Merge pull request #181 from actions/joshmgross/update-dependencies

Run npm audit and update dev dependencies

.github/workflows/check-dist.yml

@@ -0,0 +1,52 @@
+# `dist/index.js` is a special file in Actions.
+# When you reference an action with `uses:` in a workflow,
+# `index.js` is the code that will run.
+# For our project, we generate this file through a build process
+# from other source files.
+# We need to make sure the checked-in `index.js` actually matches what we expect it to be.
+name: Check dist/
+
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**.md'
+  pull_request:
+    paths-ignore:
+      - '**.md'
+  workflow_dispatch:
+
+jobs:
+  check-dist:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set Node.js 12.x
+        uses: actions/setup-node@v1
+        with:
+          node-version: 12.x
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Rebuild the dist/ directory
+        run: npm run build
+
+      - name: Compare the expected and actual dist/ directories
+        run: |
+          if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
+            echo "Detected uncommitted changes after build.  See status below:"
+            git diff
+            exit 1
+          fi
+        id: diff
+
+      # If index.js was different than expected, upload the expected version as an artifact
+      - uses: actions/upload-artifact@v2
+        if: ${{ failure() && steps.diff.conclusion == 'failure' }}
+        with:
+          name: dist
+          path: dist/

.github/workflows/ci.yml

@@ -1,21 +1,20 @@
 name: CI
 
 on:
-  push: {branches: main}
-  pull_request: {branches: main}
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
 
 jobs:
   ci:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/setup-node@v1
-        with: {node-version: 13.x}
-      - uses: actions/cache@v1
+      - uses: actions/setup-node@v2
         with:
-          path: ~/.npm
-          key: ${{runner.os}}-npm-${{hashFiles('**/package-lock.json')}}
-          restore-keys: ${{runner.os}}-npm-
+          node-version: 12
+          cache: npm
       - run: npm ci
       - run: npm run style:check
       - run: npm test

.github/workflows/integration.yml

@@ -1,14 +1,18 @@
 name: Integration
 
 on:
-  push: {branches: main}
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
 
 jobs:
-  integration:
+  test-return:
     runs-on: ubuntu-latest
     steps:
+      - uses: actions/checkout@v2
       - id: output-set
-        uses: actions/github-script@main
+        uses: ./
         with:
           script: return core.getInput('input-value')
           result-encoding: string
@@ -17,3 +21,39 @@ jobs:
           if [[ "${{steps.output-set.outputs.result}}" != "output" ]]; then
             exit 1
           fi
+
+  test-relative-require:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - id: output-set
+        uses: ./
+        with:
+          script: return require('./package.json').name
+          result-encoding: string
+          input-value: output
+      - run: |
+          if [[ "${{steps.output-set.outputs.result}}" != "github-script" ]]; then
+            exit 1
+          fi
+
+  test-npm-require:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        with:
+          path: ~/.npm
+          key: ${{runner.os}}-npm-${{hashFiles('**/package-lock.json')}}
+          restore-keys: ${{runner.os}}-npm-
+      - run: npm ci
+      - id: output-set
+        uses: ./
+        with:
+          script: return require('@actions/core/package.json').name
+          result-encoding: string
+          input-value: output
+      - run: |
+          if [[ "${{steps.output-set.outputs.result}}" != "@actions/core" ]]; then
+            exit 1
+          fi

.github/workflows/licensed.yml

@@ -1,10 +1,12 @@
 name: Licensed
 
 on:
-  push: {branches: main}
-  pull_request: {branches: main}
-  repository_dispatch:
-  workflow_dispatch:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
 
 jobs:
   test:
@@ -12,16 +14,11 @@ jobs:
     name: Check licenses
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/cache@v1
-        with:
-          path: ~/.npm
-          key: ${{runner.os}}-npm-${{hashFiles('**/package-lock.json')}}
-          restore-keys: ${{runner.os}}-npm-
       - run: npm ci
       - name: Install licensed
-        run: |-
+        run: |
           cd $RUNNER_TEMP
-          curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/2.9.2/licensed-2.9.2-linux-x64.tar.gz
+          curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/2.12.2/licensed-2.12.2-linux-x64.tar.gz
           sudo tar -xzf licensed.tar.gz
           sudo mv licensed /usr/local/bin/licensed
       - run: licensed status

.github/workflows/pull-request-test.yml

@@ -2,7 +2,7 @@ name: Pull Request Test
 
 on:
   pull_request:
-    branches: main
+    branches: [main]
     types: [opened, synchronize]
 
 jobs:

.licenses/npm/@actions/core.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@actions/core"
-version: 1.2.6
+version: 1.2.7
 type: npm
 summary: Actions core lib
 homepage: https://github.com/actions/toolkit/tree/main/packages/core

.licenses/npm/@actions/exec.dep.yml

@@ -0,0 +1,20 @@
+---
+name: "@actions/exec"
+version: 1.1.0
+type: npm
+summary: Actions exec lib
+homepage: https://github.com/actions/toolkit/tree/main/packages/exec
+license: mit
+licenses:
+- sources: LICENSE.md
+  text: |-
+    The MIT License (MIT)
+
+    Copyright 2019 GitHub
+
+    Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+    The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+notices: []

README.md

@@ -12,12 +12,19 @@ input should be the body of an asynchronous function call. The following
 arguments will be provided:
 
 - `github` A pre-authenticated
-  [octokit/core.js](https://github.com/octokit/core.js#readme) client with REST endpoints and pagination plugins
+  [octokit/rest.js](https://octokit.github.io/rest.js) client with pagination plugins
 - `context` An object containing the [context of the workflow
   run](https://github.com/actions/toolkit/blob/main/packages/github/src/context.ts)
 - `core` A reference to the [@actions/core](https://github.com/actions/toolkit/tree/main/packages/core) package
 - `glob` A reference to the [@actions/glob](https://github.com/actions/toolkit/tree/main/packages/glob) package
 - `io` A reference to the [@actions/io](https://github.com/actions/toolkit/tree/main/packages/io) package
+- `exec` A reference to the [@actions/exec](https://github.com/actions/toolkit/tree/main/packages/exec) package
+- `require` A proxy wrapper around the normal Node.js `require` to enable
+  requiring relative paths (relative to the current working directory) and
+  requiring npm packages installed in the current working directory. If for
+  some reason you need the non-wrapped `require`, there is an escape hatch
+  available: `__original_require__` is the original value of `require` without
+  our wrapping applied.
 
 Since the `script` is just a function body, these values will already be
 defined, so you don't have to (see examples below).
@@ -38,7 +45,7 @@ The return value of the script will be in the step's outputs under the
 "result" key.
 
 ```yaml
-- uses: actions/github-script@v3
+- uses: actions/github-script@v4
   id: set-result
   with:
     script: return "Hello!"
@@ -57,10 +64,9 @@ output of a github-script step. For some workflows, string encoding is preferred
 `result-encoding` input:
 
 ```yaml
-- uses: actions/github-script@v3
+- uses: actions/github-script@v4
   id: my-script
   with:
-    github-token: ${{secrets.GITHUB_TOKEN}}
     result-encoding: string
     script: return "I will be string (not JSON) encoded!"
 ```
@@ -76,7 +82,7 @@ By default, github-script will use the token provided to your workflow.
 
 ```yaml
 - name: View context attributes
-  uses: actions/github-script@v3
+  uses: actions/github-script@v4
   with:
     script: console.log(context)
 ```
@@ -92,9 +98,8 @@ jobs:
   comment:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/github-script@v3
+      - uses: actions/github-script@v4
         with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
           script: |
             github.issues.createComment({
               issue_number: context.issue.number,
@@ -115,9 +120,8 @@ jobs:
   apply-label:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/github-script@v3
+      - uses: actions/github-script@v4
         with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
           script: |
             github.issues.addLabels({
               issue_number: context.issue.number,
@@ -136,9 +140,8 @@ jobs:
   welcome:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/github-script@v3
+      - uses: actions/github-script@v4
         with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
           script: |
             // Get a list of all issues created by the PR opener
             // See: https://octokit.github.io/rest.js/#pagination
@@ -180,9 +183,8 @@ jobs:
   diff:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/github-script@v3
+      - uses: actions/github-script@v4
         with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
           script: |
             const diff_url = context.payload.pull_request.diff_url
             const result = await github.request(diff_url)
@@ -205,9 +207,8 @@ jobs:
   list-issues:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/github-script@v3
+      - uses: actions/github-script@v4
         with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
           script: |
             const query = `query($owner:String!, $name:String!, $label:String!) {
               repository(owner:$owner, name:$name){
@@ -240,15 +241,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/github-script@v3
+      - uses: actions/github-script@v4
         with:
           script: |
-            const script = require(`${process.env.GITHUB_WORKSPACE}/path/to/script.js`)
+            const script = require('./path/to/script.js')
             console.log(script({github, context}))
 ```
 
-_Note that the script path given to `require()` must be an **absolute path** in this case, hence using [`GITHUB_WORKSPACE`](https://docs.github.com/en/actions/configuring-and-managing-workflows/using-environment-variables#default-environment-variables)._
-
 And then export a function from your module:
 
 ```javascript
@@ -257,9 +256,6 @@ module.exports = ({github, context}) => {
 }
 ```
 
-You can also use async functions in this manner, as long as you `await` it in
-the inline script.
-
 Note that because you can't `require` things like the GitHub context or
 Actions Toolkit libraries, you'll want to pass them as arguments to your
 external function.
@@ -268,6 +264,44 @@ Additionally, you'll want to use the [checkout
 action](https://github.com/actions/checkout) to make sure your script file is
 available.
 
+### Run a separate file with an async function
+
+You can also use async functions in this manner, as long as you `await` it in
+the inline script.
+
+In your workflow:
+
+```yaml
+on: push
+
+jobs:
+  echo-input:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/github-script@v4
+        env:
+          SHA: '${{env.parentSHA}}'
+        with:
+          script: |
+            const script = require('./path/to/script.js')
+            await script({github, context, core})
+```
+
+And then export an async function from your module:
+
+```javascript
+module.exports = async ({github, context, core}) => {
+  const {SHA} = process.env
+  const commit = await github.repos.getCommit({
+    owner: context.repo.owner,
+    repo: context.repo.repo,
+    ref: `${SHA}`
+  })
+  core.exportVariable('author', commit.data.commit.author.email)
+}
+```
+
 ### Use npm packages
 
 Like importing your own files above, you can also use installed modules:
@@ -286,10 +320,10 @@ jobs:
       - run: npm ci
       # or one-off:
       - run: npm install execa
-      - uses: actions/github-script@v3
+      - uses: actions/github-script@v4
         with:
           script: |
-            const execa = require(`${process.env.GITHUB_WORKSPACE}/node_modules/execa`)
+            const execa = require('execa')
 
             const { stdout } = await execa('echo', ['hello', 'world'])
 
@@ -307,7 +341,7 @@ jobs:
   echo-input:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/github-script@v3
+      - uses: actions/github-script@v4
         env:
           FIRST_NAME: Mona
           LAST_NAME: Octocat
@@ -317,3 +351,32 @@ jobs:
 
             console.log(`Hello ${FIRST_NAME} ${LAST_NAME}`)
 ```
+
+### Using a separate GitHub token
+
+The `GITHUB_TOKEN` used by default is scoped to the current repository, see [Authentication in a workflow](https://docs.github.com/actions/reference/authentication-in-a-workflow).
+
+If you need access to a different repository or an API that the `GITHUB_TOKEN` doesn't have permissions to, you can provide your own [PAT](https://help.github.com/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) as a secret using the `github-token` input.
+
+[Learn more about creating and using encrypted secrets](https://docs.github.com/actions/reference/encrypted-secrets)
+
+```yaml
+on:
+  issues:
+    types: [opened]
+
+jobs:
+  apply-label:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/github-script@v4
+        with:
+          github-token: ${{ secrets.MY_PAT }}
+          script: |
+            github.issues.addLabels({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              labels: ['Triage']
+            })
+```

package.json

@@ -1,7 +1,7 @@
 {
   "name": "github-script",
   "description": "A GitHub action for executing a simple script",
-  "version": "3.1.1",
+  "version": "4.0.2",
   "author": "GitHub",
   "license": "MIT",
   "main": "dist/index.js",
@@ -35,7 +35,8 @@
     }
   },
   "dependencies": {
-    "@actions/core": "^1.2.6",
+    "@actions/core": "^1.2.7",
+    "@actions/exec": "^1.1.0",
     "@actions/github": "^4.0.0",
     "@actions/glob": "^0.1.1",
     "@actions/io": "^1.0.2",
@@ -44,17 +45,17 @@
     "@octokit/plugin-rest-endpoint-methods": "4.2.1"
   },
   "devDependencies": {
-    "@types/jest": "^26.0.10",
-    "@typescript-eslint/eslint-plugin": "^3.9.1",
-    "@typescript-eslint/parser": "^3.9.1",
+    "@types/jest": "^26.0.24",
+    "@typescript-eslint/eslint-plugin": "^3.10.1",
+    "@typescript-eslint/parser": "^3.10.1",
     "@vercel/ncc": "^0.23.0",
-    "eslint": "^7.7.0",
-    "eslint-config-prettier": "^6.11.0",
+    "eslint": "^7.32.0",
+    "eslint-config-prettier": "^6.15.0",
     "husky": "^4.2.5",
-    "jest": "^26.4.1",
+    "jest": "^26.6.3",
     "npm-run-all": "^4.1.5",
     "prettier": "^2.0.5",
-    "ts-jest": "^26.2.0",
-    "typescript": "^4.0.2"
+    "ts-jest": "^26.5.6",
+    "typescript": "^4.3.5"
   }
 }

src/async-function.ts

@@ -1,4 +1,5 @@
 import * as core from '@actions/core'
+import * as exec from '@actions/exec'
 import {Context} from '@actions/github/lib/context'
 import {GitHub} from '@actions/github/lib/utils'
 import * as glob from '@actions/glob'
@@ -10,9 +11,11 @@ type AsyncFunctionArguments = {
   context: Context
   core: typeof core
   github: InstanceType<typeof GitHub>
+  exec: typeof exec
   glob: typeof glob
   io: typeof io
   require: NodeRequire
+  __original_require__: NodeRequire
 }
 
 export function callAsyncFunction<T>(

src/main.ts

@@ -1,8 +1,10 @@
 import * as core from '@actions/core'
+import * as exec from '@actions/exec'
 import {context, getOctokit} from '@actions/github'
 import * as glob from '@actions/glob'
 import * as io from '@actions/io'
 import {callAsyncFunction} from './async-function'
+import {wrapRequire} from './wrap-require'
 
 process.on('unhandledRejection', handleError)
 main().catch(handleError)
@@ -29,7 +31,16 @@ async function main(): Promise<void> {
 
   // Using property/value shorthand on `require` (e.g. `{require}`) causes compilation errors.
   const result = await callAsyncFunction(
-    {require: require, github, context, core, glob, io},
+    {
+      require: wrapRequire,
+      __original_require__: __non_webpack_require__,
+      github,
+      context,
+      core,
+      exec,
+      glob,
+      io
+    },
     script
   )
 

src/wrap-require.ts

@@ -0,0 +1,25 @@
+import * as path from 'path'
+
+export const wrapRequire = new Proxy(__non_webpack_require__, {
+  apply: (target, thisArg, [moduleID]) => {
+    if (moduleID.startsWith('.')) {
+      moduleID = path.resolve(moduleID)
+      return target.apply(thisArg, [moduleID])
+    }
+
+    const modulePath = target.resolve.apply(thisArg, [
+      moduleID,
+      {
+        // Webpack does not have an escape hatch for getting the actual
+        // module, other than `eval`.
+        paths: [process.cwd()]
+      }
+    ])
+
+    return target.apply(thisArg, [modulePath])
+  },
+
+  get: (target, prop, receiver) => {
+    Reflect.get(target, prop, receiver)
+  }
+})

types/non-webpack-require.ts

@@ -0,0 +1 @@
+declare const __non_webpack_require__: NodeRequire