git-commit-guard 0.22.2__tar.gz → 0.23.0__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (29) hide show
  1. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.github/workflows/coverage-baseline.yml +2 -2
  2. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.github/workflows/coverage-comment.yml +2 -2
  3. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.github/workflows/lint-commits.yml +1 -1
  4. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.github/workflows/lint-md.yml +1 -1
  5. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.github/workflows/lint-workflows.yml +2 -2
  6. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.github/workflows/release.yml +1 -1
  7. git_commit_guard-0.23.0/.github/workflows/security-audit.yml +69 -0
  8. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.github/workflows/test.yml +2 -2
  9. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/PKG-INFO +28 -12
  10. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/README.md +27 -11
  11. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/docs/index.html +17 -8
  12. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/src/git_commit_guard/__init__.py +42 -24
  13. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/tests/test_git_commit_guard.py +277 -48
  14. git_commit_guard-0.23.0/uv.lock +315 -0
  15. git_commit_guard-0.22.2/.github/workflows/security-audit.yml +0 -22
  16. git_commit_guard-0.22.2/uv.lock +0 -320
  17. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.editorconfig +0 -0
  18. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.github/workflows/lint-python.yml +0 -0
  19. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.gitignore +0 -0
  20. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.markdownlint.json +0 -0
  21. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.pre-commit-hooks.yaml +0 -0
  22. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/.python-version +0 -0
  23. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/LICENSE +0 -0
  24. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/action.yml +0 -0
  25. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/cliff.toml +0 -0
  26. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/docs/commit-guard-icon.svg +0 -0
  27. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/pyproject.toml +0 -0
  28. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/ruff.toml +0 -0
  29. {git_commit_guard-0.22.2 → git_commit_guard-0.23.0}/tests/__init__.py +0 -0
@@ -16,7 +16,7 @@ jobs:
16
16
  persist-credentials: false
17
17
  - name: Install uv
18
18
  # yamllint disable-line rule:line-length
19
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # ratchet:astral-sh/setup-uv@v7
19
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # ratchet:astral-sh/setup-uv@v8.2.0
20
20
  - name: Cache NLTK data
21
21
  # yamllint disable-line rule:line-length
22
22
  uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
@@ -27,7 +27,7 @@ jobs:
27
27
  run: uv run --dev pytest tests/ --cov=git_commit_guard --cov-report=xml
28
28
  - name: Upload coverage baseline
29
29
  # yamllint disable-line rule:line-length
30
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4
30
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7
31
31
  with:
32
32
  name: main-coverage
33
33
  path: coverage.xml
@@ -16,7 +16,7 @@ jobs:
16
16
  steps:
17
17
  - name: Download artifact
18
18
  # yamllint disable-line rule:line-length
19
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4
19
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # ratchet:actions/download-artifact@v8
20
20
  with:
21
21
  run-id: ${{ github.event.workflow_run.id }}
22
22
  name: pr
@@ -57,7 +57,7 @@ jobs:
57
57
  - name: Download baseline coverage
58
58
  if: steps.baseline.outputs.run-id != ''
59
59
  # yamllint disable-line rule:line-length
60
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # ratchet:actions/download-artifact@v4
60
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # ratchet:actions/download-artifact@v8
61
61
  with:
62
62
  run-id: ${{ steps.baseline.outputs.run-id }}
63
63
  name: main-coverage
@@ -22,6 +22,6 @@ jobs:
22
22
  key: nltk-averaged-perceptron-tagger-punkt
23
23
  - name: Lint commits
24
24
  # yamllint disable-line rule:line-length
25
- uses: benner/commit-guard@9162df75e7a6eba395bf7c07c1a0952fc6d04ea0 # v0.22.1
25
+ uses: benner/commit-guard@4f989e92ddf04153ec33040da42bc2f788c71584 # v0.22.3
26
26
  with:
27
27
  range: origin/${{ github.base_ref }}..HEAD
@@ -37,7 +37,7 @@ jobs:
37
37
  persist-credentials: false
38
38
  - name: Set up uv
39
39
  # yamllint disable-line rule:line-length
40
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
40
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
41
41
  with:
42
42
  enable-cache: false
43
43
  - name: Set up reviewdog
@@ -34,7 +34,7 @@ jobs:
34
34
  persist-credentials: false
35
35
  - name: Set up uv
36
36
  # yamllint disable-line rule:line-length
37
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # ratchet:astral-sh/setup-uv@v7
37
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # ratchet:astral-sh/setup-uv@v8.2.0
38
38
  - name: Set up reviewdog
39
39
  # yamllint disable-line rule:line-length
40
40
  uses: reviewdog/action-setup@d8a7baabd7f3e8544ee4dbde3ee41d0011c3a93f # ratchet:reviewdog/action-setup@v1
@@ -59,7 +59,7 @@ jobs:
59
59
  persist-credentials: false
60
60
  - name: Set up uv
61
61
  # yamllint disable-line rule:line-length
62
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # ratchet:astral-sh/setup-uv@v7
62
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # ratchet:astral-sh/setup-uv@v8.2.0
63
63
  - name: Set up reviewdog
64
64
  # yamllint disable-line rule:line-length
65
65
  uses: reviewdog/action-setup@d8a7baabd7f3e8544ee4dbde3ee41d0011c3a93f # ratchet:reviewdog/action-setup@v1
@@ -20,7 +20,7 @@ jobs:
20
20
  fetch-depth: 0
21
21
  - name: Set up uv
22
22
  # yamllint disable-line rule:line-length
23
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
23
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
24
24
  with:
25
25
  enable-cache: false
26
26
  - name: Build package
@@ -0,0 +1,69 @@
1
+ ---
2
+ name: Security Audit
3
+ on: # yamllint disable-line rule:truthy
4
+ pull_request:
5
+ schedule:
6
+ - cron: 13 3 * * *
7
+ permissions:
8
+ contents: read
9
+ jobs:
10
+ audit:
11
+ runs-on: ubuntu-latest
12
+ permissions:
13
+ contents: read
14
+ issues: write
15
+ steps:
16
+ - name: Checkout code
17
+ # yamllint disable-line rule:line-length
18
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
19
+ with:
20
+ persist-credentials: false
21
+ - name: Install uv
22
+ # yamllint disable-line rule:line-length
23
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
24
+ - name: Audit dependencies
25
+ run: |
26
+ set -o pipefail
27
+ uv audit --frozen --preview-features audit-command 2>&1 |
28
+ tee audit.log
29
+ - name: Report failure in a tracking issue
30
+ if: failure() && github.event_name == 'schedule'
31
+ env:
32
+ GH_TOKEN: ${{ github.token }}
33
+ GH_REPO: ${{ github.repository }}
34
+ run: |
35
+ run_url="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY"
36
+ run_url="$run_url/actions/runs/$GITHUB_RUN_ID"
37
+ {
38
+ echo "Scheduled security audit failed: $run_url"
39
+ echo
40
+ echo '```'
41
+ cat audit.log
42
+ echo '```'
43
+ echo
44
+ echo '<!-- security-audit -->'
45
+ } > issue-body.md
46
+ issue=$(gh issue list --state open \
47
+ --search 'Security audit failing in:title' \
48
+ --json number --jq '.[0].number')
49
+ if [ -n "$issue" ]; then
50
+ gh issue comment "$issue" --body-file issue-body.md
51
+ else
52
+ gh issue create --title "Security audit failing" \
53
+ --body-file issue-body.md
54
+ fi
55
+ - name: Close the tracking issue
56
+ if: success() && github.event_name == 'schedule'
57
+ env:
58
+ GH_TOKEN: ${{ github.token }}
59
+ GH_REPO: ${{ github.repository }}
60
+ run: |-
61
+ run_url="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY"
62
+ run_url="$run_url/actions/runs/$GITHUB_RUN_ID"
63
+ issue=$(gh issue list --state open \
64
+ --search 'Security audit failing in:title' \
65
+ --json number --jq '.[0].number')
66
+ if [ -n "$issue" ]; then
67
+ gh issue close "$issue" \
68
+ --comment "Scheduled security audit is green again: $run_url"
69
+ fi
@@ -15,7 +15,7 @@ jobs:
15
15
  persist-credentials: false
16
16
  - name: Install uv
17
17
  # yamllint disable-line rule:line-length
18
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
18
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
19
19
  - name: Cache NLTK data
20
20
  uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
21
21
  with:
@@ -35,7 +35,7 @@ jobs:
35
35
  cp coverage.xml ./pr/
36
36
  - name: Upload PR artifact
37
37
  # yamllint disable-line rule:line-length
38
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4
38
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7
39
39
  with:
40
40
  name: pr
41
41
  path: pr/
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: git-commit-guard
3
- Version: 0.22.2
3
+ Version: 0.23.0
4
4
  Summary: Opinionated conventional commit message linter with imperative mood detection
5
5
  Project-URL: Homepage, https://github.com/benner/commit-guard
6
6
  Project-URL: Repository, https://github.com/benner/commit-guard
@@ -36,7 +36,7 @@ Opinionated conventional commit message linter with imperative mood detection.
36
36
  verb, verified via nltk POS tagging — not a hand-coded regex of "bad"
37
37
  words.
38
38
  * **Signature verification without a local keyring.** Resolves the commit
39
- author via the GitHub API and verifies GPG/SSH against their published
39
+ committer via the GitHub API and verifies GPG/SSH against their published
40
40
  `.gpg`/`.keys` — no per-runner key management.
41
41
  * **Strict by default.** Subject format, body, trailers, `Signed-off-by`,
42
42
  and signature all enforced out of the box; opt out with `--disable`.
@@ -242,7 +242,7 @@ independently of `--enable`/`--disable`.
242
242
  The `signature` check verifies the commit without any local keyring setup:
243
243
 
244
244
  1. If the repo has a GitHub remote, call the Commits API
245
- (`GET /repos/{owner}/{repo}/commits/{sha}`) to resolve the author's GitHub
245
+ (`GET /repos/{owner}/{repo}/commits/{sha}`) to resolve the committer's GitHub
246
246
  username — this works for corporate emails, noreply addresses, or any email
247
247
  not listed publicly on a GitHub profile.
248
248
  2. If the Commits API is unavailable (no GitHub remote, commit not yet pushed,
@@ -250,7 +250,7 @@ The `signature` check verifies the commit without any local keyring setup:
250
250
  (`{id}+{username}@users.noreply.github.com` or
251
251
  `{username}@users.noreply.github.com`) — no API call needed.
252
252
  3. If neither of the above resolves a username, fall back to searching GitHub
253
- by the commit author's email.
253
+ by the commit committer's email.
254
254
  4. Fetch the resolved user's public keys from `github.com/{username}.gpg`
255
255
  (GPG) and the `/users/{username}/ssh_signing_keys` API (SSH keys tagged
256
256
  with the **Signing key** role). Auth-only SSH keys are deliberately not
@@ -261,7 +261,7 @@ The `signature` check verifies the commit without any local keyring setup:
261
261
  `git verify-commit` with the SSH allowed-signers config.
262
262
  7. If any key verifies, the check passes. If none do, it fails.
263
263
 
264
- If the author cannot be resolved via either method, or the GitHub API is
264
+ If the committer cannot be resolved via either method, or the GitHub API is
265
265
  unreachable, the check fails with a clear error.
266
266
 
267
267
  For private repositories, set `GITHUB_TOKEN` or `GH_TOKEN` so the Commits API
@@ -316,7 +316,7 @@ COMMIT_GUARD_GIT_TIMEOUT=30 commit-guard --range origin/main..HEAD
316
316
  In GitHub Actions, set it at the step or job level:
317
317
 
318
318
  ```yaml
319
- - uses: benner/commit-guard@v0.22.2
319
+ - uses: benner/commit-guard@v0.23.0
320
320
  env:
321
321
  COMMIT_GUARD_GIT_TIMEOUT: 30
322
322
  with:
@@ -352,6 +352,22 @@ misconfigured range specs in CI. Use `--allow-empty` to exit 0 instead:
352
352
  commit-guard --range origin/main..HEAD --allow-empty
353
353
  ```
354
354
 
355
+ ### Quiet mode
356
+
357
+ Use `--quiet` (or `-q`) to suppress output for commits that have nothing to
358
+ report — only commits with errors or warnings are printed. On a long range
359
+ this leaves exactly the offending commits in the output; a fully compliant
360
+ range prints nothing and exits 0:
361
+
362
+ ```bash
363
+ commit-guard --range origin/main..HEAD --quiet
364
+ ```
365
+
366
+ Quiet mode applies to single-commit and range mode, in both text and
367
+ `--output jsonl` formats. Exit codes are unchanged, so it composes with CI
368
+ gating. `--output-file` is not affected — the file always receives the
369
+ complete record stream.
370
+
355
371
  ### Machine-readable output
356
372
 
357
373
  Use `--output jsonl` to emit one JSON line per commit to stdout instead of the
@@ -400,7 +416,7 @@ steps:
400
416
  - uses: actions/checkout@v4
401
417
  with:
402
418
  fetch-depth: 0
403
- - uses: benner/commit-guard@v0.22.2
419
+ - uses: benner/commit-guard@v0.23.0
404
420
  ```
405
421
 
406
422
  Check all commits in a pull request:
@@ -416,7 +432,7 @@ jobs:
416
432
  - uses: actions/checkout@v4
417
433
  with:
418
434
  fetch-depth: 0
419
- - uses: benner/commit-guard@v0.22.2
435
+ - uses: benner/commit-guard@v0.23.0
420
436
  with:
421
437
  range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
422
438
  ```
@@ -424,7 +440,7 @@ jobs:
424
440
  Check a specific commit SHA (mirrors the positional CLI argument):
425
441
 
426
442
  ```yaml
427
- - uses: benner/commit-guard@v0.22.2
443
+ - uses: benner/commit-guard@v0.23.0
428
444
  with:
429
445
  rev: ${{ github.sha }}
430
446
  ```
@@ -442,7 +458,7 @@ jobs:
442
458
  - uses: actions/checkout@v4
443
459
  with:
444
460
  fetch-depth: 0
445
- - uses: benner/commit-guard@v0.22.2
461
+ - uses: benner/commit-guard@v0.23.0
446
462
  with:
447
463
  range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
448
464
  disable: signed-off,signature
@@ -462,7 +478,7 @@ jobs:
462
478
  When `output-file` is set the action exposes the path as an output:
463
479
 
464
480
  ```yaml
465
- - uses: benner/commit-guard@v0.22.2
481
+ - uses: benner/commit-guard@v0.23.0
466
482
  id: cg
467
483
  with:
468
484
  range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
@@ -478,7 +494,7 @@ Add to your `.pre-commit-config.yaml`:
478
494
  ---
479
495
  repos:
480
496
  - repo: https://github.com/benner/commit-guard
481
- rev: v0.22.2
497
+ rev: v0.23.0
482
498
  hooks:
483
499
  - id: commit-guard
484
500
  - id: commit-guard-signature
@@ -15,7 +15,7 @@ Opinionated conventional commit message linter with imperative mood detection.
15
15
  verb, verified via nltk POS tagging — not a hand-coded regex of "bad"
16
16
  words.
17
17
  * **Signature verification without a local keyring.** Resolves the commit
18
- author via the GitHub API and verifies GPG/SSH against their published
18
+ committer via the GitHub API and verifies GPG/SSH against their published
19
19
  `.gpg`/`.keys` — no per-runner key management.
20
20
  * **Strict by default.** Subject format, body, trailers, `Signed-off-by`,
21
21
  and signature all enforced out of the box; opt out with `--disable`.
@@ -221,7 +221,7 @@ independently of `--enable`/`--disable`.
221
221
  The `signature` check verifies the commit without any local keyring setup:
222
222
 
223
223
  1. If the repo has a GitHub remote, call the Commits API
224
- (`GET /repos/{owner}/{repo}/commits/{sha}`) to resolve the author's GitHub
224
+ (`GET /repos/{owner}/{repo}/commits/{sha}`) to resolve the committer's GitHub
225
225
  username — this works for corporate emails, noreply addresses, or any email
226
226
  not listed publicly on a GitHub profile.
227
227
  2. If the Commits API is unavailable (no GitHub remote, commit not yet pushed,
@@ -229,7 +229,7 @@ The `signature` check verifies the commit without any local keyring setup:
229
229
  (`{id}+{username}@users.noreply.github.com` or
230
230
  `{username}@users.noreply.github.com`) — no API call needed.
231
231
  3. If neither of the above resolves a username, fall back to searching GitHub
232
- by the commit author's email.
232
+ by the commit committer's email.
233
233
  4. Fetch the resolved user's public keys from `github.com/{username}.gpg`
234
234
  (GPG) and the `/users/{username}/ssh_signing_keys` API (SSH keys tagged
235
235
  with the **Signing key** role). Auth-only SSH keys are deliberately not
@@ -240,7 +240,7 @@ The `signature` check verifies the commit without any local keyring setup:
240
240
  `git verify-commit` with the SSH allowed-signers config.
241
241
  7. If any key verifies, the check passes. If none do, it fails.
242
242
 
243
- If the author cannot be resolved via either method, or the GitHub API is
243
+ If the committer cannot be resolved via either method, or the GitHub API is
244
244
  unreachable, the check fails with a clear error.
245
245
 
246
246
  For private repositories, set `GITHUB_TOKEN` or `GH_TOKEN` so the Commits API
@@ -295,7 +295,7 @@ COMMIT_GUARD_GIT_TIMEOUT=30 commit-guard --range origin/main..HEAD
295
295
  In GitHub Actions, set it at the step or job level:
296
296
 
297
297
  ```yaml
298
- - uses: benner/commit-guard@v0.22.2
298
+ - uses: benner/commit-guard@v0.23.0
299
299
  env:
300
300
  COMMIT_GUARD_GIT_TIMEOUT: 30
301
301
  with:
@@ -331,6 +331,22 @@ misconfigured range specs in CI. Use `--allow-empty` to exit 0 instead:
331
331
  commit-guard --range origin/main..HEAD --allow-empty
332
332
  ```
333
333
 
334
+ ### Quiet mode
335
+
336
+ Use `--quiet` (or `-q`) to suppress output for commits that have nothing to
337
+ report — only commits with errors or warnings are printed. On a long range
338
+ this leaves exactly the offending commits in the output; a fully compliant
339
+ range prints nothing and exits 0:
340
+
341
+ ```bash
342
+ commit-guard --range origin/main..HEAD --quiet
343
+ ```
344
+
345
+ Quiet mode applies to single-commit and range mode, in both text and
346
+ `--output jsonl` formats. Exit codes are unchanged, so it composes with CI
347
+ gating. `--output-file` is not affected — the file always receives the
348
+ complete record stream.
349
+
334
350
  ### Machine-readable output
335
351
 
336
352
  Use `--output jsonl` to emit one JSON line per commit to stdout instead of the
@@ -379,7 +395,7 @@ steps:
379
395
  - uses: actions/checkout@v4
380
396
  with:
381
397
  fetch-depth: 0
382
- - uses: benner/commit-guard@v0.22.2
398
+ - uses: benner/commit-guard@v0.23.0
383
399
  ```
384
400
 
385
401
  Check all commits in a pull request:
@@ -395,7 +411,7 @@ jobs:
395
411
  - uses: actions/checkout@v4
396
412
  with:
397
413
  fetch-depth: 0
398
- - uses: benner/commit-guard@v0.22.2
414
+ - uses: benner/commit-guard@v0.23.0
399
415
  with:
400
416
  range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
401
417
  ```
@@ -403,7 +419,7 @@ jobs:
403
419
  Check a specific commit SHA (mirrors the positional CLI argument):
404
420
 
405
421
  ```yaml
406
- - uses: benner/commit-guard@v0.22.2
422
+ - uses: benner/commit-guard@v0.23.0
407
423
  with:
408
424
  rev: ${{ github.sha }}
409
425
  ```
@@ -421,7 +437,7 @@ jobs:
421
437
  - uses: actions/checkout@v4
422
438
  with:
423
439
  fetch-depth: 0
424
- - uses: benner/commit-guard@v0.22.2
440
+ - uses: benner/commit-guard@v0.23.0
425
441
  with:
426
442
  range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
427
443
  disable: signed-off,signature
@@ -441,7 +457,7 @@ jobs:
441
457
  When `output-file` is set the action exposes the path as an output:
442
458
 
443
459
  ```yaml
444
- - uses: benner/commit-guard@v0.22.2
460
+ - uses: benner/commit-guard@v0.23.0
445
461
  id: cg
446
462
  with:
447
463
  range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
@@ -457,7 +473,7 @@ Add to your `.pre-commit-config.yaml`:
457
473
  ---
458
474
  repos:
459
475
  - repo: https://github.com/benner/commit-guard
460
- rev: v0.22.2
476
+ rev: v0.23.0
461
477
  hooks:
462
478
  - id: commit-guard
463
479
  - id: commit-guard-signature
@@ -315,7 +315,7 @@
315
315
  </li>
316
316
  <li>
317
317
  <strong>Signature verification without a local keyring.</strong>
318
- Resolves the commit author via the GitHub API and verifies GPG/SSH
318
+ Resolves the commit committer via the GitHub API and verifies GPG/SSH
319
319
  against their published <code>.gpg</code>/<code>.keys</code> — no
320
320
  per-runner key management.
321
321
  </li>
@@ -456,7 +456,7 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
456
456
  <ol>
457
457
  <li>If the repo has a GitHub remote, call the Commits API
458
458
  (<code>GET /repos/{owner}/{repo}/commits/{sha}</code>) to resolve
459
- the author's GitHub username — works for corporate emails, noreply
459
+ the committer's GitHub username — works for corporate emails, noreply
460
460
  addresses, or any email not listed publicly on a GitHub profile.</li>
461
461
  <li>If the Commits API is unavailable (no GitHub remote, commit not
462
462
  yet pushed, or API error), parse the username directly from a
@@ -464,7 +464,7 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
464
464
  (<code>{id}+{username}@users.noreply.github.com</code>) — no API
465
465
  call needed.</li>
466
466
  <li>If neither of the above resolves a username, fall back to
467
- searching GitHub by the commit author's email.</li>
467
+ searching GitHub by the commit committer's email.</li>
468
468
  <li>Fetch the resolved user's public keys from
469
469
  <code>github.com/{username}.gpg</code> (GPG) and
470
470
  <code>/users/{username}/ssh_signing_keys</code> (SSH keys tagged
@@ -476,7 +476,7 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
476
476
  <li>Pass if any key verifies; fail if none do.</li>
477
477
  </ol>
478
478
  <p>
479
- If the author cannot be resolved via either method, or the GitHub API
479
+ If the committer cannot be resolved via either method, or the GitHub API
480
480
  is unreachable, the check fails with a clear error. For private
481
481
  repositories, set <code>GITHUB_TOKEN</code> or <code>GH_TOKEN</code>
482
482
  so the Commits API can authenticate. The official GitHub Action wires
@@ -551,6 +551,15 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
551
551
  readable logs and structured results for downstream steps:
552
552
  </p>
553
553
  <pre><code class="language-bash">commit-guard --range origin/main..HEAD --output-file results.jsonl</code></pre>
554
+ <p>
555
+ Use <code>--quiet</code> (or <code>-q</code>) to suppress output for
556
+ commits that have nothing to report — only commits with errors or
557
+ warnings are printed, in both text and JSONL formats. A fully
558
+ compliant range prints nothing and exits 0. Exit codes are unchanged,
559
+ and <code>--output-file</code> always receives the complete record
560
+ stream:
561
+ </p>
562
+ <pre><code class="language-bash">commit-guard --range origin/main..HEAD --quiet</code></pre>
554
563
  </section>
555
564
 
556
565
  <section id="github-actions">
@@ -566,13 +575,13 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
566
575
  - uses: actions/checkout@v4
567
576
  with:
568
577
  fetch-depth: 0
569
- - uses: benner/commit-guard@v0.22.2
578
+ - uses: benner/commit-guard@v0.23.0
570
579
  with:
571
580
  range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
572
581
  disable: signed-off,signature</code></pre>
573
582
 
574
583
  <p>Check a specific commit SHA:</p>
575
- <pre><code class="language-yaml"> - uses: benner/commit-guard@v0.22.2
584
+ <pre><code class="language-yaml"> - uses: benner/commit-guard@v0.23.0
576
585
  with:
577
586
  rev: ${{ github.sha }}</code></pre>
578
587
 
@@ -591,7 +600,7 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
591
600
  When <code>output-file</code> is set the action exposes the path as
592
601
  a step output, making JSONL results available to subsequent steps:
593
602
  </p>
594
- <pre><code class="language-yaml"> - uses: benner/commit-guard@v0.22.2
603
+ <pre><code class="language-yaml"> - uses: benner/commit-guard@v0.23.0
595
604
  id: cg
596
605
  with:
597
606
  range: ${{ env.PR_BASE }}..${{ env.PR_HEAD }}
@@ -604,7 +613,7 @@ require-subject-pattern = "[A-Z]+-[0-9]+"</code></pre>
604
613
  <p>Add to <code>.pre-commit-config.yaml</code>:</p>
605
614
  <pre><code class="language-yaml">repos:
606
615
  - repo: https://github.com/benner/commit-guard
607
- rev: v0.22.2
616
+ rev: v0.23.0
608
617
  hooks:
609
618
  - id: commit-guard
610
619
  - id: commit-guard-signature</code></pre>