your feature request related to a problem? Please describe.

Support GPG and SSH commit signing where we push to Git repos, like homebrew taps/winget-pkgs.

Pushing commit fails, or PR is not able to merge, where "Require signed commits" is enabled in branch protection rules (see option 9 - https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule#creating-a-branch-protection-rule)

Describe the solution you'd like

GitHub (google/go-github) SDK provides a way to sign commits.

https://github.com/google/go-github/blob/master/github/git_commits.go

Previous issue:

• Using brew option to publish homebrew formula does not support signed commits. #1774

That's a fair assessment. I assume the best way forward would be for GitHub to bring that functionality (signing and deployment keys) into the API/SDK.

Originally posted by @radeksimko in #1774 (comment)

Describe alternatives you've considered

N/A

Search

• I did search for other open and closed issues before opening this

Supporter

• I am a sponsor or a Pro customer

Code of Conduct

• I agree to follow this project's Code of Conduct

Additional context

No response

[caarlos0]

still don't know if I want to do this, for the same reasons laid of in the original issue.

that said, if you use the git option and appropriately setup git to sign (with git config) it might work already...

[caarlos0]

closing as not possible with github api.

[vedantmgoyal9]

Commits made by GitHub GraphQL API are automatically signed.

[caarlos0]

thats a very big change, not sure if its worth the risk

[vedantmgoyal9]

Maybe you can re-open and add a label for community vote? If it gets enough +1s, then it can be implemented if it gets high demand.

[caarlos0]

if someone PRs it, I'm willing to accept.

Probably would have to be opt-in for now at least, as there's a too many details already taken care of in the current implementation... I wouldn't feel confident to just switch it, I think.

[vedantmgoyal9]

I think we don't have change the whole implementation. We can just update the following part to use GraphQL API. Rest other things will remain same as they are now - use REST API.

goreleaser/internal/client/github.go

Lines 288 to 337 in 554ca5f

	if defBranch != branch && branch != "" {
	_, res, err := c.client.Repositories.GetBranch(ctx, repo.Owner, repo.Name, branch, 100)
	if err != nil && (res == nil || res.StatusCode != http.StatusNotFound) {
	return fmt.Errorf("could not get branch %q: %w", branch, err)
	}
	if res.StatusCode == http.StatusNotFound {
	defRef, _, err := c.client.Git.GetRef(ctx, repo.Owner, repo.Name, "refs/heads/"+defBranch)
	if err != nil {
	return fmt.Errorf("could not get ref %q: %w", "refs/heads/"+defBranch, err)
	}
	if _, _, err := c.client.Git.CreateRef(ctx, repo.Owner, repo.Name, &github.Reference{
	Ref: github.String("refs/heads/" + branch),
	Object: &github.GitObject{
	SHA: defRef.Object.SHA,
	},
	}); err != nil {
	rerr := new(github.ErrorResponse)
	if !errors.As(err, &rerr) || rerr.Message != "Reference already exists" {
	return fmt.Errorf("could not create ref %q from %q: %w", "refs/heads/"+branch, defRef.Object.GetSHA(), err)
	}
	}
	}
	}
	file, _, res, err := c.client.Repositories.GetContents(
	ctx,
	repo.Owner,
	repo.Name,
	path,
	&github.RepositoryContentGetOptions{
	Ref: branch,
	},
	)
	if err != nil && (res == nil || res.StatusCode != http.StatusNotFound) {
	return fmt.Errorf("could not get %q: %w", path, err)
	}
	options.SHA = github.String(file.GetSHA())
	if _, _, err := c.client.Repositories.UpdateFile(
	ctx,
	repo.Owner,
	repo.Name,
	path,
	options,
	); err != nil {
	return fmt.Errorf("could not update %q: %w", path, err)
	}
	return nil

Edit: GraphQL API doesn't support custom commit author name and email, so we can make it optional with a config parameter like:

# .goreleaser.yaml
github:
  sign_commits: true # boolean

and based on that use GraphQL API. If custom commit author and email is set along with sign_commits parameter, just give a warning that they will be ignored.

[caarlos0]

I would rather make it more explicit, something like:

github:
  use_graphql_api: true

and we can start with the commit only, but eventually I'd say to reimplement the whole client

[vedantmgoyal9]

That can also be done. We can implement things one-by-one and switch to GraphQL API.