From 11a221895d623ad84a8990e530093a465dcf1a89 Mon Sep 17 00:00:00 2001 From: amanstep Date: Thu, 18 Sep 2025 14:55:41 +0530 Subject: [PATCH 1/6] feat: Initial release --- .github/workflows/actions_release.yml | 22 +++ .github/workflows/auto_cherry_pick.yml | 23 +++ .github/workflows/ci.yaml | 16 ++ .github/workflows/docker.yaml | 55 +++++++ .github/workflows/licensing.yaml | 21 +++ .gitignore | 2 + Dockerfile | 16 ++ LICENSE | 203 +++++++++++++++++++++++++ Makefile | 13 ++ README.md | 73 ++++++++- SECURITY.md | 5 + action.yaml | 42 +++++ doc/dependency_decisions.yml | 31 ++++ docker-compose.yml | 14 ++ entrypoint.sh | 106 +++++++++++++ tests/entrypoint.bats | 79 ++++++++++ tests/fixtures/git-status.out-1 | Bin 0 -> 87 bytes 17 files changed, 720 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/actions_release.yml create mode 100644 .github/workflows/auto_cherry_pick.yml create mode 100644 .github/workflows/ci.yaml create mode 100644 .github/workflows/docker.yaml create mode 100644 .github/workflows/licensing.yaml create mode 100644 .gitignore create mode 100644 Dockerfile create mode 100644 LICENSE create mode 100644 Makefile create mode 100644 SECURITY.md create mode 100644 action.yaml create mode 100644 doc/dependency_decisions.yml create mode 100644 docker-compose.yml create mode 100755 entrypoint.sh create mode 100644 tests/entrypoint.bats create mode 100644 tests/fixtures/git-status.out-1 diff --git a/.github/workflows/actions_release.yml b/.github/workflows/actions_release.yml new file mode 100644 index 0000000..b2c7eb2 --- /dev/null +++ b/.github/workflows/actions_release.yml 
@@ -0,0 +1,22 @@ +name: Release GitHub Actions + +on: + workflow_dispatch: + inputs: + tag: + description: "Tag for the release" + required: true + +permissions: + contents: read + +jobs: + release: + permissions: + actions: read + id-token: write + contents: write + + uses: step-security/reusable-workflows/.github/workflows/actions_release.yaml@v1 + with: + tag: "${{ github.event.inputs.tag }}" \ No newline at end of file diff --git a/.github/workflows/auto_cherry_pick.yml b/.github/workflows/auto_cherry_pick.yml new file mode 100644 index 0000000..e3cdb0d --- /dev/null +++ b/.github/workflows/auto_cherry_pick.yml @@ -0,0 +1,23 @@ +name: Auto Cherry-Pick from Upstream + +on: + workflow_dispatch: + inputs: + base_branch: + description: "Base branch to create the PR against" + required: true + default: "main" + +permissions: + contents: write + pull-requests: write + packages: read + issues: write + +jobs: + cherry-pick: + uses: step-security/reusable-workflows/.github/workflows/auto_cherry_pick.yaml@v1 + with: + original-owner: "planetscale" + repo-name: "ghcommit-action" + base_branch: ${{ inputs.base_branch }} diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..e98e289 --- /dev/null +++ b/.github/workflows/ci.yaml @@ -0,0 +1,16 @@ +name: ci + +on: + pull_request: + push: + branches: + - '**' + +jobs: + test: + runs-on: ubuntu-latest + if: github.event_name == 'push' && !contains(toJson(github.event.commits), '[ci skip]') && !contains(toJson(github.event.commits), '[skip ci]') + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - run: make lint + - run: make test diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml new file mode 100644 index 0000000..a5bf556 --- /dev/null +++ b/.github/workflows/docker.yaml 
@@ -0,0 +1,55 @@ +name: Publish docker image + +on: + workflow_dispatch: + inputs: + release_tag: + description: 'Tag to release' + required: true + type: string + +permissions: + contents: read + packages: write + +jobs: + build: + runs-on: ubuntu-latest + if: startsWith(github.event.inputs.release_tag, 'v') + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Validate tag format + run: | + TAG=${{ github.event.inputs.release_tag }} + if ! echo "$TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then + echo "❌ Invalid tag format: $TAG" + exit 1 + fi + echo "✅ Valid semver tag: $TAG" + - name: Log in to GitHub Container Registry + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set up QEMU for ARM builds + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 + + - name: Build and push Docker image + uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0 + with: + context: . + push: true + platforms: linux/amd64,linux/arm64 + tags: | + ghcr.io/${{ github.repository }}:${{ github.event.inputs.release_tag }} \ No newline at end of file diff --git a/.github/workflows/licensing.yaml b/.github/workflows/licensing.yaml new file mode 100644 index 0000000..481f402 --- /dev/null +++ b/.github/workflows/licensing.yaml 
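Review bot: `TAG=${{ github.event.inputs.release_tag }}` in the "Validate tag format" step expands the input directly into the shell script, so the regex check only runs after the raw value has already been parsed by the shell; a value containing shell metacharacters is interpreted there rather than rejected by the later `grep`. The workflow_dispatch trigger and the `startsWith(github.event.inputs.release_tag, 'v')` job condition limit who can reach the step and what the value starts with, but they do not make the interpolation itself safe. Pass the value through the environment instead, `env:` / `TAG: ${{ github.event.inputs.release_tag }}` on the step, and keep the script's existing `"$TAG"` uses unchanged.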
@@ -0,0 +1,21 @@ +name: Verify dependency licenses + +on: + push: + branches: + - main + pull_request: + types: + - opened + - reopened + - synchronize + +jobs: + licensing: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + with: + fetch-depth: 0 + - run: sudo gem install license_finder + - run: license_finder diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..11d886b --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +Attic/ +HACK.md diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..e19fda3 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,16 @@ +FROM --platform=$TARGETARCH ghcr.io/planetscale/ghcommit:v0.1.74 AS ghcommit + +# hadolint ignore=DL3007 +FROM --platform=$TARGETARCH pscale.dev/wolfi-prod/base:latest AS base + +COPY --from=ghcommit /ghcommit /usr/bin/ghcommit + +# hadolint ignore=DL3018 +RUN apk add --no-cache \ + bash \ + git-crypt \ + git + +COPY entrypoint.sh /entrypoint.sh + +ENTRYPOINT ["/entrypoint.sh"] diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..2011fc4 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,203 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2023 PlanetScale, Inc. + Copyright 2025 Step Security. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..5116630 --- /dev/null +++ b/Makefile @@ -0,0 +1,13 @@ +lint: + @docker compose run --rm lint + +test: + @docker compose run --rm tests + @echo "run 'make clean' to stop and remove test containers" + +clean: + @docker compose down + +.DEFAULT_GOAL: test + +.PHONY: lint test clean \ No newline at end of file diff --git a/README.md b/README.md index 95ca7dd..66cff4e 100644 --- a/README.md +++ b/README.md 
@@ -1 +1,72 @@ -# ghcommit-action \ No newline at end of file +# ghcommit-action + +A GitHub Action to detect changed files during a Workflow run and to commit and +push them back to the GitHub repository using the [`ghcommit`](https://github.com/planetscale/ghcommit) utility. + +The advantage of using `ghcommit` is that the commits will be signed by GitHub's +GPG key and show as **Verified**. This is important for repositories that require +signed commits. + +The plugin is inspired by [stefanzweifel/git-auto-commit-action](https://github.com/stefanzweifel/git-auto-commit-action) +and uses some of the same input parameters. We expect to emulate more of its +parameters over time and PRs providing similar functionality will be considered. + +## Usage + +The plugin is currently implemented as a Docker style plugin. It must be run on +a Linux host, eg: `ubuntu-latest`. + +```yaml +name: fmt + +on: + # NOTE: Need to run on a PR so that the ${{ github.head_ref }} (branch) is non-null + pull_request: + types: + - opened + - synchronize + - reopened + +jobs: + fmt-code: + runs-on: ubuntu-latest + + permissions: + # Give the default GITHUB_TOKEN write permission to commit and push the + # added or changed files to the repository. + contents: write + + steps: + - uses: actions/checkout@v4 + # Include the pull request ref in the checkout action to prevent merge commit + # https://github.com/actions/checkout?tab=readme-ov-file#checkout-pull-request-head-commit-instead-of-merge-commit + with: + ref: ${{ github.event.pull_request.head.sha }} + + # Run steps that make changes to the local repo here. 
+ + # Commit all changed files back to the repository + - uses: step-security/ghcommit-action@v0 + with: + commit_message: "🤖 fmt" + repo: ${{ github.repository }} + branch: ${{ github.head_ref || github.ref_name }} + env: + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} +``` + +Example showing all options: + +```yaml + - uses: step-security/ghcommit-action@v0 + with: + commit_message: "🤖 fmt" + repo: ${{ github.repository }} + branch: ${{ github.head_ref || github.ref_name }} + empty: true + file_pattern: '*.txt *.md *.json *.hcl' + env: + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} +``` + +See [`action.yaml`](./action.yaml) for current list of supported inputs. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..77568b2 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,5 @@ +# Security Policy + +## Reporting a Vulnerability + +Please report security vulnerabilities to security@stepsecurity.io diff --git a/action.yaml b/action.yaml new file mode 100644 index 0000000..c45f72f --- /dev/null +++ b/action.yaml 
@@ -0,0 +1,42 @@ +name: "Commit git changes" +description: "Commit git changes directly to GitHub using the GraphQL API" +author: "step-security" + +branding: + color: "orange" + icon: "git-commit" + +inputs: + commit_message: + description: The commit message to use. + required: true + repo: + description: The name of the repo to commit to in "owner/repo" format. + required: true + branch: + description: The name of the branch to commit to. + required: true + empty: + description: Allow making an empty commit if there are no changes. + required: false + default: "false" + file_pattern: + description: File pattern used for `git add`. For example `src/*.js` + required: false + default: "." + +outputs: + commit-url: + description: The URL of the created commit. + commit-hash: + description: The hash of the created commit. + +runs: + using: "docker" + image: "Dockerfile" + args: + - ${{ inputs.commit_message }} + - ${{ inputs.repo }} + - ${{ inputs.branch }} + - ${{ inputs.empty }} + - ${{ inputs.file_pattern }} diff --git a/doc/dependency_decisions.yml b/doc/dependency_decisions.yml new file mode 100644 index 0000000..2f75f6f --- /dev/null +++ b/doc/dependency_decisions.yml @@ -0,0 +1,31 @@ +--- +- - :permit + - bsd-2-clause + - :who: + :why: + :versions: [] + :when: "2022-01-28 22:57:44.699976000 Z" +- - :permit + - bsd-3-clause + - :who: + :why: + :versions: [] + :when: "2022-01-28 22:57:47.442554000 Z" +- - :permit + - apache-2.0 + - :who: + :why: + :versions: [] + :when: "2022-01-28 22:58:10.290944000 Z" +- - :permit + - MIT + - :who: + :why: + :versions: [] + :when: "2022-01-28 23:02:00.154973000 Z" +- - :permit + - ISC + - :who: + :why: + :versions: [] + :when: "2022-01-28 23:02:02.680050000 Z" diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..bd74059 --- /dev/null +++ b/docker-compose.yml 
@@ -0,0 +1,14 @@ +services: + lint: + image: koalaman/shellcheck-alpine:v0.10.0@sha256:5921d946dac740cbeec2fb1c898747b6105e585130cc7f0602eec9a10f7ddb63 + volumes: + - ".:/plugin:ro" + entrypoint: sh + command: + - -c + - 'shellcheck ./plugin/*.sh' + + tests: + image: buildkite/plugin-tester:v4.2.0@sha256:21067012f59af6b8316cceb95850e89a542b50338c72d209a68bbebb33aff8c3 + volumes: + - ".:/plugin:ro" diff --git a/entrypoint.sh b/entrypoint.sh new file mode 100755 index 0000000..30c367e --- /dev/null +++ b/entrypoint.sh 
@@ -0,0 +1,106 @@ +#!/usr/bin/env bash + +set -euo pipefail +[[ -n "${DEBUG:-}" ]] && set -x + +# validate subscription status +API_URL="https://agent.api.stepsecurity.io/v1/github/$GITHUB_REPOSITORY/actions/subscription" + +# Set a timeout for the curl command (3 seconds) +RESPONSE=$(curl --max-time 3 -s -w "%{http_code}" "$API_URL" -o /dev/null) || true +CURL_EXIT_CODE=$? + +# Decide based on curl exit code and HTTP status +if [ $CURL_EXIT_CODE -ne 0 ]; then + echo "Timeout or API not reachable. Continuing to next step." +elif [ "$RESPONSE" = "200" ]; then + : +elif [ "$RESPONSE" = "403" ]; then + echo "Subscription is not valid. Reach out to support@stepsecurity.io" + exit 1 +else + echo "Timeout or API not reachable. Continuing to next step." +fi + +COMMIT_MESSAGE="${1:?Missing commit_message input}" +REPO="${2:?Missing repo input}" +BRANCH="${3:?Missing branch input}" +EMPTY="${4:-false}" +read -r -a FILE_PATTERNS <<<"${5:?Missing file_pattern input}" + +git config --global --add safe.directory "$GITHUB_WORKSPACE" + +adds=() +deletes=() + +while IFS= read -r -d $'\0' line; do + [[ -n "${DEBUG:-}" ]] && echo "line: '$line'" + + # Extract the status in the tree and status in the index (first two characters) + index_status="${line:0:1}" + tree_status="${line:1:1}" + + # Renamed files have status code 'R' and two filenames separated by NUL. We need to read + # an additional chunk (up to the next NUL) to get the new filename. 
+ if [[ "$index_status" == "R" || "$tree_status" == "R" ]]; then + IFS= read -r -d $'\0' old_filename + new_filename="${line:3}" + + echo "Renamed file detected:" + echo "Old Filename: $old_filename" + echo "New Filename: $new_filename" + echo "-----------------------------" + adds+=("$new_filename") + deletes+=("$old_filename") + continue + fi + + # Extract the filename by removing the first three characters (two statuses and a whitespace) + filename="${line:3}" + echo "Filename: $filename" + + # Print the parsed information, useful for debugging + echo "Index Status: $index_status" + echo "Tree Status: $tree_status" + echo "Filename: $filename" + echo "-----------------------------" + # https://git-scm.com/docs/git-status + + # handle adds (A), modifications (M), and type changes (T): + [[ "$tree_status" =~ A|M|T || "$index_status" =~ A|M|T ]] && adds+=("$filename") + + # handle deletes (D): + [[ "$tree_status" =~ D || "$index_status" =~ D ]] && deletes+=("$filename") + +done < <(git status -s --porcelain=v1 -z -- "${FILE_PATTERNS[@]}") + +if [[ "${#adds[@]}" -eq 0 && "${#deletes[@]}" -eq 0 && "$EMPTY" == "false" ]]; then + echo "No changes detected, exiting" + exit 0 +fi + +ghcommit_args=() +ghcommit_args+=(-b "$BRANCH") +ghcommit_args+=(-r "$REPO") +ghcommit_args+=(-m "$COMMIT_MESSAGE") + +if [[ "$EMPTY" =~ ^(true|1|yes)$ ]]; then + ghcommit_args+=(--empty) +fi + +ghcommit_args+=("${adds[@]/#/--add=}") +ghcommit_args+=("${deletes[@]/#/--delete=}") + +[[ -n "${DEBUG:-}" ]] && echo "ghcommit args: '${ghcommit_args[*]}'" + +output=$(ghcommit "${ghcommit_args[@]}" 2>&1) || { + # Show the output on error. This is needed since the exit immediately flag is set. + echo "$output" 1>&2; + exit 1 +} +echo "$output" + +commit_url=$(echo "$output" | grep "Success. New commit:" | awk '{print $NF}') +commit_hash=$(echo "$commit_url" | awk -F '/' '{print $NF}') +echo "commit-url=$commit_url" >> "$GITHUB_OUTPUT" +echo "commit-hash=$commit_hash" >> "$GITHUB_OUTPUT" 
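Review bot: `CURL_EXIT_CODE=$?` after `RESPONSE=$(curl …) || true` always captures 0, because `|| true` is the last command evaluated, so the `if [ $CURL_EXIT_CODE -ne 0 ]` branch is unreachable; an unreachable host is only handled because `-w "%{http_code}"` prints `000` on failure and falls into the final `else`. If the exit status is meant to be observed, capture it in the same list: `RESPONSE=$(curl --max-time 3 -s -w "%{http_code}" "$API_URL" -o /dev/null) && CURL_EXIT_CODE=0 || CURL_EXIT_CODE=$?`. Separately, with `set -euo pipefail` the assignment `commit_url=$(echo "$output" | grep "Success. New commit:" | awk '{print $NF}')` terminates the script when ghcommit exits 0 without printing that line, after the commit has been created but before `$GITHUB_OUTPUT` is written; if that output format is not guaranteed, check for the line explicitly and report a clear error instead.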
diff --git a/tests/entrypoint.bats b/tests/entrypoint.bats new file mode 100644 index 0000000..4f5e9ff --- /dev/null +++ b/tests/entrypoint.bats 
@@ -0,0 +1,79 @@ +#!/usr/bin/env bats + +load "${BATS_PLUGIN_PATH}/load.bash" + +# uncomment to debug these stubs: +# export GIT_STUB_DEBUG=/dev/tty +# export GHCOMMIT_STUB_DEBUG=/dev/tty + +setup() { + export GITHUB_WORKSPACE=/tmp + export GITHUB_REPOSITORY=step-security/ghcommit-action + #export DEBUG=1 +} + +@test "parses git status output and generates correct flags for ghcommit" { + local commit_message='msg' + local repo='org/repo' + local branch='main' + local empty='false' + local file_pattern='.' + + export GITHUB_OUTPUT="$BATS_TEST_TMPDIR/github-output" + + # NOTE: we are passing our hand-crafted fixture through `tr` to convert newlines to nulls since + # we run `git status -z` which uses null terminators. The newlines are meant to make the file easier + # to modify and prevent cat from removing the leading space on lines/entries since that is a part + # of the git status output. + stub git \ + "config --global --add safe.directory $GITHUB_WORKSPACE : echo stubbed" \ + "status -s --porcelain=v1 -z -- . : cat ./tests/fixtures/git-status.out-1 | tr '\n' '\0'" + + stub ghcommit \ + '-b main -r org/repo -m msg --add=README.md --add=foo.txt --add=new.file --delete=old.file --delete=\""a path with spaces oh joy/file.txt\"" : echo Success. New commit: https://localhost/foo' + + run ./entrypoint.sh "$commit_message" "$repo" "$branch" "$empty" "$file_pattern" + assert_success + assert_output --partial "Success" + assert_file_exist "$GITHUB_OUTPUT" + assert_file_contains "$GITHUB_OUTPUT" "commit-url=https://localhost/foo" +} + +@test "no changes" { + local commit_message='msg' + local repo='org/repo' + local branch='main' + local empty='false' + local file_pattern='.' + + stub git \ + "config --global --add safe.directory $GITHUB_WORKSPACE : echo stubbed" \ + "status -s --porcelain=v1 -z -- . 
: echo" + + run ./entrypoint.sh "$commit_message" "$repo" "$branch" "$empty" "$file_pattern" + assert_success + assert_output --partial "No changes detected" +} + +@test "no changes with --empty flag creates empty commit" { + local commit_message='msg' + local repo='org/repo' + local branch='main' + local empty='true' + local file_pattern='.' + + export GITHUB_OUTPUT="$BATS_TEST_TMPDIR/github-output" + + stub git \ + "config --global --add safe.directory $GITHUB_WORKSPACE : echo stubbed" \ + "status -s --porcelain=v1 -z -- . : echo" + + stub ghcommit \ + '-b main -r org/repo -m msg --empty : echo Success. New commit: https://localhost/foo' + + run ./entrypoint.sh "$commit_message" "$repo" "$branch" "$empty" "$file_pattern" + assert_success + assert_output --partial "Success" + assert_file_exist "$GITHUB_OUTPUT" + assert_file_contains "$GITHUB_OUTPUT" "commit-url=https://localhost/foo" +} diff --git a/tests/fixtures/git-status.out-1 b/tests/fixtures/git-status.out-1 new file mode 100644 index 0000000000000000000000000000000000000000..36fd3bb13672b230c9a5c33df321b153bf27c833 GIT binary patch literal 87 zcmY%JRS0r*bn$i7%T3`@a8yXk&(|xdDB%iHP{>Oy*GtRHNoB~-NdYss6kHUP5)}#( hOEMJ7Gl4{LL1J=hu|j@^LRNmIK1eM{uM(F67XWsd8qNR! literal 0 HcmV?d00001 From acb48cc6e7b39078a81096c8c18eb25e0ceb504a Mon Sep 17 00:00:00 2001 From: amanstep Date: Thu, 18 Sep 2025 14:58:29 +0530 Subject: [PATCH 2/6] ci: remove PR trigger from ci workflow --- .github/workflows/ci.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index e98e289..efefada 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,7 +1,6 @@ name: ci on: - pull_request: push: branches: - '**' From a384f8aec517ad0909ce2e6141b9b64af67cdca5 Mon Sep 17 00:00:00 2001 
From: amanstep Date: Thu, 18 Sep 2025 17:11:31 +0530 Subject: [PATCH 3/6] docs: update readme and made changes to docker workflow --- .github/workflows/docker.yaml | 12 ++++++------ README.md | 4 ---- 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index a5bf556..6e91af9 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -18,12 +18,12 @@ jobs: if: startsWith(github.event.inputs.release_tag, 'v') steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@v2 with: egress-policy: audit - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@v5 - name: Validate tag format run: | TAG=${{ github.event.inputs.release_tag }} @@ -33,20 +33,20 @@ jobs: fi echo "✅ Valid semver tag: $TAG" - name: Log in to GitHub Container Registry - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up QEMU for ARM builds - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 + uses: docker/setup-buildx-action@v3 - name: Build and push Docker image - uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0 + uses: docker/build-push-action@v6 with: context: . push: true diff --git a/README.md b/README.md index 66cff4e..9d30c2d 100644 --- a/README.md +++ b/README.md 
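Review bot: Every `uses:` in this hunk and in the second docker.yaml hunk (`@@ -33,20 +33,20 @@`) replaces a full commit SHA with a floating tag (`harden-runner@v2`, `checkout@v5`, `login-action@v3`, `setup-qemu-action@v3`, `setup-buildx-action@v3`, `build-push-action@v6`), so each step now resolves to whatever commit the tag points to at run time rather than the reviewed revision, and the `# vX.Y.Z` comments that made the pins auditable are dropped with them. This is the workflow that holds `packages: write` and logs in to ghcr.io, so it is the one place a moved tag would run with publishing credentials. Keep the SHA pins and bump them by updating the SHA together with its version comment, in the form the repository already uses in ci.yaml, `uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5`, rather than switching to tags.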
@@ -7,10 +7,6 @@ The advantage of using `ghcommit` is that the commits will be signed by GitHub's GPG key and show as **Verified**. This is important for repositories that require signed commits. -The plugin is inspired by [stefanzweifel/git-auto-commit-action](https://github.com/stefanzweifel/git-auto-commit-action) -and uses some of the same input parameters. We expect to emulate more of its -parameters over time and PRs providing similar functionality will be considered. - ## Usage The plugin is currently implemented as a Docker style plugin. It must be run on From ef1ef09fc4f1ee6b368d16a5bed6e456b7bfcc4d Mon Sep 17 00:00:00 2001 From: amanstep Date: Thu, 18 Sep 2025 17:14:37 +0530 Subject: [PATCH 4/6] docs: updated readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9d30c2d..83950e0 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ jobs: contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 # Include the pull request ref in the checkout action to prevent merge commit # https://github.com/actions/checkout?tab=readme-ov-file#checkout-pull-request-head-commit-instead-of-merge-commit with: From 94e33f8ff3a887d5515812affb7111445fe93ce6 Mon Sep 17 00:00:00 2001 From: amanstep Date: Fri, 19 Sep 2025 01:25:58 +0530 Subject: [PATCH 5/6] feat: added curl to docker so that subscription check gets evaluated --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index e19fda3..bd25bc4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -9,6 +9,7 @@ COPY --from=ghcommit /ghcommit /usr/bin/ghcommit RUN apk add --no-cache \ bash \ git-crypt \ + curl \ git COPY entrypoint.sh /entrypoint.sh From 5ba69f0f2a65c097d60c366fe04062b95afe857a Mon Sep 17 00:00:00 2001 
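Review bot: The Dockerfile hunk adds `curl` without a version pin and out of alphabetical order in the `apk add` list, and nothing in the file says why an HTTP client is now part of a commit-signing action; the commit message attributes it to a "subscription check" in the entrypoint, which is outside this hunk. Add a why-comment on the line, e.g. `curl \  # used by entrypoint.sh for the outbound subscription check`, and pin it (`curl=<version>-r<n>`) so rebuilds are reproducible and hadolint DL3018 does not need to stay suppressed. Since this makes the action perform an outbound network call at runtime, that behaviour also belongs in the README so users with egress policies can allow it.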
From: amanstep Date: Fri, 19 Sep 2025 18:22:45 +0530 Subject: [PATCH 6/6] feat: made changes to Dockerfile addressing security concerns --- .github/workflows/licensing.yaml | 21 --------------------- Dockerfile | 20 ++++++++++---------- doc/dependency_decisions.yml | 31 ------------------------------- 3 files changed, 10 insertions(+), 62 deletions(-) delete mode 100644 .github/workflows/licensing.yaml delete mode 100644 doc/dependency_decisions.yml diff --git a/.github/workflows/licensing.yaml b/.github/workflows/licensing.yaml deleted file mode 100644 index 481f402..0000000 --- a/.github/workflows/licensing.yaml +++ /dev/null @@ -1,21 +0,0 @@ -name: Verify dependency licenses - -on: - push: - branches: - - main - pull_request: - types: - - opened - - reopened - - synchronize - -jobs: - licensing: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - with: - fetch-depth: 0 - - run: sudo gem install license_finder - - run: license_finder diff --git a/Dockerfile b/Dockerfile index bd25bc4..403c9c6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,17 +1,17 @@ -FROM --platform=$TARGETARCH ghcr.io/planetscale/ghcommit:v0.1.74 AS ghcommit +FROM golang:1.25-alpine3.22 -# hadolint ignore=DL3007 -FROM --platform=$TARGETARCH pscale.dev/wolfi-prod/base:latest AS base - -COPY --from=ghcommit /ghcommit /usr/bin/ghcommit +ARG GHCOMMIT_VERSION=v0.1.75 # hadolint ignore=DL3018 -RUN apk add --no-cache \ - bash \ - git-crypt \ - curl \ - git +RUN apk add --no-cache bash git-crypt curl git + +# Download and build ghcommit from source +RUN git clone --depth 1 --branch "${GHCOMMIT_VERSION}" https://github.com/planetscale/ghcommit.git /ghcommit +WORKDIR /ghcommit +RUN go mod download +RUN CGO_ENABLED=0 go build -o /usr/bin/ghcommit . COPY entrypoint.sh /entrypoint.sh +RUN chmod +x /entrypoint.sh /usr/bin/ghcommit ENTRYPOINT ["/entrypoint.sh"] 
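Review bot: The rewritten Dockerfile compiles ghcommit inside the runtime image, so the shipped image now carries the full Go toolchain, the `/ghcommit` source checkout and `git`, whereas the removed lines copied one static binary into a minimal base; for a commit titled "addressing security concerns" this widens the runtime surface rather than narrowing it. A two-stage build keeps the toolchain out of the final layers, `COPY --chmod=0755` replaces the separate `chmod` layer, and a `-trimpath -ldflags="-s -w"` build drops local paths and symbols from the binary. `--branch "${GHCOMMIT_VERSION}"` trusts a mutable git tag, so also pin the expected commit (an `ARG GHCOMMIT_COMMIT` checked against `git rev-parse HEAD` after the clone) and pin both base images by digest. The absence of `USER` looks intentional because a GitHub Docker action must run as root to write `GITHUB_WORKSPACE`; a one-line comment saying so would stop a later reviewer from "fixing" it.
```dockerfile
FROM golang:1.25-alpine3.22 AS build
ARG GHCOMMIT_VERSION=v0.1.75
RUN apk add --no-cache git
RUN git clone --depth 1 --branch "${GHCOMMIT_VERSION}" https://github.com/planetscale/ghcommit.git /ghcommit
WORKDIR /ghcommit
RUN go mod download
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/ghcommit .

FROM alpine:3.22
# hadolint ignore=DL3018
RUN apk add --no-cache bash curl git git-crypt
COPY --from=build /out/ghcommit /usr/bin/ghcommit
# No USER on purpose: a GitHub Docker action must run as root to write GITHUB_WORKSPACE.
COPY --chmod=0755 entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
```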
diff --git a/doc/dependency_decisions.yml b/doc/dependency_decisions.yml deleted file mode 100644 index 2f75f6f..0000000 --- a/doc/dependency_decisions.yml +++ /dev/null @@ -1,31 +0,0 @@ ---- -- - :permit - - bsd-2-clause - - :who: - :why: - :versions: [] - :when: "2022-01-28 22:57:44.699976000 Z" -- - :permit - - bsd-3-clause - - :who: - :why: - :versions: [] - :when: "2022-01-28 22:57:47.442554000 Z" -- - :permit - - apache-2.0 - - :who: - :why: - :versions: [] - :when: "2022-01-28 22:58:10.290944000 Z" -- - :permit - - MIT - - :who: - :why: - :versions: [] - :when: "2022-01-28 23:02:00.154973000 Z" -- - :permit - - ISC - - :who: - :why: - :versions: [] - :when: "2022-01-28 23:02:02.680050000 Z"