feat!: add token to remote URL so remote operations have auth (grafana#111)

ls-remote commands were failing if persist-credentials: false was set on actions/checkout. This change is flagged as breaking because it will use the token passed in for any remote git commands.

Author: abannachGrafana

.github/workflows/test.yml

@@ -766,3 +766,112 @@ jobs:
           git push --force --delete origin "${TO_DELETE}"
         env:
           TO_DELETE: ${{ steps.setup-test-branch.outputs.branch-name }}
+  test-persist-credentials-false-branch-on-remote:
+    runs-on: ubuntu-latest
+    needs: [check-not-fork]
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Setup test branch
+        id: setup-test-branch
+        run: |
+          BRANCH_NAME="test-creds-false-branch-on-remote-$(date +%s)"
+
+          git config --global user.name 'github-actions[bot]'
+          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
+
+          git checkout -b $BRANCH_NAME
+          git push --set-upstream https://x-access-token:${{ github.token }}@github.com/${{ github.repository }}.git $BRANCH_NAME
+
+          # output status here to manually verify file changes
+          git status --porcelain=v2 --branch --untracked-files=no
+
+          echo $BRANCH_NAME > "test-file.txt"
+          echo "branch-name=$BRANCH_NAME" >> $GITHUB_OUTPUT
+      - uses: ./
+        id: test-action
+        continue-on-error: true
+        with:
+          token: ${{ github.token }}
+          stage-all-files: true
+          commit-message: ${{ steps.setup-test-branch.outputs.branch-name }}
+      - name: Delete test branch
+        if: ${{ always() }}
+        run: |
+          git push --force --delete https://x-access-token:${{ github.token }}@github.com/${{ github.repository }}.git "${TO_DELETE}"
+        env:
+          TO_DELETE: ${{ steps.setup-test-branch.outputs.branch-name }}
+      - name: Check output
+        run: |
+          changedFilesIfAvailable=$(echo ${RESPONSE} | jq -r '.data.createCommitOnBranch.commit.changedFilesIfAvailable')
+
+          if [[ -z "$changedFilesIfAvailable" || "$changedFilesIfAvailable" == "null" ]]; then
+            echo "Error: changedFilesIfAvailable is empty or null. Verify the output from test-action."
+            exit 1
+          fi
+
+          if [[ "$changedFilesIfAvailable" -ne 1 ]]; then
+            echo "Error: changedFilesIfAvailable is expected to be 1 but got $changedFilesIfAvailable."
+            exit 1
+          fi
+
+          echo "Validation passed: changedFilesIfAvailable is $changedFilesIfAvailable."
+        env:
+          RESPONSE: ${{ steps.test-action.outputs.commit-response }}
+
+  test-persist-credentials-false-branch-not-on-remote: # make sure the action works on a clean machine without building
+    runs-on: ubuntu-latest
+    needs: [check-not-fork]
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Setup test branch
+        id: setup-test-branch
+        run: |
+          BRANCH_NAME="test-creds-false-branch-not-on-remote-$(date +%s)"
+          
+          git config --global user.name 'github-actions[bot]'
+          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
+          
+          git checkout -b $BRANCH_NAME
+          
+          git status --porcelain=v2 --branch --untracked-files=no
+          
+          echo $BRANCH_NAME > "test-file.txt"
+          echo "branch-name=$BRANCH_NAME" >> $GITHUB_OUTPUT
+      - uses: ./
+        id: test-action
+        with:
+          token: ${{ github.token }}
+          stage-all-files: true
+          create-branch-on-remote: true
+          commit-message: ${{ steps.setup-test-branch.outputs.branch-name }}
+      - name: Delete test branch
+        if: ${{ always() }}
+        run: |
+          git push --force --delete https://x-access-token:${{ github.token }}@github.com/${{ github.repository }}.git "${TO_DELETE}"
+        env:
+          TO_DELETE: ${{ steps.setup-test-branch.outputs.branch-name }}
+      - name: Check output
+        run: |
+          changedFilesIfAvailable=$(echo ${RESPONSE} | jq -r '.data.createCommitOnBranch.commit.changedFilesIfAvailable')
+
+          if [[ -z "$changedFilesIfAvailable" || "$changedFilesIfAvailable" == "null" ]]; then
+            echo "Error: changedFilesIfAvailable is empty or null. Verify the output from test-action."
+            exit 1
+          fi
+
+          if [[ "$changedFilesIfAvailable" -ne 1 ]]; then
+            echo "Error: changedFilesIfAvailable is expected to be 1 but got $changedFilesIfAvailable."
+            exit 1
+          fi
+
+          echo "Validation passed: changedFilesIfAvailable is $changedFilesIfAvailable."
+        env:
+          RESPONSE: ${{ steps.test-action.outputs.commit-response }}

action.yml

@@ -47,8 +47,6 @@ runs:
           echo "ERROR: Invalid GitHub remote URL"
           exit 1
         fi
-      env:
-        GH_TOKEN: ${{ inputs.token }}
 
     - name: Stage all files
       if: inputs.stage-all-files == 'true'
@@ -59,12 +57,14 @@ runs:
       if: inputs.create-branch-on-remote == 'true'
       shell: bash
       run: |
-        onRemote=$(git ls-remote --heads origin ${BRANCH})
+        onRemote=$(git ls-remote --heads https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git ${BRANCH})
         if [[ -z "$onRemote" ]]; then
-          git push --set-upstream origin ${BRANCH}
+          git push --set-upstream https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git ${BRANCH}
         fi
       env:
         BRANCH: ${{ steps.commit-context.outputs.branch }}
+        REPO: ${{ steps.commit-context.outputs.repo }}
+        GH_TOKEN: ${{ inputs.token }}
 
     - name: Get file additions and deletions
       id: additions-and-deletions
@@ -159,12 +159,12 @@ runs:
       shell: bash
       id: commit-changes
       run: |
-        branch_oid=$(git ls-remote origin refs/heads/${BRANCH} | awk '{ print $1 }')
+        branch_oid=$(git ls-remote https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git refs/heads/${BRANCH} | awk '{ print $1 }')
         
         if [ -n "$branch_oid" ]; then
           head_oid=$branch_oid # Use remote OID of the current branch
         else
-          head_oid=$(git ls-remote origin HEAD | awk '{ print $1 }') # Fallback to HEAD
+          head_oid=$(git ls-remote https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git HEAD | awk '{ print $1 }') # Fallback to HEAD
         fi
   
         graphql_query='mutation(
@@ -205,4 +205,4 @@ runs:
         BRANCH: ${{ steps.commit-context.outputs.branch }}
         REPO: ${{ steps.commit-context.outputs.repo }}
         COMMIT_MESSAGE: ${{ inputs.commit-message }}
-        TEMP_CONTENTS_DIR: ${{ steps.additions-and-deletions.outputs.contents_dir }}
+        TEMP_CONTENTS_DIR: ${{ steps.additions-and-deletions.outputs.contents_dir }}