From d1717e2d8a4fa5e55623d8f33aeb8e29251e392f Mon Sep 17 00:00:00 2001 From: Marc Siebeneicher Date: Thu, 8 Dec 2022 12:07:58 +0100 Subject: [PATCH 01/22] feat(gh-auth): add gh auth login and credential helper --- src/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/entrypoint.sh b/src/entrypoint.sh index b0bb01da..e6f4ec2c 100755 --- a/src/entrypoint.sh +++ b/src/entrypoint.sh @@ -19,7 +19,7 @@ fi SOURCE_REPO_HOSTNAME="${HOSTNAME:-github.com}" # In case of private template repository this will be overwritten -SOURCE_REPO_PREFIX="https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@${SOURCE_REPO_HOSTNAME}/" +SOURCE_REPO_PREFIX="https://${SOURCE_REPO_HOSTNAME}/" function ssh_setup() { echo "::group::ssh setup" From 4c18507a6cfd276aad3be23ba6f059f84986e236 Mon Sep 17 00:00:00 2001 From: Marc Siebeneicher Date: Fri, 23 Dec 2022 11:38:25 +0100 Subject: [PATCH 02/22] feat(gh-auth): add own source_repo_github_token handling for template repo --- README.md | 27 +++++++++++++++++++++++++++ action.yml | 3 +++ src/entrypoint.sh | 5 +++++ 3 files changed, 35 insertions(+) diff --git a/README.md b/README.md index 5435b8ab..2d5ac3ee 100644 --- a/README.md +++ b/README.md 
@@ -86,6 +86,33 @@ You can use all [triggers][action-triggers] which are supported for GitHub actio If you have a private template repository. +#### Using github app + +You can create and use a [GitHub App](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps) to handle the access to your private repository. To generate a token for your app you can use a separate action like [tibdex/github-app-token](https://github.com/tibdex/github-app-token). + +```yaml +jobs: + repo-sync: + runs-on: ubuntu-latest + + steps: + - name: Generate token to read from source repo # see: https://github.com/tibdex/github-app-token + id: generate_token + uses: tibdex/github-app-token@v1 + with: + app_id: ${{ secrets.APP_ID }} + private_key: ${{ secrets.PRIVATE_KEY }} + + - name: actions-template-sync + uses: AndreasAugustin/actions-template-sync@v0.5.0-draft + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + source_repo_github_token: ${{ steps.generate_token.outputs.token }} + source_repo_path: + upstream_branch: # defaults to main + pr_labels: ,[,...] # optional, no default +``` + #### SSH You have various options to use ssh keys with GitHub. diff --git a/action.yml b/action.yml index 99520439..aadd64c8 100644 --- a/action.yml +++ b/action.yml @@ -17,6 +17,8 @@ inputs: default: 'main' source_repo_ssh_private_key: description: '[optional] private ssh key for the source repository. E.q. useful if using a private template repository.' + source_repo_github_token: + description: '[optional] Separate github token to interact with the source repository. Using $\{{ inputs.github_token }} by default.' pr_branch_name_prefix: description: '[optional] the prefix of branches created by this action' default: 'chore/template_sync' 
@@ -38,6 +40,7 @@ runs: image: 'src/Dockerfile' env: GITHUB_TOKEN: ${{ inputs.github_token }} + SOURCE_REPO_GITHUB_TOKEN: ${{ inputs.source_repo_github_token }} SOURCE_REPO_PATH: ${{ inputs.source_repo_path }} UPSTREAM_BRANCH: ${{ inputs.upstream_branch }} SSH_PRIVATE_KEY_SRC: ${{ inputs.source_repo_ssh_private_key }} diff --git a/src/entrypoint.sh b/src/entrypoint.sh index e6f4ec2c..00017d67 100755 --- a/src/entrypoint.sh +++ b/src/entrypoint.sh @@ -11,6 +11,11 @@ source sync_common.sh exit 1; }; +if [[ -z "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then + echo "::debug::Missing input 'source_repo_github_token: \${{ input.source_repo_github_token }}'. Using github_token as default." + SOURCE_REPO_GITHUB_TOKEN="${GITHUB_TOKEN}" +fi + if [[ -z "${SOURCE_REPO_PATH}" ]]; then err "Missing input 'source_repo_path: \${{ input.source_repo_path }}'."; exit 1 From 3590d737855741b76b509505b21ff921dcfee0b4 Mon Sep 17 00:00:00 2001 From: Andy Augustin Date: Tue, 27 Dec 2022 18:38:23 +0100 Subject: [PATCH 03/22] chore(): add test for PAT :rocket: fix(): small fix for private repos :bug: --- .github/workflows/test_pat.yml | 24 ++++++++++++++++++++++++ src/sync_template.sh | 3 +++ 2 files changed, 27 insertions(+) create mode 100644 .github/workflows/test_pat.yml diff --git a/.github/workflows/test_pat.yml b/.github/workflows/test_pat.yml new file mode 100644 index 00000000..cd000155 --- /dev/null +++ b/.github/workflows/test_pat.yml 
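Review bot: The fallback assignment `SOURCE_REPO_GITHUB_TOKEN="${GITHUB_TOKEN}"` added to entrypoint.sh will be traced with its expanded value if `set -x` is already active here. A later hunk header in this series shows `set -x` near the top of the file, so this looks likely. Only the runner's secret masking then keeps the token out of the job log. Switch tracing off around the token handling, for example `{ set +x; } 2>/dev/null` before the `if` and `set -x` after the `fi`, or drop the global trace altogether.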
@@ -0,0 +1,24 @@ +name: test-pat + +on: + pull_request: + push: + # manual trigger + workflow_dispatch: + +jobs: + test-implementation-job: + + runs-on: ubuntu-latest + + steps: + # To use this repository's private action, you must check out the repository + - name: Checkout + uses: actions/checkout@v3 + - name: Test action step ssh + uses: ./ # Uses an action in the root directory + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + source_repo_path: ${{ secrets.SOURCE_REPO_PATH_SSH }} # , should be within secrets + source_repo_github_token: ${{ secrets.SOURCE_REPO_PAT }} # contains the private PAT of the private repository + is_dry_run: true diff --git a/src/sync_template.sh b/src/sync_template.sh index cf49299e..eff6f43a 100755 --- a/src/sync_template.sh +++ b/src/sync_template.sh @@ -32,6 +32,9 @@ if [[ -n "${SRC_SSH_PRIVATEKEY_ABS_PATH}" ]]; then export GIT_SSH_COMMAND="ssh -i ${SRC_SSH_PRIVATEKEY_ABS_PATH}" fi +# TODO(anau) make conditional +gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${SOURCE_REPO_GITHUB_TOKEN}" + TEMPLATE_SYNC_IGNORE_FILE_PATH=".templatesyncignore" TEMPLATE_REMOTE_GIT_HASH=$(git ls-remote "${SOURCE_REPO}" HEAD | awk '{print $1}') NEW_TEMPLATE_GIT_HASH=$(git rev-parse --short "${TEMPLATE_REMOTE_GIT_HASH}") From 9b742247ad7218490f30978af7abf4d6fc4ed9ad Mon Sep 17 00:00:00 2001 From: Andy Augustin Date: Wed, 28 Dec 2022 10:19:02 +0100 Subject: [PATCH 04/22] chore(gh-cli): update gh cli version to latest :rocket: --- Dockerfile | 2 +- src/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index edac2592..8665702d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ ###################################### FROM alpine:3.17.0 as dev -ARG GH_CLI_VER=2.15.0 +ARG GH_CLI_VER=2.21.1 # install packages RUN apk add --update --no-cache bash make git zsh curl tmux musl openssh git-lfs 
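Review bot: The new test_pat.yml has no `permissions:` key, so the job token keeps the repository's default scope although the step is a dry run that only needs read access. Add a top-level `permissions:` with `contents: read`. The bare `push:` trigger also runs `uses: ./`, which is the action code of whatever branch was pushed, with `secrets.SOURCE_REPO_PAT` in its environment; limiting `push` to the default branch keeps the PAT away from unreviewed branch code. `actions/checkout@v3` is a movable tag, and pinning it to a commit SHA is the usual hardening for a job that handles a PAT.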
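Review bot: The `gh auth login ... --with-token` line added to sync_template.sh runs unconditionally and its exit status is not checked. An empty or rejected `SOURCE_REPO_GITHUB_TOKEN` is therefore only noticed when the following `git ls-remote` fails, unless the script runs under `set -e`, which the hunk does not show. For github.com, gh also gives a `GITHUB_TOKEN` environment variable precedence over stored credentials, and action.yml exports one, so the stored source token may never be the credential in use. Guard the call and fail with a clear message, e.g. `gh auth login ... <<< "${SOURCE_REPO_GITHUB_TOKEN}" || { err "gh auth login for source repo failed"; exit 1; }`.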
diff --git a/src/Dockerfile b/src/Dockerfile
index c5771a42..40e86931 100644
--- a/src/Dockerfile
+++ b/src/Dockerfile
@@ -1,6 +1,6 @@
 FROM alpine:3.17.0
-ARG GH_CLI_VER=2.15.0
+ARG GH_CLI_VER=2.21.1
 # TODO(anau) change user
 ARG GITHUB_URL="https://github.com/AndreasAugustin/actions-template-sync"
From edc921643abea52c36a71ddd691a1c8a1729188d Mon Sep 17 00:00:00 2001 
From: Andy Augustin Date: Wed, 28 Dec 2022 10:23:10 +0100 Subject: [PATCH 05/22] # This is a combination of 6 commits. # This is the 1st commit message: parent 9b742247ad7218490f30978af7abf4d6fc4ed9ad author Andy Augustin 1672219390 +0100 committer Andy Augustin 1672592292 +0100 gpgsig -----BEGIN PGP SIGNATURE----- iQGzBAABCAAdFiEEApgnwt2TStNZl6Y9UpE0XzZ/UkgFAmOxu6QACgkQUpE0XzZ/ UkjAzgv/cWh9hE7VLkLM1nVmra945WUkOfWXHnCUnrsOWsxxSOkH1r2mLxZdnWtg BlFc4RciJAB39Nv1WBUt+hGBGOdYWcV1lxgSIpn+vNXd9/5xciEThRk9T1piHj+x xnZU2rW0dLlnEnFlIX1qkKeD+rjclXw46umjMgqwIF0vQSx5cR9y8sDCiqRGg2Fv G/k/xLoQwah0Ve8nwqd6dLwNYXl8cFBfvuZaGV/dt1+5BDl4J5mPYg4trxKx5xnB fTxTQ0G/qOa1OInW04EReJWZwQaGvyx5PqEFk0ESk8MuzFytfVVRCnHwdP/QvLO7 S7Y79wUBAQfHvSlwOgBtlQc5eFOiKoxahUhJIcCMLw1r2+nRjuPAA0j07v6nmjDM sfxyVSpnYnKGAfGrYGboOHuEjqKegKdY3oIQFL/Ivln7kmLxGrFcpQ+QMTEJUsLw 2AB+Yf+tJyQXnx8AiGQRnVlXW3FRCOQhCxK2zXMUpzwAsKcKYNnaKoM6jDN7EzRQ fZrB76EK =yGb3 -----END PGP SIGNATURE----- feat(): make gh auth login conditional for separate source repo token :rocket: style(lint): fix lint issues :bug: feat(): add PAT :rocket: feat(): add PAT :rocket: feat(): add PAT :rocket: feat(): add PAT :rocket: feat(): add PAT :rocket: feat(): add PAT :rocket: feat(): add PAT :rocket: doc(): update docs :pencil: feat(): add option for PAT :rocket: feat(): add option for PAT :rocket: # This is the commit message #2: feat(): add option for PAT :rocket: # This is the commit message #3: feat(): add option for PAT :rocket: # This is the commit message #4: feat(): add option for PAT :rocket: # This is the commit message #5: feat(): add option for PAT :rocket: # This is the commit message #6: trial(): add permissions :bug: --- .github/workflows/actions_template_sync.yml | 2 ++ .github/workflows/test_pat.yml | 2 +- Dockerfile | 7 ++++++- README.md | 9 +++++++-- action.yml | 6 ++++-- docker-compose.yml | 6 +++--- src/entrypoint.sh | 20 ++++++++++++++------ src/sync_template.sh | 10 ++++++++-- 8 files changed, 45 insertions(+), 17 deletions(-) 
diff --git a/.github/workflows/actions_template_sync.yml b/.github/workflows/actions_template_sync.yml index 838bba03..bc576644 100644 --- a/.github/workflows/actions_template_sync.yml +++ b/.github/workflows/actions_template_sync.yml @@ -7,6 +7,8 @@ on: # manual trigger workflow_dispatch: +permissions: read-all + jobs: repo-sync: runs-on: ubuntu-latest diff --git a/.github/workflows/test_pat.yml b/.github/workflows/test_pat.yml index cd000155..9d3d4e5d 100644 --- a/.github/workflows/test_pat.yml +++ b/.github/workflows/test_pat.yml @@ -18,7 +18,7 @@ jobs: - name: Test action step ssh uses: ./ # Uses an action in the root directory with: - github_token: ${{ secrets.GITHUB_TOKEN }} + # github_token: ${{ secrets.GITHUB_TOKEN }} source_repo_path: ${{ secrets.SOURCE_REPO_PATH_SSH }} # , should be within secrets source_repo_github_token: ${{ secrets.SOURCE_REPO_PAT }} # contains the private PAT of the private repository is_dry_run: true diff --git a/Dockerfile b/Dockerfile index 8665702d..ea676420 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,7 +6,7 @@ FROM alpine:3.17.0 as dev ARG GH_CLI_VER=2.21.1 # install packages -RUN apk add --update --no-cache bash make git zsh curl tmux musl openssh git-lfs +RUN apk add --update --no-cache bash make git zsh curl tmux musl openssh git-lfs vim RUN wget https://github.com/cli/cli/releases/download/v${GH_CLI_VER}/gh_${GH_CLI_VER}_linux_386.tar.gz -O ghcli.tar.gz RUN tar --strip-components=1 -xf ghcli.tar.gz @@ -17,6 +17,11 @@ RUN echo "set-option -g default-shell /bin/zsh" >> /root/.tmux.conf # install oh-my-zsh RUN sh -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)" +ADD src/*.sh /bin/ +RUN chmod +x /bin/entrypoint.sh \ + && chmod +x /bin/sync_template.sh \ + && chmod +x /bin/sync_common.sh + RUN mkdir -p /root/.ssh \ && ssh-keyscan -t rsa github.com >> /root/.ssh/known_hosts diff --git a/README.md b/README.md index 2d5ac3ee..6661a014 100644 --- a/README.md +++ b/README.md 
@@ -64,6 +64,7 @@ You will receive a pull request within your repository if there are some changes | source_repo_path | Repository path of the template | `true` | | | upstream_branch | The target branch | `true` | `main` | | source_repo_ssh_private_key | `[optional]` private ssh key for the source repository. [see](#private-template-repository)| `false` | | +| source_repo_github_token | `[optional]` separate github token to interact with the source repository. | `false` | `$\{{ inputs.github_token }}` | | pr_branch_name_prefix | `[optional]` the prefix of branches created by this action | `false` | `chore/template_sync` | | pr_title | `[optional]` the title of PRs opened by this action. Must be already created. | `false` | `upstream merge template repository` | | pr_labels | `[optional]` comma separated list. [pull request labels][pr-labels]. Must be already created. | `false` | | @@ -88,7 +89,8 @@ If you have a private template repository. #### Using github app -You can create and use a [GitHub App](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps) to handle the access to your private repository. To generate a token for your app you can use a separate action like [tibdex/github-app-token](https://github.com/tibdex/github-app-token). +You can create and use a [GitHub App][github-app] to handle the access to your private repository. +To generate a token for your app you can use a separate action like [tibdex/github-app-token][github-app-token]. ```yaml jobs: @@ -142,7 +144,7 @@ jobs: ## Ignore Files -Create a `.templatesyncignore` file. Just like writing a `.gitignore` file, follow the [glob pattern](https://en.wikipedia.org/wiki/Glob_(programming)) +Create a `.templatesyncignore` file. Just like writing a `.gitignore` file, follow the [glob pattern][glob-pattern] in defining the files and folders that should be excluded from syncing with the template repository. It can also be stored inside `.github` folder. 
@@ -211,3 +213,6 @@ specification. Contributions of any kind welcome! [pr-labels]: https://docs.github.com/en/issues/using-labels-and-milestones-to-track-work/managing-labels [devto-example]: https://dev.to/andreasaugustin/github-actions-template-sync-1g9k [github-example]: https://github.com/AndreasAugustin/teaching/blob/main/docs/git/git_action_sync.md +[github-app]: https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps +[glob-pattern]: https://en.wikipedia.org/wiki/Glob_(programming) +[github-app-token]: https://github.com/tibdex/github-app-token diff --git a/action.yml b/action.yml index aadd64c8..b2743cf6 100644 --- a/action.yml +++ b/action.yml @@ -7,7 +7,8 @@ branding: inputs: github_token: description: 'Token for the repo. Can be passed in using $\{{ secrets.GITHUB_TOKEN }}' - required: true + # TODO(anau) + # required: true source_repo_path: description: 'Repository path of the template' required: true @@ -17,8 +18,9 @@ inputs: default: 'main' source_repo_ssh_private_key: description: '[optional] private ssh key for the source repository. E.q. useful if using a private template repository.' + # TODO(anau) source_repo_github_token: - description: '[optional] Separate github token to interact with the source repository. Using $\{{ inputs.github_token }} by default.' + description: '[optional] Separate github token to interact with the source repository. Using $\{{ inputs.github_token }} by default.' pr_branch_name_prefix: description: '[optional] the prefix of branches created by this action' default: 'chore/template_sync' diff --git a/docker-compose.yml b/docker-compose.yml index a72254db..8705caa1 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -5,9 +5,9 @@ services: build: context: . target: dev - volumes: - - .:/app/ - - ~/.gitconfig:/root/.gitconfig:ro + # volumes: + #- .:/app/ + # - ~/.gitconfig:/root/.gitconfig:ro environment: - SSH_PRIVATE_KEY_SRC 
diff --git a/src/entrypoint.sh b/src/entrypoint.sh index 00017d67..8b7cc629 100755 --- a/src/entrypoint.sh +++ b/src/entrypoint.sh @@ -6,13 +6,14 @@ set -x # shellcheck source=src/sync_common.sh source sync_common.sh -[ -z "${GITHUB_TOKEN}" ] && { - err "Missing input 'github_token: \${{ secrets.GITHUB_TOKEN }}'."; - exit 1; -}; +if [[ -z "${GITHUB_TOKEN}" && -z "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then +# TODO + err "Missing input 'github_token: \${{ secrets.GITHUB_TOKEN }}'."; + exit 1; +fi if [[ -z "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then - echo "::debug::Missing input 'source_repo_github_token: \${{ input.source_repo_github_token }}'. Using github_token as default." + debug "Missing input 'source_repo_github_token: \${{ input.source_repo_github_token }}'. Using github_token as default." SOURCE_REPO_GITHUB_TOKEN="${GITHUB_TOKEN}" fi @@ -60,7 +61,14 @@ function git_init() { git config --global --add safe.directory /github/workspace git lfs install - echo "::endgroup::" + # TODO(anau) check + # gh auth setup-git + # git config --global "credential.https://${SOURCE_REPO_HOSTNAME}.helper" "!gh auth git-credential" + if [[ -z "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then + gh auth setup-git --hostname "${SOURCE_REPO_HOSTNAME}" + gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${SOURCE_REPO_GITHUB_TOKEN}" + fi + echo "::endgroup::" } git_init diff --git a/src/sync_template.sh b/src/sync_template.sh index eff6f43a..3da5443a 100755 --- a/src/sync_template.sh +++ b/src/sync_template.sh 
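Review bot: The guard added inside `git_init` is inverted: `if [[ -z "${SOURCE_REPO_GITHUB_TOKEN}" ]]` runs `gh auth setup-git` and `gh auth login --with-token` only when the token is empty. The block earlier in the file copies `GITHUB_TOKEN` into that variable, so the branch looks unreachable in a normal run and the source token is never registered with gh. The test should be `if [[ -n "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then`, and the login probably has to come before `gh auth setup-git`, which expects an authenticated host. The indentation of the moved `echo "::endgroup::"` no longer matches the rest of the function, which starts above the hunk.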
@@ -32,8 +32,14 @@ if [[ -n "${SRC_SSH_PRIVATEKEY_ABS_PATH}" ]]; then export GIT_SSH_COMMAND="ssh -i ${SRC_SSH_PRIVATEKEY_ABS_PATH}" fi -# TODO(anau) make conditional -gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${SOURCE_REPO_GITHUB_TOKEN}" +#if [[ -n "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then +# debug "using github token for source repo" + # TODO(anau) check this later +# unset GITHUB_TOKEN +# gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${SOURCE_REPO_GITHUB_TOKEN}" +# gh auth setup-git +# sleep 1 +# fi TEMPLATE_SYNC_IGNORE_FILE_PATH=".templatesyncignore" TEMPLATE_REMOTE_GIT_HASH=$(git ls-remote "${SOURCE_REPO}" HEAD | awk '{print $1}') From 7c68c1c4fafb5074e8e28ab12b90d3f8c0896e9a Mon Sep 17 00:00:00 2001 
From: Andy Augustin Date: Sun, 1 Jan 2023 18:02:24 +0100 Subject: [PATCH 06/22] parent 9b742247ad7218490f30978af7abf4d6fc4ed9ad author Andy Augustin 1672219390 +0100 committer Andy Augustin 1672592292 +0100 gpgsig -----BEGIN PGP SIGNATURE----- iQGzBAABCAAdFiEEApgnwt2TStNZl6Y9UpE0XzZ/UkgFAmOxu6QACgkQUpE0XzZ/ UkjAzgv/cWh9hE7VLkLM1nVmra945WUkOfWXHnCUnrsOWsxxSOkH1r2mLxZdnWtg BlFc4RciJAB39Nv1WBUt+hGBGOdYWcV1lxgSIpn+vNXd9/5xciEThRk9T1piHj+x xnZU2rW0dLlnEnFlIX1qkKeD+rjclXw46umjMgqwIF0vQSx5cR9y8sDCiqRGg2Fv G/k/xLoQwah0Ve8nwqd6dLwNYXl8cFBfvuZaGV/dt1+5BDl4J5mPYg4trxKx5xnB fTxTQ0G/qOa1OInW04EReJWZwQaGvyx5PqEFk0ESk8MuzFytfVVRCnHwdP/QvLO7 S7Y79wUBAQfHvSlwOgBtlQc5eFOiKoxahUhJIcCMLw1r2+nRjuPAA0j07v6nmjDM sfxyVSpnYnKGAfGrYGboOHuEjqKegKdY3oIQFL/Ivln7kmLxGrFcpQ+QMTEJUsLw 2AB+Yf+tJyQXnx8AiGQRnVlXW3FRCOQhCxK2zXMUpzwAsKcKYNnaKoM6jDN7EzRQ fZrB76EK =yGb3 -----END PGP SIGNATURE----- feat(): make gh auth login conditional for separate source repo token :rocket: style(lint): fix lint issues :bug: feat(): add PAT :rocket: feat(): add PAT :rocket: feat(): add PAT :rocket: feat(): add PAT :rocket: feat(): add PAT :rocket: feat(): add PAT :rocket: feat(): add PAT :rocket: doc(): update docs :pencil: feat(): add option for PAT :rocket: feat(): add option for PAT :rocket: feat(): add option for PAT :rocket: feat(): add option for PAT :rocket: feat(): add option for PAT :rocket: feat(): add option for PAT :rocket: trial(): add permissions :bug: trial(): new trial for accessing private repo with PAT :up: trial(): new trial for accessing private repo with PAT :up: trial(): new trial for accessing private repo with PAT :up: trial(): new trial for accessing private repo with PAT :up: trial(): new trial for accessing private repo with PAT :up: trial(): new trial for accessing private repo with PAT :up: trial(): new trial for accessing private repo with PAT :up: trial(): new trial for accessing private repo with PAT :up: --- .github/workflows/test.yml | 6 ++++-- .github/workflows/test_pat.yml | 8 
+++++--- .github/workflows/test_ssh.yml | 6 ++++-- src/entrypoint.sh | 30 +++++++++++++++++------------- src/sync_template.sh | 8 ++++++++ 5 files changed, 38 insertions(+), 20 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6dd457d4..a7973e9b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -14,9 +14,11 @@ jobs: steps: # To use this repository's private action, you must check out the repository - - name: Checkout + - + name: Checkout uses: actions/checkout@v3 - - name: Test action step + - + name: Test action step uses: ./ # Uses an action in the root directory with: github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/test_pat.yml b/.github/workflows/test_pat.yml index 9d3d4e5d..9577f43b 100644 --- a/.github/workflows/test_pat.yml +++ b/.github/workflows/test_pat.yml @@ -13,12 +13,14 @@ jobs: steps: # To use this repository's private action, you must check out the repository - - name: Checkout + - + name: Checkout uses: actions/checkout@v3 - - name: Test action step ssh + - + name: Test action step PAT uses: ./ # Uses an action in the root directory with: # github_token: ${{ secrets.GITHUB_TOKEN }} - source_repo_path: ${{ secrets.SOURCE_REPO_PATH_SSH }} # , should be within secrets + source_repo_path: ${{ secrets.SOURCE_REPO_PATH_TEST }} # , should be within secrets source_repo_github_token: ${{ secrets.SOURCE_REPO_PAT }} # contains the private PAT of the private repository is_dry_run: true diff --git a/.github/workflows/test_ssh.yml b/.github/workflows/test_ssh.yml index bf098a2a..6a87ed84 100644 --- a/.github/workflows/test_ssh.yml +++ b/.github/workflows/test_ssh.yml 
@@ -13,9 +13,11 @@ jobs: steps: # To use this repository's private action, you must check out the repository - - name: Checkout + - + name: Checkout uses: actions/checkout@v3 - - name: Test action step ssh + - + name: Test action step ssh uses: ./ # Uses an action in the root directory with: github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/src/entrypoint.sh b/src/entrypoint.sh index 8b7cc629..efb60d6b 100755 --- a/src/entrypoint.sh +++ b/src/entrypoint.sh @@ -12,10 +12,10 @@ if [[ -z "${GITHUB_TOKEN}" && -z "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then exit 1; fi -if [[ -z "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then - debug "Missing input 'source_repo_github_token: \${{ input.source_repo_github_token }}'. Using github_token as default." - SOURCE_REPO_GITHUB_TOKEN="${GITHUB_TOKEN}" -fi +# if [[ -z "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then +# debug "Missing input 'source_repo_github_token: \${{ input.source_repo_github_token }}'. Using github_token as default." +# SOURCE_REPO_GITHUB_TOKEN="${GITHUB_TOKEN}" +# fi if [[ -z "${SOURCE_REPO_PATH}" ]]; then err "Missing input 'source_repo_path: \${{ input.source_repo_path }}'."; @@ -24,7 +24,7 @@ fi SOURCE_REPO_HOSTNAME="${HOSTNAME:-github.com}" -# In case of private template repository this will be overwritten +# In case of ssh template repository this will be overwritten SOURCE_REPO_PREFIX="https://${SOURCE_REPO_HOSTNAME}/" function ssh_setup() { 
@@ -61,14 +61,18 @@ function git_init() { git config --global --add safe.directory /github/workspace git lfs install - # TODO(anau) check - # gh auth setup-git - # git config --global "credential.https://${SOURCE_REPO_HOSTNAME}.helper" "!gh auth git-credential" - if [[ -z "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then - gh auth setup-git --hostname "${SOURCE_REPO_HOSTNAME}" - gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${SOURCE_REPO_GITHUB_TOKEN}" - fi - echo "::endgroup::" + if [[ -n "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then + if [[ -z "${GITHUB_TOKEN}" ]]; then + export GITHUB_TOKEN_BK="${GITHUB_TOKEN}" + unset GITHUB_TOKEN + fi + + gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${SOURCE_REPO_GITHUB_TOKEN}" + gh auth setup-git --hostname "${SOURCE_REPO_HOSTNAME}" + # git config --global "credential.https://${SOURCE_REPO_HOSTNAME}.helper" "!gh auth git-credential" + gh auth status + fi + echo "::endgroup::" } git_init diff --git a/src/sync_template.sh b/src/sync_template.sh index 3da5443a..4563b168 100755 --- a/src/sync_template.sh +++ b/src/sync_template.sh @@ -112,6 +112,14 @@ echo "::endgroup::" push_and_create_pr () { if [ "$IS_DRY_RUN" != "true" ]; then + echo "::group::final gh auth login before creating pull request" + if [[ -z "${GITHUB_TOKEN_BK}" ]]; then + export GITHUB_TOKEN="${GITHUB_TOKEN_BK}" + gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${GITHUB_TOKEN}" + fi + + echo "::endgroup::" + echo "::group::push changes and create PR" debug "push changes" git push --set-upstream origin "${NEW_BRANCH}" From 809ebe27953220091ec4841cec5780da8c5670e2 Mon Sep 17 00:00:00 2001 From: Marc Siebeneicher Date: Thu, 8 Dec 2022 12:07:58 +0100 Subject: [PATCH 07/22] feat(gh-auth): add gh auth login and credential helper --- src/entrypoint.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
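Review bot: Both new token-swap guards test the wrong way round. In `git_init` (entrypoint.sh), `if [[ -z "${GITHUB_TOKEN}" ]]` backs up and unsets the variable only when it is already empty, so a populated `GITHUB_TOKEN` stays in the environment during the source-repository login. In `push_and_create_pr` (sync_template.sh), `if [[ -z "${GITHUB_TOKEN_BK}" ]]` fires when there is no backup, overwrites `GITHUB_TOKEN` with an empty string and pipes that empty value to `gh auth login`. The push and `gh pr create` can then run under whatever credential gh stored last, which would be the source-repository token rather than the workflow's. Both tests should be `-n`: `if [[ -n "${GITHUB_TOKEN}" ]]; then` and `if [[ -n "${GITHUB_TOKEN_BK}" ]]; then`. Both functions extend beyond their hunks.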
diff --git a/src/entrypoint.sh b/src/entrypoint.sh index b0bb01da..dd1907d7 100755 --- a/src/entrypoint.sh +++ b/src/entrypoint.sh @@ -19,7 +19,7 @@ fi SOURCE_REPO_HOSTNAME="${HOSTNAME:-github.com}" # In case of private template repository this will be overwritten -SOURCE_REPO_PREFIX="https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@${SOURCE_REPO_HOSTNAME}/" +SOURCE_REPO_PREFIX="https://${SOURCE_REPO_HOSTNAME}/" function ssh_setup() { echo "::group::ssh setup" @@ -55,6 +55,9 @@ function git_init() { git config --global --add safe.directory /github/workspace git lfs install + git config --global "credential.https://${SOURCE_REPO_HOSTNAME}.helper" "!gh auth git-credential" + gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${GITHUB_TOKEN}" + echo "::endgroup::" } From cc557389010491271a45f5410d224d0ac334e932 Mon Sep 17 00:00:00 2001 From: Marc Siebeneicher Date: Fri, 23 Dec 2022 11:38:25 +0100 Subject: [PATCH 08/22] feat(gh-auth): add own source_repo_github_token handling for template repo --- README.md | 32 ++++++++++++++++++++++++++++++++ action.yml | 3 +++ src/entrypoint.sh | 16 ++++++++++++++++ src/sync_template.sh | 13 +++++++++++++ 4 files changed, 64 insertions(+) diff --git a/README.md b/README.md index 5435b8ab..15f630ab 100644 --- a/README.md +++ b/README.md 
@@ -63,7 +63,12 @@ You will receive a pull request within your repository if there are some changes | github_token | Token for the repo. Can be passed in using `$\{{ secrets.GITHUB_TOKEN }}` | `true` | | | source_repo_path | Repository path of the template | `true` | | | upstream_branch | The target branch | `true` | `main` | +<<<<<<< HEAD | source_repo_ssh_private_key | `[optional]` private ssh key for the source repository. [see](#private-template-repository)| `false` | | +======= +| source_repo_ssh_private_key | `[optional]` private ssh key for the source repository. E.q. useful if using a private template repository. [see](#private-template-repository)| `false` | | +| source_repo_github_token | `[optional]` separate github token to interact with the source repository. | `false` | `$\{{ inputs.github_token }}` | +>>>>>>> 42e4d55 (feat(gh-auth): add own source_repo_github_token handling for template repo) | pr_branch_name_prefix | `[optional]` the prefix of branches created by this action | `false` | `chore/template_sync` | | pr_title | `[optional]` the title of PRs opened by this action. Must be already created. | `false` | `upstream merge template repository` | | pr_labels | `[optional]` comma separated list. [pull request labels][pr-labels]. Must be already created. | `false` | | 
@@ -86,6 +91,33 @@ You can use all [triggers][action-triggers] which are supported for GitHub actio If you have a private template repository. +#### Using github app + +You can create and use a [GitHub App](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps) to handle the access to your private repository. To generate a token for your app you can use a separate action like [tibdex/github-app-token](https://github.com/tibdex/github-app-token). + +```yaml +jobs: + repo-sync: + runs-on: ubuntu-latest + + steps: + - name: Generate token to read from source repo # see: https://github.com/tibdex/github-app-token + id: generate_token + uses: tibdex/github-app-token@v1 + with: + app_id: ${{ secrets.APP_ID }} + private_key: ${{ secrets.PRIVATE_KEY }} + + - name: actions-template-sync + uses: AndreasAugustin/actions-template-sync@v0.5.0-draft + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + source_repo_github_token: ${{ steps.generate_token.outputs.token }} + source_repo_path: + upstream_branch: # defaults to main + pr_labels: ,[,...] # optional, no default +``` + #### SSH You have various options to use ssh keys with GitHub. diff --git a/action.yml b/action.yml index 99520439..aadd64c8 100644 --- a/action.yml +++ b/action.yml @@ -17,6 +17,8 @@ inputs: default: 'main' source_repo_ssh_private_key: description: '[optional] private ssh key for the source repository. E.q. useful if using a private template repository.' + source_repo_github_token: + description: '[optional] Separate github token to interact with the source repository. Using $\{{ inputs.github_token }} by default.' pr_branch_name_prefix: description: '[optional] the prefix of branches created by this action' default: 'chore/template_sync' 
@@ -38,6 +40,7 @@ runs: image: 'src/Dockerfile' env: GITHUB_TOKEN: ${{ inputs.github_token }} + SOURCE_REPO_GITHUB_TOKEN: ${{ inputs.source_repo_github_token }} SOURCE_REPO_PATH: ${{ inputs.source_repo_path }} UPSTREAM_BRANCH: ${{ inputs.upstream_branch }} SSH_PRIVATE_KEY_SRC: ${{ inputs.source_repo_ssh_private_key }} diff --git a/src/entrypoint.sh b/src/entrypoint.sh index dd1907d7..b66c181d 100755 --- a/src/entrypoint.sh +++ b/src/entrypoint.sh @@ -11,6 +11,11 @@ source sync_common.sh exit 1; }; +if [[ -z "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then + echo "::debug::Missing input 'source_repo_github_token: \${{ input.source_repo_github_token }}'. Using github_token as default." + SOURCE_REPO_GITHUB_TOKEN="${GITHUB_TOKEN}" +fi + if [[ -z "${SOURCE_REPO_PATH}" ]]; then err "Missing input 'source_repo_path: \${{ input.source_repo_path }}'."; exit 1 @@ -45,6 +50,7 @@ fi export SOURCE_REPO="${SOURCE_REPO_PREFIX}${SOURCE_REPO_PATH}" +<<<<<<< HEAD function git_init() { echo "::group::git init" info "set git global configuration" @@ -62,6 +68,16 @@ function git_init() { } git_init +======= +echo "::group::git init" +echo "set git global configuration" +git config --global user.email "github-action@actions-template-sync.noreply.${SOURCE_REPO_HOSTNAME}" +git config --global user.name "${GITHUB_ACTOR}" +git config --global pull.rebase false +git config --global --add safe.directory /github/workspace +git config --global "credential.https://${SOURCE_REPO_HOSTNAME}.helper" "!gh auth git-credential" +echo "::endgroup::" +>>>>>>> 42e4d55 (feat(gh-auth): add own source_repo_github_token handling for template repo) # shellcheck source=src/sync_template.sh source sync_template.sh diff --git a/src/sync_template.sh b/src/sync_template.sh index cf49299e..f685526c 100755 --- a/src/sync_template.sh +++ b/src/sync_template.sh 
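Review bot: This commit adds unresolved merge-conflict markers as file content. `<<<<<<< HEAD`, `=======` and `>>>>>>> 42e4d55 (...)` appear as `+` lines around `git_init` in entrypoint.sh, and again in both sync_template.sh hunks and in the README inputs table. Bash should stop with a syntax error when it reaches the first marker, so none of the new token handling is exercised, and both variants of the git setup are present in the file at once. Resolve the conflict before committing; running `git diff --check` in CI or a pre-commit hook flags leftover markers.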
@@ -62,8 +62,13 @@ echo "::endgroup::" echo "::group::Pull template" debug "create new branch from default branch with name ${NEW_BRANCH}" git checkout -b "${NEW_BRANCH}" +<<<<<<< HEAD debug "pull changes from template" # TODO(anau) eventually make squash optional +======= +echo "::debug::pull changes from template" +gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${SOURCE_REPO_GITHUB_TOKEN}" +>>>>>>> 42e4d55 (feat(gh-auth): add own source_repo_github_token handling for template repo) git pull "${SOURCE_REPO}" --allow-unrelated-histories --squash --strategy=recursive -X theirs echo "::endgroup::" @@ -103,8 +108,16 @@ echo "::endgroup::" push_and_create_pr () { if [ "$IS_DRY_RUN" != "true" ]; then +<<<<<<< HEAD echo "::group::push changes and create PR" debug "push changes" +======= + echo "::group::final gh auth login before creating pull request" + gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${GITHUB_TOKEN}" + echo "::endgroup::" + + echo "::debug::push changes" +>>>>>>> 42e4d55 (feat(gh-auth): add own source_repo_github_token handling for template repo) git push --set-upstream origin "${NEW_BRANCH}" gh pr create \ From a06016d2e2112a594f3654efe6f513920604cf8c Mon Sep 17 00:00:00 2001 From: Marc Siebeneicher Date: Mon, 2 Jan 2023 11:05:55 +0100 Subject: [PATCH 09/22] fix(merge): fix merge conflicts --- README.md | 4 ---- src/entrypoint.sh | 11 ----------- src/sync_template.sh | 13 ++----------- 3 files changed, 2 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index 15f630ab..270db384 100644 --- a/README.md +++ b/README.md 
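Review bot: The login added in `push_and_create_pr` registers the destination credential, `GITHUB_TOKEN`, against `--hostname "${SOURCE_REPO_HOSTNAME}"`, which is the template's host. If the template can live on a different host than the repository the action runs in, the workflow token is presented to that other server and `gh pr create` still has no credential for the right one. Deriving the host for this call from the runner's `GITHUB_SERVER_URL` would avoid that. The exit status of the login is also not checked before `git push`. The function body continues past the hunk.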
@@ -63,12 +63,8 @@ You will receive a pull request within your repository if there are some changes | github_token | Token for the repo. Can be passed in using `$\{{ secrets.GITHUB_TOKEN }}` | `true` | | | source_repo_path | Repository path of the template | `true` | | | upstream_branch | The target branch | `true` | `main` | -<<<<<<< HEAD -| source_repo_ssh_private_key | `[optional]` private ssh key for the source repository. [see](#private-template-repository)| `false` | | -======= | source_repo_ssh_private_key | `[optional]` private ssh key for the source repository. E.q. useful if using a private template repository. [see](#private-template-repository)| `false` | | | source_repo_github_token | `[optional]` separate github token to interact with the source repository. | `false` | `$\{{ inputs.github_token }}` | ->>>>>>> 42e4d55 (feat(gh-auth): add own source_repo_github_token handling for template repo) | pr_branch_name_prefix | `[optional]` the prefix of branches created by this action | `false` | `chore/template_sync` | | pr_title | `[optional]` the title of PRs opened by this action. Must be already created. | `false` | `upstream merge template repository` | | pr_labels | `[optional]` comma separated list. [pull request labels][pr-labels]. Must be already created. | `false` | | diff --git a/src/entrypoint.sh b/src/entrypoint.sh index b66c181d..c09a1949 100755 --- a/src/entrypoint.sh +++ b/src/entrypoint.sh @@ -50,7 +50,6 @@ fi export SOURCE_REPO="${SOURCE_REPO_PREFIX}${SOURCE_REPO_PATH}" -<<<<<<< HEAD function git_init() { echo "::group::git init" info "set git global configuration" 
@@ -68,16 +67,6 @@ function git_init() { } git_init -======= -echo "::group::git init" -echo "set git global configuration" -git config --global user.email "github-action@actions-template-sync.noreply.${SOURCE_REPO_HOSTNAME}" -git config --global user.name "${GITHUB_ACTOR}" -git config --global pull.rebase false -git config --global --add safe.directory /github/workspace -git config --global "credential.https://${SOURCE_REPO_HOSTNAME}.helper" "!gh auth git-credential" -echo "::endgroup::" ->>>>>>> 42e4d55 (feat(gh-auth): add own source_repo_github_token handling for template repo) # shellcheck source=src/sync_template.sh source sync_template.sh diff --git a/src/sync_template.sh b/src/sync_template.sh index f685526c..f6379169 100755 --- a/src/sync_template.sh +++ b/src/sync_template.sh @@ -62,13 +62,9 @@ echo "::endgroup::" echo "::group::Pull template" debug "create new branch from default branch with name ${NEW_BRANCH}" git checkout -b "${NEW_BRANCH}" -<<<<<<< HEAD debug "pull changes from template" -# TODO(anau) eventually make squash optional -======= -echo "::debug::pull changes from template" gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${SOURCE_REPO_GITHUB_TOKEN}" ->>>>>>> 42e4d55 (feat(gh-auth): add own source_repo_github_token handling for template repo) +# TODO(anau) eventually make squash optional git pull "${SOURCE_REPO}" --allow-unrelated-histories --squash --strategy=recursive -X theirs echo "::endgroup::" 
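Review bot: In the `@@ -62,13 +62,9 @@` hunk of `src/sync_template.sh`, the kept `gh auth login ... --with-token <<< "${SOURCE_REPO_GITHUB_TOKEN}"` probably does not make the following `git pull` use the source token while `GITHUB_TOKEN` is still set in the environment. gh gives `GITHUB_TOKEN` precedence over stored credentials for github.com and declines to store a new login while it is set; whether the variable is still exported at this point is not visible in the hunk. Scoping the override to the pull keeps the repository token available for the later push, for example `( unset GITHUB_TOKEN; gh auth login ... --with-token <<< "${SOURCE_REPO_GITHUB_TOKEN}" && git pull "${SOURCE_REPO}" ... )`. The login also runs when the template is fetched over SSH, where it is not needed.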
@@ -108,16 +104,11 @@ echo "::endgroup::" push_and_create_pr () { if [ "$IS_DRY_RUN" != "true" ]; then -<<<<<<< HEAD - echo "::group::push changes and create PR" - debug "push changes" -======= echo "::group::final gh auth login before creating pull request" gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${GITHUB_TOKEN}" echo "::endgroup::" - echo "::debug::push changes" ->>>>>>> 42e4d55 (feat(gh-auth): add own source_repo_github_token handling for template repo) + echo "::group::push changes and create PR" git push --set-upstream origin "${NEW_BRANCH}" gh pr create \ From 1b2dd578ccd231addf9ed2d3a3db00a8e3800636 Mon Sep 17 00:00:00 2001 From: andy Augustin Date: Mon, 2 Jan 2023 13:03:15 +0100 Subject: [PATCH 10/22] fix(): small logic fix in script Signed-off-by: andy Augustin --- src/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/entrypoint.sh b/src/entrypoint.sh index 8848803a..c884750d 100644 --- a/src/entrypoint.sh +++ b/src/entrypoint.sh @@ -67,7 +67,7 @@ function git_init() { git lfs install if [[ -n "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then - if [[ -z "${GITHUB_TOKEN}" ]]; then + if [[ -n "${GITHUB_TOKEN}" ]]; then export GITHUB_TOKEN_BK="${GITHUB_TOKEN}" unset GITHUB_TOKEN fi From f27405619f5f860e94515deaa12112c62a46901c Mon Sep 17 00:00:00 2001 From: andy Augustin Date: Mon, 2 Jan 2023 13:03:46 +0100 Subject: [PATCH 11/22] fix(): small logic fix in script Signed-off-by: andy Augustin --- src/sync_template.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/sync_template.sh b/src/sync_template.sh index 302f5b59..e900afac 100644 --- a/src/sync_template.sh +++ b/src/sync_template.sh 
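Review bot: In the `@@ -67,7 +67,7 @@` hunk of `git_init`, `export GITHUB_TOKEN_BK="${GITHUB_TOKEN}"` keeps the repository token in the environment of every child process under a second name, which undoes part of what `unset GITHUB_TOKEN` is for. `sync_template.sh` is sourced into the same shell (`source sync_template.sh` appears in an earlier hunk), so a plain variable is enough: `GITHUB_TOKEN_BK="${GITHUB_TOKEN}"`. The header of a later hunk for this file shows `set -x` near the top of the script, so this assignment is also written to the trace with the token expanded, leaving log masking as the only protection; bracketing the token handling with `set +x` and `set -x` avoids that. `git_init` starts and ends outside this hunk.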
@@ -114,7 +114,7 @@ echo "::endgroup::" push_and_create_pr () { if [ "$IS_DRY_RUN" != "true" ]; then echo "::group::final gh auth login before creating pull request" - if [[ -z "${GITHUB_TOKEN_BK}" ]]; then + if [[ -n "${GITHUB_TOKEN_BK}" ]]; then export GITHUB_TOKEN="${GITHUB_TOKEN_BK}" gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${GITHUB_TOKEN}" fi From 42728fc5c96b249607e304ab0be87da46f6e45d1 Mon Sep 17 00:00:00 2001 From: Andy Augustin Date: Mon, 2 Jan 2023 16:57:46 +0100 Subject: [PATCH 12/22] feat(): #238 hopefully a final version :rocket: --- .github/workflows/test_pat.yml | 3 +-- README.md | 6 ++---- action.yml | 6 +----- docker-compose.yml | 6 +++--- src/entrypoint.sh | 28 +++++----------------------- src/sync_template.sh | 18 +----------------- 6 files changed, 13 insertions(+), 54 deletions(-) diff --git a/.github/workflows/test_pat.yml b/.github/workflows/test_pat.yml index 9577f43b..74ae5d21 100644 --- a/.github/workflows/test_pat.yml +++ b/.github/workflows/test_pat.yml @@ -20,7 +20,6 @@ jobs: name: Test action step PAT uses: ./ # Uses an action in the root directory with: - # github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ secrets.SOURCE_REPO_PAT }} source_repo_path: ${{ secrets.SOURCE_REPO_PATH_TEST }} # , should be within secrets - source_repo_github_token: ${{ secrets.SOURCE_REPO_PAT }} # contains the private PAT of the private repository is_dry_run: true diff --git a/README.md b/README.md index 6661a014..96b5b12e 100644 --- a/README.md +++ b/README.md 
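Review bot: Inside the corrected `if [[ -n "${GITHUB_TOKEN_BK}" ]]` branch, `export GITHUB_TOKEN="${GITHUB_TOKEN_BK}"` runs before `gh auth login ... --with-token`, and gh declines to store credentials for github.com while `GITHUB_TOKEN` is set, so the login is likely to fail or to be redundant. Once the variable is restored, gh and its git credential helper already authenticate with it, so the login line can be dropped, or moved above the `export` if stored credentials are really wanted. The `else` branch added later in `src/entrypoint.sh` (`@@ -52,6 +41,10 @@`) repeats the pattern with `GITHUB_TOKEN` set. `push_and_create_pr` continues outside this hunk.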
@@ -64,7 +64,6 @@ You will receive a pull request within your repository if there are some changes | source_repo_path | Repository path of the template | `true` | | | upstream_branch | The target branch | `true` | `main` | | source_repo_ssh_private_key | `[optional]` private ssh key for the source repository. [see](#private-template-repository)| `false` | | -| source_repo_github_token | `[optional]` separate github token to interact with the source repository. | `false` | `$\{{ inputs.github_token }}` | | pr_branch_name_prefix | `[optional]` the prefix of branches created by this action | `false` | `chore/template_sync` | | pr_title | `[optional]` the title of PRs opened by this action. Must be already created. | `false` | `upstream merge template repository` | | pr_labels | `[optional]` comma separated list. [pull request labels][pr-labels]. Must be already created. | `false` | | @@ -106,10 +105,9 @@ jobs: private_key: ${{ secrets.PRIVATE_KEY }} - name: actions-template-sync - uses: AndreasAugustin/actions-template-sync@v0.5.0-draft + uses: AndreasAugustin/actions-template-sync@v0.5.5-draft with: - github_token: ${{ secrets.GITHUB_TOKEN }} - source_repo_github_token: ${{ steps.generate_token.outputs.token }} + github_token: ${{ steps.generate_token.outputs.token }} source_repo_path: upstream_branch: # defaults to main pr_labels: ,[,...] # optional, no default diff --git a/action.yml b/action.yml index b2743cf6..c3ab3240 100644 --- a/action.yml +++ b/action.yml @@ -7,8 +7,7 @@ branding: inputs: github_token: description: 'Token for the repo. Can be passed in using $\{{ secrets.GITHUB_TOKEN }}' - # TODO(anau) - # required: true + required: true source_repo_path: description: 'Repository path of the template' required: true 
@@ -18,9 +17,6 @@ inputs: default: 'main' source_repo_ssh_private_key: description: '[optional] private ssh key for the source repository. E.q. useful if using a private template repository.' - # TODO(anau) - source_repo_github_token: - description: '[optional] Separate github token to interact with the source repository. Using $\{{ inputs.github_token }} by default.' pr_branch_name_prefix: description: '[optional] the prefix of branches created by this action' default: 'chore/template_sync' diff --git a/docker-compose.yml b/docker-compose.yml index 8705caa1..a72254db 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -5,9 +5,9 @@ services: build: context: . target: dev - # volumes: - #- .:/app/ - # - ~/.gitconfig:/root/.gitconfig:ro + volumes: + - .:/app/ + - ~/.gitconfig:/root/.gitconfig:ro environment: - SSH_PRIVATE_KEY_SRC diff --git a/src/entrypoint.sh b/src/entrypoint.sh index c884750d..02cd32da 100644 --- a/src/entrypoint.sh +++ b/src/entrypoint.sh @@ -6,22 +6,11 @@ set -x # shellcheck source=src/sync_common.sh source sync_common.sh -if [[ -z "${GITHUB_TOKEN}" && -z "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then -# TODO +if [[ -z "${GITHUB_TOKEN}" ]]; then err "Missing input 'github_token: \${{ secrets.GITHUB_TOKEN }}'."; exit 1; fi -# if [[ -z "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then -# debug "Missing input 'source_repo_github_token: \${{ input.source_repo_github_token }}'. Using github_token as default." -# SOURCE_REPO_GITHUB_TOKEN="${GITHUB_TOKEN}" -# fi - -if [[ -z "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then - echo "::debug::Missing input 'source_repo_github_token: \${{ input.source_repo_github_token }}'. Using github_token as default." - SOURCE_REPO_GITHUB_TOKEN="${GITHUB_TOKEN}" -fi - if [[ -z "${SOURCE_REPO_PATH}" ]]; then err "Missing input 'source_repo_path: \${{ input.source_repo_path }}'."; exit 1 
@@ -52,6 +41,10 @@ function ssh_setup() { # Forward to /dev/null to swallow the output of the private key if [[ -n "${SSH_PRIVATE_KEY_SRC}" ]] &>/dev/null; then ssh_setup +else + gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${GITHUB_TOKEN}" + gh auth setup-git --hostname "${SOURCE_REPO_HOSTNAME}" + gh auth status fi export SOURCE_REPO="${SOURCE_REPO_PREFIX}${SOURCE_REPO_PATH}" @@ -66,17 +59,6 @@ function git_init() { git config --global --add safe.directory /github/workspace git lfs install - if [[ -n "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then - if [[ -n "${GITHUB_TOKEN}" ]]; then - export GITHUB_TOKEN_BK="${GITHUB_TOKEN}" - unset GITHUB_TOKEN - fi - - gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${SOURCE_REPO_GITHUB_TOKEN}" - gh auth setup-git --hostname "${SOURCE_REPO_HOSTNAME}" - # git config --global "credential.https://${SOURCE_REPO_HOSTNAME}.helper" "!gh auth git-credential" - gh auth status - fi echo "::endgroup::" } diff --git a/src/sync_template.sh b/src/sync_template.sh index e900afac..49eb2ddf 100644 --- a/src/sync_template.sh +++ b/src/sync_template.sh @@ -32,15 +32,6 @@ if [[ -n "${SRC_SSH_PRIVATEKEY_ABS_PATH}" ]]; then export GIT_SSH_COMMAND="ssh -i ${SRC_SSH_PRIVATEKEY_ABS_PATH}" fi -#if [[ -n "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then -# debug "using github token for source repo" - # TODO(anau) check this later -# unset GITHUB_TOKEN -# gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${SOURCE_REPO_GITHUB_TOKEN}" -# gh auth setup-git -# sleep 1 -# fi - TEMPLATE_SYNC_IGNORE_FILE_PATH=".templatesyncignore" TEMPLATE_REMOTE_GIT_HASH=$(git ls-remote "${SOURCE_REPO}" HEAD | awk '{print $1}') NEW_TEMPLATE_GIT_HASH=$(git rev-parse --short "${TEMPLATE_REMOTE_GIT_HASH}") 
@@ -113,15 +104,8 @@ echo "::endgroup::" push_and_create_pr () { if [ "$IS_DRY_RUN" != "true" ]; then - echo "::group::final gh auth login before creating pull request" - if [[ -n "${GITHUB_TOKEN_BK}" ]]; then - export GITHUB_TOKEN="${GITHUB_TOKEN_BK}" - gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${GITHUB_TOKEN}" - fi - - echo "::endgroup::" - echo "::group::push changes and create PR" + echo "::group::push changes and create PR" debug "push changes" git push --set-upstream origin "${NEW_BRANCH}" From abd42516c7df964d234111d9e897145e29dd3579 Mon Sep 17 00:00:00 2001 From: Andy Augustin Date: Mon, 2 Jan 2023 16:59:15 +0100 Subject: [PATCH 13/22] feat(): #238 hopefully a final version :rocket: --- .github/workflows/actions_template_sync.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/actions_template_sync.yml b/.github/workflows/actions_template_sync.yml index bc576644..838bba03 100644 --- a/.github/workflows/actions_template_sync.yml +++ b/.github/workflows/actions_template_sync.yml @@ -7,8 +7,6 @@ on: # manual trigger workflow_dispatch: -permissions: read-all - jobs: repo-sync: runs-on: ubuntu-latest From 7f15131cd77b511d8056165bad06ec6e0940f27d Mon Sep 17 00:00:00 2001 From: Andy Augustin Date: Mon, 2 Jan 2023 17:05:17 +0100 Subject: [PATCH 14/22] feat(): #238 hopefully a final version :rocket: --- action.yml | 1 - src/entrypoint.sh | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/action.yml b/action.yml index c3ab3240..99520439 100644 --- a/action.yml +++ b/action.yml @@ -38,7 +38,6 @@ runs: image: 'src/Dockerfile' env: GITHUB_TOKEN: ${{ inputs.github_token }} - SOURCE_REPO_GITHUB_TOKEN: ${{ inputs.source_repo_github_token }} SOURCE_REPO_PATH: ${{ inputs.source_repo_path }} UPSTREAM_BRANCH: ${{ inputs.upstream_branch }} SSH_PRIVATE_KEY_SRC: ${{ inputs.source_repo_ssh_private_key }} diff --git a/src/entrypoint.sh b/src/entrypoint.sh index 02cd32da..b7b449ac 100644 
--- a/src/entrypoint.sh +++ b/src/entrypoint.sh @@ -42,7 +42,7 @@ function ssh_setup() { if [[ -n "${SSH_PRIVATE_KEY_SRC}" ]] &>/dev/null; then ssh_setup else - gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${GITHUB_TOKEN}" + gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" gh auth setup-git --hostname "${SOURCE_REPO_HOSTNAME}" gh auth status fi From 041938981fc4dd8fd910698a29374da9e2bfe38b Mon Sep 17 00:00:00 2001 From: Andy Augustin Date: Mon, 2 Jan 2023 17:07:14 +0100 Subject: [PATCH 15/22] feat(): #238 hopefully a final version :rocket: --- src/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/entrypoint.sh b/src/entrypoint.sh index b7b449ac..1f9c4bbc 100644 --- a/src/entrypoint.sh +++ b/src/entrypoint.sh @@ -42,7 +42,7 @@ function ssh_setup() { if [[ -n "${SSH_PRIVATE_KEY_SRC}" ]] &>/dev/null; then ssh_setup else - gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" + # gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" gh auth setup-git --hostname "${SOURCE_REPO_HOSTNAME}" gh auth status fi From 69f59a2143e284e0a5ae26ddf3c5c9c78f4a5451 Mon Sep 17 00:00:00 2001 From: Andy Augustin Date: Mon, 2 Jan 2023 17:09:43 +0100 Subject: [PATCH 16/22] feat(): #238 hopefully a final version :rocket: --- src/sync_template.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/sync_template.sh b/src/sync_template.sh index 49eb2ddf..68f62944 100644 --- a/src/sync_template.sh +++ b/src/sync_template.sh 
@@ -63,7 +63,7 @@ echo "::group::Pull template" debug "create new branch from default branch with name ${NEW_BRANCH}" git checkout -b "${NEW_BRANCH}" debug "pull changes from template" -gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${SOURCE_REPO_GITHUB_TOKEN}" + # TODO(anau) eventually make squash optional git pull "${SOURCE_REPO}" --allow-unrelated-histories --squash --strategy=recursive -X theirs echo "::endgroup::" From 02649782f18a77a84465383afb164858ea8589e5 Mon Sep 17 00:00:00 2001 From: andy Augustin Date: Mon, 2 Jan 2023 17:18:42 +0100 Subject: [PATCH 17/22] Update test_ssh.yml Signed-off-by: andy Augustin --- .github/workflows/test_ssh.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test_ssh.yml b/.github/workflows/test_ssh.yml index 6a87ed84..ea781fe2 100644 --- a/.github/workflows/test_ssh.yml +++ b/.github/workflows/test_ssh.yml @@ -23,4 +23,4 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN }} source_repo_path: ${{ secrets.SOURCE_REPO_PATH_TEST }} # , should be within secrets source_repo_ssh_private_key: ${{ secrets.SOURCE_REPO_SSH_PRIVATE_KEY }} # contains the private ssh key of the private repository - is_dry_run: true + #is_dry_run: true From 33baa75d7961b69addd7445197aae73c777db6ad Mon Sep 17 00:00:00 2001 From: andy Augustin Date: Mon, 2 Jan 2023 17:20:42 +0100 Subject: [PATCH 18/22] Update test.yml Signed-off-by: andy Augustin --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a7973e9b..ed9b1a90 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -24,4 +24,4 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN }} source_repo_path: AndreasAugustin/template.git upstream_branch: main - is_dry_run: true + # is_dry_run: true From ed6009a60e5397bbbcea872140c0471fbfde1e31 Mon Sep 17 00:00:00 2001 
From: andy Augustin Date: Mon, 2 Jan 2023 17:43:52 +0100 Subject: [PATCH 19/22] Update entrypoint.sh Signed-off-by: andy Augustin --- src/entrypoint.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/entrypoint.sh b/src/entrypoint.sh index 1f9c4bbc..fa1e8eba 100644 --- a/src/entrypoint.sh +++ b/src/entrypoint.sh @@ -43,8 +43,8 @@ if [[ -n "${SSH_PRIVATE_KEY_SRC}" ]] &>/dev/null; then ssh_setup else # gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" - gh auth setup-git --hostname "${SOURCE_REPO_HOSTNAME}" - gh auth status + git config --global "credential.https://${SOURCE_REPO_HOSTNAME}.helper" "!gh auth git-credential" + gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${GITHUB_TOKEN}" fi export SOURCE_REPO="${SOURCE_REPO_PREFIX}${SOURCE_REPO_PATH}" From a2527a07512a12255a9a3c5865bcf0f6520f9a27 Mon Sep 17 00:00:00 2001 From: Andy Augustin Date: Tue, 3 Jan 2023 09:24:02 +0100 Subject: [PATCH 20/22] fix(): fix for GITHUB_TOKEN env variable :bug: --- src/entrypoint.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/entrypoint.sh b/src/entrypoint.sh index fa1e8eba..a0bbe910 100644 --- a/src/entrypoint.sh +++ b/src/entrypoint.sh @@ -16,7 +16,8 @@ if [[ -z "${SOURCE_REPO_PATH}" ]]; then exit 1 fi -SOURCE_REPO_HOSTNAME="${HOSTNAME:-github.com}" +DEFAULT_REPO_HOSTNAME="github.com" +SOURCE_REPO_HOSTNAME="${HOSTNAME:-${DEFAULT_REPO_HOSTNAME}}" # In case of ssh template repository this will be overwritten SOURCE_REPO_PREFIX="https://${SOURCE_REPO_HOSTNAME}/" 
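Review bot: In the `@@ -16,7 +16,8 @@` hunk, `SOURCE_REPO_HOSTNAME="${HOSTNAME:-${DEFAULT_REPO_HOSTNAME}}"` takes the target host from `HOSTNAME`, a name that bash sets on its own and that container runtimes usually populate. The default therefore applies only when the action passes the variable explicitly as empty; that mapping is not visible here. The value decides which host `gh auth login --with-token <<< "${GITHUB_TOKEN}"` addresses and, after this commit, whether the host counts as non-default. Reading the input from an action-specific variable would remove the ambiguity; failing that, I would add the comment `# HOSTNAME must be set by action.yml (empty for github.com); bash and Docker set it otherwise`.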
@@ -41,9 +42,8 @@ function ssh_setup() { # Forward to /dev/null to swallow the output of the private key if [[ -n "${SSH_PRIVATE_KEY_SRC}" ]] &>/dev/null; then ssh_setup -else - # gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" - git config --global "credential.https://${SOURCE_REPO_HOSTNAME}.helper" "!gh auth git-credential" +elif [[ "${SOURCE_REPO_HOSTNAME}" != "${DEFAULT_REPO_HOSTNAME}" ]]; then + # git config --global "credential.https://${SOURCE_REPO_HOSTNAME}.helper" "!gh auth git-credential" gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${GITHUB_TOKEN}" fi @@ -59,6 +59,8 @@ function git_init() { git config --global --add safe.directory /github/workspace git lfs install + gh auth setup-git --hostname "${SOURCE_REPO_HOSTNAME}" + gh auth status --hostname "${SOURCE_REPO_HOSTNAME}" echo "::endgroup::" } From 1435ce13ab1e1af387c3a73faac5d76bd8fc13ee Mon Sep 17 00:00:00 2001 From: Andy Augustin Date: Tue, 3 Jan 2023 09:26:09 +0100 Subject: [PATCH 21/22] fix(): fix for GITHUB_TOKEN env variable :bug: --- .github/workflows/test.yml | 2 +- .github/workflows/test_ssh.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ed9b1a90..a7973e9b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -24,4 +24,4 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN }} source_repo_path: AndreasAugustin/template.git upstream_branch: main - # is_dry_run: true + is_dry_run: true diff --git a/.github/workflows/test_ssh.yml b/.github/workflows/test_ssh.yml index ea781fe2..6a87ed84 100644 --- a/.github/workflows/test_ssh.yml +++ b/.github/workflows/test_ssh.yml 
@@ -23,4 +23,4 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN }} source_repo_path: ${{ secrets.SOURCE_REPO_PATH_TEST }} # , should be within secrets source_repo_ssh_private_key: ${{ secrets.SOURCE_REPO_SSH_PRIVATE_KEY }} # contains the private ssh key of the private repository - #is_dry_run: true + is_dry_run: true From fec865cb3432a99141226f4e4e938eac0e67b37b Mon Sep 17 00:00:00 2001 From: Marc Siebeneicher Date: Tue, 3 Jan 2023 12:00:19 +0100 Subject: [PATCH 22/22] chore: code clean up --- src/entrypoint.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/src/entrypoint.sh b/src/entrypoint.sh index a0bbe910..0716e038 100644 --- a/src/entrypoint.sh +++ b/src/entrypoint.sh @@ -43,7 +43,6 @@ function ssh_setup() { if [[ -n "${SSH_PRIVATE_KEY_SRC}" ]] &>/dev/null; then ssh_setup elif [[ "${SOURCE_REPO_HOSTNAME}" != "${DEFAULT_REPO_HOSTNAME}" ]]; then - # git config --global "credential.https://${SOURCE_REPO_HOSTNAME}.helper" "!gh auth git-credential" gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${GITHUB_TOKEN}" fi