👷 sign chrome-bump commits with commit-headless#4838
Open
thomas-lebeau wants to merge 3 commits into
Open
Conversation
The chrome-bump CI job pushed its version-bump commit directly with `git push`, producing an unverified commit on the created branch. - add a `commit` OctoSTS scope (main branch only) and wire a chainguard policy (self.gitlab.commit.sts.yaml) authorizing it for the GitLab CI job - install `commit-headless` in the CI image (Dockerfile) to create signed (Verified) commits through the GitHub API - add `pushSignedCommit()` in gitUtils.ts, which pushes HEAD as a new remote branch via `commit-headless push` and points the local branch at it, so a later `gh pr create` doesn't attempt its own unsigned push - use `pushSignedCommit()` in bump-chrome-version.ts instead of `git push` - bump CURRENT_CI_IMAGE to 117 for the updated Dockerfile
🎉 All green!🧪 All tests passed 🎯 Code Coverage (details) 🔗 Commit SHA: e748071 | Docs | Datadog PR Page | Give us feedback! |
Bundles Sizes Evolution
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f0850a28d9
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
The remote commit created by commit-headless is re-signed, so its SHA differs from the local one. Using `--reset` resets the local branch directly to the remote SHA, replacing the previous `git fetch` step.
BeltranBulbarellaDD
approved these changes
Jul 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
The chrome-bump CI job pushed its version-bump commit directly with
git push, producing an unverified commit on the created branch. This currently works because we have admin rights to bypass the signed-commit policy on the repo, but we're about to lose that bypass — so CI-generated commits need to be properly signed (Verified) going forward.Changes
commitOctoSTS scope (main branch only) and a chainguard policy (self.gitlab.commit.sts.yaml) authorizing it for the GitLab CI jobcommit-headlessin the CI image (Dockerfile) to create signed (Verified) commits through the GitHub APIpushSignedCommit()ingitUtils.ts, which pushes HEAD as a new remote branch viacommit-headless pushand points the local branch at it, so a latergh pr createdoesn't attempt its own unsigned pushpushSignedCommit()inbump-chrome-version.tsinstead ofgit pushCURRENT_CI_IMAGEto 117 for the updated DockerfileTest instructions
It's hard to test before merging, but when it's merged we can:
bump-chrome-version-scheduledGitLab CI job withCHROME_PACKAGE_VERSIONoverridden to an old version (e.g. a version with a lower major than what's currently released), so the job detects a newer Chrome version and creates a bump PRbump-chrome-version-to-<major>branchmainChecklist