Merge pull request #147 from peter-evans/dev

Default token to github.token

.eslintrc.json

@@ -0,0 +1,17 @@
+{
+    "env": {
+        "commonjs": true,
+        "es6": true,
+        "node": true
+    },
+    "extends": "eslint:recommended",
+    "globals": {
+        "Atomics": "readonly",
+        "SharedArrayBuffer": "readonly"
+    },
+    "parserOptions": {
+        "ecmaVersion": 2018
+    },
+    "rules": {
+    }
+}

.github/workflows/cpr-example-command.yml

@@ -13,7 +13,6 @@ jobs:
         id: cpr
         uses: ./
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: Add report file
           committer: Peter Evans <peter-evans@users.noreply.github.com>
           title: '[Example] Add report file'
@@ -30,6 +29,7 @@ jobs:
           project: Example Project
           project-column: To do
           branch: example-patches
+          request-to-parent: false
       - name: Check outputs
         run: |
           echo "Pull Request Number - ${{ env.PULL_REQUEST_NUMBER }}"

README.md

@@ -27,22 +27,20 @@ Create Pull Request action will:
 ```yml
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v2
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
 ```
 
 You can also pin to a [specific release](https://github.com/peter-evans/create-pull-request/releases) version in the format `@v2.x.x`
 
 ### Action inputs
 
-With the exception of `token`, all inputs are **optional**. If not set, sensible default values will be used.
+All inputs are **optional**. If not set, sensible default values will be used.
 
 **Note**: If you want pull requests created by this action to trigger an `on: push` or `on: pull_request` workflow then you must use a [Personal Access Token](https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line) instead of the default `GITHUB_TOKEN`. Alternatively, allow the action to [push using SSH](https://github.com/peter-evans/create-pull-request/blob/master/docs/concepts-guidelines.md#push-using-ssh-deploy-keys) by configuring a deploy key.
 
 | Name | Description | Default |
 | --- | --- | --- |
-| `token` | `GITHUB_TOKEN` or a `repo` scoped [PAT](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line). | |
-| `path` | Relative path under `$GITHUB_WORKSPACE` to the repository. | `$GITHUB_WORKSPACE` |
+| `token` | `GITHUB_TOKEN` or a `repo` scoped [PAT](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line). | `GITHUB_TOKEN` |
+| `path` | Relative path under `GITHUB_WORKSPACE` to the repository. | `GITHUB_WORKSPACE` |
 | `commit-message` | The message to use when committing changes. | `[create-pull-request] automated change` |
 | `committer` | The committer name and email address in the format `Display Name <email@address.com>`. | Defaults to the GitHub Actions bot user. See [Committer and author](#committer-and-author) for details. |
 | `author` | The author name and email address in the format `Display Name <email@address.com>`. | Defaults to the GitHub Actions bot user. See [Committer and author](#committer-and-author) for details. |
@@ -56,6 +54,7 @@ With the exception of `token`, all inputs are **optional**. If not set, sensible
 | `project` | The name of the project for which a card should be created. Requires `project-column`. | |
 | `project-column` | The name of the project column under which a card should be created. Requires `project`. | |
 | `branch` | The branch name. See [Branch naming](#branch-naming) for details. | `create-pull-request/patch` |
+| `request-to-parent` | Create the pull request in the parent repository of the checked out fork. See [push pull request branches to a fork](https://github.com/peter-evans/create-pull-request/blob/master/docs/concepts-guidelines.md#push-pull-request-branches-to-a-fork) for details. | `false` |
 | `base` | Sets the pull request base branch. | Defaults to the branch checked out in the workflow. |
 | `branch-suffix` | The branch suffix type. Valid values are `random`, `timestamp` and `short-commit-hash`. See [Branch naming](#branch-naming) for details. | |
 
@@ -68,8 +67,6 @@ Note that in order to read the step output the action step must have an id.
       - name: Create Pull Request
         id: cpr
         uses: peter-evans/create-pull-request@v2
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
       - name: Check outputs
         run: |
           echo "Pull Request Number - ${{ env.PULL_REQUEST_NUMBER }}"
@@ -119,7 +116,6 @@ In most cases, where the committer and author are the same, just the committer c
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v2
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
           committer: Peter Evans <peter-evans@users.noreply.github.com>
 ```
 
@@ -143,8 +139,6 @@ As well as relying on the action to handle uncommitted changes, you can addition
         run: date +%s > report.txt
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v2
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
 ```
 
 ## Reference Example
@@ -181,10 +175,12 @@ jobs:
           labels: report, automated pr
           assignees: peter-evans
           reviewers: peter-evans
+          team-reviewers: owners, maintainers
           milestone: 1
           project: Example Project
           project-column: To do
           branch: example-patches
+          request-to-parent: false
       - name: Check outputs
         run: |
           echo "Pull Request Number - ${{ env.PULL_REQUEST_NUMBER }}"

action.yml

@@ -3,7 +3,7 @@ description: 'Creates a pull request for changes to your repository in the actio
 inputs:
   token:
     description: 'GITHUB_TOKEN or a repo scoped PAT'
-    required: true
+    default: ${{ github.token }}
   path:
     description: 'Relative path under $GITHUB_WORKSPACE to the repository.'
   commit-message:
@@ -32,6 +32,9 @@ inputs:
     description: 'The name of the project column under which a card should be created.'
   branch:
     description: 'The pull request branch name.'
+  request-to-parent:
+    description: 'Create the pull request in the parent repository of the checked out fork.'
+    default: false
   base:
     description: 'The pull request base branch.'
   branch-suffix:
@@ -43,5 +46,5 @@ runs:
   using: 'node12'
   main: 'dist/index.js'
 branding:
-  icon: 'git-pull-request'  
+  icon: 'git-pull-request'
   color: 'gray-dark'

dist/cpr/create_or_update_pull_request.py

@@ -56,25 +56,37 @@ def create_or_update_pull_request(
     team_reviewers,
     project_name,
     project_column_name,
+    request_to_parent,
 ):
+    if request_to_parent is None:
+        request_to_parent = False
+    else:
+        request_to_parent = request_to_parent.lower() in ['true', '1', 't', 'y', 'yes', 'on']
+
+    github_repo = head_repo = Github(github_token).get_repo(github_repository)
+    if request_to_parent:
+        github_repo = github_repo.parent
+        if github_repo is None:
+            raise ValueError("The checked out repository is not a fork. Input 'request-to-parent' should be set to false.")
+
+    head_branch = f"{head_repo.owner.login}:{branch}"
+
     # Create the pull request
-    github_repo = Github(github_token).get_repo(github_repository)
     try:
         pull_request = github_repo.create_pull(
-            title=title, body=body, base=base, head=branch
+            title=title, body=body, base=base, head=head_branch
         )
-        print(f"Created pull request #{pull_request.number} ({branch} => {base})")
+        print(f"Created pull request #{pull_request.number} ({head_branch} => {github_repo.owner.login}:{base})")
     except GithubException as e:
         if e.status == 422:
             # A pull request exists for this branch and base
-            head_branch = "{}:{}".format(github_repository.split("/")[0], branch)
             # Get the pull request
             pull_request = github_repo.get_pulls(
                 state="open", base=base, head=head_branch
             )[0]
             # Update title and body
             pull_request.as_issue().edit(title=title, body=body)
-            print(f"Updated pull request #{pull_request.number} ({branch} => {base})")
+            print(f"Updated pull request #{pull_request.number} ({head_branch} => {github_repo.owner.login}:{base})")
         else:
             print(str(e))
             raise

dist/cpr/create_pull_request.py

@@ -1,5 +1,6 @@
 #!/usr/bin/env python3
 """ Create Pull Request """
+import base64
 import common as cmn
 import create_or_update_branch as coub
 import create_or_update_pull_request as coupr
@@ -31,7 +32,7 @@ def get_git_config_value(repo, name):
         return None
 
 
-def get_repository_detail():
+def get_repository_detail(repo):
     remote_origin_url = get_git_config_value(repo, "remote.origin.url")
     if remote_origin_url is None:
         raise ValueError("Failed to fetch 'remote.origin.url' from git config")
@@ -116,9 +117,21 @@ repo = Repo(path)
 
 # Determine the GitHub repository from git config
 # This will be the target repository for the pull request
-repo_url, protocol, github_repository = get_repository_detail()
+repo_url, protocol, github_repository = get_repository_detail(repo)
 print(f"Target repository set to {github_repository}")
 
+if protocol == "HTTPS":
+    print(f"::debug::Using HTTPS protocol")
+    # Encode and configure the basic credential for HTTPS access
+    basic_credential = base64.b64encode(
+        f"x-access-token:{github_token}".encode("utf-8")
+    ).decode("utf-8")
+    # Mask the basic credential in logs and debug output
+    print(f"::add-mask::{basic_credential}")
+    repo.git.set_persistent_git_options(
+        c=f"http.https://github.com/.extraheader=AUTHORIZATION: basic {basic_credential}"
+    )
+
 # Determine if the checked out ref is a valid base for a pull request
 # The action needs the checked out HEAD ref to be a branch
 # This check will fail in the following cases:
@@ -174,11 +187,6 @@ except ValueError as e:
     print(f"::error::{e} " + "Unable to continue. Exiting.")
     sys.exit(1)
 
-# Set the auth token in the repo URL
-# This supports checkout@v1. From v2 the auth token is saved for further use.
-if protocol == "HTTPS":
-    repo_url = f"https://x-access-token:{github_token}@github.com/{github_repository}"
-
 # Create or update the pull request branch
 result = coub.create_or_update_branch(repo, repo_url, commit_message, base, branch)
 
@@ -216,4 +224,5 @@ if result["action"] in ["created", "updated"]:
         os.environ.get("CPR_TEAM_REVIEWERS"),
         os.environ.get("CPR_PROJECT_NAME"),
         os.environ.get("CPR_PROJECT_COLUMN_NAME"),
+        os.environ.get("CPR_REQUEST_TO_PARENT"),
     )

dist/cpr/requirements.txt

@@ -0,0 +1,2 @@
+GitPython==3.1.0
+PyGithub==1.47

dist/index.js

@@ -34,7 +34,7 @@ module.exports =
 /******/ 	// the startup function
 /******/ 	function startup() {
 /******/ 		// Load entry module and return exports
-/******/ 		return __webpack_require__(104);
+/******/ 		return __webpack_require__(676);
 /******/ 	};
 /******/
 /******/ 	// run startup
@@ -973,21 +973,6 @@ module.exports = util.assign(
 
 module.exports = require("tls");
 
-/***/ }),
-
-/***/ 58:
-/***/ (function(module, __unusedexports, __webpack_require__) {
-
-// Unique ID creation requires a high quality random # generator.  In node.js
-// this is pretty straight-forward - we use the crypto API.
-
-var crypto = __webpack_require__(417);
-
-module.exports = function nodeRNG() {
-  return crypto.randomBytes(16);
-};
-
-
 /***/ }),
 
 /***/ 87:
@@ -998,109 +983,6 @@ module.exports = require("os");
 /***/ }),
 
 /***/ 104:
-/***/ (function(__unusedmodule, __unusedexports, __webpack_require__) {
-
-const { inspect } = __webpack_require__(669);
-const isDocker = __webpack_require__(160);
-const core = __webpack_require__(470);
-const exec = __webpack_require__(986);
-const setupPython = __webpack_require__(139);
-
-async function run() {
-  try {
-    // Allows ncc to find assets to be included in the distribution
-    const src = __webpack_require__.ab + "src";
-    core.debug(`src: ${src}`);
-
-    // Determine how to access python and pip
-    const { pip, python } = (function() {
-      if (isDocker()) {
-        core.info("Running inside a Docker container");
-        // Python 3 assumed to be installed and on the PATH
-        return {
-          pip: "pip3",
-          python: "python3"
-        };
-      } else {
-        // Setup Python from the tool cache
-        setupPython("3.x", "x64");
-        return {
-          pip: "pip",
-          python: "python"
-        };
-      }
-    })();
-
-    // Install requirements
-    await exec.exec(pip, [
-      "install",
-      "--requirement",
-      `${src}/requirements.txt`,
-      "--no-index",
-      `--find-links=${__dirname}/vendor`
-    ]);
-
-    // Fetch action inputs
-    const inputs = {
-      token: core.getInput("token"),
-      path: core.getInput("path"),
-      commitMessage: core.getInput("commit-message"),
-      committer: core.getInput("committer"),
-      author: core.getInput("author"),
-      title: core.getInput("title"),
-      body: core.getInput("body"),
-      labels: core.getInput("labels"),
-      assignees: core.getInput("assignees"),
-      reviewers: core.getInput("reviewers"),
-      teamReviewers: core.getInput("team-reviewers"),
-      milestone: core.getInput("milestone"),
-      project: core.getInput("project"),
-      projectColumn: core.getInput("project-column"),
-      branch: core.getInput("branch"),
-      base: core.getInput("base"),
-      branchSuffix: core.getInput("branch-suffix")
-    };
-    core.debug(`Inputs: ${inspect(inputs)}`);
-
-    // Set environment variables from inputs.
-    if (inputs.token) process.env.GITHUB_TOKEN = inputs.token;
-    if (inputs.path) process.env.CPR_PATH = inputs.path;
-    if (inputs.commitMessage) process.env.CPR_COMMIT_MESSAGE = inputs.commitMessage;
-    if (inputs.committer) process.env.CPR_COMMITTER = inputs.committer;
-    if (inputs.author) process.env.CPR_AUTHOR = inputs.author;
-    if (inputs.title) process.env.CPR_TITLE = inputs.title;
-    if (inputs.body) process.env.CPR_BODY = inputs.body;
-    if (inputs.labels) process.env.CPR_LABELS = inputs.labels;
-    if (inputs.assignees) process.env.CPR_ASSIGNEES = inputs.assignees;
-    if (inputs.reviewers) process.env.CPR_REVIEWERS = inputs.reviewers;
-    if (inputs.teamReviewers) process.env.CPR_TEAM_REVIEWERS = inputs.teamReviewers;
-    if (inputs.milestone) process.env.CPR_MILESTONE = inputs.milestone;
-    if (inputs.project) process.env.CPR_PROJECT_NAME = inputs.project;
-    if (inputs.projectColumn) process.env.CPR_PROJECT_COLUMN_NAME = inputs.projectColumn;
-    if (inputs.branch) process.env.CPR_BRANCH = inputs.branch;
-    if (inputs.base) process.env.CPR_BASE = inputs.base;
-    if (inputs.branchSuffix) process.env.CPR_BRANCH_SUFFIX = inputs.branchSuffix;
-
-    // Execute python script
-    await exec.exec(python, [`${src}/create_pull_request.py`]);
-  } catch (error) {
-    core.setFailed(error.message);
-  }
-}
-
-run();
-
-
-/***/ }),
-
-/***/ 129:
-/***/ (function(module) {
-
-module.exports = require("child_process");
-
-/***/ }),
-
-/***/ 139:
 /***/ (function(module, __unusedexports, __webpack_require__) {
 
 const core = __webpack_require__(470);
@@ -1157,6 +1039,28 @@ let setupPython = function(versionSpec, arch) {
 module.exports = setupPython;
 
 
+/***/ }),
+
+/***/ 129:
+/***/ (function(module) {
+
+module.exports = require("child_process");
+
+/***/ }),
+
+/***/ 139:
+/***/ (function(module, __unusedexports, __webpack_require__) {
+
+// Unique ID creation requires a high quality random # generator.  In node.js
+// this is pretty straight-forward - we use the crypto API.
+
+var crypto = __webpack_require__(417);
+
+module.exports = function nodeRNG() {
+  return crypto.randomBytes(16);
+};
+
+
 /***/ }),
 
 /***/ 141:
@@ -4301,6 +4205,237 @@ function isUnixExecutable(stats) {
 }
 //# sourceMappingURL=io-util.js.map
 
+/***/ }),
+
+/***/ 676:
+/***/ (function(__unusedmodule, __unusedexports, __webpack_require__) {
+
+const { inspect } = __webpack_require__(669);
+const isDocker = __webpack_require__(160);
+const core = __webpack_require__(470);
+const exec = __webpack_require__(986);
+const setupPython = __webpack_require__(104);
+const {
+  getRepoPath,
+  getAndUnsetConfigOption,
+  addConfigOption
+} = __webpack_require__(718);
+
+const EXTRAHEADER_OPTION = "http.https://github.com/.extraheader";
+const EXTRAHEADER_VALUE_REGEX = "^AUTHORIZATION:";
+
+async function run() {
+  try {
+    // Allows ncc to find assets to be included in the distribution
+    const cpr = __webpack_require__.ab + "cpr";
+    core.debug(`cpr: ${cpr}`);
+
+    // Determine how to access python and pip
+    const { pip, python } = (function() {
+      if (isDocker()) {
+        core.info("Running inside a Docker container");
+        // Python 3 assumed to be installed and on the PATH
+        return {
+          pip: "pip3",
+          python: "python3"
+        };
+      } else {
+        // Setup Python from the tool cache
+        setupPython("3.x", "x64");
+        return {
+          pip: "pip",
+          python: "python"
+        };
+      }
+    })();
+
+    // Install requirements
+    await exec.exec(pip, [
+      "install",
+      "--requirement",
+      `${cpr}/requirements.txt`,
+      "--no-index",
+      `--find-links=${__dirname}/vendor`
+    ]);
+
+    // Fetch action inputs
+    const inputs = {
+      token: core.getInput("token"),
+      path: core.getInput("path"),
+      commitMessage: core.getInput("commit-message"),
+      committer: core.getInput("committer"),
+      author: core.getInput("author"),
+      title: core.getInput("title"),
+      body: core.getInput("body"),
+      labels: core.getInput("labels"),
+      assignees: core.getInput("assignees"),
+      reviewers: core.getInput("reviewers"),
+      teamReviewers: core.getInput("team-reviewers"),
+      milestone: core.getInput("milestone"),
+      project: core.getInput("project"),
+      projectColumn: core.getInput("project-column"),
+      branch: core.getInput("branch"),
+      request_to_parent: core.getInput("request-to-parent"),
+      base: core.getInput("base"),
+      branchSuffix: core.getInput("branch-suffix")
+    };
+    core.debug(`Inputs: ${inspect(inputs)}`);
+
+    // Set environment variables from inputs.
+    if (inputs.token) process.env.GITHUB_TOKEN = inputs.token;
+    if (inputs.path) process.env.CPR_PATH = inputs.path;
+    if (inputs.commitMessage) process.env.CPR_COMMIT_MESSAGE = inputs.commitMessage;
+    if (inputs.committer) process.env.CPR_COMMITTER = inputs.committer;
+    if (inputs.author) process.env.CPR_AUTHOR = inputs.author;
+    if (inputs.title) process.env.CPR_TITLE = inputs.title;
+    if (inputs.body) process.env.CPR_BODY = inputs.body;
+    if (inputs.labels) process.env.CPR_LABELS = inputs.labels;
+    if (inputs.assignees) process.env.CPR_ASSIGNEES = inputs.assignees;
+    if (inputs.reviewers) process.env.CPR_REVIEWERS = inputs.reviewers;
+    if (inputs.teamReviewers) process.env.CPR_TEAM_REVIEWERS = inputs.teamReviewers;
+    if (inputs.milestone) process.env.CPR_MILESTONE = inputs.milestone;
+    if (inputs.project) process.env.CPR_PROJECT_NAME = inputs.project;
+    if (inputs.projectColumn) process.env.CPR_PROJECT_COLUMN_NAME = inputs.projectColumn;
+    if (inputs.branch) process.env.CPR_BRANCH = inputs.branch;
+    if (inputs.request_to_parent) process.env.CPR_REQUEST_TO_PARENT = inputs.request_to_parent;
+    if (inputs.base) process.env.CPR_BASE = inputs.base;
+    if (inputs.branchSuffix) process.env.CPR_BRANCH_SUFFIX = inputs.branchSuffix;
+
+    // Get the repository path
+    var repoPath = getRepoPath(inputs.path);
+    // Get the extraheader config option if it exists
+    var extraHeaderOption = await getAndUnsetConfigOption(
+      repoPath,
+      EXTRAHEADER_OPTION,
+      EXTRAHEADER_VALUE_REGEX
+    );
+
+    // Execute create pull request
+    await exec.exec(python, [`${cpr}/create_pull_request.py`]);
+  } catch (error) {
+    core.setFailed(error.message);
+  } finally {
+    // Restore the extraheader config option
+    if (extraHeaderOption) {
+      if (
+        await addConfigOption(
+          repoPath,
+          EXTRAHEADER_OPTION,
+          extraHeaderOption.value
+        )
+      )
+        core.debug(`Restored config option '${EXTRAHEADER_OPTION}'`);
+    }
+  }
+}
+
+run();
+
+
+/***/ }),
+
+/***/ 718:
+/***/ (function(module, __unusedexports, __webpack_require__) {
+
+const core = __webpack_require__(470);
+const exec = __webpack_require__(986);
+const path = __webpack_require__(622);
+
+function getRepoPath(relativePath) {
+  let githubWorkspacePath = process.env["GITHUB_WORKSPACE"];
+  if (!githubWorkspacePath) {
+    throw new Error("GITHUB_WORKSPACE not defined");
+  }
+  githubWorkspacePath = path.resolve(githubWorkspacePath);
+  core.debug(`githubWorkspacePath: ${githubWorkspacePath}`);
+
+  repoPath = githubWorkspacePath;
+  if (relativePath) repoPath = path.resolve(repoPath, relativePath);
+
+  core.debug(`repoPath: ${repoPath}`);
+  return repoPath;
+}
+
+async function execGit(repoPath, args, ignoreReturnCode = false) {
+  const stdout = [];
+  const options = {
+    cwd: repoPath,
+    ignoreReturnCode: ignoreReturnCode,
+    listeners: {
+      stdout: data => {
+        stdout.push(data.toString());
+      }
+    }
+  };
+
+  var result = {};
+  result.exitCode = await exec.exec("git", args, options);
+  result.stdout = stdout.join("");
+  return result;
+}
+
+async function addConfigOption(repoPath, name, value) {
+  const result = await execGit(
+    repoPath,
+    ["config", "--local", "--add", name, value],
+    true
+  );
+  return result.exitCode === 0;
+}
+
+async function unsetConfigOption(repoPath, name, valueRegex=".") {
+  const result = await execGit(
+    repoPath,
+    ["config", "--local", "--unset", name, valueRegex],
+    true
+  );
+  return result.exitCode === 0;
+}
+
+async function configOptionExists(repoPath, name, valueRegex=".") {
+  const result = await execGit(
+    repoPath,
+    ["config", "--local", "--name-only", "--get-regexp", name, valueRegex],
+    true
+  );
+  return result.exitCode === 0;
+}
+
+async function getConfigOption(repoPath, name, valueRegex=".") {
+  const result = await execGit(
+    repoPath,
+    ["config", "--local", "--get-regexp", name, valueRegex],
+    true
+  );
+  const option = result.stdout.trim().split(`${name} `);
+  return {
+    name: name,
+    value: option[1]
+  }
+}
+
+async function getAndUnsetConfigOption(repoPath, name, valueRegex=".") {
+  if (await configOptionExists(repoPath, name, valueRegex)) {
+    const option = await getConfigOption(repoPath, name, valueRegex);
+    if (await unsetConfigOption(repoPath, name, valueRegex)) {
+      core.debug(`Unset config option '${name}'`);
+      return option;
+    }
+  }
+  return null;
+}
+
+module.exports = {
+  getRepoPath,
+  execGit,
+  addConfigOption,
+  unsetConfigOption,
+  configOptionExists,
+  getConfigOption,
+  getAndUnsetConfigOption
+};
+
+
 /***/ }),
 
 /***/ 722:
@@ -4733,7 +4868,7 @@ module.exports = require("zlib");
 /***/ 826:
 /***/ (function(module, __unusedexports, __webpack_require__) {
 
-var rng = __webpack_require__(58);
+var rng = __webpack_require__(139);
 var bytesToUuid = __webpack_require__(722);
 
 function v4(options, buf, offset) {

dist/src/requirements.txt

@@ -1,2 +0,0 @@
-GitPython==3.0.7
-PyGithub==1.46

dist/src/setup-python.js

@@ -1,52 +0,0 @@
-const core = require("@actions/core");
-const tc = require("@actions/tool-cache");
-const path = require("path");
-const semver = require("semver");
-
-/**
- * Setup for Python from the GitHub Actions tool cache
- * Converted from https://github.com/actions/setup-python
- *
- * @param {string} versionSpec version of Python
- * @param {string} arch architecture (x64|x32)
- */
-let setupPython = function(versionSpec, arch) {
-  return new Promise((resolve, reject) => {
-    const IS_WINDOWS = process.platform === "win32";
-
-    // Find the version of Python we want in the tool cache
-    const installDir = tc.find("Python", versionSpec, arch);
-    core.debug(`installDir: ${installDir}`);
-
-    // Set paths
-    core.exportVariable("pythonLocation", installDir);
-    core.addPath(installDir);
-    if (IS_WINDOWS) {
-      core.addPath(path.join(installDir, "Scripts"));
-    } else {
-      core.addPath(path.join(installDir, "bin"));
-    }
-
-    if (IS_WINDOWS) {
-      // Add --user directory
-      // `installDir` from tool cache should look like $AGENT_TOOLSDIRECTORY/Python/<semantic version>/x64/
-      // So if `findLocalTool` succeeded above, we must have a conformant `installDir`
-      const version = path.basename(path.dirname(installDir));
-      const major = semver.major(version);
-      const minor = semver.minor(version);
-
-      const userScriptsDir = path.join(
-        process.env["APPDATA"] || "",
-        "Python",
-        `Python${major}${minor}`,
-        "Scripts"
-      );
-      core.addPath(userScriptsDir);
-    }
-    // On Linux and macOS, pip will create the --user directory and add it to PATH as needed.
-
-    resolve();
-  });
-};
-
-module.exports = setupPython;

docs/concepts-guidelines.md

@@ -13,7 +13,8 @@ This document covers terminology, how the action works, general usage guidelines
 - [Advanced usage](#advanced-usage)
   - [Creating pull requests in a remote repository](#creating-pull-requests-in-a-remote-repository)
   - [Push using SSH (deploy keys)](#push-using-ssh-deploy-keys)
-  - [Using in an alpine linux container](#using-in-an-alpine-linux-container)
+  - [Push pull request branches to a fork](#push-pull-request-branches-to-a-fork)
+  - [Running in a container](#running-in-a-container)
   - [Creating pull requests on tag push](#creating-pull-requests-on-tag-push)
 
 ## Terminology
@@ -158,7 +159,7 @@ Allowing the action to push with a configured deploy key will trigger `on: push`
 
 How to use SSH (deploy keys) with create-pull-request action:
 
-1. [Create an new SSH key pair](https://help.github.com/en/github/authenticating-to-github/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key) for your repository. Do not set a passphrase.
+1. [Create a new SSH key pair](https://help.github.com/en/github/authenticating-to-github/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key) for your repository. Do not set a passphrase.
 2. Copy the contents of the public key (.pub file) to a new repository [deploy key](https://developer.github.com/v3/guides/managing-deploy-keys/#deploy-keys) and check the box to "Allow write access."
 3. Add a secret to the repository containing the entire contents of the private key.
 4. As shown in the example steps below, use the [`webfactory/ssh-agent`](https://github.com/webfactory/ssh-agent) action to install the private key and clone your repository. Remember to checkout the `base` of your pull request if it's not the default branch, e.g. `git checkout my-branch`.
@@ -176,16 +177,47 @@ How to use SSH (deploy keys) with create-pull-request action:
 
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v2
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
 ```
 
-### Using in an alpine linux container
+### Push pull request branches to a fork
 
-This action can be run inside an Alpine Linux container by pre-installing the correct binaries for the action's dependencies.
+Instead of pushing pull request branches to the repository you want to update, you can push them to a fork of that repository.
+This allows you to employ the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege) by using a dedicated user acting as a [machine account](https://help.github.com/en/github/site-policy/github-terms-of-service#3-account-requirements).
+This user has no access to the main repository.
+It will use their own fork to push code and create the pull request.
 
-The following example workflow installs git and Python dependencies at the start of the job. You can also bake these dependencies into your own Alpine Docker image if you prefer. Note that git must be installed *before* running `actions/checkout`, otherwise it will just download the source of the repository instead of cloning it.
+1. Create a new GitHub user and login.
+2. Fork the repository that you will be creating pull requests in.
+3. Create a [Personal Access Token (PAT)](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line).
+4. Logout and log back in to your main user account.
+5. Add a secret to your repository containing the above PAT.
+6. As shown in the following example workflow, switch the git remote to the fork's URL after checkout and set the action input `request-on-parent` to `true`.
 
+```yaml
+      - uses: actions/checkout@v2
+
+      - run: |
+          git config user.password ${{ secrets.PAT }}
+          git remote set-url origin https://github.com/bot-user/fork-project
+          git fetch --unshallow -p origin
+
+      # Make changes to pull request here
+
+      - uses: peter-evans/create-pull-request@v2
+        with:
+          token: ${{ secrets.PAT }}
+          request-on-parent: true
+```
+
+### Running in a container
+
+This action can be run inside a container by installing the action's dependencies either in the Docker image itself, or during the workflow.
+
+The action requires `python3`, `pip3` and `git` to be installed and on the `PATH`.
+
+Note that `actions/checkout` requires Git 2.18 or higher to be installed, otherwise it will just download the source of the repository instead of cloning it.
+
+**Alpine container example:**
 ```yml
 jobs:
   createPullRequestAlpine:
@@ -194,10 +226,30 @@ jobs:
       image: alpine
     steps:
       - name: Install dependencies
-        run: |
-          apk --no-cache add git python3
-          ln -sf python3 /usr/bin/python
-          ln -sf pip3 /usr/bin/pip
+        run: apk --no-cache add git python3
+
+      - uses: actions/checkout@v2
+
+      # Make changes to pull request here
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v2
+```
+
+**Ubuntu container example:**
+```yml
+jobs:
+  createPullRequestAlpine:
+    runs-on: ubuntu-latest
+    container:
+      image: ubuntu
+    steps:
+      - name: Install dependencies
+        run: |
+          apt-get update
+          apt-get install -y software-properties-common
+          add-apt-repository -y ppa:git-core/ppa
+          apt-get install -y python3 python3-pip git
 
       - uses: actions/checkout@v2
 
@@ -205,8 +257,6 @@ jobs:
 
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v2
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
 ```
 
 ### Creating pull requests on tag push
@@ -240,7 +290,6 @@ jobs:
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v2
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
           base: master
 
       - name: Delete tag branch
@@ -268,6 +317,4 @@ jobs:
 
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v2
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
 ```

docs/examples.md

@@ -45,7 +45,6 @@ jobs:
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v2
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: update authors
           title: Update AUTHORS
           body: Credit new contributors by updating AUTHORS
@@ -78,7 +77,6 @@ jobs:
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v2
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
           branch: production-promotion
 ```
 
@@ -110,7 +108,6 @@ jobs:
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v2
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: update dependencies
           title: Automated Dependency Updates
           body: This is an auto-generated PR with dependency updates.
@@ -161,7 +158,6 @@ jobs:
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v2
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: Update swagger-ui to ${{ steps.swagger-ui.outputs.release_tag }}
           title: Update SwaggerUI to ${{ steps.swagger-ui.outputs.release_tag }}
           body: |
@@ -204,7 +200,6 @@ jobs:
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v2
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: update local website copy
           title: Automated Updates to Local Website Copy
           body: This is an auto-generated PR with website updates.
@@ -299,7 +294,6 @@ jobs:
         if: steps.autopep8.outputs.exit-code == 2
         uses: peter-evans/create-pull-request@v2
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: autopep8 action fixes
           title: Fixes by autopep8 action
           body: This is an auto-generated PR with fixes by autopep8.
@@ -358,7 +352,6 @@ The recommended method is to use [`set-output`](https://help.github.com/en/githu
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v2
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
           title: ${{ steps.vars.outputs.pr_title }}
           body: ${{ steps.vars.outputs.pr_body }}
 ```
@@ -374,7 +367,6 @@ Alternatively, [`set-env`](https://help.github.com/en/github/automating-your-wor
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v2
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
           title: ${{ env.PULL_REQUEST_TITLE }}
           body: ${{ env.PULL_REQUEST_BODY }}
 ```

jest.config.js

@@ -0,0 +1,3 @@
+process.env = Object.assign(process.env, {
+  GITHUB_WORKSPACE: __dirname
+});

package.json

@@ -5,8 +5,10 @@
   "main": "index.js",
   "scripts": {
     "clean": "rm -rf dist",
-    "build": "ncc build index.js -o dist",
-    "vendor-deps": "pip download -r src/requirements.txt --no-binary=:all: -d dist/vendor",
+    "lint": "eslint src/index.js",
+    "test": "eslint src/index.js && jest",
+    "build": "ncc build src/index.js -o dist",
+    "vendor-deps": "pip download -r src/cpr/requirements.txt --no-binary=:all: -d dist/vendor",
     "package": "npm run build && npm run vendor-deps"
   },
   "repository": {
@@ -27,6 +29,8 @@
     "is-docker": "^2.0.0"
   },
   "devDependencies": {
-    "@zeit/ncc": "0.21.1"
+    "@zeit/ncc": "0.22.0",
+    "eslint": "6.8.0",
+    "jest": "25.2.4"
   }
 }

src/cpr/create_or_update_pull_request.py

@@ -56,25 +56,37 @@ def create_or_update_pull_request(
     team_reviewers,
     project_name,
     project_column_name,
+    request_to_parent,
 ):
+    if request_to_parent is None:
+        request_to_parent = False
+    else:
+        request_to_parent = request_to_parent.lower() in ['true', '1', 't', 'y', 'yes', 'on']
+
+    github_repo = head_repo = Github(github_token).get_repo(github_repository)
+    if request_to_parent:
+        github_repo = github_repo.parent
+        if github_repo is None:
+            raise ValueError("The checked out repository is not a fork. Input 'request-to-parent' should be set to false.")
+
+    head_branch = f"{head_repo.owner.login}:{branch}"
+
     # Create the pull request
-    github_repo = Github(github_token).get_repo(github_repository)
     try:
         pull_request = github_repo.create_pull(
-            title=title, body=body, base=base, head=branch
+            title=title, body=body, base=base, head=head_branch
         )
-        print(f"Created pull request #{pull_request.number} ({branch} => {base})")
+        print(f"Created pull request #{pull_request.number} ({head_branch} => {github_repo.owner.login}:{base})")
     except GithubException as e:
         if e.status == 422:
             # A pull request exists for this branch and base
-            head_branch = "{}:{}".format(github_repository.split("/")[0], branch)
             # Get the pull request
             pull_request = github_repo.get_pulls(
                 state="open", base=base, head=head_branch
             )[0]
             # Update title and body
             pull_request.as_issue().edit(title=title, body=body)
-            print(f"Updated pull request #{pull_request.number} ({branch} => {base})")
+            print(f"Updated pull request #{pull_request.number} ({head_branch} => {github_repo.owner.login}:{base})")
         else:
             print(str(e))
             raise

src/cpr/create_pull_request.py

@@ -1,5 +1,6 @@
 #!/usr/bin/env python3
 """ Create Pull Request """
+import base64
 import common as cmn
 import create_or_update_branch as coub
 import create_or_update_pull_request as coupr
@@ -31,7 +32,7 @@ def get_git_config_value(repo, name):
         return None
 
 
-def get_repository_detail():
+def get_repository_detail(repo):
     remote_origin_url = get_git_config_value(repo, "remote.origin.url")
     if remote_origin_url is None:
         raise ValueError("Failed to fetch 'remote.origin.url' from git config")
@@ -116,9 +117,21 @@ repo = Repo(path)
 
 # Determine the GitHub repository from git config
 # This will be the target repository for the pull request
-repo_url, protocol, github_repository = get_repository_detail()
+repo_url, protocol, github_repository = get_repository_detail(repo)
 print(f"Target repository set to {github_repository}")
 
+if protocol == "HTTPS":
+    print(f"::debug::Using HTTPS protocol")
+    # Encode and configure the basic credential for HTTPS access
+    basic_credential = base64.b64encode(
+        f"x-access-token:{github_token}".encode("utf-8")
+    ).decode("utf-8")
+    # Mask the basic credential in logs and debug output
+    print(f"::add-mask::{basic_credential}")
+    repo.git.set_persistent_git_options(
+        c=f"http.https://github.com/.extraheader=AUTHORIZATION: basic {basic_credential}"
+    )
+
 # Determine if the checked out ref is a valid base for a pull request
 # The action needs the checked out HEAD ref to be a branch
 # This check will fail in the following cases:
@@ -174,17 +187,12 @@ except ValueError as e:
     print(f"::error::{e} " + "Unable to continue. Exiting.")
     sys.exit(1)
 
-# Set the auth token in the repo URL
-# This supports checkout@v1. From v2 the auth token is saved for further use.
-if protocol == "HTTPS":
-    repo_url = f"https://x-access-token:{github_token}@github.com/{github_repository}"
-
 # Create or update the pull request branch
 result = coub.create_or_update_branch(repo, repo_url, commit_message, base, branch)
 
 if result["action"] in ["created", "updated"]:
     # The branch was created or updated
-    print(f"Pushing pull request branch to 'origin/{branch}'")
+    print(f"Pushing pull request branch to '{repo.full_name}/{branch}'")
     repo.git.push("--force", repo_url, f"HEAD:refs/heads/{branch}")
 
     # Set the base. It would have been 'None' if not specified as an input
@@ -216,4 +224,5 @@ if result["action"] in ["created", "updated"]:
         os.environ.get("CPR_TEAM_REVIEWERS"),
         os.environ.get("CPR_PROJECT_NAME"),
         os.environ.get("CPR_PROJECT_COLUMN_NAME"),
+        os.environ.get("CPR_REQUEST_TO_PARENT"),
     )

src/cpr/requirements.txt

@@ -0,0 +1,2 @@
+GitPython==3.1.0
+PyGithub==1.47

src/git.js

@@ -0,0 +1,97 @@
+const core = require("@actions/core");
+const exec = require("@actions/exec");
+const path = require("path");
+
+function getRepoPath(relativePath) {
+  let githubWorkspacePath = process.env["GITHUB_WORKSPACE"];
+  if (!githubWorkspacePath) {
+    throw new Error("GITHUB_WORKSPACE not defined");
+  }
+  githubWorkspacePath = path.resolve(githubWorkspacePath);
+  core.debug(`githubWorkspacePath: ${githubWorkspacePath}`);
+
+  repoPath = githubWorkspacePath;
+  if (relativePath) repoPath = path.resolve(repoPath, relativePath);
+
+  core.debug(`repoPath: ${repoPath}`);
+  return repoPath;
+}
+
+async function execGit(repoPath, args, ignoreReturnCode = false) {
+  const stdout = [];
+  const options = {
+    cwd: repoPath,
+    ignoreReturnCode: ignoreReturnCode,
+    listeners: {
+      stdout: data => {
+        stdout.push(data.toString());
+      }
+    }
+  };
+
+  var result = {};
+  result.exitCode = await exec.exec("git", args, options);
+  result.stdout = stdout.join("");
+  return result;
+}
+
+async function addConfigOption(repoPath, name, value) {
+  const result = await execGit(
+    repoPath,
+    ["config", "--local", "--add", name, value],
+    true
+  );
+  return result.exitCode === 0;
+}
+
+async function unsetConfigOption(repoPath, name, valueRegex=".") {
+  const result = await execGit(
+    repoPath,
+    ["config", "--local", "--unset", name, valueRegex],
+    true
+  );
+  return result.exitCode === 0;
+}
+
+async function configOptionExists(repoPath, name, valueRegex=".") {
+  const result = await execGit(
+    repoPath,
+    ["config", "--local", "--name-only", "--get-regexp", name, valueRegex],
+    true
+  );
+  return result.exitCode === 0;
+}
+
+async function getConfigOption(repoPath, name, valueRegex=".") {
+  const result = await execGit(
+    repoPath,
+    ["config", "--local", "--get-regexp", name, valueRegex],
+    true
+  );
+  const option = result.stdout.trim().split(`${name} `);
+  return {
+    name: name,
+    value: option[1]
+  }
+}
+
+async function getAndUnsetConfigOption(repoPath, name, valueRegex=".") {
+  if (await configOptionExists(repoPath, name, valueRegex)) {
+    const option = await getConfigOption(repoPath, name, valueRegex);
+    if (await unsetConfigOption(repoPath, name, valueRegex)) {
+      core.debug(`Unset config option '${name}'`);
+      return option;
+    }
+  }
+  return null;
+}
+
+module.exports = {
+  getRepoPath,
+  execGit,
+  addConfigOption,
+  unsetConfigOption,
+  configOptionExists,
+  getConfigOption,
+  getAndUnsetConfigOption
+};

src/git.test.js

@@ -0,0 +1,98 @@
+const path = require("path");
+const {
+  getRepoPath,
+  execGit,
+  addConfigOption,
+  unsetConfigOption,
+  configOptionExists,
+  getConfigOption,
+  getAndUnsetConfigOption
+} = require("./git");
+
+test("getRepoPath", async () => {
+  expect(getRepoPath()).toEqual(process.env["GITHUB_WORKSPACE"]);
+  expect(getRepoPath("foo")).toEqual(
+    path.resolve(process.env["GITHUB_WORKSPACE"], "foo")
+  );
+});
+
+test("execGit", async () => {
+  const repoPath = getRepoPath();
+  const result = await execGit(
+    repoPath,
+    ["config", "--local", "--name-only", "--get-regexp", "remote.origin.url"],
+    true
+  );
+  expect(result.exitCode).toEqual(0);
+  expect(result.stdout.trim()).toEqual("remote.origin.url");
+});
+
+test("add and unset config option", async () => {
+  const repoPath = getRepoPath();
+  const add = await addConfigOption(repoPath, "test.add.and.unset.config.option", "foo");
+  expect(add).toBeTruthy();
+  const unset = await unsetConfigOption(repoPath, "test.add.and.unset.config.option");
+  expect(unset).toBeTruthy();
+});
+
+test("add and unset config option with value regex", async () => {
+  const repoPath = getRepoPath();
+  const add = await addConfigOption(repoPath, "test.add.and.unset.config.option", "foo bar");
+  expect(add).toBeTruthy();
+  const unset = await unsetConfigOption(repoPath, "test.add.and.unset.config.option", "^foo");
+  expect(unset).toBeTruthy();
+});
+
+test("configOptionExists returns true", async () => {
+  const repoPath = getRepoPath();
+  const result = await configOptionExists(repoPath, "remote.origin.url");
+  expect(result).toBeTruthy();
+});
+
+test("configOptionExists returns false", async () => {
+  const repoPath = getRepoPath();
+  const result = await configOptionExists(repoPath, "this.key.does.not.exist");
+  expect(result).toBeFalsy();
+});
+
+test("get config option", async () => {
+  const repoPath = getRepoPath();
+  const add = await addConfigOption(repoPath, "test.get.config.option", "foo");
+  expect(add).toBeTruthy();
+  const option = await getConfigOption(repoPath, "test.get.config.option");
+  expect(option.value).toEqual("foo");
+  const unset = await unsetConfigOption(repoPath, "test.get.config.option");
+  expect(unset).toBeTruthy();
+});
+
+test("get config option with value regex", async () => {
+  const repoPath = getRepoPath();
+  const add = await addConfigOption(repoPath, "test.get.config.option", "foo bar");
+  expect(add).toBeTruthy();
+  const option = await getConfigOption(repoPath, "test.get.config.option", "^foo");
+  expect(option.value).toEqual("foo bar");
+  const unset = await unsetConfigOption(repoPath, "test.get.config.option", "^foo");
+  expect(unset).toBeTruthy();
+});
+
+test("get and unset config option is successful", async () => {
+  const repoPath = getRepoPath();
+  const add = await addConfigOption(repoPath, "test.get.and.unset.config.option", "foo");
+  expect(add).toBeTruthy();
+  const getAndUnset = await getAndUnsetConfigOption(repoPath, "test.get.and.unset.config.option");
+  expect(getAndUnset.value).toEqual("foo");
+});
+
+test("get and unset config option is successful with value regex", async () => {
+  const repoPath = getRepoPath();
+  const add = await addConfigOption(repoPath, "test.get.and.unset.config.option", "foo bar");
+  expect(add).toBeTruthy();
+  const getAndUnset = await getAndUnsetConfigOption(repoPath, "test.get.and.unset.config.option", "^foo");
+  expect(getAndUnset.value).toEqual("foo bar");
+});
+
+test("get and unset config option is unsuccessful", async () => {
+  const repoPath = getRepoPath();
+  const getAndUnset = await getAndUnsetConfigOption(repoPath, "this.key.does.not.exist");
+  expect(getAndUnset).toBeNull();
+});

src/index.js

@@ -2,13 +2,21 @@ const { inspect } = require("util");
 const isDocker = require("is-docker");
 const core = require("@actions/core");
 const exec = require("@actions/exec");
-const setupPython = require("./src/setup-python");
+const setupPython = require("./setup-python");
+const {
+  getRepoPath,
+  getAndUnsetConfigOption,
+  addConfigOption
+} = require("./git");
+
+const EXTRAHEADER_OPTION = "http.https://github.com/.extraheader";
+const EXTRAHEADER_VALUE_REGEX = "^AUTHORIZATION:";
 
 async function run() {
   try {
     // Allows ncc to find assets to be included in the distribution
-    const src = __dirname + "/src";
-    core.debug(`src: ${src}`);
+    const cpr = __dirname + "/cpr";
+    core.debug(`cpr: ${cpr}`);
 
     // Determine how to access python and pip
     const { pip, python } = (function() {
@@ -33,7 +41,7 @@ async function run() {
     await exec.exec(pip, [
       "install",
       "--requirement",
-      `${src}/requirements.txt`,
+      `${cpr}/requirements.txt`,
       "--no-index",
       `--find-links=${__dirname}/vendor`
     ]);
@@ -55,6 +63,7 @@ async function run() {
       project: core.getInput("project"),
       projectColumn: core.getInput("project-column"),
       branch: core.getInput("branch"),
+      request_to_parent: core.getInput("request-to-parent"),
       base: core.getInput("base"),
       branchSuffix: core.getInput("branch-suffix")
     };
@@ -76,13 +85,35 @@ async function run() {
     if (inputs.project) process.env.CPR_PROJECT_NAME = inputs.project;
     if (inputs.projectColumn) process.env.CPR_PROJECT_COLUMN_NAME = inputs.projectColumn;
     if (inputs.branch) process.env.CPR_BRANCH = inputs.branch;
+    if (inputs.request_to_parent) process.env.CPR_REQUEST_TO_PARENT = inputs.request_to_parent;
     if (inputs.base) process.env.CPR_BASE = inputs.base;
     if (inputs.branchSuffix) process.env.CPR_BRANCH_SUFFIX = inputs.branchSuffix;
 
-    // Execute python script
-    await exec.exec(python, [`${src}/create_pull_request.py`]);
+    // Get the repository path
+    var repoPath = getRepoPath(inputs.path);
+    // Get the extraheader config option if it exists
+    var extraHeaderOption = await getAndUnsetConfigOption(
+      repoPath,
+      EXTRAHEADER_OPTION,
+      EXTRAHEADER_VALUE_REGEX
+    );
+
+    // Execute create pull request
+    await exec.exec(python, [`${cpr}/create_pull_request.py`]);
   } catch (error) {
     core.setFailed(error.message);
+  } finally {
+    // Restore the extraheader config option
+    if (extraHeaderOption) {
+      if (
+        await addConfigOption(
+          repoPath,
+          EXTRAHEADER_OPTION,
+          extraHeaderOption.value
+        )
+      )
+        core.debug(`Restored config option '${EXTRAHEADER_OPTION}'`);
+    }
   }
 }
 

src/requirements.txt

@@ -1,2 +0,0 @@
-GitPython==3.0.7
-PyGithub==1.46