remove pushing behaviour

README.md

@@ -8,7 +8,7 @@ Please switch to using [pre-commit.ci] which is faster and has more features.
 ___
 
 [![pre-commit.ci status](https://results.pre-commit.ci/badge/github/pre-commit/action/main.svg)](https://results.pre-commit.ci/latest/github/pre-commit/action/main)
-[![Build Status](https://github.com/pre-commit/action/workflows/deploy/badge.svg)](https://github.com/pre-commit/action/actions)
+[![Build Status](https://github.com/pre-commit/action/workflows/main/badge.svg)](https://github.com/pre-commit/action/actions)
 
 pre-commit/action
 =================
@@ -32,8 +32,8 @@ jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - uses: actions/setup-python@v2
+    - uses: actions/checkout@v3
+    - uses: actions/setup-python@v3
     - uses: pre-commit/action@v2.0.3
 ```
 
@@ -59,33 +59,26 @@ the files (use the template above except for the `pre-commit` action):
 
 ### using this action in private repositories
 
-this action also provides an additional behaviour when used in private
-repositories.  when configured with a github token, the action will push back
-fixes to the pull request branch.
+prior to v3.0.0, this action had custom behaviour which pushed changes back to
+the pull request when supplied with a `token`.
 
-using the template above, you'll make two replacements for individual actions:
+this behaviour was removed:
+- it required a PAT (didn't work with short-lived `GITHUB_TOKEN`)
+- properly hiding this `input` from the installation and execution of hooks
+  is intractable in github actions (it is readily available as `$INPUT_TOKEN`)
+- this meant potentially unvetted code could access the token via the
+  environment
 
-first is the checkout step, which needs to use unlimited fetch depth for
-pushing
+you can _likely_ achieve the same thing with an external action such as
+[git-auto-commit-action] though you may want to take precautions to clear `git`
+hooks or other ways that arbitrary code execution can occur when running
+`git commit` / `git push` (for example [core.fsmonitor]).
 
-```yaml
-    - uses: actions/checkout@v2
-      with:
-        fetch-depth: 0
-```
+while unrelated to this action, [pre-commit.ci] avoids these problems by
+installing and executing isolated from the short-lived repository-scoped
+[installation access token].
 
-next is passing the token to the pre-commit action
-
-```yaml
-    - uses: pre-commit/action@v2.0.3
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-```
-
-note that `secrets.GITHUB_TOKEN` is automatically provisioned and will not
-require any special configuration.
-
-while you could _technically_ configure this for a public repository (using a
-personal access token), I can't think of a way to do this safely without
-exposing a privileged token to pull requests -- if you have any ideas, please
-leave an issue!
+[git-auto-commit-action]: https://github.com/stefanzweifel/git-auto-commit-action
+[core.fsmonitor]: https://github.blog/2022-04-12-git-security-vulnerability-announced/
+[pre-commit.ci]: https://pre-commit.ci
+[installation access token]: https://docs.github.com/en/rest/apps/apps#create-an-installation-access-token-for-an-app