Feat/enable git app

.github/workflows/test.yml

@@ -14,9 +14,11 @@ jobs:
 
     steps:
       # To use this repository's private action, you must check out the repository
-      - name: Checkout
+      -
+        name: Checkout
         uses: actions/checkout@v3
-      - name: Test action step
+      -
+        name: Test action step
         uses: ./ # Uses an action in the root directory
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test_pat.yml

@@ -0,0 +1,25 @@
+name: test-pat
+
+on:
+  pull_request:
+  push:
+  # manual trigger
+  workflow_dispatch:
+
+jobs:
+  test-implementation-job:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      # To use this repository's private action, you must check out the repository
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Test action step PAT
+        uses: ./ # Uses an action in the root directory
+        with:
+          github_token: ${{ secrets.SOURCE_REPO_PAT }}
+          source_repo_path: ${{ secrets.SOURCE_REPO_PATH_TEST }} # <owner/repo>, should be within secrets
+          is_dry_run: true

.github/workflows/test_ssh.yml

@@ -13,9 +13,11 @@ jobs:
 
     steps:
       # To use this repository's private action, you must check out the repository
-      - name: Checkout
+      -
+        name: Checkout
         uses: actions/checkout@v3
-      - name: Test action step ssh
+      -
+        name: Test action step ssh
         uses: ./ # Uses an action in the root directory
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}

Dockerfile

@@ -3,10 +3,10 @@
 ######################################
 FROM alpine:3.17.0 as dev
 
-ARG GH_CLI_VER=2.15.0
+ARG GH_CLI_VER=2.21.1
 
 # install packages
-RUN apk add --update --no-cache bash make git zsh curl tmux musl openssh git-lfs
+RUN apk add --update --no-cache bash make git zsh curl tmux musl openssh git-lfs vim
 
 RUN wget https://github.com/cli/cli/releases/download/v${GH_CLI_VER}/gh_${GH_CLI_VER}_linux_386.tar.gz -O ghcli.tar.gz
 RUN tar --strip-components=1 -xf ghcli.tar.gz
@@ -17,6 +17,11 @@ RUN echo "set-option -g default-shell /bin/zsh" >> /root/.tmux.conf
 # install oh-my-zsh
 RUN sh -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"
 
+ADD src/*.sh /bin/
+RUN chmod +x /bin/entrypoint.sh \
+  && chmod +x /bin/sync_template.sh \
+  && chmod +x /bin/sync_common.sh
+
 RUN mkdir -p /root/.ssh \
   && ssh-keyscan -t rsa github.com >> /root/.ssh/known_hosts
 

README.md

@@ -63,8 +63,7 @@ You will receive a pull request within your repository if there are some changes
 | github_token | Token for the repo. Can be passed in using `$\{{ secrets.GITHUB_TOKEN }}` | `true` |  |
 | source_repo_path | Repository path of the template | `true` | |
 | upstream_branch | The target branch | `true` | `main` |
-| source_repo_ssh_private_key | `[optional]` private ssh key for the source repository. E.q. useful if using a private template repository. [see](#private-template-repository)| `false` |  |
-| source_repo_github_token | `[optional]` separate github token to interact with the source repository. | `false` | `$\{{ inputs.github_token }}` |
+| source_repo_ssh_private_key | `[optional]` private ssh key for the source repository. [see](#private-template-repository)| `false` |  |
 | pr_branch_name_prefix | `[optional]` the prefix of branches created by this action | `false` | `chore/template_sync`  |
 | pr_title | `[optional]` the title of PRs opened by this action. Must be already created. | `false` | `upstream merge template repository`  |
 | pr_labels | `[optional]` comma separated list. [pull request labels][pr-labels]. Must be already created. | `false` | |
@@ -89,7 +88,8 @@ If you have a private template repository.
 
 #### Using github app
 
-You can create and use a [GitHub App](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps) to handle the access to your private repository. To generate a token for your app you can use a separate action like [tibdex/github-app-token](https://github.com/tibdex/github-app-token).
+You can create and use a [GitHub App][github-app] to handle the access to your private repository.
+To generate a token for your app you can use a separate action like [tibdex/github-app-token][github-app-token].
 
 ```yaml
 jobs:
@@ -105,10 +105,9 @@ jobs:
           private_key: ${{ secrets.PRIVATE_KEY }}
 
       - name: actions-template-sync
-        uses: AndreasAugustin/[email protected].0-draft
+        uses: AndreasAugustin/[email protected].5-draft
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          source_repo_github_token: ${{ steps.generate_token.outputs.token }}
+          github_token: ${{ steps.generate_token.outputs.token }}
           source_repo_path: <owner/repo>
           upstream_branch: <target_branch> # defaults to main
           pr_labels: <label1>,<label2>[,...] # optional, no default
@@ -143,7 +142,7 @@ jobs:
 
 ## Ignore Files
 
-Create a `.templatesyncignore` file. Just like writing a `.gitignore` file, follow the [glob pattern](https://en.wikipedia.org/wiki/Glob_(programming))
+Create a `.templatesyncignore` file. Just like writing a `.gitignore` file, follow the [glob pattern][glob-pattern]
 in defining the files and folders that should be excluded from syncing with the template repository.
 
 It can also be stored inside `.github` folder.
@@ -212,3 +211,6 @@ specification. Contributions of any kind welcome!
 [pr-labels]: https://docs.github.com/en/issues/using-labels-and-milestones-to-track-work/managing-labels
 [devto-example]: https://dev.to/andreasaugustin/github-actions-template-sync-1g9k
 [github-example]: https://github.com/AndreasAugustin/teaching/blob/main/docs/git/git_action_sync.md
+[github-app]: https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps
+[glob-pattern]: https://en.wikipedia.org/wiki/Glob_(programming)
+[github-app-token]: https://github.com/tibdex/github-app-token

action.yml

@@ -17,8 +17,6 @@ inputs:
     default: 'main'
   source_repo_ssh_private_key:
     description: '[optional] private ssh key for the source repository. E.q. useful if using a private template repository.'
-  source_repo_github_token:
-    description: '[optional] Separate github token to interact with the source repository. Using $\{{ inputs.github_token }} by default.'
   pr_branch_name_prefix:
     description: '[optional] the prefix of branches created by this action'
     default: 'chore/template_sync'
@@ -40,7 +38,6 @@ runs:
   image: 'src/Dockerfile'
   env:
     GITHUB_TOKEN: ${{ inputs.github_token }}
-    SOURCE_REPO_GITHUB_TOKEN: ${{ inputs.source_repo_github_token }}
     SOURCE_REPO_PATH: ${{ inputs.source_repo_path }}
     UPSTREAM_BRANCH: ${{ inputs.upstream_branch }}
     SSH_PRIVATE_KEY_SRC: ${{ inputs.source_repo_ssh_private_key }}

src/Dockerfile

@@ -1,6 +1,6 @@
 FROM alpine:3.17.0
 
-ARG GH_CLI_VER=2.15.0
+ARG GH_CLI_VER=2.21.1
 
 # TODO(anau) change user
 ARG GITHUB_URL="https://github.com/AndreasAugustin/actions-template-sync"

src/entrypoint.sh

@@ -6,14 +6,9 @@ set -x
 # shellcheck source=src/sync_common.sh
 source sync_common.sh
 
-[ -z "${GITHUB_TOKEN}" ] && {
-  err "Missing input 'github_token: \${{ secrets.GITHUB_TOKEN }}'.";
-  exit 1;
-};
-
-if [[ -z "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then
-  echo "::debug::Missing input 'source_repo_github_token: \${{ input.source_repo_github_token }}'. Using github_token as default."
-  SOURCE_REPO_GITHUB_TOKEN="${GITHUB_TOKEN}"
+if [[ -z "${GITHUB_TOKEN}" ]]; then
+    err "Missing input 'github_token: \${{ secrets.GITHUB_TOKEN }}'.";
+    exit 1;
 fi
 
 if [[ -z "${SOURCE_REPO_PATH}" ]]; then
@@ -23,7 +18,7 @@ fi
 
 SOURCE_REPO_HOSTNAME="${HOSTNAME:-github.com}"
 
-# In case of private template repository this will be overwritten
+# In case of ssh template repository this will be overwritten
 SOURCE_REPO_PREFIX="https://${SOURCE_REPO_HOSTNAME}/"
 
 function ssh_setup() {
@@ -46,6 +41,10 @@ function ssh_setup() {
 # Forward to /dev/null to swallow the output of the private key
 if [[ -n "${SSH_PRIVATE_KEY_SRC}" ]] &>/dev/null; then
   ssh_setup
+else
+  # gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}"
+  gh auth setup-git --hostname "${SOURCE_REPO_HOSTNAME}"
+  gh auth status
 fi
 
 export SOURCE_REPO="${SOURCE_REPO_PREFIX}${SOURCE_REPO_PATH}"
@@ -60,9 +59,6 @@ function git_init() {
   git config --global --add safe.directory /github/workspace
   git lfs install
 
-  git config --global "credential.https://${SOURCE_REPO_HOSTNAME}.helper" "!gh auth git-credential"
-  gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${GITHUB_TOKEN}"
-
   echo "::endgroup::"
 }
 

src/sync_template.sh

@@ -63,7 +63,7 @@ echo "::group::Pull template"
 debug "create new branch from default branch with name ${NEW_BRANCH}"
 git checkout -b "${NEW_BRANCH}"
 debug "pull changes from template"
-gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${SOURCE_REPO_GITHUB_TOKEN}"
+
 # TODO(anau) eventually make squash optional
 git pull "${SOURCE_REPO}" --allow-unrelated-histories --squash --strategy=recursive -X theirs
 echo "::endgroup::"
@@ -104,11 +104,9 @@ echo "::endgroup::"
 
 push_and_create_pr () {
   if [ "$IS_DRY_RUN" != "true" ]; then
-    echo "::group::final gh auth login before creating pull request"
-    gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${GITHUB_TOKEN}"
-    echo "::endgroup::"
 
     echo "::group::push changes and create PR"
+    debug "push changes"
     git push --set-upstream origin "${NEW_BRANCH}"
 
     gh pr create \