Remove not needed and not secure features

jangalda-nsc · jangalda-nsc · commit 83c424c34789 · 2024-10-04T15:27:15.000+02:00
All features, which require secrets, are considered as unsafe. Depending on how script-diff action is used, secrets can be compromised with prepared script to call.
diff --git a/README.md b/README.md
@@ -2,52 +2,16 @@
 
 * Execute given script
 * Generates a diff over a given file
-* Posts a comment to the PR with custom message if there is a diff
-* Posts a different comment if there is no diff
-* If there is diff and the PR author reacted with a defineable emote, an auto commit is added
+* Verify if content of generated and commited files equals 
 
 ## Usage
 ``` yaml
 
-- uses: nrfconnect/action-script-diff@v0.2
+- uses: nrfconnect/action-script-diff@v0.3
   with:
-    # Token needed to post comments and add commits
-    github-token: ''
-
-    # Comment message to post when a diff was detected
-    message_diff: ''
-
-    # Comment message to post when no diff was detected
-    message_success: ''
+    # Path to file which should be inspected - relative to GitHub workspace
+    diff_file: ''
 
     # Relative path and script name to be executed
     script_call: ''
-
-    # File to check for diff
-    diff_file: ''
-
-    # Path within the repo where the file to watch is present
-    diff_path: ''
-
-    # The root folder for the git diff
-    git_diff_root: ''
-
-    # User name to be used in the auto commit (Needs to be 'Firstname' 'Lastname')
-    git_user_name: '<Firstname> <Lastname>'
-
-    # E-Mail to be used in the auto commit (Needs to be the verified e-mail of the account to be used)
-    git_user_email: ''
-
-    # Github comment remote to check if present
-    # See https://docs.github.com/en/rest/reactions/reactions
-    # Available emotes:
-    # 👍 -1
-    # 👎 -1
-    # 😄 laugh
-    # 😕 confused
-    # ❤️ heart
-    # 🎉 hooray
-    # 🚀 rocket
-    # 👀 eyes
-    reaction_emote: ''
 ```
diff --git a/action.yml b/action.yml
@@ -1,51 +1,37 @@
-name: 'script diff push'
-description: 'Run a script, show git diff and push changes if allowed'
+name: 'Git diff after script call'
+description: |
+  Check if content of given file changed after calling a script.
+  Action can be used to check if content of commited autogenerated file is valid.
+  Expected content of file can be found in check action's summary and artifacts sections.
 inputs:
-  github-token:
-    description: 'The token to authenticate with'
-  message_diff:
-    description: 'Message if there is a diff'
-    required: true
-  message_success:
-    description: 'Message if no more diff'
-    required: true
   script_call:
-    description: 'Script call'
+    description: 'Script which should be called'
     required: true
   diff_file:
-    description: 'File to run diff on, full path within the git repo'
-    required: true
-  diff_path:
-    description: 'Diff file path within the repo'
-    required: true
-  git_diff_root:
-    description: 'Root path of the git diff'
-    required: true
-  git_user_name:
-    description: 'User name used for git push'
-    required: true
-  git_user_email:
-    description: 'User email used for git push'
-    required: true
-  reaction_emote:
-    description: 'Reaction to check by the PR author'
+    description: 'Path to file which should be inspected - relative to GitHub workspace'
     required: true
 runs:
   using: "composite"
   steps:
+    - name: 'Set env variables'
+      run: |
+        echo "DIFF_FILE_ABS='${{ github.workspace }}/${{ inputs.diff_file }}'" >> $GITHUB_ENV
+        echo "DIFF_FILE_DIR=$(dirname '${{ github.workspace }}/${{ inputs.diff_file }}')" >> $GITHUB_ENV
+        echo "DIFF_FILE_NAME=$(basename '${{ github.workspace }}/${{ inputs.diff_file }}')" >> $GITHUB_ENV
+      shell: bash
+
     - name: Execute ${{ inputs.script_call }}
-      working-directory: ${{ inputs.git_diff_root }}
       run: ${{ inputs.script_call }}
       shell: bash
 
     - name: 'Upload Artifact: ${{ inputs.diff_file }}'
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
-        name: ${{ inputs.diff_file }}
-        path: ${{ inputs.git_diff_root }}/${{ inputs.diff_path }}/${{ inputs.diff_file }}
+        name: ${{ env.DIFF_FILE_NAME }}
+        path: ${{ inputs.diff_file }}
 
     - name: Check for changes in ${{ inputs.diff_file }}
-      working-directory: ${{ inputs.git_diff_root }}
+      working-directory: ${{ env.DIFF_FILE_DIR }}
       id: diff
       shell: bash
       run: |
@@ -65,73 +51,30 @@ runs:
           echo EOF
         } >> $GITHUB_ENV
 
-    - name: Post diff comment
-      uses: nrfconnect/action-comment@v0.1
-      id: comment
-      if: ${{ steps.diff.outputs.diff_result == 1 }}
-      env:
-        REACT_EMOTE: ${{ inputs.reaction_emote }}
-      with:
-        github-token: ${{ inputs.github-token }}
-        reaction: "${{ env.REACT_EMOTE }}"
-        message: "${{ inputs.message_diff }}"
-
-    - name: Post success comment
-      uses: nrfconnect/action-comment@v0.1
-      env:
-        REACT_EMOTE: ${{ inputs.reaction_emote }}
-      if: ${{ steps.diff.outputs.diff_result == 0 }}
-      with:
-        github-token: ${{ inputs.github-token }}
-        reaction: "${{ env.REACT_EMOTE }}"
-        message: "${{ inputs.message_success }}"
-
-    - name: Add changed file
-      working-directory: ${{ inputs.git_diff_root }}
-      if: ${{ steps.comment.outputs.found_reaction == 'True' && steps.diff.outputs.diff_result == 1 }}
-      shell: bash
-      env:
-        GH_TOKEN: ${{ inputs.github-token }}
-      run: |
-        gh pr checkout ${{ github.event.pull_request.number }}
-        git config user.email "\"${{ inputs.git_user_email }}\""
-        git config user.name "\"${{ inputs.git_user_name }}\""
-        git add ${{ inputs.diff_path }}/${{ inputs.diff_file }}
-
-        echo -e '`${{ inputs.diff_file }}` has changed. Pushing to PR branch.' >> $GITHUB_STEP_SUMMARY
-        git config credential.helper store
-        echo "https://x-access-token:${{ inputs.github-token }}@github.com" >> ~/.git-credentials
-
-        git commit -s -m "ci: Updating ${{ inputs.diff_file }}" \
-                      -m 'This is an automated commit from github workflow by NordicBuilder'
-        git push
-        rm ~/.git-credentials
-        unset GH_TOKEN
-
     - name: Post summary
       if: ${{ !cancelled() }}
       shell: bash
       run: |
         if [[ 1 == ${{ steps.diff.outputs.diff_result }} ]]; then
           echo -e 'New ${{ inputs.diff_file }} file differs from the current file.' >> $GITHUB_STEP_SUMMARY
         fi
-        if [[ -e ${{ inputs.git_diff_root }}/${{ inputs.diff_path }}/${{ inputs.diff_file }} ]]; then
+        if [[ -e ${{ env.DIFF_FILE_ABS }} ]]; then
           echo -e '
           <details>
             <summary>${{ inputs.diff_file }}</summary>
 
           ```' >> $GITHUB_STEP_SUMMARY
-          cat ${{ inputs.git_diff_root }}/${{ inputs.diff_path }}/${{ inputs.diff_file }} >> $GITHUB_STEP_SUMMARY
+          cat ${{ env.DIFF_FILE_ABS }} >> $GITHUB_STEP_SUMMARY
           echo -e '```
 
           </details>' >> $GITHUB_STEP_SUMMARY
         else
-          echo -e 'Error during workflow, ${{ inputs.diff_file }} file was not created' >> GITHUB_STEP_SUMMARY
+          echo -e 'Error during workflow, ${{ inputs.diff_file }} file was not created' >> $GITHUB_STEP_SUMMARY
         fi
         if [[ -n $GITDIFF ]] && [[ 1 == ${{ steps.diff.outputs.diff_result}} ]]; then
           echo -e '
           <details>
-            <summary>${{ inputs.diff_file }} diff</summary>
+            <summary>${{ env.DIFF_FILE_NAME }} diff</summary>
 
           ``` diff' >> $GITHUB_STEP_SUMMARY
           echo "$GITDIFF" >> $GITHUB_STEP_SUMMARY
