fix(ci): sign auto-generated docs commits

[guicaulada]

The update-docs workflow creates docs commits with a hand-set bot identity (github-aws-runners-pr|bot) while pushing with GITHUB_TOKEN. The resulting commits are unsigned, show as unverified, and don't resolve to any GitHub account (see dd5f00c on #5152 — verification.reason: unsigned, no linked author).

Key changes:

• The terraform-docs step no longer commits or pushes (git-push: false); a new step creates the commit through the GraphQL createCommitOnBranch mutation instead. Commits created via the API are signed by GitHub and show as Verified, attributed to github-actions[bot]. This avoids adding a new third-party action dependency.
• The main-branch PR path enables sign-commits: true on peter-evans/create-pull-request, which also creates commits via the API for the same effect.
• The fork path is unchanged, since forks push to their own repositories.

Notes:

• Pushing via createCommitOnBranch with GITHUB_TOKEN does not trigger new workflow runs, matching the previous git push behavior (no recursion).
• The mkdocs gh-deploy commits to gh-pages remain unsigned; mkdocs commits locally via git, so it can't use the API. Its identity (github-actions[bot]) at least matches the token used.

Validated with actionlint and zizmor (no findings on this workflow).

Testing

Tested end-to-end on a throwaway branch (gc/test/verified-docs-commits) containing this workflow plus a deliberately stale doc (a tweaked variable description in modules/webhook/variables.tf without regenerating the READMEs):

• No-change path: the run on this PR's branch exits cleanly with No documentation changes to commit. (run 27298488008)
• Commit path: the run on the test branch regenerated 4 READMEs and created the commit via the API (run 27303747943) — see 5116de7, which shows as Verified:

$ gh api repos/github-aws-runners/terraform-aws-github-runner/commits/5116de7ddf1a45c52ec2b5ce2b702d7f0dbcf5d2 \
    --jq '{author: .commit.author, committer_login: .committer.login, verified: .commit.verification.verified, reason: .commit.verification.reason}'
{
  "author": {
    "date": "2026-06-10T20:19:54Z",
    "email": "41898282+github-actions[bot]@users.noreply.github.com",
    "name": "github-actions[bot]"
  },
  "committer_login": "web-flow",
  "verified": true,
  "reason": "valid"
}

Compare with the unverified commit that motivated this PR: dd5f00c has "verified": false, "reason": "unsigned" and no resolvable author account.

Testing also surfaced two fixes now included here: terraform-docs stages the files it updates, so the change detection diffs against HEAD; and the GraphQL payload is passed to jq via a temp file (--slurpfile) because embedding file contents in a CLI argument exceeded the kernel's per-argument size limit.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[npalm]

Looks good, but @guicaulada maybe make a tiny doc change, Some trival change. This will trigger a commit on the branch to proof it fix the probelm

[Brend-Smits]

Great work, seems the terraform docs step is failing:

Run # diff against HEAD because terraform-docs stages the files it updates
/home/runner/work/_temp/6c1ec272-b350-4198-9822-211949289d07.sh: line 9: /usr/bin/jq: Argument list too long
gh: A query attribute must be specified and must be a string.
{"errors":[{"message":"A query attribute must be specified and must be a string."}]}
Error: Process completed with exit code 1.

[guicaulada]

Well... I tested in a gc/test/verified-docs-commits branch to not pollute the PR with unrelated commits, but seems documentation was outdated so we got 26a12b3 Verified on this PR either way 😅

[Brend-Smits]

LGTM !