@@ -8,7 +8,7 @@ Please switch to using [pre-commit.ci] which is faster and has more features.
88___
99
1010[ ![ pre-commit.ci status] ( https://results.pre-commit.ci/badge/github/pre-commit/action/main.svg )] ( https://results.pre-commit.ci/latest/github/pre-commit/action/main )
11- [ ![ Build Status] ( https://github.com/pre-commit/action/workflows/deploy /badge.svg )] ( https://github.com/pre-commit/action/actions )
11+ [ ![ Build Status] ( https://github.com/pre-commit/action/workflows/main /badge.svg )] ( https://github.com/pre-commit/action/actions )
1212
1313pre-commit/action
1414=================
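Review bot: the badge path change on the `[![Build Status]` line assumes the workflow has been renamed from `deploy` to `main`, but that rename is not part of this hunk; confirm that `.github/workflows/main.yml` (or a workflow whose `name:` is `main`) actually exists on the default branch, otherwise the README will render a "no status" badge. If the old `deploy` workflow was retired rather than renamed, a one-line mention of that in the commit message would help anyone tracing this change later.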
3232 pre-commit :
3333 runs-on : ubuntu-latest
3434 steps :
35- - uses : actions/checkout@v2
36- - uses : actions/setup-python@v2
35+ - uses : actions/checkout@v3
36+ - uses : actions/setup-python@v3
3737 -
uses :
pre-commit/[email protected] 3838` ` `
3939
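Review bot: the bumps from `actions/checkout@v2` / `actions/setup-python@v2` to `@v3` pin the README template to mutable major-version tags, and this template is what most users copy verbatim into workflows that then run third-party hooks; consider pinning by full commit SHA with the version in a trailing comment (for example `uses: actions/checkout@<commit-sha> # v3`, where `<commit-sha>` is a placeholder for the actual release commit). Separately, the `pre-commit/[email protected]` line that follows has its ref obfuscated by the page export; verify that the tag it points at is the release this change ships with so the template stays internally consistent.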
@@ -59,33 +59,26 @@ the files (use the template above except for the `pre-commit` action):
5959
6060# ## using this action in private repositories
6161
62- this action also provides an additional behaviour when used in private
63- repositories. when configured with a github token, the action will push back
64- fixes to the pull request branch.
62+ prior to v3.0.0, this action had custom behaviour which pushed changes back to
63+ the pull request when supplied with a `token`.
6564
66- using the template above, you'll make two replacements for individual actions :
65+ this behaviour was removed :
66+ - it required a PAT (didn't work with short-lived `GITHUB_TOKEN`)
67+ - properly hiding this `input` from the installation and execution of hooks
68+ is intractable in github actions (it is readily available as `$INPUT_TOKEN`)
69+ - this meant potentially unvetted code could access the token via the
70+ environment
6771
68- first is the checkout step, which needs to use unlimited fetch depth for
69- pushing
72+ you can _likely_ achieve the same thing with an external action such as
73+ [git-auto-commit-action] though you may want to take precautions to clear `git`
74+ hooks or other ways that arbitrary code execution can occur when running
75+ ` git commit` / `git push` (for example [core.fsmonitor]).
7076
71- ` ` ` yaml
72- - uses: actions/checkout@v2
73- with:
74- fetch-depth: 0
75- ` ` `
77+ while unrelated to this action, [pre-commit.ci] avoids these problems by
78+ installing and executing isolated from the short-lived repository-scoped
79+ [installation access token].
7680
77- next is passing the token to the pre-commit action
78-
79- ` ` ` yaml
80- - uses: pre-commit/[email protected] 81- with:
82- token: ${{ secrets.GITHUB_TOKEN }}
83- ` ` `
84-
85- note that `secrets.GITHUB_TOKEN` is automatically provisioned and will not
86- require any special configuration.
87-
88- while you could _technically_ configure this for a public repository (using a
89- personal access token), I can't think of a way to do this safely without
90- exposing a privileged token to pull requests -- if you have any ideas, please
91- leave an issue!
81+ [git-auto-commit-action] : https://github.com/stefanzweifel/git-auto-commit-action
82+ [core.fsmonitor] : https://github.blog/2022-04-12-git-security-vulnerability-announced/
83+ [pre-commit.ci] : https://pre-commit.ci
84+ [installation access token] : https://docs.github.com/en/rest/apps/apps#create-an-installation-access-token-for-an-app
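Review bot: the hunk removes the documented `token` input from the README but does not show the matching removal from `action.yml`; make sure the input is actually gone (and ideally that supplying it fails the run), because users migrating from the old section will otherwise keep passing `token: ${{ secrets.GITHUB_TOKEN }}` and it will still be exposed as `$INPUT_TOKEN` to every hook, which is exactly the exposure the new bullets describe. Two smaller points: "prior to v3.0.0" names a version that should match the tag this lands in, and the "take precautions to clear `git` hooks" advice would be more actionable if it spelled out what to reset before the commit step runs (the `.git/hooks` directory and repository-level `git config` entries such as `core.fsmonitor`), since those are the paths by which hook-executed code would persist into `git commit` / `git push`.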