Determine Git commit author from token

[robo9k]

For release-plz/release-plz#999

Determine Git user.name and user.email from the GitHub token.

Examples

Default token:

name: github-actions[bot]
email: 41898282+github-actions[bot]@users.noreply.github.com

Personal Access Token (@robo9k):
Note that this doesn not leak the user email, even if they have one set to publically visible on their profile https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/setting-your-commit-email-address#setting-your-commit-email-address-on-github
https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-user-account-settings/changing-your-github-username#your-git-commits

name: robot9001
email: [email protected]

GitHub App (arbeitsmaschine):

name: arbeitsmaschine[bot]
email: 146221907+arbeitsmaschine[bot]@users.noreply.github.com

Note that the previously hardcoded release-plz <[email protected]> will NOT be used anymore.

[robo9k]

Some references to docs:

• https://docs.github.com/en/actions/using-workflows/using-github-cli-in-workflows
• https://github.com/actions/runner-images/blob/ubuntu22/20230924.1/images/linux/Ubuntu2204-Readme.md#tools
• https://github.com/actions/runner-images/blob/ubuntu22/20230924.1/images/macos/macos-13-Readme.md#utilities
• https://github.com/actions/runner-images/blob/ubuntu22/20230924.1/images/win/Windows2022-Readme.md#tools

[MarcoIeni]

what's the purpose of this comment? Is the GITHUB_TOKEN env variable used in gh here or we need to do something else?

[MarcoIeni]

my concern is that if we don't use a token for the gh cli we could get rate-limited. 🤔

[MarcoIeni]

Here it says that we can set the GH_TOKEN env variable. Should we run gh as GH_TOKEN=GITHUB_TOKEN gh api ...?

[robo9k]

The comment just says that the GITHUB_TOKEN environment variable is implicit and used/required here, just like in the other steps in the action.yml further below it.
IMHO the better design would be instead of:

      - name: Run release-plz
        uses: MarcoIeni/[email protected]
        with: # <--- Input variables
          command: release-pr
          registry: my-registry
          project_manifest: rust-crates/my-crate/Cargo.toml
          version: release-plz-v0.2.45
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

To use an explicit input variable for the token:
In action.yml:

inputs:
  token:
    description: "INPUT: GitHub token with access as per https://release-plz.ieni.dev/docs/github/trigger "
    required: false
    default: ${{ github.token }}

In a user workflow:

      - name: Run release-plz
        uses: MarcoIeni/[email protected]
        with: # <--- Input variables
          command: release-pr
          registry: my-registry
          project_manifest: rust-crates/my-crate/Cargo.toml
          version: release-plz-v0.2.45
          # no token (i.e. default)
          # or Personal Access Token
          token: ${{ secrets.MY_PAT }}
          # or App token from `actions/create-github-app-token`
          # token: ${{ steps.generate-token.outputs.token }}

In action.yml:

- run: |
    …
  env:
    GITHUB_TOKEN: ${{ inputs.token }}

But that would be an unrelated change for this pull request.

The gh CLI needs a token either as GH_TOKEN / GITHUB_TOKEN env var (as per the documentation you linked or https://cli.github.com/manual/gh_help_environment or the one in #85 (comment) ). We need it to use the token we use in our Action, because we want to determine the "viewer" data from that very token (i.e. default / PAT / App). It is unlikely we get rate limited since we always use a token per design here, this step doesn't work without authn token.
GitHub Actions always at least have the default token available as GITHUB_TOKEN env or ${{ github.token }} variable ( https://docs.github.com/en/actions/learn-github-actions/contexts#github-context ) or ${{ secrets.GITHUB_TOKEN }} secret ( https://docs.github.com/en/actions/security-guides/automatic-token-authentication ).

[robo9k]

Or in other words, it says that the following is implicit:

- run: |
    …
  env:
    GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}

because it is redundant.

[robo9k]

@MarcoIeni any updates on this?

I can create a new pull request for the Action to take the token as an input and then rebase this one here onto it once you've merged the other one.

Would you like me to change the code or explain something?

I could add tests for the PAT and App cases, but those would require you to add repository secrets.

[MarcoIeni]

Hey, sorry, but I didn't have the time to look into this yet. I will try to have a look in the following days 👍

[MarcoIeni]

Merged it, seems to work fine!
You can already use it by using the main branch (or specific commit) of this github action.
Let me know if it works fine for you. 👍

[robo9k]

Merged it, seems to work fine! You can already use it by using the main branch (or specific commit) of this github action. Let me know if it works fine for you. 👍

I`ve used 5c035ca and successfully had it create a release as expected robo9k/rust-magic#136 (comment)

The commits are now correctly attributed to my GitHub App https://github.com/robo9k/rust-magic/commits?author=arbeitsmaschine%5Bbot%5D