Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 27 additions & 0 deletions .github/workflows/actions_release.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
name: Release GitHub Actions

on:
workflow_dispatch:
inputs:
tag:
description: "Tag for the release"
required: true
node_version:
description: "Node.js version to use"
required: false
default: "24"

permissions:
contents: read

jobs:
release:
permissions:
actions: read
id-token: write
contents: write

uses: step-security/reusable-workflows/.github/workflows/actions_release.yaml@v1
with:
tag: "${{ github.event.inputs.tag }}"
node_version: ${{ inputs.node_version || '24' }}
33 changes: 33 additions & 0 deletions .github/workflows/audit_package.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
name: NPM Audit Fix Run

on:
workflow_dispatch:
inputs:
force:
description: "Use --force flag for npm audit fix?"
required: true
type: boolean
base_branch:
description: "Specify a base branch"
required: false
default: "main"
node_version:
description: "Node.js version to use"
required: false
default: "24"
schedule:
- cron: "0 0 * * 1"

jobs:
audit-fix:
uses: step-security/reusable-workflows/.github/workflows/audit_fix.yml@v1
with:
force: ${{ inputs.force || false }}
base_branch: ${{ inputs.base_branch || 'main' }}
node_version: ${{ inputs.node_version || '24' }}

permissions:
Comment thread
anurag-stepsecurity marked this conversation as resolved.
contents: write
pull-requests: write
packages: read
issues: write
42 changes: 42 additions & 0 deletions .github/workflows/auto_cherry_pick.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
name: Auto Cherry-Pick from Upstream

on:
workflow_run:
workflows: [ "Release GitHub Actions" ]
types:
- completed

workflow_dispatch:
inputs:
base_branch:
description: "Base branch to create the PR against"
required: true
default: "main"
mode:
description: "Run mode: cherry-pick or verify"
required: false
default: "cherry-pick"
node_version:
description: "Node.js version to use"
required: false
default: "24"

pull_request:
types: [ opened, synchronize, labeled ]

permissions:
contents: write
pull-requests: write
packages: read
issues: write

jobs:
cherry-pick:
if: (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') || github.event_name == 'workflow_dispatch' || contains(fromJson(toJson(github.event.pull_request.labels)).*.name, 'review-required')
uses: step-security/reusable-workflows/.github/workflows/auto_cherry_pick.yaml@v1
with:
original-owner: "actions4git"
repo-name: "add-commit-push"
base_branch: ${{ inputs.base_branch || 'main' }}
mode: ${{ github.event_name == 'pull_request' && 'verify' || inputs.mode || 'cherry-pick' }}
node_version: ${{ inputs.node_version || '24' }}
29 changes: 29 additions & 0 deletions .github/workflows/test-action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
name: Test action
on:
push:
branches:
- main
paths-ignore:
- README.md
- LICENSE
- .gitignore
- .github/**
- "!.github/workflows/test-action.yml"
pull_request:
paths-ignore:
- README.md
- LICENSE
- .gitignore
- .github/**
- "!.github/workflows/test-action.yml"
jobs:
branch:
concurrency: ${{ github.workflow }}-branch
runs-on: ubuntu-latest
steps:
Comment thread
anurag-stepsecurity marked this conversation as resolved.
Comment thread
anurag-stepsecurity marked this conversation as resolved.
- uses: actions/checkout@v7
- run: echo $RANDOM > random.txt
- uses: ./
Comment thread
anurag-stepsecurity marked this conversation as resolved.
with:
push-branch: test-branch
push-force: true
2 changes: 2 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
.idea
node_modules
22 changes: 22 additions & 0 deletions LICENSE
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
The MIT License (MIT)

Copyright (c) 2023 GitHub Actions for Git
Copyright (c) 2026 StepSecurity

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
156 changes: 155 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
@@ -1 +1,155 @@
# add-commit-push
[![StepSecurity Maintained Action](https://raw.githubusercontent.com/step-security/maintained-actions-assets/main/assets/maintained-action-banner.png)](https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions)

# Add, commit, and push

✨ Automagically `git add`, `git commit`, and `git push`

<table align=center><td>

```yml
on:
pull_request:
jobs:
job:
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
- run: npx --yes prettier --write .
- uses: step-security/add-commit-push@v1
```

</table>

➕ Adds all files by default \
👨 Uses `github.actor` as the default author \
🤖 Uses <b>@github-actions\[bot\]</b> as the default committer \
🔼 Pushes changes to the current branch \
🤩 Works great for the common use cases!

A convenience wrapper with sensible defaults so that you don't have to do
`git add`, `git commit`, and `git push` manually all the time. 😉

## Usage

![Git](https://img.shields.io/static/v1?style=for-the-badge&message=Git&color=F05032&logo=Git&logoColor=FFFFFF&label=)
![GitHub Actions](https://img.shields.io/static/v1?style=for-the-badge&message=GitHub+Actions&color=2088FF&logo=GitHub+Actions&logoColor=FFFFFF&label=)

**🚀 Here's what you want:**

```yml
on:
push:
branches: "main"
pull_request:
jobs:
job:
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
- run: npx --yes prettier --write .
- uses: step-security/add-commit-push@v1
```

🔒 Make sure you have the `permissions` set to `contents: write`! We need to be
able to edit the repository contents to push things.

If you're looking to have more control than the options provided below, it's
best if you tap in to the `git` CLI directly. The only tricky bit is setting a
default Git user (it's unset by default). You can either set it manually or use
a premade action like [actions4git/setup-git] to configure the `user.name` and
`user.email` settings.

```yml
- uses: actions/checkout@v7
- uses: actions4git/setup-git@v1
# Then you can do whatever you want as the @github-actions[bot] user!
- run: git add random.txt
- run: git tag --force v1.0.0
- run: git rebase --interactive HEAD~3
- run: git merge --squash feature-branch
- run: git commit --message 'My custom commit message'
- run: git push origin other-branch:main --force
```

🏷️ Automatic tag updating coming soon! Contributions welcome! ❤️

### Inputs

- **`path`:** The path to the repository root folder to perform the Git
operations in. This defaults to the current working directory (`.`). Change
this to a subfolder if you are using a different folder other than the default
`github.workspace` for your Git repository.

- **`add-pathspec`:** Additional path specifiers to be passed to `git add`.
These can be files, folders, globs, or even some fancy Git pathspec things
such as `:!ignoreme.txt`. Check out the CSS-Tricks [Git Pathspecs and How to
Use Them] article for the highlights of Git pathspecs. If this input is not
specified, `git add --all` will be used instead. Specifying `.` has slightly
different behavior from `--all`.

- **`add-force`:** Whether or not to use the `--force` flag when performing the
`git add` operation. Use this if you really want to add something but it's in
your `.gitignore`. This can be useful if you ever need to commit build
artifacts to Git that are normally ignored by your `.gitignore`. Defaults to
`false`.

- **`commit-author`:** A `Name Here <emailhere@example.org>` AiO author name &
email string. This is a shortcut alternative to the independant
'commit-author-name' and `commit-author-email` options that are also
available. This defaults to <b>@github-actions\[bot\]</b>. You can set this to
the special value `github-actions` to use the <b>@github-actions\[bot\]</b>
user as the author, or the special `me` value to use the current
`github.actor` user as the author. Note that this is different from the
`commit-committer`. [The author of a commit is who wrote the thing and the
committer is who committed it to Git.] It's recommended to leave this as the
default.

- **`commit-author-name`:** The name of the author to associate with the commit.
Should be left unspecified if `commit-author` is specified.

- **`commit-author-email`:** The email address of the author to associate with
the commit. Should be left unspecified if `commit-author` is specified.

- **`commit-committer`:** A `Name Here <emailhere@example.org>` AiO author name
& email string. This input is a shortcut for the `commit-committer-name` and
`commit-committer-email` inputs that can also be individually specified. You
can set this to the special value `github-actions` to use the
<b>@github-actions\[bot\]</b> user as the committer, or the special `me` value
to use the current `github.actor` user as the committer. If this input is
unspecified, the committer defaults to the author.

- **`commit-committer-name`:** The name of the committer to associate with the
commit. Should be left unspecified if `commit-committer` is specified.

- **`commit-committer-email`:** The email address of the committer to associate
with the commit. Should be left unspecified if `commit-committer` is
specified.

- **`commit-message`:** The `--message` parameter to use for the commit. This
can be a multiline string if you want to specify a title and body. The default
is 'Automated changes'.

- **`push-force`:** Whether or not to use the `--force` parameter when doing the
`git push`. Defaults to `false`.

### Outputs

- **`committed`:** Whether or not anything was actually committed to the
repository locally. This will be `true` if there were any changes and `false`
if not.

- **`commit-sha`:** The SHA of the commit that was created. Will not be set if
nothing was committed.

- **`pushed`:** Whether or not anything was actually pushed to the remote
repository. This will be `true` if there were any changes that were pushed and
`false` if not.

<!-- prettier-ignore-start -->
[actions4git/setup-git]: https://github.com/actions4git/setup-git
[Git Pathspecs and How to Use Them]: https://css-tricks.com/git-pathspecs-and-how-to-use-them/
[The author of a commit is who wrote the thing and the committer is who committed it to Git.]: https://stackoverflow.com/questions/18750808/difference-between-author-and-committer-in-git
5 changes: 5 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# Security Policy

## Reporting a Vulnerability

Please report security vulnerabilities to security@stepsecurity.io
15 changes: 15 additions & 0 deletions _main.mjs
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
import { spawn } from "node:child_process";
import { once } from "node:events";
import { fileURLToPath } from "node:url";
import {validateSubscription} from "./subscription.mjs";

await validateSubscription();

const file = fileURLToPath(import.meta.resolve("./main.sh")); // 👈 CHANGE ME!
Comment thread
anurag-stepsecurity marked this conversation as resolved.
Comment thread
anurag-stepsecurity marked this conversation as resolved.
Comment thread
anurag-stepsecurity marked this conversation as resolved.
const subprocess = spawn("bash", [file], { stdio: "inherit" });
const [exitCode, signal] = await once(subprocess, "exit");
if (signal) {
process.kill(process.pid, signal);
} else {
process.exit(exitCode);
}
Loading
Loading