Merge pull request #21 from step-security/auto-cherry-pick

chore: Cherry-picked changes from upstream

Author: Raj-StepSecurity

README.md

@@ -59,9 +59,8 @@ The following is an extended example with all available options.
     # Defaults to "Apply automatic changes"
     commit_message: Automated Change
 
-    # Optional. Local and remote branch name where commit is going to be pushed
-    #  to. Defaults to the current branch.
-    #  You might need to set `create_branch: true` if the branch does not exist.
+    # Optional. Remote branch name where commit is going to be pushed to. 
+    # Defaults to the current branch.
     branch: feature-123
 
     # Optional. Options used by `git-commit`.
@@ -102,20 +101,11 @@ The following is an extended example with all available options.
 
     # Optional. Disable dirty check and always try to create a commit and push
     skip_dirty_check: true    
-    
-    # Optional. Skip internal call to `git fetch`
-    skip_fetch: true    
-    
-    # Optional. Skip internal call to `git checkout`
-    skip_checkout: true
 
     # Optional. Prevents the shell from expanding filenames. 
     # Details: https://www.gnu.org/software/bash/manual/html_node/Filename-Expansion.html
     disable_globbing: true
 
-    # Optional. Create given branch name in local and remote repository.
-    create_branch: true
-
     # Optional. Creates a new tag and pushes it to remote without creating a commit. 
     # Skips dirty check and changed files. Must be used with `tagging_message`.
     create_git_tag_only: false
@@ -416,7 +406,6 @@ The steps in your workflow might look like this:
     commit_message: ${{ steps.last-commit.outputs.message }}
     commit_options: '--amend --no-edit'
     push_options: '--force'
-    skip_fetch: true
 ```
 
 
@@ -452,10 +441,12 @@ If you create a fine-grained personal access token, apply the `Contents`-permiss
 ```yaml
 - uses: actions/checkout@v4
   with:
-    token: ${{ secrets.PAT }}
+    # We pass the "PAT" secret to the checkout action; if no PAT secret is available to the workflow runner (eg. Dependabot) we fall back to the default "GITHUB_TOKEN".
+    token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
 ```
 You can learn more about Personal Access Token in the [GitHub documentation](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token).
 
+
 > [!TIP] 
 > If you're working in an organisation, and you don't want to create the PAT from your personal account, we recommend using a bot-account for such tokens.
 

action.yml

@@ -1,6 +1,8 @@
 name: Git Auto Commit
 description: 'Automatically commits files which have been changed during the workflow run and push changes back to remote repository.'
 
+author: step-security
+
 inputs:
   commit_message:
     description: Commit message
@@ -54,27 +56,28 @@ inputs:
     description: Skip the check if the git repository is dirty and always try to create a commit.
     required: false
     default: false
-  skip_fetch:
-    description: Skip the call to git-fetch.
-    required: false
-    default: false
-  skip_checkout:
-    description: Skip the call to git-checkout.
-    required: false
-    default: false
   disable_globbing:
     description: Stop the shell from expanding filenames (https://www.gnu.org/software/bash/manual/html_node/Filename-Expansion.html)
     default: false
-  create_branch:
-    description: Create new branch with the name of `branch`-input in local and remote repository, if it doesn't exist yet.
-    default: false
   create_git_tag_only:
     description: Perform a clean git tag and push, without commiting anything
     required: false
     default: false
   internal_git_binary:
     description: Internal use only! Path to git binary used to check if git is available. (Don't change this!)
     default: git
+  skip_fetch:
+    description: "Deprecated: skip_fetch has been removed in v6. It does not have any effect anymore."
+    required: false
+    default: false
+  skip_checkout:
+    description: "Deprecated: skip_checkout has been removed in v6. It does not have any effect anymore."
+    required: false
+    default: false
+  create_branch:
+    description: "Deprecated: create_branch has been removed in v6. It does not have any effect anymore."
+    default: false
+
 
 outputs:
   changes_detected:

dist/entrypoint.sh

@@ -27,9 +27,26 @@ _log() {
 }
 
 _main() {
+    if "$INPUT_SKIP_FETCH"; then
+        _log "warning" "git-auto-commit: skip_fetch has been removed in v6. It does not have any effect anymore.";
+    fi
+
+    if "$INPUT_SKIP_CHECKOUT"; then
+        _log "warning" "git-auto-commit: skip_checkout has been removed in v6. It does not have any effect anymore.";
+    fi
+
+    if "$INPUT_CREATE_BRANCH"; then
+        _log "warning" "git-auto-commit: create_branch has been removed in v6. It does not have any effect anymore.";
+    fi
+
     _check_if_git_is_available
 
     _switch_to_repository
+
+    _check_if_is_git_repository
+
+    _check_if_repository_is_in_detached_state
+
     if "$INPUT_CREATE_GIT_TAG_ONLY"; then
         _log "debug" "Create git tag only";
         _set_github_output "create_git_tag_only" "true"
@@ -39,8 +56,6 @@ _main() {
 
         _set_github_output "changes_detected" "true"
 
-        _switch_to_branch
-
         _add_files
 
         # Check dirty state of repo again using git-diff.
@@ -90,36 +105,25 @@ _git_is_dirty() {
     gitStatusMessage="$((git status -s $INPUT_STATUS_OPTIONS -- ${INPUT_FILE_PATTERN_EXPANDED:+${INPUT_FILE_PATTERN_EXPANDED[@]}} >/dev/null ) 2>&1)";
     # shellcheck disable=SC2086
     gitStatus="$(git status -s $INPUT_STATUS_OPTIONS -- ${INPUT_FILE_PATTERN_EXPANDED:+${INPUT_FILE_PATTERN_EXPANDED[@]}})";
-    if [ $? -ne 0 ]; then
-        _log "error" "git-status failed with:<$gitStatusMessage>";
-        exit 1;
-    fi
     [ -n "$gitStatus" ]
 }
 
-_switch_to_branch() {
-    echo "INPUT_BRANCH value: $INPUT_BRANCH";
-
-    # Fetch remote to make sure that repo can be switched to the right branch.
-    if "$INPUT_SKIP_FETCH"; then
-        _log "debug" "git-fetch will not be executed.";
+_check_if_is_git_repository() {
+    if [ -d ".git" ]; then
+        _log "debug" "Repository found.";
     else
-        git fetch --depth=1;
+        _log "error" "Not a git repository. Please make sure to run this action in a git repository. Adjust the `repository` input if necessary.";
+        exit 1;
     fi
+}
 
-    # If `skip_checkout`-input is true, skip the entire checkout step.
-    if "$INPUT_SKIP_CHECKOUT"; then
-        _log "debug" "git-checkout will not be executed.";
+_check_if_repository_is_in_detached_state() {
+    if [ -z "$(git symbolic-ref HEAD)" ]
+    then
+        _log "error" "Repository is in detached HEAD state. Please make sure you check out a branch. Adjust the `ref` input accordingly.";
+        exit 1;
     else
-        # Create new local branch if `create_branch`-input is true
-        if "$INPUT_CREATE_BRANCH"; then
-            # shellcheck disable=SC2086
-            git checkout -B $INPUT_BRANCH --;
-        else
-            # Switch to branch from current Workflow run
-            # shellcheck disable=SC2086
-            git checkout $INPUT_BRANCH --;
-        fi
+        _log "debug" "Repository is on a branch.";
     fi
 }
 
@@ -168,6 +172,8 @@ _tag_commit() {
 
 _push_to_github() {
 
+    echo "INPUT_BRANCH value: $INPUT_BRANCH";
+
     echo "INPUT_PUSH_OPTIONS: ${INPUT_PUSH_OPTIONS}";
     _log "debug" "Apply push options ${INPUT_PUSH_OPTIONS}";
 

entrypoint.sh

@@ -27,9 +27,26 @@ _log() {
 }
 
 _main() {
+    if "$INPUT_SKIP_FETCH"; then
+        _log "warning" "git-auto-commit: skip_fetch has been removed in v6. It does not have any effect anymore.";
+    fi
+
+    if "$INPUT_SKIP_CHECKOUT"; then
+        _log "warning" "git-auto-commit: skip_checkout has been removed in v6. It does not have any effect anymore.";
+    fi
+
+    if "$INPUT_CREATE_BRANCH"; then
+        _log "warning" "git-auto-commit: create_branch has been removed in v6. It does not have any effect anymore.";
+    fi
+
     _check_if_git_is_available
 
     _switch_to_repository
+
+    _check_if_is_git_repository
+
+    _check_if_repository_is_in_detached_state
+
     if "$INPUT_CREATE_GIT_TAG_ONLY"; then
         _log "debug" "Create git tag only";
         _set_github_output "create_git_tag_only" "true"
@@ -39,8 +56,6 @@ _main() {
 
         _set_github_output "changes_detected" "true"
 
-        _switch_to_branch
-
         _add_files
 
         # Check dirty state of repo again using git-diff.
@@ -90,36 +105,25 @@ _git_is_dirty() {
     gitStatusMessage="$((git status -s $INPUT_STATUS_OPTIONS -- ${INPUT_FILE_PATTERN_EXPANDED:+${INPUT_FILE_PATTERN_EXPANDED[@]}} >/dev/null ) 2>&1)";
     # shellcheck disable=SC2086
     gitStatus="$(git status -s $INPUT_STATUS_OPTIONS -- ${INPUT_FILE_PATTERN_EXPANDED:+${INPUT_FILE_PATTERN_EXPANDED[@]}})";
-    if [ $? -ne 0 ]; then
-        _log "error" "git-status failed with:<$gitStatusMessage>";
-        exit 1;
-    fi
     [ -n "$gitStatus" ]
 }
 
-_switch_to_branch() {
-    echo "INPUT_BRANCH value: $INPUT_BRANCH";
-
-    # Fetch remote to make sure that repo can be switched to the right branch.
-    if "$INPUT_SKIP_FETCH"; then
-        _log "debug" "git-fetch will not be executed.";
+_check_if_is_git_repository() {
+    if [ -d ".git" ]; then
+        _log "debug" "Repository found.";
     else
-        git fetch --depth=1;
+        _log "error" "Not a git repository. Please make sure to run this action in a git repository. Adjust the `repository` input if necessary.";
+        exit 1;
     fi
+}
 
-    # If `skip_checkout`-input is true, skip the entire checkout step.
-    if "$INPUT_SKIP_CHECKOUT"; then
-        _log "debug" "git-checkout will not be executed.";
+_check_if_repository_is_in_detached_state() {
+    if [ -z "$(git symbolic-ref HEAD)" ]
+    then
+        _log "error" "Repository is in detached HEAD state. Please make sure you check out a branch. Adjust the `ref` input accordingly.";
+        exit 1;
     else
-        # Create new local branch if `create_branch`-input is true
-        if "$INPUT_CREATE_BRANCH"; then
-            # shellcheck disable=SC2086
-            git checkout -B $INPUT_BRANCH --;
-        else
-            # Switch to branch from current Workflow run
-            # shellcheck disable=SC2086
-            git checkout $INPUT_BRANCH --;
-        fi
+        _log "debug" "Repository is on a branch.";
     fi
 }
 
@@ -168,6 +172,8 @@ _tag_commit() {
 
 _push_to_github() {
 
+    echo "INPUT_BRANCH value: $INPUT_BRANCH";
+
     echo "INPUT_PUSH_OPTIONS: ${INPUT_PUSH_OPTIONS}";
     _log "debug" "Apply push options ${INPUT_PUSH_OPTIONS}";