Check commits instead of PR text for pull requests (mristin#122)

With this patch, we verify not only the latest commit message, but also
check that *all* commit messages are verified.

Fixes mristin#28.

.github/workflows/build-and-test.yml

@@ -5,6 +5,7 @@ on:
     branches:
       - master
       - dev
+      - check-all-commits
 
 jobs:
   build:
@@ -27,6 +28,15 @@ jobs:
           additional-verbs: 'chrusimusi, unit-test'
           path-to-additional-verbs: src/additional-verbs.txt
 
+#  test-pr-commits:
+#    runs-on: ubuntu-latest
+#    steps:
+#      - uses: actions/checkout@v4
+#      - uses: ./
+#        with:
+#          validate-pull-request-commits: true
+#          github-token: ${{ secrets.GITHUB_TOKEN }}
+
   test-allow-one-liners:
     runs-on: ubuntu-latest
     steps:

README.md

@@ -206,6 +206,52 @@ You can disable checking the body by setting the flag `skip-body-check`:
           skip-body-check: 'true'
 ```
 
+## Validating PR commit messages
+
+When triggered by a `pull_request` event, the action checks the title and the
+body of the pull request by default. GitHub does not include the content of the
+commit message in the workflow context, so checking all the commit messages of
+the PR requires additional API calls. If you want to check the commit messages
+for pull requests you can either:
+
+- Trigger the action on `push` events. This will check the commit messages of
+  each pushed commit, but it will run even for branches that do not have a PR 
+  associated with them.
+- Set the `validate-pull-request-commits` option to `true`. This will check the
+  messages of every commit in the PR. However, because it requires extra API calls
+  to retrieve the commit messages, setting this on option on _private_ repositories
+  require a GitHub token with at least `read` permission on the `contents` scope.
+
+```yaml
+    steps:
+      - name: Check
+        uses: mristin/[email protected]
+        with:
+          validate-pull-request-commits: 'true'
+          # Required for private repos
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+```
+
+#### Permissions
+
+The default permissions for a GitHub Actions workflow is sufficient for this action to work.
+You only need to check permissions if you are already customizing the permissions of the workflow
+See the [GitHub documentation](https://docs.github.com/en/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token).
+
+```yaml
+jobs:
+  check-commits:
+    # If you have this line,
+    permissions:
+      # Make sure this you also have this line
+      contents: read
+    steps:
+      - uses: mristin/[email protected]
+        with:
+          validate-pull-request-commits: 'true'
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+```
+
 ## Enforce Sign-off
 
 Most projects do not require a sign-off on the commits.
@@ -232,19 +278,6 @@ Signed-off-by: Some Body <[email protected]>
 
 You usually sign off the commits using `git commit --signoff`. 
 
-## Known Issue
-
-Commit messages of the pull request are not verified unless you trigger the 
-workflow on the push as well. GitHub does not include the content of commit 
-messages in the context payload, so checking all the commit messages of 
-the pull request would involve various API call and additional complexity.
-
-To overcome this issue, run opinionated-commit-message both on `pull_request`
-and `push`. Please upvote [this issue](
-https://github.com/mristin/opinionated-commit-message/issues/28
-) to signal the visibility and so that we could judge when this feature merits 
-the effort.
-
 ## Contributing
 
 If you would like to report bugs or request a feature, please create 

action.yml

@@ -36,3 +36,11 @@ inputs:
     description: 'If set to "true", skip the body check'
     required: false
     default: ''
+  validate-pull-request-commits:
+    description: 'If set to "true", validate commits in pull requests instead of the pull request body'
+    required: false
+    default: ''
+  github-token:
+    description: 'GitHub token'
+    required: false
+    default: ''