From 497f88ddc333272fc0cd8459f97d6249127a217f Mon Sep 17 00:00:00 2001
From: Byron Wall <byron.wall@commercetools.com>
Date: Thu, 16 Apr 2026 14:09:02 -0400
Subject: [PATCH 1/2] ci: add commitMode github-api to changesets/action for
 signed commits

The GitHub org enforces "Require signed commits" as of 2026-04-10.
changesets/action defaults to commitMode: git-cli, which produces unsigned
commits that are blocked by the ruleset. Setting commitMode: github-api
routes the commit through the GitHub API, which auto-signs on behalf of
the authoring GitHub App.

Closes FEC-826

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/release.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5d82fefdd..6e200404b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -60,6 +60,7 @@ jobs:
           publish: pnpm changeset publish
           version: pnpm changeset:version-and-format
           commit: 'ci(changesets): version packages'
+          commitMode: 'github-api'
         env:
           GITHUB_TOKEN: ${{ steps.generate_github_token.outputs.token }}
 

From 28a3f73f27dea31d78908f4fff29f3a9437985b3 Mon Sep 17 00:00:00 2001
From: Byron Wall <byron.wall@commercetools.com>
Date: Thu, 16 Apr 2026 15:17:30 -0400
Subject: [PATCH 2/2] ci(release): reset tree before canary publish

changesets/action in commitMode: github-api runs the `version:`
command locally (bumping package.jsons, deleting .changeset/*.md)
but commits via the GitHub API without resetting the working tree.
The next step's `git checkout main` fails silently on the dirty
state, causing canary to publish production version numbers under
the canary dist-tag.

Fix: hard-reset to origin/main before running canary, and add
`set -euo pipefail` so future silent failures become hard stops.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/release.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6e200404b..59fa207ad 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -68,7 +68,10 @@ jobs:
       - name: Publishing canary releases to npm registry
         if: steps.changesets.outputs.published != 'true'
         run: |
-          git checkout main
+          set -euo pipefail
+          git fetch origin main
+          git reset --hard origin/main
+          git clean -fd
           pnpm changeset version --snapshot canary
           pnpm changeset publish --tag canary
         env: