feat(#598): enable possibility to have source repository in other organisation

alexvanderberkel · Alex Esseling · web-flow · commit 32474992795a · 2025-01-31T20:37:23.000+01:00
- fix: 🐛 issue with AUTHN and AUTHZ
- feat: ✨ preparations to be able to have target repository in another org/repository

---------

Signed-off-by: Andy Augustin &lt;dev@andreas-augustin.org&gt;
Signed-off-by: Alex &lt;alexander.esseling@gmail.com&gt;
Co-authored-by: Alex Esseling &lt;alexander.esseling@uniper.energy&gt;
diff --git a/.github/workflows/test_all.yml b/.github/workflows/test_all.yml
@@ -15,6 +15,18 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+  call_github_app_test_target_org:
+    uses: ./.github/workflows/test_github_app _target_org.yml
+    secrets: inherit
+    permissions:
+      contents: write
+      pull-requests: write
+  call_github_app_test:
+    uses: ./.github/workflows/test_github_app.yml
+    secrets: inherit
+    permissions:
+      contents: write
+      pull-requests: write
   call_test_ssh_gitlab:
     uses: ./.github/workflows/test_ssh_gitlab.yml
     secrets: inherit
diff --git a/.github/workflows/test_github_app.yml b/.github/workflows/test_github_app.yml
@@ -0,0 +1,48 @@
+name: test-github_app
+
+on:
+  push:
+  #   branches:
+  #     - "!main"
+  # pull_request:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  test-implementation-job:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      # To use this repository's private action, you must check out the repository
+      - name: token-generation
+        uses: actions/create-github-app-token@v1
+        id: source-app-token
+        with:
+          app-id: ${{ secrets.TEST_GITHUB_APP_ID }}
+          private-key: ${{ secrets.TEST_APP_PEM_FILE }}
+          owner: alexvanderberkel
+          repositories: private-test-repo
+
+      - name: Checkout
+        # https://github.com/actions/checkout#usage
+        uses: actions/checkout@v4
+        with:
+          token: ${{ steps.source-app-token.outputs.token }}
+          persist-credentials: false # Don't set this to true as otherwise the token will be stored in the local git config and the run will fail
+
+      - name: Test action step
+        uses: ./ # Uses an action in the root directory
+        env:
+          MY_VAR: "bar"
+        with:
+          source_repo_path: alexvanderberkel/private-test-repo
+          source_gh_token: ${{ steps.source-app-token.outputs.token }}
+          # target_gh_token: ${{ github.token }}
+          upstream_branch: main
+          is_dry_run: false
+          is_allow_hooks: true
+
+
+
diff --git a/.github/workflows/test_ssh.yml b/.github/workflows/test_ssh.yml
@@ -22,7 +22,6 @@ jobs:
         if: github.repository_owner == 'AndreasAugustin'
         uses: ./ # Uses an action in the root directory
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
           source_repo_path: ${{ secrets.SOURCE_REPO_PATH_TEST }} # <owner/repo>, should be within secrets
           source_repo_ssh_private_key: ${{ secrets.SOURCE_REPO_SSH_PRIVATE_KEY }} # contains the private ssh key of the private repository
           is_dry_run: true
diff --git a/.github/workflows/test_ssh_gitlab.yml b/.github/workflows/test_ssh_gitlab.yml
@@ -23,7 +23,6 @@ jobs:
         uses: ./ # Uses an action in the root directory
         with:
           hostname: ${{ secrets.SOURCE_REPO_GITLAB_HOSTNAME }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
           source_repo_path: ${{ secrets.SOURCE_REPO_GITLAB_PATH }} # <owner/repo>, should be within secrets
           source_repo_ssh_private_key: ${{ secrets.SOURCE_REPO_GITLAB_SSH_PRIVATE_KEY }} # contains the private ssh key of the private repository
           is_dry_run: true
diff --git a/README.md b/README.md
@@ -144,7 +144,7 @@ jobs:
       - name: actions-template-sync
         uses: AndreasAugustin/actions-template-sync@v2
         with:
-          github_token: ${{ steps.generate_token.outputs.token }}
+          source_gh_token: ${{ steps.generate_token.outputs.token }}
           source_repo_path: <owner/repo>
           upstream_branch: <target_branch> # defaults to main
           pr_labels: <label1>,<label2>[,...] # defaults to template_sync
@@ -181,7 +181,7 @@ jobs:
       - name: actions-template-sync
         uses: AndreasAugustin/actions-template-sync@v2
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          source_gh_token: ${{ secrets.GITHUB_TOKEN }}
           source_repo_path: ${{ secrets.SOURCE_REPO_PATH }} # <owner/repo>, should be within secrets
           upstream_branch: ${{ secrets.TARGET_BRANCH }} #<target_branch> # defaults to main
           pr_labels: <label1>,<label2>[,...] # defaults to template_sync
@@ -235,15 +235,17 @@ jobs:
       - name: Test action step PAT
         uses: AndreasAugustin/actions-template-sync@v2
         with:
-          github_token: ${{ secrets.CUSTOM_GITHUB_PAT }}
+          source_gh_token: ${{ secrets.CUSTOM_GITHUB_PAT }}
           source_repo_path: ${{ secrets.SOURCE_REPO_PATH }} # <owner/repo>, should be within secrets
 ```
 
 ### Action Inputs
 
 | Variable                    | Description                                                                                                   | Required | Default                                                           |
 |-----------------------------|---------------------------------------------------------------------------------------------------------------|----------|-----------------------------------------------------------------------|
-| github_token                | Token for the repo. Can be passed in using `${{ secrets.GITHUB_TOKEN }}`                                     | `true`   |   `${{ github.token }}`                                                                    |
+| github_token                | :warning: [Deprecated] please use `source_gh_token` instead to have a declarative name. Token for the repo. Can be passed in using `${{ secrets.GITHUB_TOKEN }}`                                     | `true`   |   `${{ github.token }}`                                                                    |
+| source_gh_token | `[optional]` used for the source github repo token. Can be passed in using `${{ secrets.GITHUB_TOKEN }}` | `false` | `${{ github.token }}` |
+| target_gh_token | `[optional]` used for the source github repo token. Can be passed in using `${{ secrets.GITHUB_TOKEN }}` | `false` | `${{ github.token }}` |
 | source_repo_path            | Repository path of the template                                                                               | `true`   |                                                                       |
 | upstream_branch             | The target branch                                                                                             | `false`  | The remote's default (usually `main`)                                                |
 | source_repo_ssh_private_key | `[optional]` private ssh key for the source repository. [see](#private-template-repository)                   | `false`  |                                                                       |
@@ -267,7 +269,7 @@ jobs:
 | git_user_email              | `[optional]` set the committer git user.email                                                                 | `false`  | `github-action@actions-template-sync.noreply.${SOURCE_REPO_HOSTNAME}` |
 | git_remote_pull_params      | `[optional]` set remote pull parameters                                                                       | `false`  | `--allow-unrelated-histories --squash --strategy=recursive -X theirs` |
 | gpg_private_key | `[optional]` set if you want to sign commits | `false` | |
-| gpg_passphrase | `[optional]` set if your optionial gpg private key has a passphrase | `false` | |
+| gpg_passphrase | `[optional]` set if your optional gpg private key has a passphrase | `false` | |
 | steps | `[optional] add the steps you want to execute within the action` | `false` | all steps will be executed |
 | template_sync_ignore_file_path | `[optional] set the path to the ignore file.` | false |`.templatesyncignore` |
 | is_with_tags | `[optional]` set to `true` if tags should be synced | `false` | `false` |
@@ -394,7 +396,7 @@ jobs:
       - name: actions-template-sync
         uses: AndreasAugustin/actions-template-sync@v2
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          source_gh_token: ${{ secrets.GITHUB_TOKEN }}
           source_repo_path: <owner/repo>
           git_user_name: # add the gpg username
           git_user_email: # add the gpg email
@@ -642,7 +644,7 @@ The idea is to use the [docker action][action-docker]
            - name: actions-template-sync
              uses: AndreasAugustin/actions-template-sync@v2
              with:
-               github_token: ${{ secrets.GITHUB_TOKEN }}
+               source_gh_token: ${{ secrets.GITHUB_TOKEN }}
                source_repo_path: <owner/repo>
                upstream_branch: <target_branch> # defaults to main
                pr_labels: <label1>,<label2>[,...] # optional, no default
diff --git a/action.yml b/action.yml
@@ -5,10 +5,18 @@ branding:
   icon: cloud
   color: green
 inputs:
-  github_token:
-    description: 'Token for the repo. Can be passed in using $\{{ secrets.GITHUB_TOKEN }}'
-    required: true
+  source_gh_token:
+    description: 'GitHub Token for the repo to be synced from. Can be passed in using $\{{ secrets.GITHUB_TOKEN }}'
+    required: false
     default: ${{ github.token }}
+  target_gh_token:
+    description: 'GitHub Token for the repo to be synced to. Can be passed in using $\{{ secrets.GITHUB_TOKEN }}'
+    required: false
+    default: ${{ github.token }}
+  github_token:
+    deprecationMessage: 'please use source_gh_token instead to have a declarative name'
+    description: 'GitHub Token for the repo to be synced from. Can be passed in using $\{{ secrets.GITHUB_TOKEN }}'
+    required: false
   source_repo_path:
     description: "Repository path of the template"
     required: true
@@ -95,7 +103,11 @@ runs:
       shell: bash
       id: sync
       env:
+        SOURCE_GH_TOKEN: ${{ inputs.source_gh_token}}
+        TARGET_GH_TOKEN: ${{ inputs.target_gh_token }}
+        # GITHUB_TOKEN is deprecated and will be removed soon
         GITHUB_TOKEN: ${{ inputs.github_token }}
+        #
         SOURCE_REPO_PATH: ${{ inputs.source_repo_path }}
         UPSTREAM_BRANCH: ${{ inputs.upstream_branch }}
         SSH_PRIVATE_KEY_SRC: ${{ inputs.source_repo_ssh_private_key }}
diff --git a/src/entrypoint.sh b/src/entrypoint.sh
@@ -12,8 +12,13 @@ source "${SCRIPT_DIR}/sync_common.sh"
 # Precheks
 ##########################################
 
-if [[ -z "${GITHUB_TOKEN}" ]]; then
-    err "Missing input 'github_token: \${{ secrets.GITHUB_TOKEN }}'.";
+if [[ -z "${TARGET_GH_TOKEN}" ]]; then
+    err "Missing input 'target_gh_token': \${{ secrets.GITHUB_TOKEN }}'.";
+    exit 1;
+fi
+
+if [[ -z "${SOURCE_GH_TOKEN}" ]]; then
+    err "Missing input 'source_gh_token': \${{ secrets.GITHUB_TOKEN }}'.";
     exit 1;
 fi
 
@@ -27,6 +32,10 @@ if [[ -z "${HOME}" ]]; then
   exit 1
 fi
 
+if [[ -z "${GITHUB_SERVER_URL}" ]]; then
+  err "Missing env variable 'GITHUB_SERVER_URL' of the target github server. E.g. https://github.com"
+fi
+
 if ! [ -x "$(command -v gh)" ]; then
   err "github-cli gh is not installed. 'https://github.com/cli/cli'";
   exit 1;
@@ -37,7 +46,7 @@ fi
 ############################################
 
 DEFAULT_REPO_HOSTNAME="github.com"
-SOURCE_REPO_HOSTNAME="${HOSTNAME:-${DEFAULT_REPO_HOSTNAME}}"
+export SOURCE_REPO_HOSTNAME="${HOSTNAME:-${DEFAULT_REPO_HOSTNAME}}"
 GIT_USER_NAME="${GIT_USER_NAME:-${GITHUB_ACTOR}}"
 GIT_USER_EMAIL="${GIT_USER_EMAIL:-github-action@actions-template-sync.noreply.${SOURCE_REPO_HOSTNAME}}"
 
@@ -161,6 +170,42 @@ function git_init() {
     ssh-keyscan -t rsa "${source_repo_hostname}" >> "${HOME}"/.ssh/known_hosts
   else
     info "the source repository is located within GitHub."
+  fi
+  echo "::endgroup::"
+}
+
+#######################################
+# doing the login to the source repository using gh cli
+# Arguments:
+#   source_repo_hostname
+#######################################
+function gh_login_src_github() {
+  echo "::group::login src github"
+  local source_repo_hostname=$1
+  # GITHUB_TOKEN is deprecated and can be removed in the future
+  if [[ -n "${SOURCE_GH_TOKEN}" ]] || [[ -n "${GITHUB_TOKEN}" ]] &>/dev/null; then
+    ################################
+    if [[ -n "${GITHUB_TOKEN}" ]] &>/dev/null; then
+      warn "github_token parameter is deprecated please use source_gh_token."
+      info "setting SOURCE_GH_TOKEN"
+      export SOURCE_GH_TOKEN="${GITHUB_TOKEN}"
+      unset GITHUB_TOKEN
+    fi
+    ###############################
+    if [[ -z "${SOURCE_GH_TOKEN}" ]] &>/dev/null; then
+      err "Missing input 'source_gh_token: \${{ secrets.GITHUB_TOKEN }}'.";
+      exit 1;
+    fi
+    info "source server url: ${source_repo_hostname}"
+    info "logging out"
+    gh auth logout --hostname "${source_repo_hostname}" || debug "not logged in"
+    info "login to the source git repository"
+    gh auth login --git-protocol "https" --hostname "${source_repo_hostname}" --with-token <<< "${SOURCE_GH_TOKEN}"
+    gh auth status
+    gh auth setup-git --hostname "${source_repo_hostname}"
+    gh auth status --hostname "${source_repo_hostname}"
+  else
+    info "default token to be used"
     gh auth setup-git --hostname "${source_repo_hostname}"
     gh auth status --hostname "${source_repo_hostname}"
   fi
@@ -171,17 +216,17 @@ function git_init() {
 # Logic
 ###################################################
 
+git_init "${GIT_USER_EMAIL}" "${GIT_USER_NAME}" "${SOURCE_REPO_HOSTNAME}"
+
 # Forward to /dev/null to swallow the output of the private key
 if [[ -n "${SSH_PRIVATE_KEY_SRC}" ]] &>/dev/null; then
   ssh_setup "${SSH_PRIVATE_KEY_SRC}" "${SOURCE_REPO_HOSTNAME}"
-elif [[ "${SOURCE_REPO_HOSTNAME}" != "${DEFAULT_REPO_HOSTNAME}" ]]; then
-  gh auth login --git-protocol "https" --hostname "${SOURCE_REPO_HOSTNAME}" --with-token <<< "${GITHUB_TOKEN}"
+else
+  gh_login_src_github "${SOURCE_REPO_HOSTNAME}"
 fi
 
 export SOURCE_REPO="${SOURCE_REPO_PREFIX}${SOURCE_REPO_PATH}"
 
-git_init "${GIT_USER_EMAIL}" "${GIT_USER_NAME}" "${SOURCE_REPO_HOSTNAME}"
-
 if [[ -n "${GPG_PRIVATE_KEY}" ]] &>/dev/null; then
   gpg_setup "${GPG_PRIVATE_KEY}" "${GIT_USER_EMAIL}"
 fi
diff --git a/src/sync_template.sh b/src/sync_template.sh
@@ -33,6 +33,11 @@ if [[ -z "${TEMPLATE_SYNC_IGNORE_FILE_PATH}" ]]; then
   exit 1;
 fi
 
+if [[ -z "${GITHUB_SERVER_URL}" ]]; then
+  err "Missing env variable 'GITHUB_SERVER_URL' of the target github server. E.g. https://github.com"
+fi
+
+info "prechecks passed"
 ########################################################
 # Variables
 ########################################################
@@ -83,13 +88,39 @@ debug "PR_BODY ${PR_BODY}"
 # Check if the Ignore File exists inside .github folder or if it doesn't exist at all
 if [[ -f ".github/${TEMPLATE_SYNC_IGNORE_FILE_PATH}" || ! -f "${TEMPLATE_SYNC_IGNORE_FILE_PATH}" ]]; then
   debug "using ignore file as in .github folder"
-    TEMPLATE_SYNC_IGNORE_FILE_PATH=".github/${TEMPLATE_SYNC_IGNORE_FILE_PATH}"
+  TEMPLATE_SYNC_IGNORE_FILE_PATH=".github/${TEMPLATE_SYNC_IGNORE_FILE_PATH}"
 fi
 
+info "variables done"
+
 #####################################################
 # Functions
 #####################################################
 
+#######################################
+# doing the login to the source repository using gh cli
+# Arguments:
+#   github_server url
+#######################################
+function gh_login_target_github() {
+  echo "::group::login target github"
+  local github_server_url=$1
+
+  if [[ -n "${TARGET_GH_TOKEN}" ]]; then
+    target_repo_hostname=$(echo "${github_server_url}" | cut -d '/' -f 3)
+    info "target server url: ${target_repo_hostname}"
+    info "logging out of the target if logged in"
+    gh auth logout --hostname "${target_repo_hostname}" || debug "not logged in"     
+    unset GH_TOKEN  
+    info "login to the target git repository"
+    gh auth login --git-protocol "https" --hostname "${target_repo_hostname}" --with-token <<< "${TARGET_GH_TOKEN}"
+    gh auth setup-git --hostname "${target_repo_hostname}"
+    gh auth status --hostname "${target_repo_hostname}"
+  fi
+
+  echo "::endgroup::"
+}
+
 #######################################
 # set the gh action outputs if run with github action.
 # Arguments:
@@ -243,11 +274,16 @@ function pull_source_changes() {
 
   eval "git pull ${source_repo} --tags ${git_remote_pull_params}" || pull_has_issues=true
 
+  info "finished pulling from the source."
+  info "logging out from source ${SOURCE_REPO_HOSTNAME}."
+
   if [ "$pull_has_issues" == true ] ; then
     warn "There had been some git pull issues."
     warn "Maybe a merge issue."
     warn "We go on but it is likely that you need to fix merge issues within the created PR."
   fi
+
+  gh_login_target_github "${GITHUB_SERVER_URL}"
 }
 
 #######################################
@@ -294,6 +330,8 @@ function eventual_create_labels () {
 ##############################
 function push () {
   info "push changes"
+  
+
   local branch=$1
   local is_force=$2
   local is_with_tags=$3
@@ -308,9 +346,10 @@ function push () {
   if [ "$is_with_tags" == true ] ; then
     warn "include tags."
     args+=(--tags)
-  fi
-
+  fi  
+  
   git push "${args[@]}"
+  
 }
 
 ####################################
