Feat/add gh prs

CONTRIBUTING.md

@@ -0,0 +1,70 @@
+## Contributing
+
+### Format and Styling
+
+```
+make format
+make lint
+```
+
+### Running tests
+```
+make test
+```
+
+### Run with poetry
+```
+poetry run trestle-bot
+```
+
+### Local testing
+
+For this guide, we will be using `podman` to test trestlebot in a running container.
+
+1. Build the image
+
+```bash
+podman build -f Dockerfile -t localhost:5000/trestlebot:latest
+```
+
+2. Create an environment variables file if testing with the entrypoint script.
+
+> The entrypoint script is where the logic for GitHub specific integrations should be. The environment variables file will contain variables set by GitHub Actions.
+
+Example file named `envfile`
+
+```
+cat envfile
+...
+
+GITHUB_OUTPUT=
+INPUT_SKIP_ITEMS=
+INPUT_CHECK_ONLY=true
+INPUT_SKIP_ASSEMBLE=false
+INPUT_SKIP_REGENERATE=false
+INPUT_REPOSITORY=.
+INPUT_BRANCH=test
+INPUT_MARKDOWN_PATH=markdown/profiles
+INPUT_OSCAL_MODEL=profile
+INPUT_SSP_INDEX_PATH=
+INPUT_COMMIT_MESSAGE=
+INPUT_COMMIT_USER_NAME=testuser
+[email protected]
+INPUT_FILE_PATTERN=*.md,*.json
+INPUT_COMMIT_AUTHOR_NAME=
+INPUT_COMMIT_AUTHOR_EMAIL=
+INPUT_TARGET_BRANCH=
+GITHUB_ACTIONS=true
+
+```
+3. Use `podman secret` to store sensitive information like API tokens
+
+```bash
+cat my-token.txt | podman secret create repo-secret -
+```
+
+4. Run the container
+
+```bash
+podman run --entrypoint /entrypoint.sh --secret repo-secret,type=env,target=GITHUB_TOKEN --env-file=envfile -v my-trestle-space:/data -w /data localhost:5000/trestlebot:latest
+```

README.md

@@ -41,24 +41,4 @@ Checkout [`action.yml`](./action.yml) for a full list of supported inputs and ou
                 "comp2"
             ]
         },
-```
-
-
-## Contributing
-
-### Format and Styling
-
-```
-make format
-make lint
-```
-
-### Running tests
-```
-make test
-```
-
-### Run with poetry
-```
-poetry run trestle-bot
 ```

TROUBLESHOOTING.md

@@ -5,7 +5,7 @@
 
 Verify the trigger you are using. The default branch is set to `github.ref_name`. If triggered on a pull request, you may notice this set to `pr-number/merge`. Set the branch field to `github.heaf_ref` which is set during pull request triggered workflows.
 
-## Action does not have permission to commit
+## Action does not have permission to commit/pull_request
 
 If your workflow requires that this action make changes to your branch, ensure the token being used has `content: write` permissions and the token is being set.
 
@@ -16,4 +16,17 @@ If your workflow requires that this action make changes to your branch, ensure t
     token: ${{ secrets.TOKEN }}
 ```
 
+If your workflow requires that this action create a pull request (`target_branch` is set), ensure the token being used has `pull_request: write` permissions and the token is being set.
+
+```yaml
+# github_token has no default. 
+# To use default token use ${{ secrets.GITHUB_TOKEN }}
+- uses: RedHatProductSecurity/trestle-bot@main
+  with:
+    markdown_path: "markdown/profiles"
+    assemble_model: "profile"
+    target_branch: "main"
+    github_token: ${{ secrets.TOKEN }}
+```
+
 > Note: Using the GitHub token provided with GitHub Actions to commit to a branch will [NOT trigger additional workflows](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow).

action.yml

@@ -13,6 +13,9 @@ inputs:
     description: "Runs tasks and exits with an error if there is a diff. Defaults to false"
     required: false
     default: false
+  github_token:
+    description: "GitHub token used to make authenticated API requests"
+    required: false
   skip_assemble:
     description: "Skip assembly task. Defaults to false"
     required: false
@@ -24,7 +27,6 @@ inputs:
   skip_items:
     description: "Comma-separated list of content by Trestle name to skip during task execution. For example `profile_x,profile_y`."
     required: false
-    default: ""
   ssp_index_path:
     description: Path relative to the repository path where the ssp index is located. See project README.md for information about the ssp index.
     required: false
@@ -34,9 +36,12 @@ inputs:
     required: false
     default: "Sync automatic updates"
   branch:
-    description: Git branch name, where changes should be pushed too. Required if Action is used on the `pull_request` event
+    description: Name of the Git branch to which modifications should be pushed. Required if Action is used on the `pull_request` event.
     required: false
     default: ${{ github.ref_name }}
+  target_branch:
+    description: Target branch (or base branch) to create a pull request against. If unset, no pull request will be created. If set, a pull request will be created using the `branch` field as the head branch.
+    required: false
   file_pattern:
     description: Comma separated file pattern list used for `git add`. For example `component-definitions/*,*json`. Defaults to (`.`)
     required: false
@@ -72,6 +77,8 @@ runs:
   using: "docker"
   image: "Dockerfile"
   entrypoint: "/entrypoint.sh"
+  env:
+    GITHUB_TOKEN: ${{ inputs.github_token }}
 
 branding:
   icon: "check"

entrypoint.sh

@@ -32,6 +32,7 @@ command="python3.8 -m trestlebot \
         --author-name=\"${INPUT_COMMIT_AUTHOR_NAME}\" \
         --author-email=\"${INPUT_COMMIT_AUTHOR_EMAIL}\" \
         --working-dir=\"${INPUT_REPOSITORY}\" \
+        --target-branch=\"${INPUT_TARGET_BRANCH}\" \
         --skip-items=\"${INPUT_SKIP_ITEMS}\""
 
 # Conditionally include flags
@@ -47,6 +48,16 @@ if [[ ${INPUT_CHECK_ONLY} == true ]]; then
     command+=" --check-only"
 fi
 
+# Only set the token value when is a target branch so pull requests can be created
+if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
+  if [[ -z ${GITHUB_TOKEN} ]]; then
+    echo "Set the GITHUB_TOKEN env variable."
+    exit 1
+  fi
+
+  command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
+fi
+
 exec 3>&1
 output=$(eval "$command" > >(tee /dev/fd/3) 2>&1)