diff --git a/README.md b/README.md index edb66b5..a92edcb 100644 --- a/README.md +++ b/README.md @@ -6,20 +6,34 @@ A GitHub Action that checks the commits of the current PR and fails if it contai ```yml name: Check signed commits in PR -on: pull_request +on: pull_request_target jobs: - build: - name: Check signed commits in PR + check-signed-commits: + name: Check signed commits in PR runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - - name: Check out code - uses: actions/checkout@v4 - - name: Check signed commits in PR uses: 1Password/check-signed-commits-action@v1 ``` +## `pull_request_target` vs. `pull_request` + +Workflows containing this action can be configured to run both on [`pull_request`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request) events as on [`pull_request_target`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target) events. + +The reason to prefer `pull_request_target` over `pull_request` is to allow the action to post comments on external PRs created from forks. The GitHub token that comes with the regular `pull_request` event does not support commenting on PRs in the upstream repo. + + When using `pull_request_target`, make sure to set the right permissions in the workflow: + +```yml +permissions: + contents: read + pull-requests: write +``` + ## Change PR Comment The comment that will be placed in the PR upon detecting unsigned commits can be changed using the `comment` field: diff --git a/action.yml b/action.yml index b6c8400..8f96730 100644 --- a/action.yml +++ b/action.yml 
@@ -58,21 +58,16 @@ runs: GITHUB_TOKEN: ${{ inputs.token }} COMMENT_TEXT: ${{ inputs.comment }} COMMENTS_URL: ${{ github.event.pull_request.comments_url }} + COMMITS_URL: ${{ github.event.pull_request.commits_url }} run: | - # Escape double quotes and newlines - COMMENT_TEXT="$(echo "$COMMENT_TEXT" | sed 's/"/\\"/g' | awk '{printf "%s\\n", $0}')" - - GITHUB_PR=$(echo $GITHUB_REF | sed -n 's/refs\/pull\/\([0-9]*\)\/merge/\1/p') - if [[ -z "$GITHUB_PR" ]]; then - echo "No PR found to scan for commits." - exit 0 - fi - - unsigned_commits="$(curl -s -H "Authorization: token $GITHUB_TOKEN" "${GITHUB_API_URL:-https://api.github.com}/repos/$GITHUB_REPOSITORY/pulls/$GITHUB_PR/commits" | jq '.[] | select(.commit.verification.verified == false) | .commit.message')" + unsigned_commits="$(curl -s -H "Authorization: token $GITHUB_TOKEN" "$COMMITS_URL" | jq '.[] | select(.commit.verification.verified == false) | .commit.message')" if [[ -n "$unsigned_commits" ]]; then echo "Found unsigned commits:" echo "$unsigned_commits" + # Escape double quotes and newlines in comment + COMMENT_TEXT="$(echo "$COMMENT_TEXT" | sed 's/"/\\"/g' | awk '{printf "%s\\n", $0}')" + curl -X POST $COMMENTS_URL \ -H "Content-Type: application/json" \ -H "Authorization: token $GITHUB_TOKEN" \
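Review bot: the README hunk recommends `pull_request_target` without stating what that trigger changes: the job now runs in the base repository's context with a token that can write to it, so a workflow built from this example must never check out or execute code from the PR head. The example correctly drops the `actions/checkout` step, but the prose only explains the commenting benefit; add one sentence next to `When using \`pull_request_target\`, make sure to set the right permissions in the workflow:` saying that no checkout of the PR head belongs in this job, so readers who copy the snippet and later add a checkout step understand the risk. Minor: `both on ... events as on ...` should read `both on ... and on ...`, and there is a stray leading space before `When using`.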
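Review bot: the new `curl -s -H "Authorization: token $GITHUB_TOKEN" "$COMMITS_URL"` request reads only the first page of the commits endpoint (30 commits by default), so a PR with more commits than that has its later commits skipped and the check passes; either append `?per_page=100` and follow the `Link` pagination or fail the step when the list may be truncated. The same line is also fail-open on API errors: `curl -s` without `--fail` hands an HTTP error body to `jq`, so whether `unsigned_commits` ends up empty depends on how `jq` copes with that body rather than on an explicit check; use `curl -sf` (or verify the status code) so an API failure fails the step instead of reporting no unsigned commits. Style: the `sed`/`awk` escaping moved into the `if` branch still does not escape backslashes; building the body with `jq -n --arg body "$COMMENT_TEXT" '{body: $body}'` would remove the hand-rolled JSON escaping entirely.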