With `action: client`, the action uploads the fixed files and metadata to GitHub Actions Artifacts, then creates and deletes a GitHub Issue label to ask a server workflow to fix the code.
```yaml
name: securefix
on: pull_request
jobs:
  test:
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
        with:
          persist-credentials: false
      # Fix code as you like
      - run: npm i -g prettier
      - run: prettier -w .
      # Send a request to a server workflow
      - uses: csm-actions/securefix-action@latest
        with:
          action: client
          app_id: ${{vars.DEMO_CLIENT_APP_ID}}
          app_private_key: ${{secrets.DEMO_CLIENT_PRIVATE_KEY}}
          server_repository: demo-server
```

```yaml
- uses: csm-actions/securefix-action@latest
  with:
    action: client
    app_id: ${{vars.DEMO_CLIENT_APP_ID}}
    app_private_key: ${{secrets.DEMO_CLIENT_PRIVATE_KEY}}
    server_repository: demo-server
    # Push csm-actions/demo-client's foo branch
    repository: csm-actions/demo-client
    branch: foo
```

```yaml
- uses: csm-actions/securefix-action@latest
  with:
    action: client
    app_id: ${{vars.DEMO_CLIENT_APP_ID}}
    app_private_key: ${{secrets.DEMO_CLIENT_PRIVATE_KEY}}
    server_repository: demo-server
    # Push csm-actions/demo-client's foo branch
    repository: csm-actions/demo-client
    branch: foo
    # pull_request_title is required
    pull_request_title: Title
```

You can also configure pull request body, labels, reviewers, assignees, milestone, and so on.
```yaml
- uses: csm-actions/securefix-action@latest
  with:
    action: client
    app_id: ${{vars.AUTOFIX_TRIGGER_APP_ID}}
    app_private_key: ${{secrets.AUTOFIX_TRIGGER_APP_PRIVATE_KEY}}
    server_repository: securefix-demo-server
    repository: szksh-lab/test-delete-branch
    branch: test-2
    pull_request_title: PR title
    pull_request_base_branch: main
    pull_request_body: PR Body
    pull_request_draft: true
    pull_request_assignees: |
      suzuki-shunsuke
    pull_request_reviewers: |
      suzuki-shunsuke
    pull_request_team_reviewers: |
      sre
    pull_request_labels: |
      enhancement
      yo
    pull_request_comment: Hello, @suzuki-shunsuke
    # The input is named milestone_number in the input list
    milestone_number: 1
    automerge_method: squash
    project_owner: szksh-lab
    # project_number: 1
    project_id: PVT_kwDOCabuec4AlJMy
```

- `action`: This must be `client`
- `app_id`: A GitHub App ID
- `app_private_key`: A GitHub App Private Key
- `server_repository`: The name of the GitHub repository where the server workflow runs
Some inputs like `pull_request_labels` accept multiple values separated by a newline.

```yaml
pull_request_labels: |
  enhancement
  yo
```

- `commit_message` (v0.1.0): A commit message
- `fail_if_changes` (v0.2.0): If true, the action fails if there are changes
- `repository` (v0.2.0): The full name of the repository where a commit will be pushed. The Server GitHub App must be installed into this repository
- `branch` (v0.2.0): A branch where a commit will be pushed
- `root_dir` (v0.2.2): A root directory of fixed files
- `use_git_ls_files` (v0.5.1): If true, use `git ls-files` to get files to commit. The default is true.
- `files` (v0.2.0): Fixed files. By default, `git ls-files --modified --others --exclude-standard`. If `root_dir` is given, `files` must be relative paths from `root_dir`. Each file is separated by a newline.
- `pull_request_title` (v0.2.0): A pull request title
- `pull_request_base_branch` (v0.2.0): A pull request base branch. From v0.3.4, `pull_request_base_branch` is optional. By default the default branch is used
- `pull_request_body` (v0.2.0): A pull request description
- `pull_request_labels` (v0.2.0): Pull request labels. Each label is separated by a newline. The action doesn't create labels, so labels must exist.
- `pull_request_draft` (v0.2.0): If true, create a pull request as draft
- `pull_request_reviewers` (v0.2.0): Pull request reviewers. Each reviewer is separated by a newline.
- `pull_request_team_reviewers` (v0.2.0): Pull request team reviewers. Each reviewer is separated by a newline.

Warning
`pull_request_team_reviewers` requires the `members:read` permission

- `pull_request_assignees` (v0.2.0): Pull request assignees. Each assignee is separated by a newline.
- `pull_request_comment` (v0.2.0): Pull request comment
- `project_owner` (v0.3.2): GitHub Project Owner
- `project_number` (v0.3.2): GitHub Project Number
- `project_id` (v0.4.0): GitHub Project ID. `project_id` is better than `project_number` because `project_number` requires a GitHub API call to retrieve the project id every time.
You can retrieve the project id from the project number using GitHub CLI:

```sh
# e.g. gh project view --owner szksh-lab 1 --format json --jq ".id"
gh project view --owner "<Project Owner>" "<Project Number>" --format json --jq ".id"
```

Warning
Adding pull requests to GitHub Projects requires the Organization's `projects:write` permission. Also, `allow_organization_projects_write` must be `true` on the server side.
```yaml
- uses: csm-actions/securefix-action@latest
  id: prepare
  with:
    action: prepare
    app_id: ${{ vars.AUTOFIX_APP_ID }}
    app_private_key: ${{ secrets.AUTOFIX_APP_PRIVATE_KEY }}
    allow_organization_projects_write: true # Required
```

- `milestone_number` (v0.3.3): Milestone Number
- `automerge_method` (v0.3.5): auto-merge method. One of `merge`, `squash`, and `rebase`. By default, auto-merge is disabled.
By default, this action fails if any files are changed. The exception is when a commit is pushed to the other repository or branch, in which case the action succeeds.
If `fail_if_changes` is true, this action fails if any files are changed.
If `fail_if_changes` is false, this action succeeds even if any files are changed.
By default, this action lists all added, modified, and deleted files by running `git ls-files --modified --others --exclude-standard` in `root_dir` (the default is `.`).
The `files` input is passed as arguments to `git ls-files`.
If `use_git_ls_files` is set to `false` (the default is `true`), the action commits the paths given in `files` as they are, without running `git ls-files`.
The repository needs to be checked out before using this action unless `use_git_ls_files` is set to `false`.
The `files` input is a list of paths relative to `root_dir`.
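
The default listing described above, run against a throwaway repository so you can see which paths would be sent to the server workflow before the client step runs. This is an added example, not code from the securefix-action project; the helper names, sample repository and file names are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the securefix-action project). The helper names,
# sample repository and file names are constructed for illustration.
set -e

# Print the paths the default listing would select.
# $1 = root_dir; any further arguments play the role of the `files` input.
preview_fixed_files() {
  root_dir="${1:-.}"
  if [ "$#" -gt 0 ]; then shift; fi
  (cd "$root_dir" &&
    git ls-files --modified --others --exclude-standard -- "$@" | sort -u)
}

# Build a throwaway repository with one file in each state of interest.
make_sample_repo() {
  repo="$(mktemp -d)"
  (
    cd "$repo"
    git init -q
    git config user.email "example@example.invalid"
    git config user.name "example"
    mkdir -p src
    printf 'a\n' > src/tracked.js
    printf 'b\n' > src/removed.js
    printf 'c\n' > src/untouched.js
    printf '.env\n' > .gitignore
    git add .
    git -c commit.gpgsign=false commit -q -m init
    printf 'changed\n' > src/tracked.js  # modified tracked file: listed
    rm src/removed.js                    # deleted tracked file: listed
    printf 'new\n' > src/added.js        # untracked file: listed
    printf 'TOKEN=x\n' > .env            # matches .gitignore: not listed
  )
  printf '%s\n' "$repo"
}

sample="$(make_sample_repo)"
echo "root_dir=. :"; preview_fixed_files "$sample"
echo "root_dir=src, files=tracked.js :"; preview_fixed_files "$sample/src" tracked.js
```

Untracked files are included as long as no ignore rule covers them, so anything an earlier step writes into the workspace is a candidate for the commit unless `files` narrows the selection.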
Nothing.