Merge pull request #114 from peter-evans/dev

Add support for ssh protocol

.gitignore

@@ -1,3 +1,6 @@
 __pycache__
+.python-version
+
 node_modules
+
 .DS_Store

README.md

@@ -1,4 +1,4 @@
-# <img width="24" height="24" src="assets/logo.svg"> Create Pull Request
+# <img width="24" height="24" src="docs/assets/logo.svg"> Create Pull Request
 [![GitHub Marketplace](https://img.shields.io/badge/Marketplace-Create%20Pull%20Request-blue.svg?colorA=24292e&colorB=0366d6&style=flat&longCache=true&logo=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAA4AAAAOCAYAAAAfSC3RAAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAAM6wAADOsB5dZE0gAAABl0RVh0U29mdHdhcmUAd3d3Lmlua3NjYXBlLm9yZ5vuPBoAAAERSURBVCiRhZG/SsMxFEZPfsVJ61jbxaF0cRQRcRJ9hlYn30IHN/+9iquDCOIsblIrOjqKgy5aKoJQj4O3EEtbPwhJbr6Te28CmdSKeqzeqr0YbfVIrTBKakvtOl5dtTkK+v4HfA9PEyBFCY9AGVgCBLaBp1jPAyfAJ/AAdIEG0dNAiyP7+K1qIfMdonZic6+WJoBJvQlvuwDqcXadUuqPA1NKAlexbRTAIMvMOCjTbMwl1LtI/6KWJ5Q6rT6Ht1MA58AX8Apcqqt5r2qhrgAXQC3CZ6i1+KMd9TRu3MvA3aH/fFPnBodb6oe6HM8+lYHrGdRXW8M9bMZtPXUji69lmf5Cmamq7quNLFZXD9Rq7v0Bpc1o/tp0fisAAAAASUVORK5CYII=)](https://github.com/marketplace/actions/create-pull-request)
 
 A GitHub action to create a pull request for changes to your repository in the actions workspace.
@@ -88,6 +88,21 @@ If there is some reason you need to use `actions/checkout@v1` the following step
       - run: git checkout "${GITHUB_REF:11}"
 ```
 
+Checking out a branch from a different repository from where the workflow is executing will make *that repository* the target for the created pull request. In this case, a `repo` scoped [Personal Access Token (PAT)](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) is required.
+
+```yml
+      - uses: actions/checkout@v2
+        with:
+          token: ${{ secrets.PAT }}
+          repository: owner/repo
+
+      # Create changes to pull request here
+
+      - uses: peter-evans/create-pull-request@v2
+        with:
+          token: ${{ secrets.PAT }}
+```
+
 ### Branch naming
 
 For branch naming there are two strategies. Create a fixed-name pull request branch that will be updated with new changes until it is merged or closed, OR, always create a new unique branch each time there are changes to be committed.
@@ -194,7 +209,7 @@ jobs:
 
 This reference configuration will create pull requests that look like this:
 
-![Pull Request Example](assets/pull-request-example.png)
+![Pull Request Example](docs/assets/pull-request-example.png)
 
 ## License
 

dist/index.js

@@ -1001,24 +1001,42 @@ module.exports = require("os");
 /***/ (function(__unusedmodule, __unusedexports, __webpack_require__) {
 
 const { inspect } = __webpack_require__(669);
+const fs = __webpack_require__(747);
 const core = __webpack_require__(470);
 const exec = __webpack_require__(986);
 const setupPython = __webpack_require__(139);
 
+function fileExists(path) {
+  try {
+    return fs.statSync(path).isFile();
+  } catch (e) {
+    core.debug(`e: ${inspect(e)}`);
+    return false;
+  }
+}
+
 async function run() {
   try {
     // Allows ncc to find assets to be included in the distribution
     const src = __webpack_require__.ab + "src";
     core.debug(`src: ${src}`);
 
-    // Setup Python from the tool cache
+    // Check if the platfrom is Alpine Linux
-    setupPython("3.8.x", "x64");
+    const alpineLinux = fileExists("/etc/alpine-release");
+    core.debug(`alpineLinux: ${alpineLinux}`);
+
+    // Skip Python setup if the platform is Alpine Linux
+    if (!alpineLinux)
+      // Setup Python from the tool cache
+      setupPython("3.8.x", "x64");
 
     // Install requirements
     await exec.exec("pip", [
       "install",
       "--requirement",
-      `${src}/requirements.txt`
+      `${src}/requirements.txt`,
+      "--no-index",
+      `--find-links=${__dirname}/vendor`
     ]);
 
     // Fetch action inputs

dist/src/common.py

@@ -8,6 +8,23 @@ def get_random_string(length=7, chars=string.ascii_lowercase + string.digits):
     return "".join(random.choice(chars) for _ in range(length))
 
 
+def parse_github_repository(url):
+    # Parse the protocol and github repository from a URL
+    # e.g. HTTPS, peter-evans/create-pull-request
+    https_pattern = re.compile(r"^https://github.com/(.+/.+)$")
+    ssh_pattern = re.compile(r"^git@github.com:(.+/.+).git$")
+
+    match = https_pattern.match(url)
+    if match is not None:
+        return "HTTPS", match.group(1)
+
+    match = ssh_pattern.match(url)
+    if match is not None:
+        return "SSH", match.group(1)
+
+    raise ValueError(f"The format of '{url}' is not a valid GitHub repository URL")
+
+
 def parse_display_name_email(display_name_email):
     # Parse the name and email address from a string in the following format
     # Display Name <email@address.com>

dist/src/create_pull_request.py

@@ -31,6 +31,14 @@ def get_git_config_value(repo, name):
         return None
 
 
+def get_repository_detail():
+    remote_origin_url = get_git_config_value(repo, "remote.origin.url")
+    if remote_origin_url is None:
+        raise ValueError("Failed to fetch 'remote.origin.url' from git config")
+    protocol, github_repository = cmn.parse_github_repository(remote_origin_url)
+    return remote_origin_url, protocol, github_repository
+
+
 def git_user_config_is_set(repo):
     name = get_git_config_value(repo, "user.name")
     email = get_git_config_value(repo, "user.email")
@@ -94,7 +102,6 @@ def set_committer_author(repo, committer, author):
 
 # Get required environment variables
 github_token = os.environ["GITHUB_TOKEN"]
-github_repository = os.environ["GITHUB_REPOSITORY"]
 # Get environment variables with defaults
 path = os.getenv("CPR_PATH", os.getcwd())
 branch = os.getenv("CPR_BRANCH", DEFAULT_BRANCH)
@@ -107,6 +114,11 @@ base = os.environ.get("CPR_BASE")
 # Set the repo path
 repo = Repo(path)
 
+# Determine the GitHub repository from git config
+# This will be the target repository for the pull request
+repo_url, protocol, github_repository = get_repository_detail()
+print(f"Target repository set to {github_repository}")
+
 # Determine if the checked out ref is a valid base for a pull request
 # The action needs the checked out HEAD ref to be a branch
 # This check will fail in the following cases:
@@ -162,8 +174,10 @@ except ValueError as e:
     print(f"::error::{e} " + "Unable to continue. Exiting.")
     sys.exit(1)
 
-# Set the repository URL
+# Set the auth token in the repo URL
-repo_url = f"https://x-access-token:{github_token}@github.com/{github_repository}"
+# This supports checkout@v1. From v2 the auth token is saved for further use.
+if protocol == "HTTPS":
+    repo_url = f"https://x-access-token:{github_token}@github.com/{github_repository}"
 
 # Create or update the pull request branch
 result = coub.create_or_update_branch(repo, repo_url, commit_message, base, branch)

dist/src/requirements.txt

@@ -1,2 +1,2 @@
-GitPython==3.0.5
+GitPython==3.0.7
 PyGithub==1.45

dist/src/test_common.py

@@ -9,6 +9,30 @@ def test_get_random_string():
     assert len(cmn.get_random_string(length=20)) == 20
 
 
+def test_parse_github_repository_success():
+    protocol, repository = cmn.parse_github_repository(
+        "https://github.com/peter-evans/create-pull-request"
+    )
+    assert protocol == "HTTPS"
+    assert repository == "peter-evans/create-pull-request"
+
+    protocol, repository = cmn.parse_github_repository(
+        "git@github.com:peter-evans/create-pull-request.git"
+    )
+    assert protocol == "SSH"
+    assert repository == "peter-evans/create-pull-request"
+
+
+def test_parse_github_repository_failure():
+    url = "https://github.com/peter-evans"
+    with pytest.raises(ValueError) as e_info:
+        cmn.parse_github_repository(url)
+    assert (
+        e_info.value.args[0]
+        == f"The format of '{url}' is not a valid GitHub repository URL"
+    )
+
+
 def test_parse_display_name_email_success():
     name, email = cmn.parse_display_name_email("abc def <abc@def.com>")
     assert name == "abc def"

docs/concepts-guidelines.md

@@ -10,6 +10,7 @@ This document covers terminology, how the action works, and general usage guidel
   - [Pull request events](#pull-request-events)
   - [Restrictions on forked repositories](#restrictions-on-forked-repositories)
   - [Tag push events](#tag-push-events)
+  - [Security](#security)
 
 ## Terminology
 
@@ -46,7 +47,7 @@ Workflow steps:
 
 The following git diagram shows how the action creates and updates a pull request branch.
 
-![Create Pull Request GitGraph](../assets/cpr-gitgraph.png)
+![Create Pull Request GitGraph](assets/cpr-gitgraph.png)
 
 ## Guidelines
 
@@ -171,3 +172,23 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
 ```
+
+### Security
+
+From a security perspective it's good practice to fork third-party actions, review the code, and use your fork of the action in workflows.
+By using third-party actions directly the risk exists that it could be modified to do something malicious, such as capturing secrets.
+
+This action uses [ncc](https://github.com/zeit/ncc) to compile the Node.js code and dependencies into a single file.
+Python dependencies are vendored and committed to the repository [here](https://github.com/peter-evans/create-pull-request/tree/master/dist/vendor).
+No dependencies are downloaded during the action execution.
+
+Vendored Python dependencies can be reviewed by rebuilding the [dist](https://github.com/peter-evans/create-pull-request/tree/master/dist) directory and redownloading dependencies.
+The following commands require Node and Python 3.
+
+```
+npm install
+npm run clean
+npm run package
+```
+
+The `dist` directory should be rebuilt leaving no git diff.

index.js

@@ -1,22 +1,40 @@
 const { inspect } = require("util");
+const fs = require("fs");
 const core = require("@actions/core");
 const exec = require("@actions/exec");
 const setupPython = require("./src/setup-python");
 
+function fileExists(path) {
+  try {
+    return fs.statSync(path).isFile();
+  } catch (e) {
+    core.debug(`e: ${inspect(e)}`);
+    return false;
+  }
+}
+
 async function run() {
   try {
     // Allows ncc to find assets to be included in the distribution
     const src = __dirname + "/src";
     core.debug(`src: ${src}`);
 
-    // Setup Python from the tool cache
+    // Check if the platfrom is Alpine Linux
-    setupPython("3.8.x", "x64");
+    const alpineLinux = fileExists("/etc/alpine-release");
+    core.debug(`alpineLinux: ${alpineLinux}`);
+
+    // Skip Python setup if the platform is Alpine Linux
+    if (!alpineLinux)
+      // Setup Python from the tool cache
+      setupPython("3.8.x", "x64");
 
     // Install requirements
     await exec.exec("pip", [
       "install",
       "--requirement",
-      `${src}/requirements.txt`
+      `${src}/requirements.txt`,
+      "--no-index",
+      `--find-links=${__dirname}/vendor`
     ]);
 
     // Fetch action inputs

package.json

@@ -4,7 +4,10 @@
   "description": "Creates a pull request for changes to your repository in the actions workspace",
   "main": "index.js",
   "scripts": {
-    "package": "ncc build index.js -o dist"
+    "clean": "rm -rf dist",
+    "build": "ncc build index.js -o dist",
+    "vendor-deps": "pip download -r src/requirements.txt --no-binary=:all: -d dist/vendor",
+    "package": "npm run build && npm run vendor-deps"
   },
   "repository": {
     "type": "git",

src/common.py

@@ -8,6 +8,23 @@ def get_random_string(length=7, chars=string.ascii_lowercase + string.digits):
     return "".join(random.choice(chars) for _ in range(length))
 
 
+def parse_github_repository(url):
+    # Parse the protocol and github repository from a URL
+    # e.g. HTTPS, peter-evans/create-pull-request
+    https_pattern = re.compile(r"^https://github.com/(.+/.+)$")
+    ssh_pattern = re.compile(r"^git@github.com:(.+/.+).git$")
+
+    match = https_pattern.match(url)
+    if match is not None:
+        return "HTTPS", match.group(1)
+
+    match = ssh_pattern.match(url)
+    if match is not None:
+        return "SSH", match.group(1)
+
+    raise ValueError(f"The format of '{url}' is not a valid GitHub repository URL")
+
+
 def parse_display_name_email(display_name_email):
     # Parse the name and email address from a string in the following format
     # Display Name <email@address.com>

src/create_pull_request.py

@@ -31,6 +31,14 @@ def get_git_config_value(repo, name):
         return None
 
 
+def get_repository_detail():
+    remote_origin_url = get_git_config_value(repo, "remote.origin.url")
+    if remote_origin_url is None:
+        raise ValueError("Failed to fetch 'remote.origin.url' from git config")
+    protocol, github_repository = cmn.parse_github_repository(remote_origin_url)
+    return remote_origin_url, protocol, github_repository
+
+
 def git_user_config_is_set(repo):
     name = get_git_config_value(repo, "user.name")
     email = get_git_config_value(repo, "user.email")
@@ -94,7 +102,6 @@ def set_committer_author(repo, committer, author):
 
 # Get required environment variables
 github_token = os.environ["GITHUB_TOKEN"]
-github_repository = os.environ["GITHUB_REPOSITORY"]
 # Get environment variables with defaults
 path = os.getenv("CPR_PATH", os.getcwd())
 branch = os.getenv("CPR_BRANCH", DEFAULT_BRANCH)
@@ -107,6 +114,11 @@ base = os.environ.get("CPR_BASE")
 # Set the repo path
 repo = Repo(path)
 
+# Determine the GitHub repository from git config
+# This will be the target repository for the pull request
+repo_url, protocol, github_repository = get_repository_detail()
+print(f"Target repository set to {github_repository}")
+
 # Determine if the checked out ref is a valid base for a pull request
 # The action needs the checked out HEAD ref to be a branch
 # This check will fail in the following cases:
@@ -162,8 +174,10 @@ except ValueError as e:
     print(f"::error::{e} " + "Unable to continue. Exiting.")
     sys.exit(1)
 
-# Set the repository URL
+# Set the auth token in the repo URL
-repo_url = f"https://x-access-token:{github_token}@github.com/{github_repository}"
+# This supports checkout@v1. From v2 the auth token is saved for further use.
+if protocol == "HTTPS":
+    repo_url = f"https://x-access-token:{github_token}@github.com/{github_repository}"
 
 # Create or update the pull request branch
 result = coub.create_or_update_branch(repo, repo_url, commit_message, base, branch)

src/requirements.txt

@@ -1,2 +1,2 @@
-GitPython==3.0.5
+GitPython==3.0.7
 PyGithub==1.45

src/test_common.py

@@ -9,6 +9,30 @@ def test_get_random_string():
     assert len(cmn.get_random_string(length=20)) == 20
 
 
+def test_parse_github_repository_success():
+    protocol, repository = cmn.parse_github_repository(
+        "https://github.com/peter-evans/create-pull-request"
+    )
+    assert protocol == "HTTPS"
+    assert repository == "peter-evans/create-pull-request"
+
+    protocol, repository = cmn.parse_github_repository(
+        "git@github.com:peter-evans/create-pull-request.git"
+    )
+    assert protocol == "SSH"
+    assert repository == "peter-evans/create-pull-request"
+
+
+def test_parse_github_repository_failure():
+    url = "https://github.com/peter-evans"
+    with pytest.raises(ValueError) as e_info:
+        cmn.parse_github_repository(url)
+    assert (
+        e_info.value.args[0]
+        == f"The format of '{url}' is not a valid GitHub repository URL"
+    )
+
+
 def test_parse_display_name_email_success():
     name, email = cmn.parse_display_name_email("abc def <abc@def.com>")
     assert name == "abc def"