8000 feat: support pushing a commit to other repository and branch by suzuki-shunsuke · Pull Request #123 · csm-actions/securefix-action · GitHub
feat: support pushing a commit to other repository and branch #123


Merged: 90 commits merged on Jul 4, 2025

Conversation

@suzuki-shunsuke (Contributor) commented Jun 15, 2025

Overview

  • Features
    • Support pushing a commit to another repository and branch
    • Support creating a pull request when pushing a commit to another repository and branch
    • Support specifying files to be pushed
  • Bug Fixes
    • Fix a bug that it fails to push a commit if hidden files are included

This pull request enables this action to change the repository and branch where a commit is pushed.
And it also enables this action to create a pull request.

Why?

By default, Securefix Action pushes a commit to the repository and branch where the action is run.
But there are actually use cases where you want to push a commit to another repository and branch.

  • Scaffold a pull request by workflow_dispatch
  • Update GitHub Pages
  • Create a pull request to the repository A when the repository B is updated
  • etc

Security

Allowing pushes to any repository and branch without restriction is dangerous, so by default changing the repository and branch isn't allowed, meaning the action fails.
You can change the repository and branch only if they are allowed.

⚠️ Additional Permissions

Additional Permissions of the server app are required if some inputs are given.

  • issues:write: This is required if the input pull_request_labels is set
  • members:read: This is required if the input pull_request_team_reviewers is set

How to use

  1. (Optional) Grant additional permissions to the server app (issues:write and members:read)
  2. Add the input config or config_file to csm-actions/securefix-action/server/prepare in the server workflow:

```yaml
- uses: csm-actions/securefix-action/server/prepare@latest
  id: prepare
  with:
    app_id: ${{ vars.APP_ID }}
    app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
    config: |
      entries:
        - client:
            repositories:
              - suzuki-shunsuke/tfaction-example
            branches:
              - main
          push:
            repositories:
              - suzuki-shunsuke/tfaction-example
            branches:
              - "scaffold-working-directory-*" # Glob
              - "follow-up-*" # Glob
        - client:
            repositories:
              - suzuki-shunsuke/tfaction
            branches:
              - main
          push:
            repositories:
              - suzuki-shunsuke/tfaction-docs
            branches:
              - gh-pages
```

💡 To improve maintainability, it's good to manage the config in a dedicated file and read it from the action.

e.g.

```yaml
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
  with:
    persist-credentials: false
    sparse-checkout: |
      config.yaml
    sparse-checkout-cone-mode: false
- uses: csm-actions/securefix-action/server/prepare@latest
  id: prepare
  with:
    app_id: ${{ vars.AUTOFIX_APP_ID }}
    app_private_key: ${{ secrets.AUTOFIX_APP_PRIVATE_KEY }}
    config_file: config.yaml
```
  3. (Optional) Add a workflow to validate the config in the server repository

e.g.

```yaml
---
name: Validate Config
on: pull_request
jobs:
  validate-config:
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
          sparse-checkout: |
            config.yaml
          sparse-checkout-cone-mode: false

      - uses: csm-actions/securefix-action/js@latest
        with:
          action: validate-config
          config_file: config.yaml
```
  4. Specify the repository and branch to be pushed in the client workflow:

```yaml
- uses: csm-actions/securefix-action@latest
  with:
    app_id: ${{ vars.APP_ID }}
    app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
    server_repository: securefix-demo-server
    # Push csm-actions/demo-client's foo branch
    repository: csm-actions/demo-client
    branch: foo
```

New Inputs and Outputs of actions

All of them are optional.

csm-actions/securefix-action

repository or branch is required if you want to change them.

  • repository: The full name of the repository where a commit will be pushed. By default, this is $GITHUB_REPOSITORY
  • branch: The branch where a commit will be pushed. By default, this is the branch where the action is run

--

pull_request_title and pull_request_base_branch are required if you want to create a pull request.

  • pull_request_title: A pull request title
  • pull_request_body: A pull request description
  • pull_request_labels: Pull request labels. This requires issues:write permission
  • pull_request_draft: If true, create a pull request as draft
  • pull_request_reviewers: Pull request reviewers
  • pull_request_team_reviewers: Pull request team reviewers. This requires the members:read permission
  • pull_request_assignees: Pull request assignees
  • pull_request_comment: Pull request comment

--

  • fail_if_changes: If true, the action fails if there are changes

By default, the client action fails if any files are changed, but if a commit is pushed to the other repository or branch, the action succeeds.
If fail_if_changes is true, the client action fails if any files are changed.
If fail_if_changes is false, the client action succeeds even if any files are changed.

csm-actions/securefix-action/server/prepare

Either config or config_file is required to change the repository and branch.

  • config: YAML config to push other repositories and branches
  • config_file: A file path to YAML config
```yaml
# yaml-language-server: $schema=https://raw.githubusercontent.com/csm-actions/securefix-action/main/json-schema/config.json
entries:
  - source:
      repositories:
        - suzuki-shunsuke/tfaction-example
      branches:
        - main
    destination:
      pull_request: true
      repositories:
        - suzuki-shunsuke/tfaction-example
      branches:
        - "scaffold-working-directory-*" # Glob
        - "follow-up-*" # Glob
  - source:
      repositories:
        - suzuki-shunsuke/tfaction
      branches:
        - main
    destination:
      repositories:
        - suzuki-shunsuke/tfaction-docs
      branches:
        - gh-pages
```

config is ignored if no repository or branch is set by the client action.
If branch or repository is set, they are validated against the config.
If there is no entry matching the source repository and branch and the destination repository and branch.
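The allowlist check described above, as an added example that is not code from the securefix-action project: it models how a server could validate a client's requested push target against the `entries` config (source/destination form). The config is embedded as a constructed Python dict mirroring the YAML on this page rather than parsed from a file; the function names `check_push` and `find_entry` are hypothetical; branch patterns are assumed to use shell-style glob semantics (Python's `fnmatch`), repository names are assumed to be matched exactly, and `pull_request: true` on a destination is assumed to be what permits creating a pull request (the page shows the key but does not define it). The real action's matching rules may differ in detail.

```python
from fnmatch import fnmatchcase

# Constructed config: a Python rendering of the `entries` YAML shown in the PR
# description. In the real action this comes from the `config` / `config_file`
# input of csm-actions/securefix-action/server/prepare.
CONFIG = {
    "entries": [
        {
            "source": {
                "repositories": ["suzuki-shunsuke/tfaction-example"],
                "branches": ["main"],
            },
            "destination": {
                "pull_request": True,
                "repositories": ["suzuki-shunsuke/tfaction-example"],
                "branches": ["scaffold-working-directory-*", "follow-up-*"],
            },
        },
        {
            "source": {
                "repositories": ["suzuki-shunsuke/tfaction"],
                "branches": ["main"],
            },
            "destination": {
                "repositories": ["suzuki-shunsuke/tfaction-docs"],
                "branches": ["gh-pages"],
            },
        },
    ]
}


def branch_matches(branch, patterns):
    """Assumption: branch patterns are shell-style globs (fnmatch semantics)."""
    return any(fnmatchcase(branch, pattern) for pattern in patterns)


def repo_matches(repo, repositories):
    """Assumption: repository full names are compared exactly, not as globs."""
    return repo in repositories


def find_entry(config, src_repo, src_branch, dst_repo, dst_branch):
    """Return the first entry whose source AND destination both match, else None."""
    for entry in config["entries"]:
        src, dst = entry["source"], entry["destination"]
        if (
            repo_matches(src_repo, src["repositories"])
            and branch_matches(src_branch, src["branches"])
            and repo_matches(dst_repo, dst["repositories"])
            and branch_matches(dst_branch, dst["branches"])
        ):
            return entry
    return None


def check_push(config, src_repo, src_branch, dst_repo=None, dst_branch=None, create_pr=False):
    """Decide whether a client running in src_repo@src_branch may push to dst_repo@dst_branch.

    dst_repo / dst_branch model the client's `repository` / `branch` inputs (None = not set).
    Returns (allowed, reason).
    """
    # Neither input set: the config is ignored and the push goes to the client's own repo/branch.
    if dst_repo is None and dst_branch is None:
        return True, "config ignored: no repository/branch override requested"

    # An unset input falls back to its default ($GITHUB_REPOSITORY / the running branch).
    dst_repo = dst_repo or src_repo
    dst_branch = dst_branch or src_branch

    entry = find_entry(config, src_repo, src_branch, dst_repo, dst_branch)
    if entry is None:
        # Default-deny: nothing in the allowlist covers this source -> destination pair.
        return False, f"denied: no entry allows {src_repo}@{src_branch} -> {dst_repo}@{dst_branch}"

    # Assumption: `pull_request: true` on the destination is what permits PR creation.
    if create_pr and not entry["destination"].get("pull_request", False):
        return False, "denied: matching entry does not permit creating a pull request"

    return True, "allowed"


if __name__ == "__main__":
    for args in [
        ("suzuki-shunsuke/tfaction-example", "main", None, "follow-up-42"),
        ("suzuki-shunsuke/tfaction-example", "main", None, "release"),
        ("suzuki-shunsuke/tfaction", "main", "suzuki-shunsuke/tfaction-docs", "gh-pages"),
        ("suzuki-shunsuke/tfaction", "feature", "suzuki-shunsuke/tfaction-docs", "gh-pages"),
    ]:
        print(args, "->", check_push(CONFIG, *args))
```

The check is deliberately default-deny on both sides of an entry: a request is refused unless the client's own repository and branch match an entry's `source` and the requested target matches that same entry's `destination`, so a workflow on an unlisted branch cannot reuse an entry written for `main`.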

suzuki-shunsuke added the enhancement (New feature or request) label on Jun 17, 2025
suzuki-shunsuke marked this pull request as ready for review on July 4, 2025 12:28
suzuki-shunsuke merged commit fc242fd into main on Jul 4, 2025
8 checks passed
suzuki-shunsuke deleted the feat-push-to-other-repo-and-branch branch on July 4, 2025 12:28
github-project-automation bot moved this to Done in main on Jul 4, 2025
suzuki-shunsuke added this to the v0.2.0 milestone on Jul 4, 2025
Labels: breaking changes, enhancement (New feature or request)