Merge pull request #804 from peter-evans/gpg-sign-fix

fix: remove unnecessary gpg-sign input

.eslintrc.json

@@ -9,8 +9,7 @@
     "plugin:import/errors",
     "plugin:import/warnings",
     "plugin:import/typescript",
-    "plugin:prettier/recommended",
-    "prettier/@typescript-eslint"
+    "plugin:prettier/recommended"
   ],
   "plugins": ["@typescript-eslint"],
   "rules": {

README.md

@@ -66,7 +66,13 @@ All inputs are **optional**. If not set, sensible defaults will be used.
 
 ### Action outputs
 
-The pull request number and URL are available as step outputs.
+The following outputs can be used by subsequent workflow steps.
+
+- `pull-request-number` - The pull request number.
+- `pull-request-url` - The URL of the pull request.
+- `pull-request-operation` - The pull request operation performed by the action, `created`, `updated` or `closed`.
+
+Step outputs can be accessed as in the following example.
 Note that in order to read the step outputs the action step must have an id.
 
 ```yml
@@ -151,6 +157,11 @@ To create a project card for the pull request, pass the `pull-request-number` st
           issue-number: ${{ steps.cpr.outputs.pull-request-number }}
 ```
 
+### Auto-merge
+
+Auto-merge can be enabled on a pull request allowing it to be automatically merged once requirements have been satisfied.
+See [enable-pull-request-automerge](https://github.com/peter-evans/enable-pull-request-automerge) action for usage details.
+
 ## Reference Example
 
 The following workflow sets many of the action's inputs for reference purposes.

docs/concepts-guidelines.md

@@ -16,6 +16,7 @@ This document covers terminology, how the action works, general usage guidelines
   - [Push using SSH (deploy keys)](#push-using-ssh-deploy-keys)
   - [Push pull request branches to a fork](#push-pull-request-branches-to-a-fork)
   - [Authenticating with GitHub App generated tokens](#authenticating-with-github-app-generated-tokens)
+  - [GPG commit signature verification](#gpg-commit-signature-verification)
   - [Running in a container or on self-hosted runners](#running-in-a-container-or-on-self-hosted-runners)
 
 ## Terminology
@@ -129,6 +130,8 @@ jobs:
     if: github.event.pull_request.head.repo.full_name == github.repository
 ```
 
+For further reading regarding the security of pull requests, see this GitHub blog post titled [Keeping your GitHub Actions and workflows secure: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
+
 ### Triggering further workflow runs
 
 Pull requests created by the action using the default `GITHUB_TOKEN` cannot trigger other workflows. If you have `on: pull_request` or `on: push` workflows acting as checks on pull requests, they will not run.
@@ -272,6 +275,48 @@ GitHub App generated tokens are more secure than using a PAT because GitHub App
           token: ${{ steps.generate-token.outputs.token }}
 ```
 
+### GPG commit signature verification
+
+The action can use GPG to sign commits with a GPG key that you generate yourself.
+
+1. Follow GitHub's guide to [generate a new GPG key](https://docs.github.com/en/github/authenticating-to-github/generating-a-new-gpg-key).
+
+2. [Add the public key](https://docs.github.com/en/github/authenticating-to-github/adding-a-new-gpg-key-to-your-github-account) to the user account associated with the [Personal Access Token (PAT)](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) that you will use with the action.
+
+3. Copy the private key to your clipboard, replacing `email@example.com` with the email address of your GPG key.
+   ```
+   # macOS
+   gpg --armor --export-secret-key email@example.com | pbcopy
+   ```
+
+4. Paste the private key into a repository secret where the workflow will run. e.g. `GPG_PRIVATE_KEY`
+
+5. Create another repository secret for the key's passphrase, if applicable. e.g. `GPG_PASSPHRASE`
+
+6. The following example workflow shows how to use [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) to import your GPG key and allow the action to sign commits.
+
+   Note that the `committer` email address *MUST* match the email address used to create your GPG key.
+
+```yaml
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: crazy-max/ghaction-import-gpg@v3
+        with:
+          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+          git-user-signingkey: true
+          git-commit-gpgsign: true
+
+      # Make changes to pull request here
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v3
+        with:
+          token: ${{ secrets.PAT }}
+          committer: example <email@example.com>
+```
+
 ### Running in a container or on self-hosted runners
 
 This action can be run inside a container, or on [self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners), by installing the necessary dependencies.

docs/examples.md

@@ -21,6 +21,7 @@
   - [Filtering push events](#filtering-push-events)
   - [Dynamic configuration using variables](#dynamic-configuration-using-variables)
   - [Setting the pull request body from a file](#setting-the-pull-request-body-from-a-file)
+  - [Using a markdown template](#using-a-markdown-template)
   - [Debugging GitHub Actions](#debugging-github-actions)
 
 
@@ -560,6 +561,31 @@ The content must be [escaped to preserve newlines](https://github.community/t/se
           body: ${{ steps.get-pr-body.outputs.body }}
 ```
 
+### Using a markdown template
+
+In this example, a markdown template file is added to the repository at `.github/pull-request-template.md` with the following content.
+```
+This is a test pull request template
+Render template variables such as {{ .foo }} and {{ .bar }}.
+```
+
+The template is rendered using the [render-template](https://github.com/chuhlomin/render-template) action and the result is used to create the pull request.
+```yml
+      - name: Render template
+        id: template
+        uses: chuhlomin/render-template@v1.2
+        with:
+          template: .github/pull-request-template.md
+          vars: |
+            foo: this
+            bar: that
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v3
+        with:
+          body: ${{ steps.template.outputs.result }}
+```
+
 ### Debugging GitHub Actions
 
 #### Runner Diagnostic Logging

package.json

@@ -31,24 +31,24 @@
   "dependencies": {
     "@actions/core": "1.2.6",
     "@actions/exec": "1.0.4",
-    "@octokit/core": "3.1.2",
-    "@octokit/plugin-paginate-rest": "2.4.0",
-    "@octokit/plugin-rest-endpoint-methods": "4.2.0",
-    "uuid": "8.3.0"
+    "@octokit/core": "3.3.2",
+    "@octokit/plugin-paginate-rest": "2.13.3",
+    "@octokit/plugin-rest-endpoint-methods": "5.0.0",
+    "uuid": "8.3.2"
   },
   "devDependencies": {
-    "@types/jest": "26.0.14",
-    "@types/node": "14.10.3",
-    "@typescript-eslint/parser": "4.1.1",
-    "@vercel/ncc": "0.24.1",
-    "eslint": "7.9.0",
-    "eslint-plugin-github": "4.1.1",
-    "eslint-plugin-jest": "24.0.1",
-    "jest": "26.4.2",
-    "jest-circus": "26.4.2",
-    "js-yaml": "3.14.0",
-    "prettier": "2.1.2",
-    "ts-jest": "26.3.0",
-    "typescript": "4.0.2"
+    "@types/jest": "26.0.22",
+    "@types/node": "14.14.37",
+    "@typescript-eslint/parser": "4.20.0",
+    "@vercel/ncc": "0.27.0",
+    "eslint": "7.23.0",
+    "eslint-plugin-github": "4.1.2",
+    "eslint-plugin-jest": "24.3.2",
+    "jest": "26.6.3",
+    "jest-circus": "26.6.3",
+    "js-yaml": "4.0.0",
+    "prettier": "2.2.1",
+    "ts-jest": "26.5.4",
+    "typescript": "4.2.3"
   }
 }

src/create-pull-request.ts

@@ -195,11 +195,24 @@ export async function createPullRequest(inputs: Inputs): Promise<void> {
 
     if (result.hasDiffWithBase) {
       // Create or update the pull request
-      await githubHelper.createOrUpdatePullRequest(
+      const pull = await githubHelper.createOrUpdatePullRequest(
         inputs,
         baseRemote.repository,
         branchRepository
       )
+
+      // Set outputs
+      core.startGroup('Setting outputs')
+      core.setOutput('pull-request-number', pull.number)
+      core.setOutput('pull-request-url', pull.html_url)
+      if (pull.created) {
+        core.setOutput('pull-request-operation', 'created')
+      } else if (result.action == 'updated') {
+        core.setOutput('pull-request-operation', 'updated')
+      }
+      // Deprecated
+      core.exportVariable('PULL_REQUEST_NUMBER', pull.number)
+      core.endGroup()
     } else {
       // There is no longer a diff with the base
       // Check we are in a state where a branch exists
@@ -215,6 +228,10 @@ export async function createPullRequest(inputs: Inputs): Promise<void> {
             branchRemoteName,
             `refs/heads/${inputs.branch}`
           ])
+          // Set outputs
+          core.startGroup('Setting outputs')
+          core.setOutput('pull-request-operation', 'closed')
+          core.endGroup()
         }
       }
     }

src/github-helper.ts

@@ -13,6 +13,7 @@ interface Repository {
 interface Pull {
   number: number
   html_url: string
+  created: boolean
 }
 
 export class GitHubHelper {
@@ -23,6 +24,7 @@ export class GitHubHelper {
     if (token) {
       options.auth = `${token}`
     }
+    options.baseUrl = process.env['GITHUB_API_URL'] || 'https://api.github.com'
     this.octokit = new Octokit(options)
   }
 
@@ -41,7 +43,7 @@ export class GitHubHelper {
   ): Promise<Pull> {
     // Try to create the pull request
     try {
-      const {data: pull} = await this.octokit.pulls.create({
+      const {data: pull} = await this.octokit.rest.pulls.create({
         ...this.parseRepository(baseRepository),
         title: inputs.title,
         head: headBranch,
@@ -54,7 +56,8 @@ export class GitHubHelper {
       )
       return {
         number: pull.number,
-        html_url: pull.html_url
+        html_url: pull.html_url,
+        created: true
       }
     } catch (e) {
       if (
@@ -68,13 +71,13 @@ export class GitHubHelper {
     }
 
     // Update the pull request that exists for this branch and base
-    const {data: pulls} = await this.octokit.pulls.list({
+    const {data: pulls} = await this.octokit.rest.pulls.list({
       ...this.parseRepository(baseRepository),
       state: 'open',
       head: headBranch,
       base: inputs.base
     })
-    const {data: pull} = await this.octokit.pulls.update({
+    const {data: pull} = await this.octokit.rest.pulls.update({
       ...this.parseRepository(baseRepository),
       pull_number: pulls[0].number,
       title: inputs.title,
@@ -86,12 +89,13 @@ export class GitHubHelper {
     )
     return {
       number: pull.number,
-      html_url: pull.html_url
+      html_url: pull.html_url,
+      created: false
     }
   }
 
   async getRepositoryParent(headRepository: string): Promise<string> {
-    const {data: headRepo} = await this.octokit.repos.get({
+    const {data: headRepo} = await this.octokit.rest.repos.get({
       ...this.parseRepository(headRepository)
     })
     if (!headRepo.parent) {
@@ -106,40 +110,38 @@ export class GitHubHelper {
     inputs: Inputs,
     baseRepository: string,
     headRepository: string
-  ): Promise<void> {
+  ): Promise<Pull> {
     const [headOwner] = headRepository.split('/')
     const headBranch = `${headOwner}:${inputs.branch}`
 
     // Create or update the pull request
     const pull = await this.createOrUpdate(inputs, baseRepository, headBranch)
 
-    // Set outputs
-    core.startGroup('Setting outputs')
-    core.setOutput('pull-request-number', pull.number)
-    core.setOutput('pull-request-url', pull.html_url)
-    // Deprecated
-    core.exportVariable('PULL_REQUEST_NUMBER', pull.number)
-    core.endGroup()
-
-    // Set milestone, labels and assignees
-    const updateIssueParams = {}
+    // Apply milestone
     if (inputs.milestone) {
-      updateIssueParams['milestone'] = inputs.milestone
       core.info(`Applying milestone '${inputs.milestone}'`)
-    }
-    if (inputs.labels.length > 0) {
-      updateIssueParams['labels'] = inputs.labels
-      core.info(`Applying labels '${inputs.labels}'`)
-    }
-    if (inputs.assignees.length > 0) {
-      updateIssueParams['assignees'] = inputs.assignees
-      core.info(`Applying assignees '${inputs.assignees}'`)
-    }
-    if (Object.keys(updateIssueParams).length > 0) {
-      await this.octokit.issues.update({
+      await this.octokit.rest.issues.update({
         ...this.parseRepository(baseRepository),
         issue_number: pull.number,
-        ...updateIssueParams
+        milestone: inputs.milestone
+      })
+    }
+    // Apply labels
+    if (inputs.labels.length > 0) {
+      core.info(`Applying labels '${inputs.labels}'`)
+      await this.octokit.rest.issues.addLabels({
+        ...this.parseRepository(baseRepository),
+        issue_number: pull.number,
+        labels: inputs.labels
+      })
+    }
+    // Apply assignees
+    if (inputs.assignees.length > 0) {
+      core.info(`Applying assignees '${inputs.assignees}'`)
+      await this.octokit.rest.issues.addAssignees({
+        ...this.parseRepository(baseRepository),
+        issue_number: pull.number,
+        assignees: inputs.assignees
       })
     }
 
@@ -155,7 +157,7 @@ export class GitHubHelper {
     }
     if (Object.keys(requestReviewersParams).length > 0) {
       try {
-        await this.octokit.pulls.requestReviewers({
+        await this.octokit.rest.pulls.requestReviewers({
           ...this.parseRepository(baseRepository),
           pull_number: pull.number,
           ...requestReviewersParams
@@ -168,5 +170,7 @@ export class GitHubHelper {
         }
       }
     }
+
+    return pull
   }
 }

src/utils.ts

@@ -39,8 +39,21 @@ interface RemoteDetail {
 export function getRemoteDetail(remoteUrl: string): RemoteDetail {
   // Parse the protocol and github repository from a URL
   // e.g. HTTPS, peter-evans/create-pull-request
-  const httpsUrlPattern = /^https:\/\/.*@?github.com\/(.+\/.+)$/i
-  const sshUrlPattern = /^git@github.com:(.+\/.+).git$/i
+  const githubUrl = process.env['GITHUB_SERVER_URL'] || 'https://github.com'
+
+  const githubServerMatch = githubUrl.match(/^https?:\/\/(.+)$/i)
+  if (!githubServerMatch) {
+    throw new Error('Could not parse GitHub Server name')
+  }
+
+  const httpsUrlPattern = new RegExp(
+    '^https?://.*@?' + githubServerMatch[1] + '/(.+/.+)$',
+    'i'
+  )
+  const sshUrlPattern = new RegExp(
+    '^git@' + githubServerMatch[1] + ':(.+/.+).git$',
+    'i'
+  )
 
   const httpsMatch = remoteUrl.match(httpsUrlPattern)
   if (httpsMatch) {