Commit Attribution
When tools like createOrUpdateFile or mergePullRequest create commits, you can control how those commits are attributed. This is useful for AI agents, bots, and automated workflows where you want clear accountability.
AI assistant prompt (commit attribution)
Configure commit attribution in this @github-tools/sdk project: use coAuthors on createGithubTools or createGithubAgent to credit the bot or AI assistant on commits while keeping the human user as the primary author. See https://github-tools.com/guide/commit-attribution.
Understanding Git attribution
Git tracks three types of attribution on commits:
| Role | Description | Set by |
|---|---|---|
| Author | The person who wrote the code | author option or authenticated user |
| Committer | The person who applied the commit | committer option or authenticated user |
| Co-author | Additional contributors | Co-authored-by trailer in commit message |
When using GitHub's API (which this SDK does), the default author and committer is the authenticated user (the owner of the token).
Add co-authors to commits
The most common pattern is keeping the human as author while crediting a bot or AI assistant as co-author:
import { createGithubTools } from '@github-tools/sdk'
const tools = createGithubTools({
token: userToken,
coAuthors: [
{ name: 'my-bot[bot]', email: '12345+my-bot[bot]@users.noreply.github.com' }
]
})
This appends a Co-authored-by trailer to every commit message:
Update README.md
Co-authored-by: my-bot[bot] <12345+my-bot[bot]@users.noreply.github.com>
GitHub recognizes these trailers and displays co-authors in the commit UI.
Override author and committer
You can also override the author and committer identity:
import { createGithubTools } from '@github-tools/sdk'
const tools = createGithubTools({
token: botToken,
author: { name: 'Jane Doe', email: 'jane@example.com' },
committer: { name: 'my-bot[bot]', email: '12345+my-bot[bot]@users.noreply.github.com' }
})
Use with agents
The same options work with createGithubAgent and createDurableGithubAgent:
import { createGithubAgent } from '@github-tools/sdk'
const agent = createGithubAgent({
model: 'anthropic/claude-sonnet-4.6',
preset: 'maintainer',
coAuthors: [
{ name: 'my-bot[bot]', email: '12345+my-bot[bot]@users.noreply.github.com' }
]
})
Commit signing
The SDK automatically attempts to create signed commits using GitHub's createCommitOnBranch GraphQL mutation. Whether commits are actually signed depends on your token type:
| Token Type | Commits Signed? |
|---|---|
| GitHub App installation token | Yes |
GITHUB_TOKEN (Actions) | Yes |
| User OAuth token | No |
| Personal Access Token (PAT) | No |
Signed commits show as "Verified" in the GitHub UI and satisfy branch protection rules requiring signed commits.
author or committer, the SDK uses the REST API instead of GraphQL, and commits will not be signed. Co-authors work with both methods.Why some tokens don't produce signed commits
GitHub only signs commits made by bots (GitHub Apps). When you authenticate as a user (OAuth or PAT), GitHub cannot sign on your behalf because it doesn't have access to your private signing key. The commit still works—it just won't be marked as "Verified."
For more details, see GitHub's commit signature verification docs.
Attribution patterns
| Scenario | Author | Committer | Co-author |
|---|---|---|---|
| Human using AI assistant | Human (default) | Human (default) | Bot |
| Bot acting on behalf of user | Human (override) | Bot (override) | — |
| Fully automated CI | Bot (default) | Bot (default) | — |