chore(ci): add GPG commit signing to weekly-update workflow#1155
Closed
Aligns with socket-btm and ultrathink convention:
- format: oxfmt --write . (auto-fix formatting)
- format:check: oxfmt . (check-only, CI)
| "lint": "node scripts/lint.mjs", | ||
| "lint:all": "node scripts/lint.mjs --all", | ||
| "format": "oxfmt --write .", | ||
| "format:check": "oxfmt .", |
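Review bot: the format:check script on the last line of the hunk runs `oxfmt .` with no check flag, so it differs from the format script only by dropping `--write`; if that is write mode by default, a CI run of this script would rewrite files and exit 0 instead of failing on unformatted code, which defeats the "check-only, CI" intent stated in the commit description. Suggest `"format:check": "oxfmt --check ."` so the script stays read-only and returns non-zero on violations.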
Format check script writes files instead of checking
Medium Severity
The format:check script runs oxfmt . without the --check flag. Since --write is oxfmt's default behavior, this command will silently modify files in place rather than performing a non-destructive formatting check. The --check flag is needed to only verify formatting and return a non-zero exit code on violations.
- Replace dangerously-skip-permissions with explicit allowedTools
- Switch model from sonnet to haiku with max-turns 25
- Reduce timeout from 30 to 15 minutes
- Add SFW_BIN wrapper for pnpm in subprocesses
- Add diff validation step to reject unexpected file changes
- Gate push/PR/summary steps on validation passing
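As an added example (not code from this PR or from the socket project), here is a shell guard in the spirit of the diff validation step above and of the format:check finding: it runs a supposed check-only command and fails if that command rewrote any file, which is what a formatter in write mode does where `--check` was intended. The snapshot_tree and assert_read_only names are hypothetical, and fake_write_fmt / fake_check_fmt are constructed stand-ins for a formatter, not oxfmt.

```shell
# Added example (not from this PR or the socket project): a guard that proves a
# "check-only" command did not rewrite anything in the tree it ran against.
# It checksums every file before and after the command; a changed checksum
# means the command wrote files, which is the failure mode of running a
# formatter in write mode where a check was intended.
# Assumes POSIX sh with find, cksum, sort, mktemp, cmp and diff.

snapshot_tree() {
  # $1 = directory; prints "crc size path" lines in a stable order
  find "$1" -type f -print | sort | while IFS= read -r f; do
    cksum "$f"
  done
}

# Usage: assert_read_only DIR COMMAND [ARGS...]
# Returns 2 if COMMAND modified any file under DIR, otherwise COMMAND's own
# exit status (so a genuine check still fails CI on violations).
assert_read_only() {
  dir=$1; shift
  before=$(mktemp); after=$(mktemp)
  snapshot_tree "$dir" > "$before"
  if ( cd "$dir" && "$@" ) >/dev/null 2>&1; then cmd_status=0; else cmd_status=$?; fi
  snapshot_tree "$dir" > "$after"
  if ! cmp -s "$before" "$after"; then
    echo "ERROR: '$*' modified files; a check script must be read-only" >&2
    diff "$before" "$after" >&2 || true
    rm -f "$before" "$after"
    return 2
  fi
  rm -f "$before" "$after"
  return "$cmd_status"
}

# Constructed stand-ins for a formatter (hypothetical, not oxfmt):
# fake_write_fmt rewrites the file like a write-mode run; fake_check_fmt only
# reports whether a.js is already formatted and touches nothing.
fake_write_fmt() { printf 'formatted\n' > a.js; }
fake_check_fmt() { grep -q '^formatted$' a.js; }

# Demo on a throwaway tree: the "check" that actually writes is caught (status 2).
demo_dir=$(mktemp -d)
printf 'unformatted\n' > "$demo_dir/a.js"
assert_read_only "$demo_dir" fake_check_fmt || echo "check-only run exited $? (violations found, tree untouched)"
assert_read_only "$demo_dir" fake_write_fmt || echo "write-mode run exited $? (tree modified: not a check)"
rm -rf "$demo_dir"
```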
Summary
- Replaces the github-actions[bot] git config with the setup-git-signing / cleanup-git-signing composite actions from socket-registry
- Uses the BOT_GPG_PRIVATE_KEY secret for signed commits
Test plan
Note
Medium Risk
Medium risk because it changes GitHub Actions behavior around git/GPG signing and introduces reliance on a new secret, which could break automated dependency PR creation if misconfigured.
Overview
The weekly dependency update workflow now signs its automated commits by invoking setup-git-signing (fed by secrets.BOT_GPG_PRIVATE_KEY) instead of setting the github-actions[bot] git identity, and ensures signing state is torn down via an always() cleanup-git-signing step. Separately, package.json adds format and format:check scripts that run oxfmt across the repo.
Written by Cursor Bugbot for commit 477e5ac.