
Sign commits for verified programs #1104

Open

Woody4618 wants to merge 1 commit into solana-foundation:master from Woody4618:add-signed-commits

Sign commits for verified programs#1104
Woody4618 wants to merge 1 commit into
solana-foundation:masterfrom
Woody4618:add-signed-commits

Conversation

@Woody4618

Collaborator

Description

The update verified programs gh action did not have signed commits.

@vercel

vercel Bot commented Jun 22, 2026


@Woody4618 is attempting to deploy a commit to the Solana Foundation Team on Vercel.

A member of the Team first needs to authorize it.

@greptile-apps

greptile-apps Bot commented Jun 22, 2026

Contributor

Greptile Summary

This PR replaces the hand-rolled git/gh-CLI PR-creation block in the update-verified-programs workflow with the well-established peter-evans/create-pull-request@v7 action, primarily to gain sign-commits: true support for verified commits.

  • The manual "Check for changes" step is removed; the action handles change detection internally and skips the commit/PR when public/verified-programs.json is unmodified, preserving the original guarding behaviour.
  • Two new options are added: delete-branch: true (auto-deletes the branch after merge) and maintainer-can-modify: true (lets maintainers push fixups directly to the PR branch).

Confidence Score: 4/5

Safe to merge; the change is a straightforward action swap that preserves the existing workflow behaviour and adds the intended commit-signing.

The replacement action is widely used and well-maintained, sign-commits: true is a v7 feature that works as intended, and the removed explicit diff-check step is correctly handled internally by the action. The only open item is that the action is pinned to a floating semver tag rather than a commit SHA — low risk in practice but worth addressing given the step's write permissions.

.github/workflows/update-verified-programs.yaml — the action reference could be pinned to a commit SHA for supply-chain hardening.

Important Files Changed

Filename: .github/workflows/update-verified-programs.yaml
Overview: Replaces manual git/gh CLI PR-creation steps with peter-evans/create-pull-request@v7 to enable signed commits; adds delete-branch and maintainer-can-modify options; action pinned to a floating semver tag rather than a commit SHA.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant Cron as Cron / workflow_dispatch
    participant Runner as GH Actions Runner
    participant Script as update-verified-programs.ts
    participant Action as peter-evans/create-pull-request@v7
    participant GitHub as GitHub API

    Cron->>Runner: trigger (daily 08:00 UTC)
    Runner->>Script: pnpm exec tsx (fetch programs)
    Script-->>Runner: writes public/verified-programs.json
    Runner->>Action: "invoke with sign-commits=true"
    Action->>Action: detect changes in add-paths
    alt changes detected
        Action->>GitHub: create signed commit on branch chore/update-verified-programs
        Action->>GitHub: open / update PR → base: master
    else no changes
        Action-->>Runner: "no-op (skips commit & PR)"
    end

Reviews (1): Last reviewed commit: "Sign commits for verified programs"
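A check a reviewer can run locally on the workflow file, as an added example that is not part of the PR or of the repository: a POSIX shell audit that lists every `uses:` reference not pinned to a full commit SHA, run here against a constructed workflow modelled on the one described above (the SHA, action names and versions in the sample are placeholders).

```shell
# Constructed sample workflow (not the repository's file): one step pinned to a
# placeholder SHA, two on floating tags, one local action, one docker image.
sample_workflow() {
    cat <<'EOF'
name: update-verified-programs
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: "pnpm/action-setup@v4"
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - name: Create pull request
        uses: peter-evans/create-pull-request@v7
        with:
          sign-commits: true
EOF
}

# Read a workflow on stdin and print every `uses:` reference whose ref after
# the '@' is not a 40-hex commit SHA. Local (./) and docker:// references carry
# no git ref, so they are skipped. The trailing "# vN" comment is stripped
# before the check; keep it in real files, Dependabot and Renovate read it
# to bump SHA pins.
audit_action_pins() {
    grep -E '^[[:space:]]*-?[[:space:]]*uses:' \
      | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]+#.*$//' \
      | tr -d "\"'" \
      | while IFS= read -r ref; do
            case "$ref" in
                ./*|docker://*) continue ;;
            esac
            # A ref without '@' leaves the whole string, which also fails the SHA test.
            printf '%s\n' "${ref##*@}" | grep -Eq '^[0-9a-f]{40}$' \
                || printf '%s\n' "$ref"
        done
}

# Number of unpinned references in the workflow on stdin (0 when fully pinned).
count_unpinned() {
    audit_action_pins | wc -l | tr -d '[:space:]'
}
```

Running `sample_workflow | audit_action_pins` prints the two floating references (`pnpm/action-setup@v4` and `peter-evans/create-pull-request@v7`); pointing the audit at a real file is `audit_action_pins < .github/workflows/update-verified-programs.yaml`.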

--title "chore: update verified programs list" \
--body "Automated daily update of verified programs from OSecure." \
--base master 2>/dev/null || echo "PR already exists"
uses: peter-evans/create-pull-request@v7
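Review bot: the `2>/dev/null || echo "PR already exists"` fallback on the `--base master` line turned every failure of the CLI invocation (authentication, missing permissions, API errors) into a zero exit with a misleading message, so the job could go green without a PR ever being opened; with the action in its place a failed PR creation fails the step, which is the behaviour to keep. Worth a sentence in the PR description, since it is a behavioural change beyond commit signing.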

Contributor


P2 The action is referenced by a floating semver tag (@v7) rather than an immutable commit SHA. If the tag is ever re-pointed — whether by the maintainer or a supply-chain compromise — the workflow would silently execute different code. The rest of the actions in this file follow the same pattern, but since this step now has write access (contents: write, pull-requests: write) and produces signed commits, pinning it to the exact SHA is particularly worthwhile here.

Suggested change
uses: peter-evans/create-pull-request@v7
uses: peter-evans/create-pull-request@67df67e6d47fc5fe9c6b09c199bde2b88b3058ef # v7
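Review bot: before accepting the pinned reference on the second `uses:` line, confirm that the SHA actually resolves to the v7 release in the upstream repository rather than trusting the value as pasted; `git ls-remote --tags https://github.com/peter-evans/create-pull-request` lists the tag-to-commit mapping to compare against. Keep the trailing `# v7` comment: Dependabot and Renovate read it to bump SHA-pinned actions, which is what stops a SHA pin from becoming a stale pin.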

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

Collaborator


Makes sense

@vercel

vercel Bot commented Jun 22, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
explorer Ready Ready Preview, Comment Jun 22, 2026 11:26am
