msiebeneicher · msiebeneicher · Jan 3, 2023 · Dec 8, 2022 · Dec 23, 2022 · Dec 27, 2022
diff --git a/.github/workflows/actions_template_sync.yml b/.github/workflows/actions_template_sync.yml
@@ -7,6 +7,8 @@ on:
   # manual trigger
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   repo-sync:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -14,9 +14,11 @@ jobs:
 
     steps:
       # To use this repository's private action, you must check out the repository
-      - name: Checkout
+      -
+        name: Checkout
         uses: actions/checkout@v3
-      - name: Test action step
+      -
+        name: Test action step
         uses: ./ # Uses an action in the root directory
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/test_pat.yml b/.github/workflows/test_pat.yml
@@ -0,0 +1,26 @@
+name: test-pat
+
+on:
+  pull_request:
+  push:
+  # manual trigger
+  workflow_dispatch:
+
+jobs:
+  test-implementation-job:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      # To use this repository's private action, you must check out the repository
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Test action step PAT
+        uses: ./ # Uses an action in the root directory
+        with:
+          # github_token: ${{ secrets.GITHUB_TOKEN }}
+          source_repo_path: ${{ secrets.SOURCE_REPO_PATH_TEST }} # <owner/repo>, should be within secrets
+          source_repo_github_token: ${{ secrets.SOURCE_REPO_PAT }} # contains the private PAT of the private repository
+          is_dry_run: true
diff --git a/.github/workflows/test_ssh.yml b/.github/workflows/test_ssh.yml
@@ -13,9 +13,11 @@ jobs:
 
     steps:
       # To use this repository's private action, you must check out the repository
-      - name: Checkout
+      -
+        name: Checkout
         uses: actions/checkout@v3
-      - name: Test action step ssh
+      -
+        name: Test action step ssh
         uses: ./ # Uses an action in the root directory
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/Dockerfile b/Dockerfile
@@ -3,10 +3,10 @@
 ######################################
 FROM alpine:3.17.0 as dev
 
-ARG GH_CLI_VER=2.15.0
+ARG GH_CLI_VER=2.21.1
 
 # install packages
-RUN apk add --update --no-cache bash make git zsh curl tmux musl openssh git-lfs
+RUN apk add --update --no-cache bash make git zsh curl tmux musl openssh git-lfs vim
 
 RUN wget https://github.com/cli/cli/releases/download/v${GH_CLI_VER}/gh_${GH_CLI_VER}_linux_386.tar.gz -O ghcli.tar.gz
 RUN tar --strip-components=1 -xf ghcli.tar.gz
@@ -17,6 +17,11 @@ RUN echo "set-option -g default-shell /bin/zsh" >> /root/.tmux.conf
 # install oh-my-zsh
 RUN sh -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"
 
+ADD src/*.sh /bin/
+RUN chmod +x /bin/entrypoint.sh \
+  && chmod +x /bin/sync_template.sh \
+  && chmod +x /bin/sync_common.sh
+
 RUN mkdir -p /root/.ssh \
   && ssh-keyscan -t rsa github.com >> /root/.ssh/known_hosts
 

diff --git a/README.md b/README.md
@@ -63,7 +63,7 @@ You will receive a pull request within your repository if there are some changes
 | github_token | Token for the repo. Can be passed in using `$\{{ secrets.GITHUB_TOKEN }}` | `true` |  |
 | source_repo_path | Repository path of the template | `true` | |
 | upstream_branch | The target branch | `true` | `main` |
-| source_repo_ssh_private_key | `[optional]` private ssh key for the source repository. E.q. useful if using a private template repository. [see](#private-template-repository)| `false` |  |
+| source_repo_ssh_private_key | `[optional]` private ssh key for the source repository. [see](#private-template-repository)| `false` |  |
 | source_repo_github_token | `[optional]` separate github token to interact with the source repository. | `false` | `$\{{ inputs.github_token }}` |
 | pr_branch_name_prefix | `[optional]` the prefix of branches created by this action | `false` | `chore/template_sync`  |
 | pr_title | `[optional]` the title of PRs opened by this action. Must be already created. | `false` | `upstream merge template repository`  |
@@ -89,7 +89,8 @@ If you have a private template repository.
 
 #### Using github app
 
-You can create and use a [GitHub App](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps) to handle the access to your private repository. To generate a token for your app you can use a separate action like [tibdex/github-app-token](https://github.com/tibdex/github-app-token).
+You can create and use a [GitHub App][github-app] to handle the access to your private repository.
+To generate a token for your app you can use a separate action like [tibdex/github-app-token][github-app-token].
 
 ```yaml
 jobs:
@@ -143,7 +144,7 @@ jobs:
 
 ## Ignore Files
 
-Create a `.templatesyncignore` file. Just like writing a `.gitignore` file, follow the [glob pattern](https://en.wikipedia.org/wiki/Glob_(programming))
+Create a `.templatesyncignore` file. Just like writing a `.gitignore` file, follow the [glob pattern][glob-pattern]
 in defining the files and folders that should be excluded from syncing with the template repository.
 
 It can also be stored inside `.github` folder.
@@ -212,3 +213,6 @@ specification. Contributions of any kind welcome!
 [pr-labels]: https://docs.github.com/en/issues/using-labels-and-milestones-to-track-work/managing-labels
 [devto-example]: https://dev.to/andreasaugustin/github-actions-template-sync-1g9k
 [github-example]: https://github.com/AndreasAugustin/teaching/blob/main/docs/git/git_action_sync.md
+[github-app]: https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps
+[glob-pattern]: https://en.wikipedia.org/wiki/Glob_(programming)
+[github-app-token]: https://github.com/tibdex/github-app-token
diff --git a/action.yml b/action.yml
@@ -7,7 +7,8 @@ branding:
 inputs:
   github_token:
     description: 'Token for the repo. Can be passed in using $\{{ secrets.GITHUB_TOKEN }}'
-    required: true
+    # TODO(anau)
+    # required: true
   source_repo_path:
     description: 'Repository path of the template'
     required: true
@@ -17,8 +18,9 @@ inputs:
     default: 'main'
   source_repo_ssh_private_key:
     description: '[optional] private ssh key for the source repository. E.q. useful if using a private template repository.'
+  # TODO(anau)
   source_repo_github_token:
-    description: '[optional] Separate github token to interact with the source repository. Using $\{{ inputs.github_token }} by default.'
+     description: '[optional] Separate github token to interact with the source repository. Using $\{{ inputs.github_token }} by default.'
   pr_branch_name_prefix:
     description: '[optional] the prefix of branches created by this action'
     default: 'chore/template_sync'

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -5,9 +5,9 @@ services:
     build:
       context: .
       target: dev
-    volumes:
-      - .:/app/
-      - ~/.gitconfig:/root/.gitconfig:ro
+    # volumes:
+      #- .:/app/
+      # - ~/.gitconfig:/root/.gitconfig:ro
     environment:
       - SSH_PRIVATE_KEY_SRC
 

diff --git a/src/Dockerfile b/src/Dockerfile
@@ -1,6 +1,6 @@
 FROM alpine:3.17.0
 
-ARG GH_CLI_VER=2.15.0
+ARG GH_CLI_VER=2.21.1
 
 # TODO(anau) change user
 ARG GITHUB_URL="https://github.com/AndreasAugustin/actions-template-sync"

diff --git a/src/entrypoint.sh b/src/entrypoint.sh
@@ -6,10 +6,16 @@ set -x
 # shellcheck source=src/sync_common.sh
 source sync_common.sh
 
-[ -z "${GITHUB_TOKEN}" ] && {
-  err "Missing input 'github_token: \${{ secrets.GITHUB_TOKEN }}'.";
-  exit 1;
-};
+if [[ -z "${GITHUB_TOKEN}" && -z "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then
+# TODO
+    err "Missing input 'github_token: \${{ secrets.GITHUB_TOKEN }}'.";
+    exit 1;
+fi
+
+# if [[ -z "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then
+#   debug "Missing input 'source_repo_github_token: \${{ input.source_repo_github_token }}'. Using github_token as default."
+#   SOURCE_REPO_GITHUB_TOKEN="${GITHUB_TOKEN}"
+# fi
 
 if [[ -z "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then
   echo "::debug::Missing input 'source_repo_github_token: \${{ input.source_repo_github_token }}'. Using github_token as default."
@@ -23,7 +29,7 @@ fi
 
 SOURCE_REPO_HOSTNAME="${HOSTNAME:-github.com}"
 
-# In case of private template repository this will be overwritten
+# In case of ssh template repository this will be overwritten
 SOURCE_REPO_PREFIX="https://${SOURCE_REPO_HOSTNAME}/"
 
 function ssh_setup() {
@@ -60,9 +66,17 @@ function git_init() {
   git config --global --add safe.directory /github/workspace
   git lfs install
 
-  git config --global "credential.https://${SOURCE_REPO_HOSTNAME}.helper" "!gh auth git-credential"
-  gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${GITHUB_TOKEN}"
-
+  if [[ -n "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then
+      if [[ -n "${GITHUB_TOKEN}" ]]; then
+        export GITHUB_TOKEN_BK="${GITHUB_TOKEN}"
+        unset GITHUB_TOKEN
+      fi
+
+    gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${SOURCE_REPO_GITHUB_TOKEN}"
+    gh auth setup-git --hostname "${SOURCE_REPO_HOSTNAME}"
+    # git config --global "credential.https://${SOURCE_REPO_HOSTNAME}.helper" "!gh auth git-credential"
+    gh auth status
+  fi
   echo "::endgroup::"
 }
 

diff --git a/src/sync_template.sh b/src/sync_template.sh
@@ -32,6 +32,15 @@ if [[ -n "${SRC_SSH_PRIVATEKEY_ABS_PATH}" ]]; then
   export GIT_SSH_COMMAND="ssh -i ${SRC_SSH_PRIVATEKEY_ABS_PATH}"
 fi
 
+#if [[ -n "${SOURCE_REPO_GITHUB_TOKEN}" ]]; then
+#	debug "using github token for source repo"
+	# TODO(anau) check this later
+#	unset GITHUB_TOKEN
+#	gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${SOURCE_REPO_GITHUB_TOKEN}"
+#	gh auth setup-git
+#	sleep 1
+# fi
+
 TEMPLATE_SYNC_IGNORE_FILE_PATH=".templatesyncignore"
 TEMPLATE_REMOTE_GIT_HASH=$(git ls-remote "${SOURCE_REPO}" HEAD | awk '{print $1}')
 NEW_TEMPLATE_GIT_HASH=$(git rev-parse --short "${TEMPLATE_REMOTE_GIT_HASH}")
@@ -105,10 +114,15 @@ echo "::endgroup::"
 push_and_create_pr () {
   if [ "$IS_DRY_RUN" != "true" ]; then
     echo "::group::final gh auth login before creating pull request"
-    gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${GITHUB_TOKEN}"
+    if [[ -n "${GITHUB_TOKEN_BK}" ]]; then
+        export GITHUB_TOKEN="${GITHUB_TOKEN_BK}"
+        gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${GITHUB_TOKEN}"
+    fi
+
     echo "::endgroup::"
 
-    echo "::group::push changes and create PR"
+		echo "::group::push changes and create PR"
+    debug "push changes"
     git push --set-upstream origin "${NEW_BRANCH}"
 
     gh pr create \