Merge pull request #168 from peter-evans/renovate/jest-monorepo

Update dependency jest to v25.5.3

.github/workflows/ci.yml

@@ -0,0 +1,119 @@
+name: CI
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v1
+        with:
+          node-version: 12.x
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+      - run: npm ci
+      - run: npm run clean
+      - run: npm run test
+      - run: npm run package
+      - uses: actions/upload-artifact@v2
+        with:
+          name: dist
+          path: dist
+
+  test:
+    needs: [build]
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        target: [built, committed]
+    steps:
+      - if: github.event_name == 'push'
+        uses: actions/checkout@v2
+      - if: github.event_name == 'pull_request'
+        uses: actions/checkout@v2
+        with:
+          ref: ${{ github.head_ref }}
+      - if: matrix.target == 'built'
+        uses: actions/download-artifact@v2
+        with:
+          name: dist
+          path: dist
+
+      - name: Create change
+        run: date +%s > report.txt
+
+      - name: Create Pull Request
+        id: cpr
+        uses: ./
+        with:
+          commit-message: '[CI] test ${{ matrix.target }}'
+          committer: GitHub <noreply@github.com>
+          author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
+          title: '[CI] test ${{ matrix.target }}'
+          body: |
+            - CI test case for target '${{ matrix.target }}'
+
+            Auto-generated by [create-pull-request][1]
+
+            [1]: https://github.com/peter-evans/create-pull-request
+          branch: ci-test-${{ matrix.target }}
+
+      - name: Close Pull
+        uses: peter-evans/close-pull@v1
+        with:
+          pull-request-number: ${{ steps.cpr.outputs.pr_number }}
+          comment: '[CI] test ${{ matrix.target }}'
+          delete-branch: true
+
+  commentTestSuiteHelp:
+    if: github.event_name == 'pull_request'
+    needs: [test]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Find Comment
+        uses: peter-evans/find-comment@v1
+        id: fc
+        with:
+          issue-number: ${{ github.event.number }}
+          comment-author: 'github-actions[bot]'
+          body-includes: Full test suite slash command
+
+      - if: steps.fc.outputs.comment-id == ''
+        name: Create comment
+        uses: peter-evans/create-or-update-comment@v1
+        with:
+          issue-number: ${{ github.event.number }}
+          body: |
+            Full test suite slash command (repository admin only)
+            ```
+            /test repository=${{ github.event.pull_request.head.repo.full_name }} branch=${{ github.event.pull_request.head.ref }} build=true
+            ```
+
+  package:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+    needs: [test]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/download-artifact@v2
+        with:
+          name: dist
+          path: dist
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v2
+        with:
+          commit-message: Update distribution
+          committer: GitHub <noreply@github.com>
+          author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
+          title: Update distribution
+          body: |
+            - Updates the distribution for changes on `master`
+
+            Auto-generated by [create-pull-request][1]
+
+            [1]: https://github.com/peter-evans/create-pull-request
+          branch: update-distribution

.github/workflows/cpr-example-command.yml

@@ -14,7 +14,8 @@ jobs:
         uses: ./
         with:
           commit-message: Add report file
-          committer: Peter Evans <peter-evans@users.noreply.github.com>
+          committer: GitHub <noreply@github.com>
+          author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
           title: '[Example] Add report file'
           body: |
             New report
@@ -38,7 +39,6 @@ jobs:
       - name: Add reaction
         uses: peter-evans/create-or-update-comment@v1
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
           repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
           comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
           reaction-type: hooray

README.md

@@ -35,7 +35,7 @@ You can also pin to a [specific release](https://github.com/peter-evans/create-p
 
 All inputs are **optional**. If not set, sensible default values will be used.
 
-**Note**: If you want pull requests created by this action to trigger an `on: push` or `on: pull_request` workflow then you must use a [Personal Access Token](https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line) instead of the default `GITHUB_TOKEN`. Alternatively, allow the action to [push using SSH](https://github.com/peter-evans/create-pull-request/blob/master/docs/concepts-guidelines.md#push-using-ssh-deploy-keys) by configuring a deploy key.
+**Note**: If you want pull requests created by this action to trigger an `on: push` or `on: pull_request` workflow then you cannot use the default `GITHUB_TOKEN`. See the [documentation here](https://github.com/peter-evans/create-pull-request/blob/master/docs/concepts-guidelines.md#triggering-further-workflow-runs) for workarounds.
 
 | Name | Description | Default |
 | --- | --- | --- |
@@ -49,7 +49,7 @@ All inputs are **optional**. If not set, sensible default values will be used.
 | `labels` | A comma separated list of labels. | |
 | `assignees` | A comma separated list of assignees (GitHub usernames). | |
 | `reviewers` | A comma separated list of reviewers (GitHub usernames) to request a review from. | |
-| `team-reviewers` | A comma separated list of GitHub teams to request a review from. | |
+| `team-reviewers` | A comma separated list of GitHub teams to request a review from. A `repo` scoped [PAT](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) may be required. See [this issue](https://github.com/peter-evans/create-pull-request/issues/155). | |
 | `milestone` | The number of the milestone to associate this pull request with. | |
 | `project` | The name of the project for which a card should be created. Requires `project-column`. | |
 | `project-column` | The name of the project column under which a card should be created. Requires `project`. | |
@@ -112,12 +112,13 @@ If there are files or directories you want to ignore you can simply add them to
 
 If neither `committer` or `author` inputs are supplied the action will default to making commits that appear to be made by the GitHub Actions bot user.
 
-In most cases, where the committer and author are the same, just the committer can be set.
+The following configuration can be used to have commits authored by the user who triggered the workflow event.
 ```yml
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@v2
         with:
-          committer: Peter Evans <peter-evans@users.noreply.github.com>
+          committer: GitHub <noreply@github.com>
+          author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
 ```
 
 ### Controlling commits
@@ -164,8 +165,8 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: Add report file
-          committer: Peter Evans <peter-evans@users.noreply.github.com>
-          author: Peter Evans <peter-evans@users.noreply.github.com>
+          committer: GitHub <noreply@github.com>
+          author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com>
           title: '[Example] Add report file'
           body: |
             New report

dist/cpr/requirements.txt

@@ -1,2 +1,4 @@
-GitPython==3.1.0
-PyGithub==1.47
+setuptools==46.1.3
+wheel==0.34.2
+GitPython==3.1.1
+PyGithub==1.50

docs/concepts-guidelines.md

@@ -9,6 +9,7 @@ This document covers terminology, how the action works, general usage guidelines
   - [Providing a consistent base](#providing-a-consistent-base)
   - [Pull request events](#pull-request-events)
   - [Restrictions on forked repositories](#restrictions-on-forked-repositories)
+  - [Triggering further workflow runs](#triggering-further-workflow-runs)
   - [Security](#security)
 - [Advanced usage](#advanced-usage)
   - [Creating pull requests in a remote repository](#creating-pull-requests-in-a-remote-repository)
@@ -113,6 +114,23 @@ jobs:
     if: github.event.pull_request.head.repo.full_name == github.repository
 ```
 
+### Triggering further workflow runs
+
+Pull requests created by the action using the default `GITHUB_TOKEN` cannot trigger other workflows. If you have `on: pull_request` or `on: push` workflows acting as checks on pull requests, they will not run.
+
+> When you use the repository's GITHUB_TOKEN to perform tasks on behalf of the GitHub Actions app, events triggered by the GITHUB_TOKEN will not create a new workflow run.
+
+[GitHub Actions: Events that trigger workflows](https://help.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token)
+
+#### Workarounds to trigger further workflow runs
+
+There are a number of workarounds with different pros and cons.
+
+- Use the default `GITHUB_TOKEN` and allow the action to create pull requests that have no checks enabled. Manually close pull requests and immediately reopen them. This will enable `on: pull_request` workflows to run and be added as checks.
+- Use a `repo` scoped [Personal Access Token (PAT)](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) created on an account that has write access to the repository that pull requests are being created in. This is the standard workaround and [recommended by GitHub](https://help.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token). However, the PAT cannot be scoped to a specific repository so the token becomes a very sensitive secret. If this is a concern, the PAT can instead be created for a dedicated [machine account](https://help.github.com/en/github/site-policy/github-terms-of-service#3-account-requirements) that has collaborator access to the repository. Also note that because the account that owns the PAT will be the creator of pull requests, that user account will be unable to perform actions such as request changes or approve the pull request.
+- Use [SSH (deploy keys)](#push-using-ssh-deploy-keys) to push the pull request branch. This is arguably more secure than using a PAT because deploy keys can be set per repository. However, this method will only trigger `on: push` workflows.
+- Use a [machine account that creates pull requests from its own fork](#push-pull-request-branches-to-a-fork). This is the most secure because the PAT created only grants access to the machine account's fork, not the main repository. This method will trigger `on: pull_request` workflows to run. Workflows triggered `on: push` will not run because the push event is in the fork.
+
 ### Security
 
 From a security perspective it's good practice to fork third-party actions, review the code, and use your fork of the action in workflows.
@@ -194,15 +212,15 @@ It will use their own fork to push code and create the pull request.
       - uses: actions/checkout@v2
 
       - run: |
-          git config user.password ${{ secrets.PAT }}
-          git remote set-url origin https://github.com/bot-user/fork-project
+          git config user.password ${{ secrets.MACHINE_USER_PAT }}
+          git remote set-url origin https://github.com/machine-user/fork-of-repository
           git fetch --unshallow -p origin
 
       # Make changes to pull request here
 
       - uses: peter-evans/create-pull-request@v2
         with:
-          token: ${{ secrets.PAT }}
+          token: ${{ secrets.MACHINE_USER_PAT }}
           request-on-parent: true
 ```
 

package.json

@@ -23,14 +23,14 @@
   },
   "homepage": "https://github.com/peter-evans/create-pull-request",
   "dependencies": {
-    "@actions/core": "^1.1.1",
-    "@actions/exec": "^1.0.1",
-    "@actions/tool-cache": "^1.1.2",
-    "is-docker": "^2.0.0"
+    "@actions/core": "1.2.0",
+    "@actions/exec": "1.0.2",
+    "@actions/tool-cache": "1.1.2",
+    "is-docker": "2.0.0"
   },
   "devDependencies": {
-    "@zeit/ncc": "0.22.0",
+    "@zeit/ncc": "0.22.1",
     "eslint": "6.8.0",
-    "jest": "25.2.7"
+    "jest": "25.5.3"
   }
 }

renovate.json

@@ -1,5 +1,11 @@
 {
   "extends": [
     "config:base"
+  ],
+  "packageRules": [
+    {
+      "depTypeList": ["devDependencies"],
+      "automerge": true
+    }
   ]
 }

src/cpr/requirements.txt

@@ -1,2 +1,4 @@
-GitPython==3.1.0
-PyGithub==1.47
+setuptools==46.1.3
+wheel==0.34.2
+GitPython==3.1.1
+PyGithub==1.50