Add signed dev-to-master merge helper#65
Conversation
|
Looking for one thing? Review this PR in Change Stack to search files, summaries, diffs, and code without losing your place. Warning Review limit reached
More reviews will be available in 4 minutes and 3 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
WalkthroughThis PR introduces a new Bash script that safely merges a remote development branch into master. The script enforces clean repository state, validates branch histories, uses signed merge commits, optionally verifies all new commits are signed by GPG keys from an allow-list, and conditionally pushes the result. ChangesControlled dev-to-master merge workflow
Estimated code review effort🎯 4 (Complex) | ⏱️ ~75 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@merge-dev-to-master.sh`:
- Line 33: The case pattern '-h|--help)' is missing spaces around the '|' which
fails shfmt; update the case entry (the pattern used in the case statement,
e.g., the '-h|--help)' pattern) to include spaces around the pipe like '-h |
--help)' (and similarly fix any other case patterns with '|' in the same script)
so the script conforms to shfmt formatting rules and CI passes.
- Around line 101-114: commit_signature_key_id currently extracts a key token
from `git log --show-signature` which can be 8/16/40 chars, while
key_id_is_allowed uses exact matches against ALLOWED_GPG_KEY_IDS; update
key_id_is_allowed (or normalize in commit_signature_key_id) to compare by
suffix/normalize lengths so different GPG outputs match: either strip to the
lower 16 chars of the fingerprint (or always compare trailing 16 chars) or
perform a suffix match (e.g., check if the commit key ends with an allowed ID)
and ensure functions named commit_signature_key_id and key_id_is_allowed (and
load_allowed_gpg_key_ids if present) use the same normalization strategy so
8/16/40-char variants all match allowed entries.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 8a4462a6-ebe9-4f8b-8f6d-1f5b8865d218
📒 Files selected for processing (1)
merge-dev-to-master.sh
There was a problem hiding this comment.
Pull request overview
Adds a repository helper script to promote changes from dev to master with an option to push, aiming to ensure the resulting history is signed by known keys in the repo’s keys/*.asc.
Changes:
- Adds
merge-dev-to-master.shto fetch, fast-forwardmaster, mergeorigin/devwith a signed merge commit, and optionally push. - Introduces commit signature allow-list checking against public keys stored under
keys/. - Adds pre-flight checks for being in a Git repo and having a clean working tree before modifying branches.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
ba38969 to
e73a072
Compare
c1b3377 to
e399f81
Compare
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
e399f81 to
62885e2
Compare
| load_allowed_gpg_key_ids | ||
|
|
||
| commits="$(git rev-list "$range")" | ||
|
|
Summary by CodeRabbit
Release Notes