Co-Authored-By: Peter Evans <peter-evans@users.noreply.github.com>
13 KiB
Concepts, guidelines and advanced usage
This document covers terminology, how the action works, general usage guidelines, and advanced usage.
Terminology
Pull requests are proposed changes to a repository branch that can be reviewed by a repository's collaborators before being accepted or rejected.
A pull request references two branches:
- The
base
of a pull request is the branch you intend to change once the proposed changes are merged. - The
branch
of a pull request represents what you intend thebase
to look like when merged. It is thebase
branch plus changes that have been made to it.
Events and checkout
For each event type there is a default GITHUB_SHA
that will be checked out by the GitHub Actions checkout action.
The majority of events will default to checking out the "last commit on default branch," which in most cases will be the latest commit on master
.
The default can be overridden by specifying a ref
on checkout.
- uses: actions/checkout@v2
with:
ref: develop
How the action works
By default, the action expects to be executed on the pull request base
—the branch you intend to modify with the proposed changes.
Workflow steps:
- Checkout the
base
branch - Make changes
- Execute
create-pull-request
action
The following git diagram shows how the action creates and updates a pull request branch.
Guidelines
Providing a consistent base
For the action to work correctly it should be executed in a workflow that checks out a consistent base branch. This will be the base of the pull request unless overridden with the base
input.
This means your workflow should be consistently checking out the branch that you intend to modify once the PR is merged.
In the following example, the push
and create
events both trigger the same workflow. This will cause the checkout action to checkout commits from inconsistent branches. Do not do this. It will cause multiple pull requests to be created for each additional base
the action is executed against.
on:
push:
create:
jobs:
example:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
Although rare, there may be use cases where it makes sense to execute the workflow on a branch that is not the base of the pull request. In these cases, the base branch can be specified with the base
action input. The action will attempt to rebase changes made during the workflow on to the actual base.
Pull request events
Workflows triggered by pull_request
events will by default check out a merge commit. To prevent the merge commit being included in created pull requests it is necessary to checkout the head_ref
.
- uses: actions/checkout@v2
with:
ref: ${{ github.head_ref }}
Restrictions on forked repositories
GitHub Actions have imposed restrictions on events triggered by a forked repository. For example, the pull_request
event triggered by a fork opening a pull request in the upstream repository.
-
Events from forks cannot access secrets, except for for the default
GITHUB_TOKEN
.With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository.
-
The
GITHUB_TOKEN
has read-only access when an event is triggered by a forked repository.
These restrictions mean that during a pull_request
event triggered by a forked repository the action will be unable to commit changes to a branch.
A job condition can be added to prevent workflows from executing when triggered by a repository fork.
on: pull_request
jobs:
example:
runs-on: ubuntu-latest
# Check if the event is not triggered by a fork
if: github.event.pull_request.head.repo.full_name == github.repository
Security
From a security perspective it's good practice to fork third-party actions, review the code, and use your fork of the action in workflows. By using third-party actions directly the risk exists that it could be modified to do something malicious, such as capturing secrets.
This action uses ncc to compile the Node.js code and dependencies into a single file. Python dependencies are vendored and committed to the repository here. No dependencies are downloaded during the action execution.
Vendored Python dependencies can be reviewed by rebuilding the dist directory and redownloading dependencies. The following commands require Node and Python 3.
npm install
npm run clean
npm run package
The dist
directory should be rebuilt leaving no git diff.
Advanced usage
Creating pull requests in a remote repository
Checking out a branch from a different repository from where the workflow is executing will make that repository the target for the created pull request. In this case, a repo
scoped Personal Access Token (PAT) is required.
- uses: actions/checkout@v2
with:
token: ${{ secrets.PAT }}
repository: owner/repo
# Make changes to pull request here
- uses: peter-evans/create-pull-request@v2
with:
token: ${{ secrets.PAT }}
Push using SSH (deploy keys)
Deploy keys can be set per repository and so are arguably more secure than using a repo
scoped Personal Access Token (PAT).
Allowing the action to push with a configured deploy key will trigger on: push
workflows. This makes it an alternative to using a PAT to trigger checks for pull requests.
How to use SSH (deploy keys) with create-pull-request action:
- Create a new SSH key pair for your repository. Do not set a passphrase.
- Copy the contents of the public key (.pub file) to a new repository deploy key and check the box to "Allow write access."
- Add a secret to the repository containing the entire contents of the private key.
- As shown in the example steps below, use the
webfactory/ssh-agent
action to install the private key and clone your repository. Remember to checkout thebase
of your pull request if it's not the default branch, e.g.git checkout my-branch
.
steps:
- uses: webfactory/ssh-agent@v0.2.0
with:
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- name: Checkout via SSH
run: git clone git@github.com:peter-evans/create-pull-request.git .
# Make changes to pull request here
- name: Create Pull Request
uses: peter-evans/create-pull-request@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
Push pull request branches to a fork
To enforce security, you can use a dedicated user using machine account. This user has no access to the main repository, it will use their own fork to push code and create the pull request.
- Create a new github user, then login with this user.
- fork the repository.
- create a Personal Access Token (PAT).
- logout and go back to your main user.
- Add a secret to the repository containing the above PAT.
- As shown in the example below, switch the git remote to the fork's url after checkout and set the action input
request-on-parent
totrue
.
- uses: actions/checkout@v2
- run: |
git config user.password ${{ secrets.PAT }}
git remote set-url origin https://github.com/bot-user/fork-project
git fetch --unshallow -p origin
# Make changes to pull request here
- uses: peter-evans/create-pull-request@v2
with:
token: ${{ secrets.PAT }}
request-on-parent: true
Running in a container
This action can be run inside a container by installing the action's dependencies either in the Docker image itself, or during the workflow.
The action requires python3
, pip3
and git
to be installed and on the PATH
.
Note that actions/checkout
requires Git 2.18 or higher to be installed, otherwise it will just download the source of the repository instead of cloning it.
Alpine container example:
jobs:
createPullRequestAlpine:
runs-on: ubuntu-latest
container:
image: alpine
steps:
- name: Install dependencies
run: apk --no-cache add git python3
- uses: actions/checkout@v2
# Make changes to pull request here
- name: Create Pull Request
uses: peter-evans/create-pull-request@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
Ubuntu container example:
jobs:
createPullRequestAlpine:
runs-on: ubuntu-latest
container:
image: ubuntu
steps:
- name: Install dependencies
run: |
apt-get update
apt-get install -y software-properties-common
add-apt-repository -y ppa:git-core/ppa
apt-get install -y python3 python3-pip git
- uses: actions/checkout@v2
# Make changes to pull request here
- name: Create Pull Request
uses: peter-evans/create-pull-request@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
Creating pull requests on tag push
An on: push
workflow will also trigger when tags are pushed.
During these events, the actions/checkout
action will check out the ref/tags/<tag>
git ref by default.
This means the repository will not be checked out on an active branch.
If you would like to run create-pull-request
action on the tagged commit you can achieve this by creating a temporary branch as follows.
on:
push:
tags:
- 'v*.*.*'
jobs:
example:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Create a temporary tag branch
run: |
git config --global user.name 'GitHub'
git config --global user.email 'noreply@github.com'
git checkout -b temp-${GITHUB_REF:10}
git push --set-upstream origin temp-${GITHUB_REF:10}
# Make changes to pull request here
- name: Create Pull Request
uses: peter-evans/create-pull-request@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
base: master
- name: Delete tag branch
run: |
git push --delete origin temp-${GITHUB_REF:10}
This is an alternative, simpler workflow to the one above. However, this is not guaranteed to checkout the tagged commit.
There is a chance that in between the tag being pushed and checking out the master
branch in the workflow, another commit is made to master
. If that possibility is not a concern, this workflow will work fine.
on:
push:
tags:
- 'v*.*.*'
jobs:
example:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
ref: master
# Make changes to pull request here
- name: Create Pull Request
uses: peter-evans/create-pull-request@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}