Skip to content

👷 sign chrome-bump commits with commit-headless#4838

Open
thomas-lebeau wants to merge 3 commits into
mainfrom
worktree-sign-chrome-bump-commit
Open

👷 sign chrome-bump commits with commit-headless#4838
thomas-lebeau wants to merge 3 commits into
mainfrom
worktree-sign-chrome-bump-commit

Conversation

@thomas-lebeau

@thomas-lebeau thomas-lebeau commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

Motivation

The chrome-bump CI job pushed its version-bump commit directly with git push, producing an unverified commit on the created branch. This currently works because we have admin rights to bypass the signed-commit policy on the repo, but we're about to lose that bypass — so CI-generated commits need to be properly signed (Verified) going forward.

Changes

  • Add a commit OctoSTS scope (main branch only) and a chainguard policy (self.gitlab.commit.sts.yaml) authorizing it for the GitLab CI job
  • Install commit-headless in the CI image (Dockerfile) to create signed (Verified) commits through the GitHub API
  • Add pushSignedCommit() in gitUtils.ts, which pushes HEAD as a new remote branch via commit-headless push and points the local branch at it, so a later gh pr create doesn't attempt its own unsigned push
  • Use pushSignedCommit() in bump-chrome-version.ts instead of git push
  • Bump CURRENT_CI_IMAGE to 117 for the updated Dockerfile

Test instructions

It's hard to test before merging, but when it's merged we can:

  • Manually run the bump-chrome-version-scheduled GitLab CI job with CHROME_PACKAGE_VERSION overridden to an old version (e.g. a version with a lower major than what's currently released), so the job detects a newer Chrome version and creates a bump PR
  • Verify the job pushes a Verified commit on the new bump-chrome-version-to-<major> branch
  • Verify the resulting PR is opened correctly against main
  • Close the test PR/branch afterwards (no need to merge it)

Checklist

  • Tested locally
  • Tested on staging
  • Added unit tests for this change.
  • Added e2e/integration tests for this change.
  • Updated documentation and/or relevant AGENTS.md file

The chrome-bump CI job pushed its version-bump commit directly with
`git push`, producing an unverified commit on the created branch.

- add a `commit` OctoSTS scope (main branch only) and wire a chainguard
  policy (self.gitlab.commit.sts.yaml) authorizing it for the GitLab CI
  job
- install `commit-headless` in the CI image (Dockerfile) to create
  signed (Verified) commits through the GitHub API
- add `pushSignedCommit()` in gitUtils.ts, which pushes HEAD as a new
  remote branch via `commit-headless push` and points the local branch
  at it, so a later `gh pr create` doesn't attempt its own unsigned push
- use `pushSignedCommit()` in bump-chrome-version.ts instead of
  `git push`
- bump CURRENT_CI_IMAGE to 117 for the updated Dockerfile
@datadog-prod-us1-4

datadog-prod-us1-4 Bot commented Jul 1, 2026

Copy link
Copy Markdown

Tests

🎉 All green!

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 77.20% (+0.00%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: e748071 | Docs | Datadog PR Page | Give us feedback!

@cit-pr-commenter-54b7da

Copy link
Copy Markdown

Bundles Sizes Evolution

📦 Bundle Name Base Size Local Size 𝚫 𝚫% Status
Rum 172.69 KiB 172.69 KiB 0 B 0.00%
Rum Profiler 8.22 KiB 8.22 KiB 0 B 0.00%
Rum Recorder 21.14 KiB 21.14 KiB 0 B 0.00%
Logs 54.58 KiB 54.58 KiB 0 B 0.00%
Rum Slim 130.52 KiB 130.52 KiB 0 B 0.00%
Worker 22.96 KiB 22.96 KiB 0 B 0.00%

@thomas-lebeau thomas-lebeau marked this pull request as ready for review July 1, 2026 14:57
@thomas-lebeau thomas-lebeau requested a review from a team as a code owner July 1, 2026 14:57

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f0850a28d9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread scripts/lib/gitUtils.ts Outdated
The remote commit created by commit-headless is re-signed, so its SHA
differs from the local one. Using `--reset` resets the local branch
directly to the remote SHA, replacing the previous `git fetch` step.
Comment thread scripts/lib/gitUtils.ts
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants