Add opt-in GPG-signed commits via GitHub API

[dragid10]

Summary

Backport commits are now created through GitHub's Git Data REST API, so they are automatically signed by GitHub's web-flow GPG key and show as "Verified". No GPG key management needed — no new permissions required.

Git subprocess operations and GitHub API calls have been extracted into dedicated modules, following the existing one-module-per-API pattern (checks_api.py, comments_api.py, locking_api.py):

• git_cli.py — git subprocess operations (clone, fetch, cherry-pick, temp ref upload)
• git_api.py — GitHub Git Data REST API (GitAPI class with get_branch_head_sha, create_commit, create_branch)
• event_handlers.py — simplified to orchestration; git and API logic moved out

How it works

1. Cherry-pick runs locally as before (conflict detection, rename handling, --mainline for merge commits)
2. Tree SHA and commit message are read from the local result
3. Objects are uploaded to GitHub via a temporary ref (prefixed with the backport branch name for ruleset compatibility, with a random suffix)
4. Temp ref is deleted
5. A signed commit is created via POST /repos/{owner}/{repo}/git/commits
6. The backport branch is created via POST /repos/{owner}/{repo}/git/refs

Ref: #1

Test results

Tested end-to-end with a real GitHub App on dragid10/patchback-test-repo:

• PR #10 — commit d2cbe04: committer GitHub, verified: true

Test plan

• End-to-end test with real GitHub App — signed commit shows as Verified
• Unit tests for GitAPI methods and error handling (23 tests, all passing)
• Verified all try blocks have a single instruction
• Verified no unused imports or dead code (pyflakes, vulture)

Note: The pre-commit.ci failure is a pre-existing issue (no .pre-commit-config.yaml in the repo) — same failure on PR #50.

[webknjaz]

This is a bad type. It's full of typing.Any and contradicts the docstring claim.

[dragid10]

updated to tuple[str, str] | None

[webknjaz]

Still a bad API. I didn't get to record all the feedback earlier. If you want to return a bunch of related things, have an object for that. A tuple with arbitrary strings isn't really usable. Although, I'm yet to check the other places for why you thought it's needed.

[webknjaz]

Adds a signed_commits setting (default false) to the per-repo .github/patchback.yml config

What's the justification for having this optional? Why do we need a feature toggle?

[webknjaz]

Not sure if this bunch of logic probably belongs on this abstraction layer.

[webknjaz]

An API with hopefully-in-sync-number-of-tuple-items isn't exactly nice to work with. This should be an object. We probably need to move Git REST API interaction into a dedicated class, just like with the comments, the statuses and similar things.

[dragid10]

Adds a signed_commits setting (default false) to the per-repo .github/patchback.yml config

What's the justification for having this optional? Why do we need a feature toggle?

I imagine most wouldn't care if this was the default setting. but since going through the GitHub web signing changes what the committer actually looks like (changes to GitHub), if they were not aware of this change, they might think it odd.

And I've also learned over the years that some people just want the choice regardless of if they exercise it or not 😅
Not particularly strong justification, but it felt nicer to treat it as opt-in

[webknjaz]

try-blocks must have one single instruction. Otherwise, this causes multiple poorly-visible error handling branches that can originate on multiple lines that are difficult to guess just by looking at them.

[webknjaz]

push? this error message is identical to another place, making it difficult to distinguish between them in the logs and the comments. We should make sure to include the context unique to each situation.

[webknjaz]

Avoid nested try-in-finally. This is difficult to reason about. Additionally, such cases could be abstracted away by a CM.

[webknjaz]

Code should speak for itself. If you feel like the code comment is needed, most of the time it's a sign of abstraction layer leaks or problematic variable naming.

[webknjaz]

This should probably be at least prefixed the same way as the final branch name. Projects with branch protection rulesets might allow certain patterns but not others. Perhaps, just use the final branch name and append /{a_random_thing} at the end — this will likely avoid most of such cases.

[webknjaz]

This should mention the ref name.

[webknjaz]

We may also want to hint the users to check their rulesets for signs of blocking the pushes.

[webknjaz]

That's a retro-style command. Today, it's git push -d ...

[webknjaz]

This is probably not needed in the first place. We shouldn't have parts of commit manipulation in disconnected places, anyway.

[webknjaz]

Adds a signed_commits setting (default false) to the per-repo .github/patchback.yml config

What's the justification for having this optional? Why do we need a feature toggle?

I imagine most wouldn't care if this was the default setting. but since going through the GitHub web signing changes what the committer actually looks like (changes to GitHub), if they were not aware of this change, they might think it odd.

And I've also learned over the years that some people just want the choice regardless of if they exercise it or not 😅 Not particularly strong justification, but it felt nicer to treat it as opt-in

Let's just get rid of this until somebody asks. I don't want additional complexity that potentially nobody even wants in the first place that I'd be left with to maintain. Less is more.

Also, the committer thing is fine — the author is still the GH App which is what's most important: https://api.github.com/repos/dragid10/patchback-test-repo/commits/9b66d01f772a1fd2ba1c010524c5f24872da1895

[webknjaz]

How it works

1. Cherry-pick runs locally as before (conflict detection, rename handling, `--mainline` for merge commits)

2. Tree SHA and commit message are read from the local result

3. Objects are uploaded to GitHub via a temporary ref (deleted immediately after)

4. A signed commit is created via `POST /repos/{owner}/{repo}/git/commits`

5. The backport branch is created via `POST /repos/{owner}/{repo}/git/refs`

I'm wondering if it'd be a good idea to provide this as a part of the utils in octomachinery. But this probably goes into the same bucket as sanitizers/octomachinery#4..

Still, it'd be good to have a well-isolated relocatable piece of logic in a helper for better structuring. The amount of logic in the event_handlers is growing and is rather unhelpful. With the state of the project where we don't have a CI or tests, not even the linters or the workflow tooling, I wouldn't like to keep the cognitive complexity in check.

---

Note: it'd be good to have a helper capable of going through a chain of commits and signing each of those one by one. This is a little out of the scope but keep it in mind when working on other stuff.

[webknjaz]

I'm done w/ the review round for now. Since you're already looking into this, I'm open to getting a CLAUDE.md with the context in a standalone PR.

[dragid10]

@webknjaz I pushed some new commits to address your feedback!

[webknjaz]

Yeah, I liked some parts of the previous state more. Now, I'll have to find enough time to compose a full review. No ETA for that. FWIW, it's best to have smaller PRs as atomic patches are easier to review and merge-in faster + “no-go” things that may happen to be in the same PR wouldn't be blocking. One huge commit is going to take time to polish.

[webknjaz]

Does this actually work? What if it's called outside of the exception handling context? Seems rather fragile.

[dragid10]

Yeah, I liked some parts of the previous state more. Now, I'll have to find enough time to compose a full review. No ETA for that. FWIW, it's best to have smaller PRs as atomic patches are easier to review and merge-in faster + “no-go” things that may happen to be in the same PR wouldn't be blocking. One huge commit is going to take time to polish.

okay would you prefer I go with this direction now?

[webknjaz]

I think it's a good idea to identify the smallest improvement you can distill and work on that first. In a standalone PR. We may need to pre-agree on what that would be. This could be moving some helpers into a separate model. This could be agreeing to push the low-level sync operations closer to the subprocess invocations and making more logic async-native.

[webknjaz]

FTR, I've also raised the question of having GH App-bound signing keys that would not require the API dance with some GH folks in private spaces. So long-term, this can end up being simplified if they take on the idea I presented. But probably not in months.

[webknjaz]

I think it's a good idea to identify the smallest improvement you can distill and work on that first. In a standalone PR. We may need to pre-agree on what that would be. This could be moving some helpers into a separate model. This could be agreeing to push the low-level sync operations closer to the subprocess invocations and making more logic async-native.

Apparently, I forgot to click "Submit" yesterday, and this has been sitting unsent in my browser:
A good place to start could be separating refactoring and functional changes.