From 605c1cfa3495c421319badb836748479d409e2a8 Mon Sep 17 00:00:00 2001
From: Jim Myhrberg
Date: Tue, 11 Nov 2025 18:05:07 +0000
Subject: [PATCH] ci(dependabot-rebuild): third attempt at signing commit with GitHub App (#44)
---
 .github/workflows/dependabot-rebuild.yml | 60 +++---------------------
 1 file changed, 6 insertions(+), 54 deletions(-)
diff --git a/.github/workflows/dependabot-rebuild.yml b/.github/workflows/dependabot-rebuild.yml
index 149ba1b..5d0e258 100644
--- a/.github/workflows/dependabot-rebuild.yml
+++ b/.github/workflows/dependabot-rebuild.yml
@@ -20,11 +20,6 @@ jobs:
 with:
 app-id: ${{ secrets.BOT_APP_ID }}
 private-key: ${{ secrets.BOT_PRIVATE_KEY }}
- - name: Get GitHub App User ID
- id: get-user-id
- run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
- env:
- GH_TOKEN: ${{ steps.app-token.outputs.token }}
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 token: ${{ steps.app-token.outputs.token }}
@@ -37,54 +32,11 @@ jobs:
 - name: Rebuild dist
 run: npm run bundle
 - name: Commit and push if changed
+ uses: ryancyq/github-signed-commit@e9f3b28c80da7be66d24b8f501a5abe82a6b855f # v1.2.0
 env:
 GH_TOKEN: ${{ steps.app-token.outputs.token }}
- APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
- APP_USER_ID: ${{ steps.get-user-id.outputs.user-id }}
- APP_NAME: ${{ steps.app-token.outputs.app-slug }}[bot]
- APP_EMAIL: ${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com
- run: |
- if [ "$(git diff --ignore-space-at-eol --text dist/ | wc -l)" -gt "0" ]; then
- # Stage changes
- git add dist/
-
- # Parent commit SHA (current HEAD of PR branch)
- PARENT_SHA="$GITHUB_SHA"
-
- # Create temporary commit on temp branch to generate tree object
- TEMP_BRANCH="temp-rebuild-${GITHUB_SHA}"
- git checkout -b "$TEMP_BRANCH"
- git config user.name "$APP_NAME"
- git config user.email "$APP_EMAIL"
- git commit -m "temp"
-
- # Extract tree SHA from the commit
- TREE_SHA=$(git rev-parse HEAD^{tree})
-
- # Push temp branch (uploads objects to GitHub) then delete it
- git push origin "$TEMP_BRANCH"
- git push origin --delete "$TEMP_BRANCH"
-
- # Create signed commit via GitHub API using the tree
- NEW_COMMIT_SHA=$(gh api \
- --method POST \
- "/repos/${GITHUB_REPOSITORY}/git/commits" \
- -f message='chore: rebuild dist' \
- -f tree="$TREE_SHA" \
- -f parent="$PARENT_SHA" \
- -f author[name]="$APP_NAME" \
- -f author[email]="$APP_EMAIL" \
- -f committer[name]="$APP_NAME" \
- -f committer[email]="$APP_EMAIL" \
- --jq '.sha')
-
- # Update branch reference to point to new commit
- gh api \
- --method PATCH \
- "/repos/${GITHUB_REPOSITORY}/git/refs/heads/${GITHUB_HEAD_REF}" \
- -f sha="$NEW_COMMIT_SHA"
-
- echo "Created verified commit: $NEW_COMMIT_SHA"
- else
- echo "No changes to dist/"
- fi
+ with:
+ files: |
+ dist/**/*
+ commit-message: |-
+ chore: rebuild dist
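Review bot: The added `uses: ryancyq/github-signed-commit` step receives the GitHub App installation token through `GH_TOKEN`, so third-party action code now runs with every permission that token carries. The full-SHA pin is the right control on the action side, but the token should also be narrowed where it is minted. The `app-token` step lies outside this hunk, so this is inferred: if it is `actions/create-github-app-token` at a version that supports permission inputs, it could request only what the push needs, e.g. `permission-contents: write`. Separately, the removed script guarded the push with `git diff --ignore-space-at-eol` and staged with `git add dist/`, which also picks up deletions. The step is still named "Commit and push if changed", so a comment such as `# no-op and deletion handling now depend on the action; confirm against its docs` above `files:` would record that both behaviours need confirming for the `dist/**/*` glob.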