Add report file

Update dependency jest to v25.3.0

.github/workflows/cpr-example-command.yml

@@ -14,7 +14,8 @@ jobs:
         uses: ./
         with:
           commit-message: Add report file
-          committer: Peter Evans <peter-evans@users.noreply.github.com>
+          committer: GitHub <noreply@github.com>
+          author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
           title: '[Example] Add report file'
           body: |
             New report
@@ -38,7 +39,6 @@ jobs:
       - name: Add reaction
         uses: peter-evans/create-or-update-comment@v1
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
           repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
           comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
           reaction-type: hooray

README.md

@@ -35,7 +35,7 @@ You can also pin to a [specific release](https://github.com/peter-evans/create-p
 
 All inputs are **optional**. If not set, sensible default values will be used.
 
-**Note**: If you want pull requests created by this action to trigger an `on: push` or `on: pull_request` workflow then you must use a [Personal Access Token](https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line) instead of the default `GITHUB_TOKEN`. Alternatively, allow the action to [push using SSH](https://github.com/peter-evans/create-pull-request/blob/master/docs/concepts-guidelines.md#push-using-ssh-deploy-keys) by configuring a deploy key.
+**Note**: If you want pull requests created by this action to trigger an `on: push` or `on: pull_request` workflow then you cannot use the default `GITHUB_TOKEN`. See the [documentation here](https://github.com/peter-evans/create-pull-request/blob/master/docs/concepts-guidelines.md#triggering-further-workflow-runs) for workarounds.
 
 | Name | Description | Default |
 | --- | --- | --- |
@@ -112,12 +112,13 @@ If there are files or directories you want to ignore you can simply add them to
 
 If neither `committer` or `author` inputs are supplied the action will default to making commits that appear to be made by the GitHub Actions bot user.
 
-In most cases, where the committer and author are the same, just the committer can be set.
+The following configuration can be used to have commits authored by the user who triggered the workflow event.
 ```yml
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v2
         with:
-          committer: Peter Evans <peter-evans@users.noreply.github.com>
+          committer: GitHub <noreply@github.com>
+          author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
 ```
 
 ### Controlling commits
@@ -164,8 +165,8 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: Add report file
-          committer: Peter Evans <peter-evans@users.noreply.github.com>
-          author: Peter Evans <peter-evans@users.noreply.github.com>
+          committer: GitHub <noreply@github.com>
+          author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
           title: '[Example] Add report file'
           body: |
             New report

docs/concepts-guidelines.md

@@ -9,6 +9,7 @@ This document covers terminology, how the action works, general usage guidelines
   - [Providing a consistent base](#providing-a-consistent-base)
   - [Pull request events](#pull-request-events)
   - [Restrictions on forked repositories](#restrictions-on-forked-repositories)
+  - [Triggering further workflow runs](#triggering-further-workflow-runs)
   - [Security](#security)
 - [Advanced usage](#advanced-usage)
   - [Creating pull requests in a remote repository](#creating-pull-requests-in-a-remote-repository)
@@ -113,6 +114,23 @@ jobs:
     if: github.event.pull_request.head.repo.full_name == github.repository
 ```
 
+### Triggering further workflow runs
+
+Pull requests created by the action using the default `GITHUB_TOKEN` cannot trigger other workflows. If you have `on: pull_request` or `on: push` workflows acting as checks on pull requests, they will not run.
+
+> When you use the repository's GITHUB_TOKEN to perform tasks on behalf of the GitHub Actions app, events triggered by the GITHUB_TOKEN will not create a new workflow run.
+
+[GitHub Actions: Events that trigger workflows](https://help.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token)
+
+#### Workarounds to trigger further workflow runs
+
+There are a number of workarounds with different pros and cons.
+
+- Use the default `GITHUB_TOKEN` and allow the action to create pull requests that have no checks enabled. Manually close pull requests and immediately reopen them. This will enable `on: pull_request` workflows to run and be added as checks.
+- Use a `repo` scoped [Personal Access Token (PAT)](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) created on an account that has write access to the repository that pull requests are being created in. This is the standard workaround and [recommended by GitHub](https://help.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token). However, the PAT cannot be scoped to a specific repository so the token becomes a very sensitive secret. If this is a concern, the PAT can instead be created for a dedicated [machine account](https://help.github.com/en/github/site-policy/github-terms-of-service#3-account-requirements) that has collaborator access to the repository. Also note that because the account that owns the PAT will be the creator of pull requests, that user account will be unable to perform actions such as request changes or approve the pull request.
+- Use [SSH (deploy keys)](#push-using-ssh-deploy-keys) to push the pull request branch. This is arguably more secure than using a PAT because deploy keys can be set per repository. However, this method will only trigger `on: push` workflows.
+- Use a [machine account that creates pull requests from its own fork](#push-pull-request-branches-to-a-fork). This is the most secure because the PAT created only has access to its own fork, not the main repository. This method will trigger `on: pull_request` workflows to run. Workflows triggered `on: push` will not run because the push event is in the fork.
+
 ### Security
 
 From a security perspective it's good practice to fork third-party actions, review the code, and use your fork of the action in workflows.
@@ -194,15 +212,15 @@ It will use their own fork to push code and create the pull request.
       - uses: actions/checkout@v2
 
       - run: |
-          git config user.password ${{ secrets.PAT }}
-          git remote set-url origin https://github.com/bot-user/fork-project
+          git config user.password ${{ secrets.MACHINE_USER_PAT }}
+          git remote set-url origin https://github.com/machine-user/fork-of-repository
           git fetch --unshallow -p origin
 
       # Make changes to pull request here
 
       - uses: peter-evans/create-pull-request@v2
         with:
-          token: ${{ secrets.PAT }}
+          token: ${{ secrets.MACHINE_USER_PAT }}
           request-on-parent: true
 ```
 

package.json

@@ -29,8 +29,8 @@
     "is-docker": "^2.0.0"
   },
   "devDependencies": {
-    "@zeit/ncc": "0.22.0",
+    "@zeit/ncc": "0.22.1",
     "eslint": "6.8.0",
-    "jest": "25.2.7"
+    "jest": "25.3.0"
   }
 }

report.txt

@@ -0,0 +1 @@
+1586506368