ci: sign weekly lockfile commits as github-actions[bot] #2148
Merged
Conversation
The peter-evans/create-pull-request action defaults author to
${{ github.actor }}. For scheduled workflows, GitHub assigns this to
a human user (the schedule owner), causing weekly dependency update
commits to be incorrectly attributed to a maintainer rather than the
bot.
Github-Issue: #2043
felixweinberger
previously approved these changes
Feb 26, 2026
Kludex
previously approved these changes
Feb 26, 2026
sign-commits: true causes the action to create commits via the GitHub REST API, automatically using the token identity (github-actions[bot]) for both author and committer. This avoids hardcoding the bot email and gives commits a Verified badge as a bonus. The author/committer inputs are ignored when sign-commits is enabled.
0a11666
felixweinberger
approved these changes
Feb 26, 2026
Contributor
felixweinberger
left a comment
There was a problem hiding this comment.
That looks better, thanks for checking.
The `peter-evans/create-pull-request` action defaults its `author` input to `${{ github.actor }}`. For scheduled workflow runs, GitHub sets `github.actor` to a human user (the "schedule owner"), not `github-actions[bot]`. This causes the weekly lockfile update commits to be incorrectly attributed to a maintainer.

All 6 scheduled runs of this workflow so far have `actor: Kludex`, likely because @Kludex merged the dependabot PR (#1878) that touched the workflow file shortly after it was created — since bots can't own schedules, GitHub attributed the schedule to the human merger.

Fix

`sign-commits: true` causes the action to create commits via the GitHub REST API rather than local git. When creating commits this way, no `author`/`committer` fields are passed — GitHub automatically uses the token identity (`github-actions[bot]` for the default `GITHUB_TOKEN`). Per the action docs, the `author`/`committer` inputs are ignored entirely when `sign-commits` is enabled.

This avoids hardcoding the bot email, and commits get a "Verified" badge as a bonus. Force-push to the fixed weekly branch is explicitly supported via `updateRef` with `force: true`. This is the approach used by Gradle, DataDog, Microsoft, and Composer in their scheduled dependency-update workflows.

The only limitations (40MiB per-file, Git LFS incompatibility, SSH deploy keys) don't apply here — `uv.lock` is ~300KB plain text committed via `GITHUB_TOKEN`.

Addresses question on #2043.
AI Disclaimer
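As an added illustration (not the project's workflow file and not taken from the action's documentation), the following workflow shows the attribution problem described in this PR beside the `sign-commits: true` fix. The job name, cron schedule, branch name, the `astral-sh/setup-uv` step and the `uv lock --upgrade` command are assumptions made for the example; `sign-commits` is the real input of `peter-evans/create-pull-request` v7 that this PR relies on.

```yaml
# Added example, not the project's own workflow. Assumed: a weekly job that
# refreshes uv.lock and opens a PR with peter-evans/create-pull-request v7.
name: weekly-lockfile-update

on:
  schedule:
    - cron: "0 6 * * 1"   # constructed schedule: Mondays 06:00 UTC
  workflow_dispatch:

# GITHUB_TOKEN needs to push the branch and open the PR; nothing more.
permissions:
  contents: write
  pull-requests: write

jobs:
  update-lock:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5   # assumed setup step
      - run: uv lock --upgrade         # assumed refresh command

      # BEFORE (the problem): no `author`/`committer` given, so the action
      # falls back to `${{ github.actor }}`. On a `schedule` trigger GitHub
      # sets that to the human "schedule owner", so the commit is attributed
      # to a maintainer who never ran anything.
      # - uses: peter-evans/create-pull-request@v7
      #   with:
      #     branch: weekly-lockfile-update
      #     commit-message: "chore: update uv.lock"
      #     title: "chore: update uv.lock"

      # AFTER (the fix in this PR): with `sign-commits: true` the action
      # creates the commit through the GitHub REST API using the token
      # identity, github-actions[bot] for the default GITHUB_TOKEN. The
      # `author` and `committer` inputs are ignored in this mode, so none
      # are set, and the commit shows the "Verified" badge.
      - uses: peter-evans/create-pull-request@v7
        with:
          sign-commits: true
          branch: weekly-lockfile-update
          commit-message: "chore: update uv.lock"
          title: "chore: update uv.lock"
```

To confirm the change took effect after a scheduled run, inspect the branch the action pushed: `git log -1 --format='%an / %cn' origin/weekly-lockfile-update` should name `github-actions[bot]` as both author and committer, and the commit page on GitHub should carry the Verified badge rather than a maintainer's avatar.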