
Sign commits for verified programs #1104

Open

Woody4618 wants to merge 2 commits into solana-foundation:master from Woody4618:add-signed-commits

Conversation

@Woody4618 (Collaborator)

Description

The update-verified-programs GitHub Action did not have signed commits.

@vercel Bot commented Jun 22, 2026

@Woody4618 is attempting to deploy a commit to the Solana Foundation Team on Vercel.

A member of the Team first needs to authorize it.

@greptile-apps Bot (Contributor) commented Jun 22, 2026

Greptile Summary

This PR migrates the automated verified-programs update workflow from a hand-rolled shell script (manual git commit + gh pr create) to the peter-evans/create-pull-request action, enabling signed commits via sign-commits: true. The action is pinned to a full commit SHA (5f6978faf089d4d20b00c7766989d076bb2fc7f1) rather than a floating tag, which is a good supply-chain practice.

  • Signed commits: The new sign-commits: true option delegates signing to the GitHub App token, fulfilling the stated goal of the PR.
  • Simplified workflow: The separate "Check for changes" step is removed; create-pull-request natively skips creating a commit or PR when add-paths files are unchanged, preserving the same behaviour.
  • Extra improvements: delete-branch: true and maintainer-can-modify: true are added, which keep the repo tidy and enable maintainers to push fixes to the automated PR branch.

Confidence Score: 5/5

The change is safe to merge — it replaces fragile shell scripting with a well-maintained, SHA-pinned action and adds the commit-signing feature that was missing.

The diff is a straightforward swap of manual git/gh shell commands for a purpose-built action. The action is pinned to an exact commit SHA, sign-commits is correctly enabled, and the implicit change-detection behaviour of the action preserves the skip-if-nothing-changed logic that was previously done explicitly. No logic regressions or new risks are introduced.

No files require special attention.

Important Files Changed

.github/workflows/update-verified-programs.yaml: Replaces manual shell-based git commit and PR creation with the peter-evans/create-pull-request action (pinned to a commit SHA), adding sign-commits: true and tidying minor style inconsistencies.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant Scheduler as GitHub Scheduler (daily)
    participant Workflow as update-verified-programs
    participant Script as update-verified-programs.ts
    participant Action as peter-evans/create-pull-request
    participant Repo as solana-foundation/explorer

    Scheduler->>Workflow: "trigger (cron 0 8 * * *)"
    Workflow->>Script: pnpm exec tsx (fetches OSecure data)
    Script-->>Workflow: writes public/verified-programs.json
    Workflow->>Action: create-pull-request (sign-commits: true)
    Action->>Action: check diff on add-paths file
    alt File changed
        Action->>Repo: signed commit + push branch
        Action->>Repo: create / update PR
    else No changes
        Action-->>Workflow: pull-request-operation: none (skip)
    end

Reviews (2): Last reviewed commit: "Update hash to version 8.1.1"

--title "chore: update verified programs list" \
--body "Automated daily update of verified programs from OSecure." \
--base master 2>/dev/null || echo "PR already exists"
uses: peter-evans/create-pull-request@v7
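Review bot: The old `gh pr create` invocation in this hunk ends in `2>/dev/null || echo "PR already exists"`, which discards stderr and turns every non-zero exit of `gh pr create` (authentication failure, API error, wrong base branch) into a passing step that claims a duplicate PR, so the workflow could silently stop opening update PRs; the replacement `uses: peter-evans/create-pull-request@v7` drops that catch-all, which is an improvement, but the new step is still referenced by a floating tag and should be pinned to a full commit SHA given the write permissions it runs with.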

Contributor:

P2 The action is referenced by a floating semver tag (@v7) rather than an immutable commit SHA. If the tag is ever re-pointed — whether by the maintainer or a supply-chain compromise — the workflow would silently execute different code. The rest of the actions in this file follow the same pattern, but since this step now has write access (contents: write, pull-requests: write) and produces signed commits, pinning it to the exact SHA is particularly worthwhile here.

Suggested change
uses: peter-evans/create-pull-request@v7
uses: peter-evans/create-pull-request@67df67e6d47fc5fe9c6b09c199bde2b88b3058ef # v7

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

Collaborator:

Makes sense
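As an added example, not code from this PR or from the explorer repository, the following script implements the check the review comment above asks for: it scans a constructed workflow (a stand-in for update-verified-programs.yaml, not the real file) for `uses:` references that are not pinned to a full 40-hex commit SHA, the form the suggested change adopts, and skips local actions and docker images, which have no ref to pin.

```python
import re

# Constructed sample workflow (not the repository's real file). It mixes a
# floating tag, a branch ref, a local action, a docker image and a full-SHA pin
# carrying the usual "# v7" readability comment.
SAMPLE_WORKFLOW = """\
name: update-verified-programs
on:
  schedule:
    - cron: "0 8 * * *"
permissions:
  contents: write
  pull-requests: write
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@main
      - uses: ./.github/actions/local-helper
      - uses: docker://ghcr.io/example/image:1.2.3
      - uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
        with:
          sign-commits: true
"""

# Matches "uses: <ref>" with or without a leading list dash; stops at a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses):
    """Return 'pinned', 'floating' or 'n/a' for one uses: value."""
    uses = uses.strip("\"'")
    if uses.startswith("./") or uses.startswith("docker://"):
        return "n/a"  # local path or container image: nothing to pin to a SHA
    if "@" not in uses:
        return "floating"  # no ref at all resolves to the default branch
    ref = uses.rsplit("@", 1)[1]
    return "pinned" if SHA_RE.match(ref) else "floating"


def find_unpinned_uses(workflow_text):
    """Return (line_no, uses_value) for every action not pinned to a 40-hex SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) == "floating":
            findings.append((n, m.group(1)))
    return findings


if __name__ == "__main__":
    for n, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref} is not pinned to a commit SHA")
```

On the sample it flags the `@v4` tag and the `@main` branch ref and accepts the SHA-pinned create-pull-request step.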

@vercel Bot commented Jun 22, 2026

The latest updates on your projects.

Project: explorer; Deployment: Ready; Updated (UTC): Jun 22, 2026 11:26am

2 participants