fix(sign-push): force rebase so -S actually re-signs the tip

`git rebase <base>` is a no-op when HEAD is already a descendant of <base>, which is the normal shape for a local branch built on top of origin/main. Without `--force-rebase`, rebase short-circuits, `-S` never runs, and the unsigned commit gets pushed and rejected by required_signatures branch rules. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-24 23:57:10 +02:00
parent e9653cff2e
commit a21fb1a908
4 changed files with 40 additions and 2 deletions
--- a/tests/test_resign.py
+++ b/tests/test_resign.py
@@ -0,0 +1,28 @@
+"""Guard the rebase invocation used to re-sign pending commits."""
+
+from __future__ import annotations
+
+import subprocess
+from unittest.mock import MagicMock
+
+from git_maintainer_tools import sign_push
+
+
+def test_resign_passes_force_rebase(monkeypatch):
+    """`git rebase <base>` is a no-op when HEAD already descends from base.
+
+    Without `--force-rebase`, `-S` would never replay any commit and the
+    tip would stay unsigned, so push-time `required_signatures` rules
+    reject it. This test pins the flag in place.
+    """
+    fake_run = MagicMock(return_value=MagicMock(returncode=0))
+    monkeypatch.setattr(subprocess, "run", fake_run)
+
+    sign_push.resign("abc123")
+
+    called_cmd = fake_run.call_args.args[0]
+    assert called_cmd[0] == "git"
+    assert "rebase" in called_cmd
+    assert "--force-rebase" in called_cmd
+    assert "-S" in called_cmd
+    assert called_cmd[-1] == "abc123"