chore: Use custom action to commit changes in CI instead of git commit (#297)

fnesveda · web-flow · commit ff1ff705079a · 2026-05-15T18:53:27.000+02:00
We want to enforce commit signing for all commits in our repositories.
To do that, we need to make sure even commits created by CI workflows
are signed.

It would be possible to sign using GPG keys, but that would require a
lot of maintenance.

Instead, we can commit using the GitHub GraphQL API, which automatically
signs commits.

This PR replaces direct `git commit` / `git push` usage (and third-party
commit actions like `EndBug/add-and-commit`)
with the `apify/actions/signed-commit` action, which uses the GraphQL
API under the hood.
diff --git a/.github/workflows/check-execute-workflow-dist.yaml b/.github/workflows/check-execute-workflow-dist.yaml
@@ -33,9 +33,8 @@ jobs:
         run: pnpm --filter execute-workflow build
 
       - name: Commit and push if changed
-        uses: EndBug/add-and-commit@v10
+        uses: apify/actions/signed-commit@v1.0.0
         with:
-          author_name: github-actions[bot]
-          author_email: 41898282+github-actions[bot]@users.noreply.github.com
           message: "chore: rebuild execute-workflow dist [skip ci]"
           add: 'execute-workflow/dist/'
+          github-token: ${{ secrets.APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN }}
diff --git a/.github/workflows/claude-md-maintenance.yml b/.github/workflows/claude-md-maintenance.yml
@@ -97,24 +97,32 @@ jobs:
             echo "changed=false" >> "$GITHUB_OUTPUT"
           fi
 
+      - name: Prepare branch name
+        if: steps.diff.outputs.changed == 'true'
+        id: branch
+        run: echo "name=chore/update-claude-md-$(date +%Y%m%d%H%M%S)" >> "$GITHUB_OUTPUT"
+
+      - name: Commit CLAUDE.md
+        if: steps.diff.outputs.changed == 'true'
+        uses: apify/actions/signed-commit@v1.0.0
+        with:
+          message: "docs: update CLAUDE.md [skip ci]"
+          add: CLAUDE.md
+          github-token: ${{ github.token }}
+          branch: ${{ steps.branch.outputs.name }}
+          create-branch: 'true'
+
       - name: Create PR with updated CLAUDE.md
         if: steps.diff.outputs.changed == 'true'
         id: create-pr
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
-          git config user.name  "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-          BRANCH="chore/update-claude-md-$(date +%Y%m%d%H%M%S)"
-          git checkout -b "$BRANCH"
-          git add CLAUDE.md
-          git commit -m "docs: update CLAUDE.md [skip ci]"
-          git push origin "$BRANCH"
           PR_URL=$(gh pr create \
             --title "docs: update CLAUDE.md" \
             --body "Automated update of CLAUDE.md generated by the Claude MD Maintenance workflow." \
             --base "${{ github.ref_name }}" \
-            --head "$BRANCH")
+            --head "${{ steps.branch.outputs.name }}")
           echo "pr_url=$PR_URL" >> "$GITHUB_OUTPUT"
 
       - name: Assign PR and request review
diff --git a/.github/workflows/python_bump_and_update_changelog.yaml b/.github/workflows/python_bump_and_update_changelog.yaml
@@ -27,7 +27,7 @@ jobs:
   bump_and_update_changelog:
     runs-on: ubuntu-latest
     outputs:
-      changelog_commitish: ${{ steps.commit.outputs.commit_long_sha || github.sha }}
+      changelog_commitish: ${{ steps.commit.outputs.commit_long_sha }}
 
     steps:
       - name: Checkout repository
@@ -61,9 +61,8 @@ jobs:
 
       - name: Commit changes
         id: commit
-        uses: EndBug/add-and-commit@v10
+        uses: apify/actions/signed-commit@v1.0.0
         with:
-          author_name: github-actions[bot]
-          author_email: 41898282+github-actions[bot]@users.noreply.github.com
           message: "chore(release): Update changelog and package version [skip ci]"
           pull: '--rebase --autostash'
+          github-token: ${{ secrets.APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN }}
diff --git a/.github/workflows/sync_branches_push.yaml b/.github/workflows/sync_branches_push.yaml
@@ -45,7 +45,9 @@ jobs:
   push:
     runs-on: ubuntu-latest
     steps:
-      - name: git
+      - name: Merge head branch into base branch via GitHub API
+        env:
+          GH_TOKEN: ${{ secrets.githubToken }}
         run: |
           if [ "${GITHUB_EVENT_NAME}" = "pull_request" ]; then
             HEAD_BRANCH="${GITHUB_BASE_REF}"
@@ -55,17 +57,11 @@ jobs:
             echo ">>> Don't know how to handle event name: ${GITHUB_EVENT_NAME}"
             exit 1
           fi
-          mkdir repo
-          cd repo
-          git clone https://github-actions:${{ secrets.githubToken }}@github.com/${{ github.repository }}.git .
 
-          git config --global user.email "${{ inputs.gitConfigEmail }}"
-          git config --global user.name "${{ inputs.gitConfigUsername }}"
-          git config pull.rebase false
-
-          git switch ${{ inputs.baseBranch }}
-          git pull origin ${HEAD_BRANCH} --no-edit --no-ff
-          git push https://github-actions:${{ secrets.githubToken }}@github.com/${{ github.repository }}.git ${{ inputs.baseBranch }}:${{ inputs.baseBranch }}
+          gh api -X POST "repos/${GITHUB_REPOSITORY}/merges" \
+            -f base="${{ inputs.baseBranch }}" \
+            -f head="${HEAD_BRANCH}" \
+            -f commit_message="Merge ${HEAD_BRANCH} into ${{ inputs.baseBranch }}"
 
       - name: report failure to slack
         if: ${{ failure() }}
diff --git a/git-cliff-release/README.md b/git-cliff-release/README.md
@@ -47,12 +47,13 @@ jobs:
           path: CHANGELOG.md
           write-mode: overwrite
           contents: ${{ steps.metadata.outputs.changelog }}
+      - name: Stage changes
+        run: git add -A
       - name: Commit changes
-        uses: EndBug/add-and-commit@v10
+        uses: apify/workflows/commit@main
         with:
-          author_name: Foo
-          author_email: foo@bar.com
-          message: "chore(release): Update changelog and package version [skip ci]"
+          commit-message: "chore(release): Update changelog and package version [skip ci]"
+          github-token: ${{ secrets.GITHUB_TOKEN }}
 ```
 
 Manually trigger a release:
@@ -93,18 +94,19 @@ jobs:
           path: CHANGELOG.md
           write-mode: overwrite
           contents: ${{ steps.metadata.outputs.changelog }}
+      - name: Stage changes
+        run: git add -A
       - name: Commit changes
         id: commit
-        uses: EndBug/add-and-commit@v10
+        uses: apify/workflows/commit@main
         with:
-          author_name: Foo
-          author_email: foo@bar.com
-          message: "chore(release): Update changelog and package version [skip ci]"
+          commit-message: "chore(release): Update changelog and package version [skip ci]"
+          github-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Create release
         uses: softprops/action-gh-release@v2
         with:
           tag_name: ${{ steps.metadata.outputs.tag_name }}
           name: ${{ steps.metadata.outputs.version_number }}
-          target_commitish: ${{ steps.commit.commit_long_sha || github.sha }}
+          target_commitish: ${{ steps.commit.outputs.commit_long_sha }}
           body: ${{ steps.metadata.outputs.release_notes }}
 ```
