From b674cd3ec44b3d627899d44e7cd5c649566d291a Mon Sep 17 00:00:00 2001
From: Wagner Santos
Date: Thu, 28 Jan 2021 19:30:01 -0300
Subject: [PATCH] fix: remove output generation

After the CVE-2020-15228 vulnerability, we can't issue commands with sensitive data on this action anymore. Due to that, the JSON output that this action generated was removed.
---
 README.md | 8 ----
 src/action.js | 3 --
 src/action.test.js | 99 ------------------------------------------
 src/generateOutputs.js | 24 ----------
 4 files changed, 134 deletions(-)
 delete mode 100644 src/generateOutputs.js

diff --git a/README.md b/README.md
index 3213ff8..2ea7aa8 100644
--- a/README.md
+++ b/README.md
@@ -62,14 +62,6 @@ You can see more info about GitHub's default token [here](https://docs.github.co
 default: `${{ github.token }}`
-## Outputs
-
-### `results`
-
-The error and warning messages for each one of the analyzed commits. This is useful if you want to use the commitlint results in a JSON format in other jobs. See [the documentation](https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#fromjson) on how to read JSON information from outputs.
-
-Below you can see an example text output together with its corresponding JSON output:
-
 ```
 You have commit messages with errors
diff --git a/src/action.js b/src/action.js
index e74bf13..e8dcaa8 100644
--- a/src/action.js
+++ b/src/action.js
@@ -7,7 +7,6 @@ const lint = require('@commitlint/lint').default
 const { format } = require('@commitlint/format')
 const load = require('@commitlint/load').default
 const gitCommits = require('./gitCommits')
-const generateOutputs = require('./generateOutputs')
 const pullRequestEvent = 'pull_request'
@@ -136,8 +135,6 @@ const showLintResults = async ([from, to]) => {
 )
 const formattedResults = formatErrors(lintedCommits)
- generateOutputs(lintedCommits)
-
 // disable workflow commands
 const token = uuidv4()
 console.log(`::stop-commands::${token}`)
diff --git a/src/action.test.js b/src/action.test.js
index 50eef2e..22ed7aa 100644
--- a/src/action.test.js
+++ b/src/action.test.js
@@ -11,8 +11,6 @@ const {
 updatePullRequestEnvVars,
 } = require('./testUtils')
-const resultsOutputId = 'results'
-
 const {
 matchers: { contains },
 } = td
@@ -44,7 +42,6 @@ describe('Commit Linter action', () => {
 beforeEach(() => {
 core = require('@actions/core')
 td.replace(core, 'getInput')
- td.replace(core, 'setOutput')
 td.replace(console, 'log')
 td.replace(console, 'error')
 td.when(core.getInput('configFile')).thenReturn('./commitlint.config.js')
@@ -262,7 +259,6 @@ describe('Commit Linter action', () => {
 })
 describe('when there are multiple commits failing in the pull request', () => {
- let expectedResultsOutput
 const firstMessage = 'wrong message 1'
 const secondMessage = 'wrong message 2'
@@ -285,23 +281,6 @@ describe('Commit Linter action', () => {
 data: [first, to].map(sha => ({ sha })),
 })
 td.replace(process, 'cwd', () => cwd)
-
- expectedResultsOutput = [
- {
- hash: to,
- message: secondMessage,
- valid: false,
- errors: ['subject may not be empty', 'type may not be empty'],
- warnings: [],
- },
- {
- hash: first,
- message: firstMessage,
- valid: false,
- errors: ['subject may not be empty', 'type may not be empty'],
- warnings: [],
- },
- ]
 })
 it('should NOT show errors for a message from before the push', async () => {
@@ -323,12 +302,6 @@ describe('Commit Linter action', () => {
 td.verify(console.error(contains(secondMessage)))
 })
-
- it('should generate a JSON output of the errors', async () => {
- await runAction()
-
- td.verify(core.setOutput(resultsOutputId, expectedResultsOutput))
- })
 })
 describe('when it fails to fetch commits', () => {
@@ -392,27 +365,9 @@ describe('Commit Linter action', () => {
 td.verify(console.log('Lint free! 🎉'))
 })
-
- it('should generate a JSON output of the messages', async () => {
- const expectedResultsOutput = [
- {
- hash: commitHash,
- message: 'chore: correct message',
- valid: true,
- errors: [],
- warnings: [],
- },
- ]
-
- await runAction()
-
- td.verify(core.setOutput(resultsOutputId, expectedResultsOutput))
- })
 })
 describe('when all errors are just warnings', () => {
- let expectedResultsOutput
-
 beforeEach(async () => {
 cwd = await git.bootstrap('fixtures/conventional')
 await gitEmptyCommit(cwd, 'chore: previous commit')
@@ -426,24 +381,6 @@ describe('Commit Linter action', () => {
 updatePushEnvVars(cwd, to)
 td.replace(process, 'cwd', () => cwd)
 td.replace(console, 'log')
-
- expectedResultsOutput = [
- {
- hash: to,
- message:
- 'chore: correct message\n\nsome context without leading blank line',
- valid: true,
- errors: [],
- warnings: ['body must have leading blank line'],
- },
- {
- hash: from,
- message: 'chore: correct message with no warnings',
- valid: true,
- errors: [],
- warnings: [],
- },
- ]
 })
 it('should pass and show that warnings exist', async () => {
@@ -453,12 +390,6 @@ describe('Commit Linter action', () => {
 td.verify(console.log(contains('You have commit messages with warnings')))
 })
- it('should show the results in an output', async () => {
- await runAction()
-
- td.verify(core.setOutput(resultsOutputId, expectedResultsOutput))
- })
-
 describe('and failOnWarnings is set to true', () => {
 beforeEach(() => {
 td.when(core.getInput('failOnWarnings')).thenReturn('true')
@@ -471,12 +402,6 @@ describe('Commit Linter action', () => {
 console.error(contains('You have commit messages with errors')),
 )
 })
-
- it('should show the results in an output', async () => {
- await runAction()
-
- td.verify(core.setOutput(resultsOutputId, expectedResultsOutput))
- })
 })
 })
@@ -507,30 +432,6 @@ describe('Commit Linter action', () => {
 td.verify(console.error(contains('You have commit messages with errors')))
 })
- it('should show the results in an output', async () => {
- const expectedResultsOutput = [
- {
- hash: secondHash,
- message: 'wrong message',
- valid: false,
- errors: ['subject may not be empty', 'type may not be empty'],
- warnings: [],
- },
- {
- hash: firstHash,
- message:
- 'chore: correct message\n\nsome context without leading blank line',
- valid: true,
- errors: [],
- warnings: ['body must have leading blank line'],
- },
- ]
-
- await runAction()
-
- td.verify(core.setOutput(resultsOutputId, expectedResultsOutput))
- })
-
 describe('and failOnWarnings is set to true', () => {
 beforeEach(() => {
 td.when(core.getInput('failOnWarnings')).thenReturn('true')
diff --git a/src/generateOutputs.js b/src/generateOutputs.js
deleted file mode 100644
index 9fc8f0a..0000000
--- a/src/generateOutputs.js
+++ /dev/null
@@ -1,24 +0,0 @@
-const core = require('@actions/core')
-
-const resultsOutputId = 'results'
-
-const mapMessageValidation = item => item.message
-
-const mapResultOutput = ({
- hash,
- lintResult: { valid, errors, warnings, input },
-}) => ({
- hash,
- message: input,
- valid,
- errors: errors.map(mapMessageValidation),
- warnings: warnings.map(mapMessageValidation),
-})
-
-const generateOutputs = lintedCommits => {
- const resultsOutput = lintedCommits.map(mapResultOutput)
-
- core.setOutput(resultsOutputId, resultsOutput)
-}
-
-module.exports = generateOutputs