From c91b8fb449859051dc39d9684aa20a73788e5e5e Mon Sep 17 00:00:00 2001 From: Stefan Natter Date: Tue, 16 May 2023 10:24:56 +0200 Subject: [PATCH] docs: Add permissions (#215 by @natterstefan) Co-authored-by: Jan Amann --- .../lint-pr-title-preview-ignoreLabels.yml | 7 +- ...nt-pr-title-preview-outputErrorMessage.yml | 7 +- ...-pr-title-preview-validateSingleCommit.yml | 7 +- .github/workflows/lint-pr-title-preview.yml | 7 +- .github/workflows/lint-pr-title.yml | 7 +- .github/workflows/release.yml | 10 ++- .github/workflows/test.yml | 9 ++- .github/workflows/versioning.yml | 3 + README.md | 78 ++++++++++++++----- 9 files changed, 99 insertions(+), 36 deletions(-) diff --git a/.github/workflows/lint-pr-title-preview-ignoreLabels.yml b/.github/workflows/lint-pr-title-preview-ignoreLabels.yml index 537f017a9..1ba809c75 100644 --- a/.github/workflows/lint-pr-title-preview-ignoreLabels.yml +++ b/.github/workflows/lint-pr-title-preview-ignoreLabels.yml @@ -8,12 +8,15 @@ on: - labeled - unlabeled +permissions: + pull-requests: read + jobs: main: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 - run: yarn install diff --git a/.github/workflows/lint-pr-title-preview-outputErrorMessage.yml b/.github/workflows/lint-pr-title-preview-outputErrorMessage.yml index 0a1b9bdd6..bae904585 100644 --- a/.github/workflows/lint-pr-title-preview-outputErrorMessage.yml +++ b/.github/workflows/lint-pr-title-preview-outputErrorMessage.yml @@ -6,12 +6,15 @@ on: - edited - synchronize +permissions: + pull-requests: read + jobs: main: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 - run: yarn install 
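Review bot: The new `- uses: actions/checkout@v3` and `- uses: actions/setup-node@v3` lines are pinned to mutable major-version tags, which a compromised or force-moved tag can silently redirect; for a job that goes on to run `yarn install` on the checked-out tree, the usual hardening is a full commit SHA with the version as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v3`. Note also that a top-level `permissions:` block sets every scope it does not list to `none`, so this workflow's token now carries no `contents` scope at all; checkout still works on a public repository, but a private copy of this workflow would need `contents: read` next to `pull-requests: read`, as test.yml in the same patch does. The workflow's `on:` trigger sits above the hunk, so I cannot confirm from here which event it runs under.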
diff --git a/.github/workflows/lint-pr-title-preview-validateSingleCommit.yml b/.github/workflows/lint-pr-title-preview-validateSingleCommit.yml index 80ec74eaa..0f548abab 100644 --- a/.github/workflows/lint-pr-title-preview-validateSingleCommit.yml +++ b/.github/workflows/lint-pr-title-preview-validateSingleCommit.yml @@ -6,12 +6,15 @@ on: - edited - synchronize +permissions: + pull-requests: read + jobs: main: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 - run: yarn install diff --git a/.github/workflows/lint-pr-title-preview.yml b/.github/workflows/lint-pr-title-preview.yml index c09563d2c..3263dcc5a 100644 --- a/.github/workflows/lint-pr-title-preview.yml +++ b/.github/workflows/lint-pr-title-preview.yml @@ -6,12 +6,15 @@ on: - edited - synchronize +permissions: + pull-requests: read + jobs: main: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 - run: yarn install diff --git a/.github/workflows/lint-pr-title.yml b/.github/workflows/lint-pr-title.yml index 818ab00bf..c8e5647cf 100644 --- a/.github/workflows/lint-pr-title.yml +++ b/.github/workflows/lint-pr-title.yml @@ -6,12 +6,15 @@ on: - edited - synchronize +permissions: + pull-requests: read + jobs: main: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 - uses: ./ diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6b554c05c..0a33a9108 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
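Review bot: The checkout step that feeds `- uses: ./` in lint-pr-title.yml deserves a comment saying it deliberately has no `ref:`, because the action code executed by that later step is whatever the checkout fetched. With no `ref:` the default is the workflow's own commit, which under `pull_request_target` (the trigger this patch's README recommends for the action) is the base branch rather than the PR head, so untrusted PR code is not run with the repository token; that property is easy to lose in a later edit that adds `ref: ${{ github.event.pull_request.head.sha }}`. Suggested comment above the step: `# No ref: on purpose - under pull_request_target this checks out the base branch, so "uses: ./" below runs trusted code rather than the PR head.` The `on:` block that fixes the actual trigger is above the hunk, so this is inferred from the README, not seen.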
@@ -4,12 +4,18 @@ on: branches: - main +permissions: + contents: read + deployments: write + issues: write + pull-requests: write + jobs: main: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 - run: yarn install diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 52af69529..d7988f365 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -6,12 +6,15 @@ on: - reopened - synchronize +permissions: + contents: read + jobs: main: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 with: node-version: 16 - run: yarn install @@ -20,7 +23,7 @@ jobs: dist: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: fetch-depth: 0 - name: Check if `dist/` has been modified. diff --git a/.github/workflows/versioning.yml b/.github/workflows/versioning.yml index 107d96459..8e57d2d88 100644 --- a/.github/workflows/versioning.yml +++ b/.github/workflows/versioning.yml @@ -4,6 +4,9 @@ on: release: types: [published, edited] +permissions: + deployments: write + jobs: actions-tagger: runs-on: ubuntu-latest diff --git a/README.md b/README.md index 0b99b51ed..e01561baa 100644 --- a/README.md +++ b/README.md 
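Review bot: `contents: read` in release.yml's new `permissions` block is not sufficient for a release job that creates GitHub releases or pushes tags with `secrets.GITHUB_TOKEN`; both need `contents: write`. If the release step instead uses a personal access token from secrets (the step is below the hunk, so I cannot tell), this block does not constrain that token at all, which is worth stating so the listed scopes are not mistaken for the job's effective privileges, e.g. `# Scopes below apply to GITHUB_TOKEN only; a PAT handed to the release step carries its own, broader permissions.` Separately, the hunk does not show which step needs `deployments: write` on a release job; it should be justified in a comment or dropped to keep the grant minimal.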
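Review bot: `deployments: write` is the only scope granted to versioning.yml's `actions-tagger` job, yet the job's name suggests it moves the major-version tags (such as the `v5` the README tells consumers to reference) on `release` events; creating or force-updating a git ref through GITHUB_TOKEN requires `contents: write`, while `deployments: write` covers only the Deployments API. Confirm the scope against the action's documented requirements, or that it is handed a separate token, otherwise the tag update will presumably be rejected and consumers will stay on a stale major tag. Whichever it is, a one-line comment above `permissions:` naming the token the tagger actually uses would stop the next reader from "fixing" it the wrong way. The step list continues below the hunk.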
@@ -1,18 +1,18 @@ # action-semantic-pull-request -This is a GitHub Action that ensures your PR title matches the [Conventional Commits spec](https://www.conventionalcommits.org/). The typical use case is to use this in combination with a tool like [semantic-release](https://github.com/semantic-release/semantic-release) to automate releases. +This is a GitHub Action that ensures that your pull request titles match the [Conventional Commits spec](https://www.conventionalcommits.org/). Typically, this is used in combination with a tool like [semantic-release](https://github.com/semantic-release/semantic-release) to automate releases. Used by: [Apache](https://github.com/apache/pulsar) · [Vercel](https://github.com/vercel/ncc) · [Microsoft](https://github.com/microsoft/SynapseML) · [Firebase](https://github.com/firebase/flutterfire) · [AWS](https://github.com/aws-ia/terraform-aws-eks-blueprints) · [Electron](https://github.com/electron/forge) – and [many more](https://github.com/amannn/action-semantic-pull-request/network/dependents). ## Examples -**Valid PR titles:** +**Valid pull request titles:** - fix: Correct typo - feat: Add support for Node.js 18 - refactor!: Drop support for Node.js 12 - feat(ui): Add `Button` component -> Note that since PR titles only have a single line, you have to use `!` to indicate breaking changes. +> Note that since pull request titles only have a single line, you have to use `!` to indicate breaking changes. See [Conventional Commits](https://www.conventionalcommits.org/) for more examples. @@ -30,6 +30,9 @@ on: - edited - synchronize +permissions: + pull-requests: read + jobs: main: name: Validate PR title @@ -40,6 +43,8 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} ``` +See the [event triggers documentation](#event-triggers) below to learn more about what `pull_request_target` means. + ## Configuration The action works without configuration, however you can provide options for customization. 
@@ -102,15 +107,55 @@ feat(ui): Add `Button` component # See: https://github.com/conventional-changelog/conventional-changelog/tree/master/packages/conventional-commits-parser#headerpattern headerPattern: '^(\w*)(?:\(([\w$.\-*/ ]*)\))?: (.*)$' headerPatternCorrespondence: type, scope, subject - # For work-in-progress PRs you can typically use draft pull requests - # from GitHub. However, private repositories on the free plan don't have - # this option and therefore this action allows you to opt-in to using the - # special "[WIP]" prefix to indicate this state. This will avoid the - # validation of the PR title and the pull request checks remain pending. - # Note that a second check will be reported if this is enabled. +``` + +### Work-in-progress pull requests + +For work-in-progress PRs you can typically use [draft pull requests from GitHub](https://github.blog/2019-02-14-introducing-draft-pull-requests/). However, private repositories on the free plan don't have this option and therefore this action allows you to opt-in to using the special "[WIP]" prefix to indicate this state. + +**Example:** + +``` +[WIP] feat: Add support for Node.js 18 +``` + +This will prevent the PR title from being validated, and pull request checks will remain pending. + +**Attention**: If you want to use the this feature, you need to grant the `pull-requests: write` permission to the GitHub Action. This is because the action will update the status of the PR to remain in a pending state while `[WIP]` is present in the PR title. 
+ +```yml +name: "Lint PR" + +permissions: + pull-requests: write + +jobs: + main: + name: Validate PR title + runs-on: ubuntu-latest + steps: + - uses: amannn/action-semantic-pull-request@v5 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: wip: true ``` +### Legacy configuration for validating single commits + +When using "Squash and merge" on a PR with only one commit, GitHub will suggest using that commit message instead of the PR title for the merge commit. As it's easy to commit this by mistake this action supports two configuration options to provide additional validation for this case. + +```yml + # If the PR only contains a single commit, the action will validate that + # it matches the configured pattern. + validateSingleCommit: true + # Related to `validateSingleCommit` you can opt-in to validate that the PR + # title matches a single commit to avoid confusion. + validateSingleCommitMatchesPrTitle: true +``` + +However, [GitHub has introduced an option to streamline this behaviour](https://github.blog/changelog/2022-05-11-default-to-pr-titles-for-squash-merge-commit-messages/), so using that instead should be preferred. + ## Event triggers There are two events that can be used as triggers for this action, each with different characteristics: @@ -137,6 +182,9 @@ on: - edited - synchronize +permissions: + pull-requests: read + jobs: main: name: Validate PR title 
@@ -174,15 +222,3 @@ jobs: -## Legacy configuration - -When using "Squash and merge" on a PR with only one commit, GitHub will suggest using that commit message instead of the PR title for the merge commit and it's easy to commit this by mistake. To help out in this situation this action supports two configuration options. However, [GitHub has introduced an option to streamline this behaviour](https://github.blog/changelog/2022-05-11-default-to-pr-titles-for-squash-merge-commit-messages/), so using that instead should be preferred. - -```yml - # If the PR only contains a single commit, the action will validate that - # it matches the configured pattern. - validateSingleCommit: true - # Related to `validateSingleCommit` you can opt-in to validate that the PR - # title matches a single commit to avoid confusion. - validateSingleCommitMatchesPrTitle: true -```