Merge tag 'v3.0.0' into release

2025-11-07 02:36:55 +00:00 · 2022-06-05 16:05:03 -04:00 · 2022-06-05 16:05:03 -04:00 · cf04e2f816
commit cf04e2f816
parent f6b535d040 646c83fcd0
5 changed files with 58 additions and 51 deletions
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -0,0 +1,14 @@
+name: main
+on:
+  pull_request:
+  push:
+    branches: [main, test-me-*]
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-python@v3
+    - name: self test action
+      uses: ./
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -0,0 +1,7 @@
+repos:
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.2.0
+    hooks:
+    -   id: trailing-whitespace
+    -   id: end-of-file-fixer
+    -   id: check-yaml
--- a/README.md
+++ b/README.md
@ -8,7 +8,7 @@ Please switch to using [pre-commit.ci] which is faster and has more features.
 ___

 [![pre-commit.ci status](https://results.pre-commit.ci/badge/github/pre-commit/action/main.svg)](https://results.pre-commit.ci/latest/github/pre-commit/action/main)
-[![Build Status](https://github.com/pre-commit/action/workflows/deploy/badge.svg)](https://github.com/pre-commit/action/actions)
+[![Build Status](https://github.com/pre-commit/action/workflows/main/badge.svg)](https://github.com/pre-commit/action/actions)

 pre-commit/action
 =================
@ -32,9 +32,9 @@ jobs:
  pre-commit:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v2
-    - uses: actions/setup-python@v2
-    - uses: pre-commit/action@v2.0.3
+    - uses: actions/checkout@v3
+    - uses: actions/setup-python@v3
+    - uses: pre-commit/action@v3.0.0
 ```

 This does a few things:
@ -52,40 +52,33 @@ Here's a sample step configuration that only runs the `flake8` hook against all
 the files (use the template above except for the `pre-commit` action):

 ```yaml
-    - uses: pre-commit/action@v2.0.3
+    - uses: pre-commit/action@v3.0.0
      with:
        extra_args: flake8 --all-files
 ```

 ### using this action in private repositories

-this action also provides an additional behaviour when used in private
-repositories.  when configured with a github token, the action will push back
-fixes to the pull request branch.
+prior to v3.0.0, this action had custom behaviour which pushed changes back to
+the pull request when supplied with a `token`.

-using the template above, you'll make two replacements for individual actions:
+this behaviour was removed:
+- it required a PAT (didn't work with short-lived `GITHUB_TOKEN`)
+- properly hiding this `input` from the installation and execution of hooks
+  is intractable in github actions (it is readily available as `$INPUT_TOKEN`)
+- this meant potentially unvetted code could access the token via the
+  environment

-first is the checkout step, which needs to use unlimited fetch depth for
-pushing
+you can _likely_ achieve the same thing with an external action such as
+[git-auto-commit-action] though you may want to take precautions to clear `git`
+hooks or other ways that arbitrary code execution can occur when running
+`git commit` / `git push` (for example [core.fsmonitor]).

-```yaml
-    - uses: actions/checkout@v2
-      with:
-        fetch-depth: 0
-```
+while unrelated to this action, [pre-commit.ci] avoids these problems by
+installing and executing isolated from the short-lived repository-scoped
+[installation access token].

-next is passing the token to the pre-commit action
-
-```yaml
-    - uses: pre-commit/action@v2.0.3
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-```
-
-note that `secrets.GITHUB_TOKEN` is automatically provisioned and will not
-require any special configuration.
-
-while you could _technically_ configure this for a public repository (using a
-personal access token), I can't think of a way to do this safely without
-exposing a privileged token to pull requests -- if you have any ideas, please
-leave an issue!
+[git-auto-commit-action]: https://github.com/stefanzweifel/git-auto-commit-action
+[core.fsmonitor]: https://github.blog/2022-04-12-git-security-vulnerability-announced/
+[pre-commit.ci]: https://pre-commit.ci
+[installation access token]: https://docs.github.com/en/rest/apps/apps#create-an-installation-access-token-for-an-app
--- a/action.yml
+++ b/action.yml
@ -1,13 +1,20 @@
 name: pre-commit
-description: run pre-commit and optionally commit back to the pull request
+description: run pre-commit
 inputs:
  extra_args:
    description: options to pass to pre-commit run
    required: false
    default: '--all-files'
-  token:
-    description: github token to clone / push with
-    required: false
 runs:
-  using: 'node12'
-  main: 'dist/index.js'
+  using: composite
+  steps:
+  - run: python -m pip install pre-commit
+    shell: bash
+  - run: python -m pip freeze --local
+    shell: bash
+  - uses: actions/cache@v3
+    with:
+      path: ~/.cache/pre-commit
+      key: pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}
+  - run: pre-commit run --show-diff-on-failure --color=always ${{ inputs.extra_args }}
+    shell: bash
--- a/dist/index.js
+++ b/dist/index.js