Merge pull request #164 from pre-commit/remove-pushing

remove pushing behaviour

.github/workflows/main.yml

@@ -0,0 +1,14 @@
+name: main
+on:
+  pull_request:
+  push:
+    branches: [main, test-me-*]
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-python@v3
+    - name: self test action
+      uses: ./

.pre-commit-config.yaml

@@ -5,8 +5,3 @@ repos:
     -   id: trailing-whitespace
     -   id: end-of-file-fixer
     -   id: check-yaml
--   repo: https://github.com/pre-commit/mirrors-eslint
-    rev: v8.16.0
-    hooks:
-    -   id: eslint
-        args: [--fix]

README.md

@@ -8,7 +8,7 @@ Please switch to using [pre-commit.ci] which is faster and has more features.
 ___
 
 [![pre-commit.ci status](https://results.pre-commit.ci/badge/github/pre-commit/action/main.svg)](https://results.pre-commit.ci/latest/github/pre-commit/action/main)
-[![Build Status](https://github.com/pre-commit/action/workflows/deploy/badge.svg)](https://github.com/pre-commit/action/actions)
+[![Build Status](https://github.com/pre-commit/action/workflows/main/badge.svg)](https://github.com/pre-commit/action/actions)
 
 pre-commit/action
 =================
@@ -32,8 +32,8 @@ jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - uses: actions/setup-python@v2
+    - uses: actions/checkout@v3
+    - uses: actions/setup-python@v3
     - uses: pre-commit/[email protected]
 ```
 
@@ -59,33 +59,26 @@ the files (use the template above except for the `pre-commit` action):
 
 ### using this action in private repositories
 
-this action also provides an additional behaviour when used in private
-repositories.  when configured with a github token, the action will push back
-fixes to the pull request branch.
+prior to v3.0.0, this action had custom behaviour which pushed changes back to
+the pull request when supplied with a `token`.
 
-using the template above, you'll make two replacements for individual actions:
+this behaviour was removed:
+- it required a PAT (didn't work with short-lived `GITHUB_TOKEN`)
+- properly hiding this `input` from the installation and execution of hooks
+  is intractable in github actions (it is readily available as `$INPUT_TOKEN`)
+- this meant potentially unvetted code could access the token via the
+  environment
 
-first is the checkout step, which needs to use unlimited fetch depth for
-pushing
+you can _likely_ achieve the same thing with an external action such as
+[git-auto-commit-action] though you may want to take precautions to clear `git`
+hooks or other ways that arbitrary code execution can occur when running
+`git commit` / `git push` (for example [core.fsmonitor]).
 
-```yaml
-    - uses: actions/checkout@v2
-      with:
-        fetch-depth: 0
-```
+while unrelated to this action, [pre-commit.ci] avoids these problems by
+installing and executing isolated from the short-lived repository-scoped
+[installation access token].
 
-next is passing the token to the pre-commit action
-
-```yaml
-    - uses: pre-commit/[email protected]
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-```
-
-note that `secrets.GITHUB_TOKEN` is automatically provisioned and will not
-require any special configuration.
-
-while you could _technically_ configure this for a public repository (using a
-personal access token), I can't think of a way to do this safely without
-exposing a privileged token to pull requests -- if you have any ideas, please
-leave an issue!
+[git-auto-commit-action]: https://github.com/stefanzweifel/git-auto-commit-action
+[core.fsmonitor]: https://github.blog/2022-04-12-git-security-vulnerability-announced/
+[pre-commit.ci]: https://pre-commit.ci
+[installation access token]: https://docs.github.com/en/rest/apps/apps#create-an-installation-access-token-for-an-app

action.yml

@@ -1,13 +1,20 @@
 name: pre-commit
-description: run pre-commit and optionally commit back to the pull request
+description: run pre-commit
 inputs:
   extra_args:
     description: options to pass to pre-commit run
     required: false
     default: '--all-files'
-  token:
-    description: github token to clone / push with
-    required: false
 runs:
-  using: 'node12'
-  main: 'dist/index.js'
+  using: composite
+  steps:
+  - run: python -m pip install pre-commit
+    shell: bash
+  - run: python -m pip freeze --local
+    shell: bash
+  - uses: actions/cache@v3
+    with:
+      path: ~/.cache/pre-commit
+      key: pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}
+  - run: pre-commit run --show-diff-on-failure --color=always ${{ inputs.extra_args }}
+    shell: bash