chore: Use custom action to commit changes in CI instead of git commit (#2533)

fnesveda · web-flow · commit a11dae6140f2 · 2026-05-15T18:13:14.000+02:00
We want to enforce commit signing for all commits in our repositories.
To do that, we need to make sure even commits created by CI workflows
are signed.

It would be possible to sign using GPG keys, but that would require a
lot of maintenance.

Instead, we can commit using the GitHub GraphQL API, which automatically
signs commits.

This PR replaces direct `git commit` / `git push` usage (and third-party
commit actions like `EndBug/add-and-commit`)
with the `apify/actions/signed-commit` action, which uses the GraphQL
API under the hood.
diff --git a/.github/workflows/bump-openapi-version.yaml b/.github/workflows/bump-openapi-version.yaml
@@ -22,9 +22,8 @@ jobs:
 
             - name: Commit changes
               id: commit
-              uses: EndBug/add-and-commit@v10
+              uses: apify/actions/signed-commit@v1.0.0
               with:
-                  author_name: github-actions[bot]
-                  author_email: 41898282+github-actions[bot]@users.noreply.github.com
                   message: "chore(openapi): Update OpenAPI version [skip ci]"
                   pull: '--rebase --autostash'
+                  github-token: ${{ secrets.APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN }}
diff --git a/.github/workflows/publish-to-npm.yaml b/.github/workflows/publish-to-npm.yaml
@@ -93,13 +93,12 @@ jobs:
 
             -   name: Commit the new theme version
                 continue-on-error: true
-                uses: EndBug/add-and-commit@v10
+                uses: apify/actions/signed-commit@v1.0.0
                 with:
-                    add: 'apify-docs-theme/package*.json'
-                    author_name: github-actions[bot]
-                    author_email: 41898282+github-actions[bot]@users.noreply.github.com
                     message: 'chore: publish new version of @apify/docs-theme [skip ci]'
+                    add: 'apify-docs-theme/package.json apify-docs-theme/package-lock.json'
                     pull: '--rebase --autostash'
+                    github-token: ${{ secrets.APIFY_SERVICE_ACCOUNT_GITHUB_TOKEN }}
 
     rebuild-docs:
         needs: publish
