Merge pull request #118 from peter-evans/dev

Assume python3 on PATH when running in a container

README.md

@@ -18,7 +18,7 @@ Create Pull Request action will:
 
 ## Documentation
 
-- [Concepts and guidelines](docs/concepts-guidelines.md)
+- [Concepts, guidelines and advanced usage](docs/concepts-guidelines.md)
 - [Examples](docs/examples.md)
 - [Updating from v1](docs/updating.md)
 
@@ -37,8 +37,7 @@ You can also pin to a [specific release](https://github.com/peter-evans/create-p
 
 With the exception of `token`, all inputs are **optional**. If not set, sensible default values will be used.
 
-**Note**: If you want pull requests created by this action to trigger an `on: pull_request` workflow then you must use a [Personal Access Token](https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line) instead of the default `GITHUB_TOKEN`.
-See [this issue](https://github.com/peter-evans/create-pull-request/issues/48) for further details.
+**Note**: If you want pull requests created by this action to trigger an `on: push` or `on: pull_request` workflow then you must use a [Personal Access Token](https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line) instead of the default `GITHUB_TOKEN`. Alternatively, allow the action to [push using SSH](https://github.com/peter-evans/create-pull-request/blob/master/docs/concepts-guidelines.md#push-using-ssh-deploy-keys) by configuring a deploy key.
 
 | Name | Description | Default |
 | --- | --- | --- |

dist/index.js

@@ -1001,6 +1001,7 @@ module.exports = require("os");
 /***/ (function(__unusedmodule, __unusedexports, __webpack_require__) {
 
 const { inspect } = __webpack_require__(669);
+const isDocker = __webpack_require__(160);
 const core = __webpack_require__(470);
 const exec = __webpack_require__(986);
 const setupPython = __webpack_require__(139);
@@ -1011,11 +1012,27 @@ async function run() {
     const src = __webpack_require__.ab + "src";
     core.debug(`src: ${src}`);
 
-    // Setup Python from the tool cache
-    setupPython("3.8.x", "x64");
+    // Determine how to access python and pip
+    const { pip, python } = (function() {
+      if (isDocker()) {
+        core.info("Running inside a Docker container");
+        // Python 3 assumed to be installed and on the PATH
+        return {
+          pip: "pip3",
+          python: "python3"
+        };
+      } else {
+        // Setup Python from the tool cache
+        setupPython("3.x", "x64");
+        return {
+          pip: "pip",
+          python: "python"
+        };
+      }
+    })();
 
     // Install requirements
-    await exec.exec("pip", [
+    await exec.exec(pip, [
       "install",
       "--requirement",
       `${src}/requirements.txt`,
@@ -1041,7 +1058,7 @@ async function run() {
       projectColumn: core.getInput("project-column"),
       branch: core.getInput("branch"),
       base: core.getInput("base"),
-      branchSuffix: core.getInput("branch-suffix"),
+      branchSuffix: core.getInput("branch-suffix")
     };
     core.debug(`Inputs: ${inspect(inputs)}`);
 
@@ -1065,7 +1082,7 @@ async function run() {
     if (inputs.branchSuffix) process.env.CPR_BRANCH_SUFFIX = inputs.branchSuffix;
 
     // Execute python script
-    await exec.exec("python", [`${src}/create_pull_request.py`]);
+    await exec.exec(python, [`${src}/create_pull_request.py`]);
   } catch (error) {
     core.setFailed(error.message);
   }
@@ -1395,6 +1412,43 @@ if (process.env.NODE_DEBUG && /\btunnel\b/.test(process.env.NODE_DEBUG)) {
 exports.debug = debug; // for test
 
 
+/***/ }),
+
+/***/ 160:
+/***/ (function(module, __unusedexports, __webpack_require__) {
+
+"use strict";
+
+const fs = __webpack_require__(747);
+
+let isDocker;
+
+function hasDockerEnv() {
+	try {
+		fs.statSync('/.dockerenv');
+		return true;
+	} catch (_) {
+		return false;
+	}
+}
+
+function hasDockerCGroup() {
+	try {
+		return fs.readFileSync('/proc/self/cgroup', 'utf8').includes('docker');
+	} catch (_) {
+		return false;
+	}
+}
+
+module.exports = () => {
+	if (isDocker === undefined) {
+		isDocker = hasDockerEnv() || hasDockerCGroup();
+	}
+
+	return isDocker;
+};
+
+
 /***/ }),
 
 /***/ 211:

dist/src/common.py

@@ -9,16 +9,20 @@ def get_random_string(length=7, chars=string.ascii_lowercase + string.digits):
 
 
 def parse_github_repository(url):
-    # Parse the github repository from a URL
-    # e.g. peter-evans/create-pull-request
-    pattern = re.compile(r"^https://github.com/(.+/.+)$")
+    # Parse the protocol and github repository from a URL
+    # e.g. HTTPS, peter-evans/create-pull-request
+    https_pattern = re.compile(r"^https://github.com/(.+/.+)$")
+    ssh_pattern = re.compile(r"^git@github.com:(.+/.+).git$")
 
-    # Check we have a match
-    match = pattern.match(url)
-    if match is None:
-        raise ValueError(f"The format of '{url}' is not a valid GitHub repository URL")
+    match = https_pattern.match(url)
+    if match is not None:
+        return "HTTPS", match.group(1)
 
-    return match.group(1)
+    match = ssh_pattern.match(url)
+    if match is not None:
+        return "SSH", match.group(1)
+
+    raise ValueError(f"The format of '{url}' is not a valid GitHub repository URL")
 
 
 def parse_display_name_email(display_name_email):

dist/src/create_pull_request.py

@@ -31,11 +31,12 @@ def get_git_config_value(repo, name):
         return None
 
 
-def get_github_repository():
+def get_repository_detail():
     remote_origin_url = get_git_config_value(repo, "remote.origin.url")
     if remote_origin_url is None:
         raise ValueError("Failed to fetch 'remote.origin.url' from git config")
-    return cmn.parse_github_repository(remote_origin_url)
+    protocol, github_repository = cmn.parse_github_repository(remote_origin_url)
+    return remote_origin_url, protocol, github_repository
 
 
 def git_user_config_is_set(repo):
@@ -115,7 +116,7 @@ repo = Repo(path)
 
 # Determine the GitHub repository from git config
 # This will be the target repository for the pull request
-github_repository = get_github_repository()
+repo_url, protocol, github_repository = get_repository_detail()
 print(f"Target repository set to {github_repository}")
 
 # Determine if the checked out ref is a valid base for a pull request
@@ -173,8 +174,10 @@ except ValueError as e:
     print(f"::error::{e} " + "Unable to continue. Exiting.")
     sys.exit(1)
 
-# Set the repository URL
-repo_url = f"https://x-access-token:{github_token}@github.com/{github_repository}"
+# Set the auth token in the repo URL
+# This supports checkout@v1. From v2 the auth token is saved for further use.
+if protocol == "HTTPS":
+    repo_url = f"https://x-access-token:{github_token}@github.com/{github_repository}"
 
 # Create or update the pull request branch
 result = coub.create_or_update_branch(repo, repo_url, commit_message, base, branch)

dist/src/requirements.txt

@@ -1,2 +1,2 @@
-GitPython==3.0.5
-PyGithub==1.45
+GitPython==3.0.7
+PyGithub==1.46

dist/src/test_common.py

@@ -10,9 +10,16 @@ def test_get_random_string():
 
 
 def test_parse_github_repository_success():
-    repository = cmn.parse_github_repository(
+    protocol, repository = cmn.parse_github_repository(
         "https://github.com/peter-evans/create-pull-request"
     )
+    assert protocol == "HTTPS"
+    assert repository == "peter-evans/create-pull-request"
+
+    protocol, repository = cmn.parse_github_repository(
+        "git@github.com:peter-evans/create-pull-request.git"
+    )
+    assert protocol == "SSH"
     assert repository == "peter-evans/create-pull-request"
 
 

docs/concepts-guidelines.md

@@ -1,6 +1,6 @@
-# Concepts and guidelines
+# Concepts, guidelines and advanced usage
 
-This document covers terminology, how the action works, and general usage guidelines.
+This document covers terminology, how the action works, general usage guidelines, and advanced usage.
 
 - [Terminology](#terminology)
 - [Events and checkout](#events-and-checkout)
@@ -9,8 +9,12 @@ This document covers terminology, how the action works, and general usage guidel
   - [Providing a consistent base](#providing-a-consistent-base)
   - [Pull request events](#pull-request-events)
   - [Restrictions on forked repositories](#restrictions-on-forked-repositories)
-  - [Tag push events](#tag-push-events)
   - [Security](#security)
+- [Advanced usage](#advanced-usage)
+  - [Creating pull requests in a remote repository](#creating-pull-requests-in-a-remote-repository)
+  - [Push using SSH (deploy keys)](#push-using-ssh-deploy-keys)
+  - [Using in an alpine linux container](#using-in-an-alpine-linux-container)
+  - [Creating pull requests on tag push](#creating-pull-requests-on-tag-push)
 
 ## Terminology
 
@@ -108,7 +112,104 @@ jobs:
     if: github.event.pull_request.head.repo.full_name == github.repository
 ```
 
-### Tag push events
+### Security
+
+From a security perspective it's good practice to fork third-party actions, review the code, and use your fork of the action in workflows.
+By using third-party actions directly the risk exists that it could be modified to do something malicious, such as capturing secrets.
+
+This action uses [ncc](https://github.com/zeit/ncc) to compile the Node.js code and dependencies into a single file.
+Python dependencies are vendored and committed to the repository [here](https://github.com/peter-evans/create-pull-request/tree/master/dist/vendor).
+No dependencies are downloaded during the action execution.
+
+Vendored Python dependencies can be reviewed by rebuilding the [dist](https://github.com/peter-evans/create-pull-request/tree/master/dist) directory and redownloading dependencies.
+The following commands require Node and Python 3.
+
+```
+npm install
+npm run clean
+npm run package
+```
+
+The `dist` directory should be rebuilt leaving no git diff.
+
+## Advanced usage
+
+### Creating pull requests in a remote repository
+
+Checking out a branch from a different repository from where the workflow is executing will make *that repository* the target for the created pull request. In this case, a `repo` scoped [Personal Access Token (PAT)](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) is required.
+
+```yml
+      - uses: actions/checkout@v2
+        with:
+          token: ${{ secrets.PAT }}
+          repository: owner/repo
+
+      # Make changes to pull request here
+
+      - uses: peter-evans/create-pull-request@v2
+        with:
+          token: ${{ secrets.PAT }}
+```
+
+### Push using SSH (deploy keys)
+
+[Deploy keys](https://developer.github.com/v3/guides/managing-deploy-keys/#deploy-keys) can be set per repository and so are arguably more secure than using a `repo` scoped [Personal Access Token (PAT)](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line).
+Allowing the action to push with a configured deploy key will trigger `on: push` workflows. This makes it an alternative to using a PAT to trigger checks for pull requests.
+
+How to use SSH (deploy keys) with create-pull-request action:
+
+1. [Create an new SSH key pair](https://help.github.com/en/github/authenticating-to-github/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key) for your repository. Do not set a passphrase.
+2. Copy the contents of the public key (.pub file) to a new repository [deploy key](https://developer.github.com/v3/guides/managing-deploy-keys/#deploy-keys) and check the box to "Allow write access."
+3. Add a secret to the repository containing the entire contents of the private key.
+4. As shown in the example steps below, use the [`webfactory/ssh-agent`](https://github.com/webfactory/ssh-agent) action to install the private key and clone your repository. Remember to checkout the `base` of your pull request if it's not the default branch, e.g. `git checkout my-branch`.
+
+```yml
+    steps:
+      - uses: webfactory/ssh-agent@v0.2.0
+        with:
+          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
+
+      - name: Checkout via SSH
+        run: git clone git@github.com:peter-evans/create-pull-request.git .
+
+      # Make changes to pull request here
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+```
+
+### Using in an alpine linux container
+
+This action can be run inside an Alpine Linux container by pre-installing the correct binaries for the action's dependencies.
+
+The following example workflow installs git and Python dependencies at the start of the job. You can also bake these dependencies into your own Alpine Docker image if you prefer. Note that git must be installed *before* running `actions/checkout`, otherwise it will just download the source of the repository instead of cloning it.
+
+```yml
+jobs:
+  createPullRequestAlpine:
+    runs-on: ubuntu-latest
+    container:
+      image: alpine
+    steps:
+      - name: Install dependencies
+        run: |
+          apk --no-cache add git python3
+          ln -sf python3 /usr/bin/python
+          ln -sf pip3 /usr/bin/pip
+
+      - uses: actions/checkout@v2
+
+      # Make changes to pull request here
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+```
+
+### Creating pull requests on tag push
 
 An `on: push` workflow will also trigger when tags are pushed.
 During these events, the `actions/checkout` action will check out the `ref/tags/<tag>` git ref by default.
@@ -134,8 +235,7 @@ jobs:
           git checkout -b temp-${GITHUB_REF:10}
           git push --set-upstream origin temp-${GITHUB_REF:10}
 
-      - name: Create changes to pull request
-        run: <create changes here>
+      # Make changes to pull request here
 
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v2
@@ -164,31 +264,10 @@ jobs:
         with:
           ref: master
 
-      - name: Create changes to pull request
-        run: <create changes here>
+      # Make changes to pull request here
 
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
 ```
-
-### Security
-
-From a security perspective it's good practice to fork third-party actions, review the code, and use your fork of the action in workflows.
-By using third-party actions directly the risk exists that it could be modified to do something malicious, such as capturing secrets.
-
-This action uses [ncc](https://github.com/zeit/ncc) to compile the Node.js code and dependencies into a single file.
-Python dependencies are vendored and committed to the repository [here](https://github.com/peter-evans/create-pull-request/tree/master/dist/vendor).
-No dependencies are downloaded during the action execution.
-
-Vendored Python dependencies can be reviewed by rebuilding the [dist](https://github.com/peter-evans/create-pull-request/tree/master/dist) directory and redownloading dependencies.
-The following commands require Node and Python 3.
-
-```
-npm install
-npm run clean
-npm run package
-```
-
-The `dist` directory should be rebuilt leaving no git diff.

docs/examples.md

@@ -2,6 +2,7 @@
 
 - [Use case: Create a pull request to update X on push](#use-case-create-a-pull-request-to-update-x-on-push)
   - [Update project authors](#update-project-authors)
+  - [Keep a branch up-to-date with another](#keep-a-branch-up-to-date-with-another)
 - [Use case: Create a pull request to update X periodically](#use-case-create-a-pull-request-to-update-x-periodically)
   - [Update NPM dependencies](#update-npm-dependencies)
   - [Update SwaggerUI for GitHub Pages](#update-swaggerui-for-github-pages)
@@ -51,6 +52,36 @@ jobs:
           branch: update-authors
 ```
 
+### Keep a branch up-to-date with another
+
+This is a use case where a branch should be kept up to date with another by opening a pull request to update it. The pull request should then be updated with new changes until it is merged or closed.
+
+In this example scenario, a branch called `production` should be updated via pull request to keep it in sync with `master`. Merging the pull request is effectively promoting those changes to production.
+
+```yml
+name: Create production promotion pull request
+on:
+  push:
+    branches:
+      - master
+jobs:
+  productionPromotion:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          ref: production
+      - name: Reset promotion branch
+        run: |
+          git fetch origin master:master
+          git reset --hard master
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          branch: production-promotion
+```
+
 ## Use case: Create a pull request to update X periodically
 
 This pattern will work well for updating any kind of static content from an external source. The workflow executes on a schedule and raises a pull request when there are changes.

index.js

@@ -1,4 +1,5 @@
 const { inspect } = require("util");
+const isDocker = require("is-docker");
 const core = require("@actions/core");
 const exec = require("@actions/exec");
 const setupPython = require("./src/setup-python");
@@ -9,11 +10,27 @@ async function run() {
     const src = __dirname + "/src";
     core.debug(`src: ${src}`);
 
-    // Setup Python from the tool cache
-    setupPython("3.8.x", "x64");
+    // Determine how to access python and pip
+    const { pip, python } = (function() {
+      if (isDocker()) {
+        core.info("Running inside a Docker container");
+        // Python 3 assumed to be installed and on the PATH
+        return {
+          pip: "pip3",
+          python: "python3"
+        };
+      } else {
+        // Setup Python from the tool cache
+        setupPython("3.x", "x64");
+        return {
+          pip: "pip",
+          python: "python"
+        };
+      }
+    })();
 
     // Install requirements
-    await exec.exec("pip", [
+    await exec.exec(pip, [
       "install",
       "--requirement",
       `${src}/requirements.txt`,
@@ -39,7 +56,7 @@ async function run() {
       projectColumn: core.getInput("project-column"),
       branch: core.getInput("branch"),
       base: core.getInput("base"),
-      branchSuffix: core.getInput("branch-suffix"),
+      branchSuffix: core.getInput("branch-suffix")
     };
     core.debug(`Inputs: ${inspect(inputs)}`);
 
@@ -63,7 +80,7 @@ async function run() {
     if (inputs.branchSuffix) process.env.CPR_BRANCH_SUFFIX = inputs.branchSuffix;
 
     // Execute python script
-    await exec.exec("python", [`${src}/create_pull_request.py`]);
+    await exec.exec(python, [`${src}/create_pull_request.py`]);
   } catch (error) {
     core.setFailed(error.message);
   }

package-lock.json

@@ -36,11 +36,16 @@
       }
     },
     "@zeit/ncc": {
-      "version": "0.21.0",
-      "resolved": "https://registry.npmjs.org/@zeit/ncc/-/ncc-0.21.0.tgz",
-      "integrity": "sha512-RUMdvVK/w78oo+yBjruZltt0kJXYar2un/1bYQ2LuHG7GmFVm+QjxzEmySwREctaJdEnBvlMdUNWd9hXHxEI3g==",
+      "version": "0.21.1",
+      "resolved": "https://registry.npmjs.org/@zeit/ncc/-/ncc-0.21.1.tgz",
+      "integrity": "sha512-M9WzgquSOt2nsjRkYM9LRylBLmmlwNCwYbm3Up3PDEshfvdmIfqpFNSK8EJvR18NwZjGHE5z2avlDtYQx2JQnw==",
       "dev": true
     },
+    "is-docker": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/is-docker/-/is-docker-2.0.0.tgz",
+      "integrity": "sha512-pJEdRugimx4fBMra5z2/5iRdZ63OhYV0vr0Dwm5+xtW4D1FvRkB8hamMIhnWfyJeDdyr/aa7BDyNbtG38VxgoQ=="
+    },
     "qs": {
       "version": "6.9.1",
       "resolved": "https://registry.npmjs.org/qs/-/qs-6.9.1.tgz",

package.json

@@ -23,9 +23,10 @@
   "dependencies": {
     "@actions/core": "^1.1.1",
     "@actions/exec": "^1.0.1",
-    "@actions/tool-cache": "^1.1.2"
+    "@actions/tool-cache": "^1.1.2",
+    "is-docker": "^2.0.0"
   },
   "devDependencies": {
-    "@zeit/ncc": "0.21.0"
+    "@zeit/ncc": "0.21.1"
   }
 }

src/common.py

@@ -9,16 +9,20 @@ def get_random_string(length=7, chars=string.ascii_lowercase + string.digits):
 
 
 def parse_github_repository(url):
-    # Parse the github repository from a URL
-    # e.g. peter-evans/create-pull-request
-    pattern = re.compile(r"^https://github.com/(.+/.+)$")
+    # Parse the protocol and github repository from a URL
+    # e.g. HTTPS, peter-evans/create-pull-request
+    https_pattern = re.compile(r"^https://github.com/(.+/.+)$")
+    ssh_pattern = re.compile(r"^git@github.com:(.+/.+).git$")
 
-    # Check we have a match
-    match = pattern.match(url)
-    if match is None:
-        raise ValueError(f"The format of '{url}' is not a valid GitHub repository URL")
+    match = https_pattern.match(url)
+    if match is not None:
+        return "HTTPS", match.group(1)
 
-    return match.group(1)
+    match = ssh_pattern.match(url)
+    if match is not None:
+        return "SSH", match.group(1)
+
+    raise ValueError(f"The format of '{url}' is not a valid GitHub repository URL")
 
 
 def parse_display_name_email(display_name_email):

src/create_pull_request.py

@@ -31,11 +31,12 @@ def get_git_config_value(repo, name):
         return None
 
 
-def get_github_repository():
+def get_repository_detail():
     remote_origin_url = get_git_config_value(repo, "remote.origin.url")
     if remote_origin_url is None:
         raise ValueError("Failed to fetch 'remote.origin.url' from git config")
-    return cmn.parse_github_repository(remote_origin_url)
+    protocol, github_repository = cmn.parse_github_repository(remote_origin_url)
+    return remote_origin_url, protocol, github_repository
 
 
 def git_user_config_is_set(repo):
@@ -115,7 +116,7 @@ repo = Repo(path)
 
 # Determine the GitHub repository from git config
 # This will be the target repository for the pull request
-github_repository = get_github_repository()
+repo_url, protocol, github_repository = get_repository_detail()
 print(f"Target repository set to {github_repository}")
 
 # Determine if the checked out ref is a valid base for a pull request
@@ -173,8 +174,10 @@ except ValueError as e:
     print(f"::error::{e} " + "Unable to continue. Exiting.")
     sys.exit(1)
 
-# Set the repository URL
-repo_url = f"https://x-access-token:{github_token}@github.com/{github_repository}"
+# Set the auth token in the repo URL
+# This supports checkout@v1. From v2 the auth token is saved for further use.
+if protocol == "HTTPS":
+    repo_url = f"https://x-access-token:{github_token}@github.com/{github_repository}"
 
 # Create or update the pull request branch
 result = coub.create_or_update_branch(repo, repo_url, commit_message, base, branch)

src/requirements.txt

@@ -1,2 +1,2 @@
-GitPython==3.0.5
-PyGithub==1.45
+GitPython==3.0.7
+PyGithub==1.46

src/test_common.py

@@ -10,9 +10,16 @@ def test_get_random_string():
 
 
 def test_parse_github_repository_success():
-    repository = cmn.parse_github_repository(
+    protocol, repository = cmn.parse_github_repository(
         "https://github.com/peter-evans/create-pull-request"
     )
+    assert protocol == "HTTPS"
+    assert repository == "peter-evans/create-pull-request"
+
+    protocol, repository = cmn.parse_github_repository(
+        "git@github.com:peter-evans/create-pull-request.git"
+    )
+    assert protocol == "SSH"
     assert repository == "peter-evans/create-pull-request"