From 45d1d69c0de008bdaaee4220164b9af9bc24662d Mon Sep 17 00:00:00 2001
From: Eduardo Robles Elvira <edu@sequentech.io>
Date: Fri, 15 Jul 2022 07:07:38 +0200
Subject: [PATCH] Adding documentation and support for custom pr-body

---
 README.md  |  68 ++++++++++++++++++++++++++++++
 action.yml | 119 +++++++++++++++++++++++++++++++++++++----------------
 2 files changed, 151 insertions(+), 36 deletions(-)

diff --git a/README.md b/README.md
index 931ac1c..5e5d98a 100644
--- a/README.md
+++ b/README.md
@@ -166,6 +166,74 @@ jobs:
           token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
 ```
 
+## With GPG commit signing
+
+It's possible for the bot to produce GPG signed commits. Associating a GPG public key to a github user account is not required but it is necessary if you want the signed commits to appear as verified in Github. This can be a compliance requirement in some cases.
+
+You can follow [Github's guide on creating and/or adding a new GPG key to an user account](https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-new-gpg-key-to-your-github-account). Using a specific github user account for the bot can be a good security measure to dissociate this bot's actions and commits from your personal github account.
+
+For the bot to produce signed commits, you will have to provide the GPG private keys to this action's input parameters. You can safely do that with [Github secrets as explained here](https://github.com/crazy-max/ghaction-import-gpg#prerequisites).
+
+When using commit signing, the commit author name and email for the commits produced by this bot would correspond to the ones associated to the GPG Public Key. 
+
+You can find an example of how to using this action with commit signing below:
+
+```yaml
+name: update-flake-lock
+on:
+  workflow_dispatch: # allows manual triggering
+  schedule:
+    - cron: '0 0 * * 1,4' # Run twice a week
+
+jobs:
+  lockfile:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Install Nix
+        uses: cachix/install-nix-action@v16
+      - name: Update flake.lock
+        uses: DeterminateSystems/update-flake-lock@vX
+        with:
+          sign-commits: true
+          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
+          gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}
+```
+
+## Custom PR Body
+
+By default the generated PR body is set to be the following template:
+
+```yaml
+Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
+
+\```
+{{ env.GIT_COMMIT_MESSAGE }}
+\```
+
+### Running GitHub Actions on this PR
+
+GitHub Actions will not run workflows on pull requests which are opened by a GitHub Action.
+
+To run GitHub Actions workflows on this PR, run:
+
+\```sh
+git branch -D update_flake_lock_action
+git fetch origin
+git checkout update_flake_lock_action
+git commit --amend --no-edit
+git push origin update_flake_lock_action --force
+\```
+```
+
+However you can customize it, with variable interpolation performed with [Handlebars](https://handlebarsjs.com/). This allows you to customize the template with the following variables:
+- env.GIT_AUTHOR_NAME
+- env.GIT_AUTHOR_EMAIL
+- env.GIT_COMMITTER_NAME
+- env.GIT_COMMITTER_EMAIL
+- env.GIT_COMMIT_MESSAGE
+
 ## Contributing
 
 Feel free to send a PR or open an issue if you find something functions unexpectedly! Please make sure to test your changes and update any related documentation before submitting your PR.
diff --git a/action.yml b/action.yml
index 2f8a2ea..925beb1 100644
--- a/action.yml
+++ b/action.yml
@@ -21,6 +21,30 @@ inputs:
     description: 'The title of the PR to be created'
     required: false
     default: "flake.lock: Update"
+  pr-body:
+    description: 'The body of the PR to be created'
+    required: false
+    default: |
+      Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
+
+      ```
+      {{ env.GIT_COMMIT_MESSAGE }}
+      ```
+
+      ### Running GitHub Actions on this PR
+
+      GitHub Actions will not run workflows on pull requests which are opened by a GitHub Action.
+
+      To run GitHub Actions workflows on this PR, run:
+
+      ```sh
+      git branch -D update_flake_lock_action
+      git fetch origin
+      git checkout update_flake_lock_action
+      git commit --amend --no-edit
+      git push origin update_flake_lock_action --force
+      ```
+
   pr-labels:
     description: 'A comma or newline separated list of labels to set on the Pull Request to be created'
     required: false
@@ -54,62 +78,85 @@ runs:
         git_config_global: true
         git_user_signingkey: true
         git_commit_gpgsign: true
-    - name: Run update-flake-lock.sh (signed commit)
-      run: $GITHUB_ACTION_PATH/update-flake-lock.sh
+    - name: Set environment variables (signed commits)
       if: ${{ inputs.sign-commits }}
       shell: bash
       env:
+        SIGN_COMMITS: ${{ inputs.sign-commits }}
         GIT_AUTHOR_NAME: ${{ steps.import-gpg.outputs.name }}
         GIT_AUTHOR_EMAIL: ${{ steps.import-gpg.outputs.email }}
         GIT_COMMITTER_NAME: ${{ steps.import-gpg.outputs.name }}
         GIT_COMMITTER_EMAIL: ${{ steps.import-gpg.outputs.email }}
         TARGETS: ${{ inputs.inputs }}
-        COMMIT_MSG: ${{ inputs.commit-msg }}
-    - name: Run update-flake-lock.sh (no commit signing)
-      run: $GITHUB_ACTION_PATH/update-flake-lock.sh
+      run: |
+        echo "GIT_AUTHOR_NAME=$GIT_AUTHOR_NAME" >> $GITHUB_ENV
+        echo "GIT_AUTHOR_EMAIL=$GIT_AUTHOR_EMAIL" >> $GITHUB_ENV
+        echo "GIT_COMMITTER_NAME=$GIT_COMMITTER_NAME" >> $GITHUB_ENV
+        echo "GIT_COMMITTER_EMAIL=$GIT_COMMITTER_EMAIL" >> $GITHUB_ENV
+        echo "TARGETS=$TARGETS" >> $GITHUB_ENV
+        GIT_COMMIT_MESSAGE="$(git log --format=%b -n 1)"
+        GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//'%'/'%25'}"
+        GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//$'\n'/'%0A'}"
+        GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//$'\r'/'%0D'}"
+        echo "GIT_COMMIT_MESSAGE=$GIT_COMMIT_MESSAGE" >> $GITHUB_ENV
+    - name: Set environment variables
       if: ${{ !inputs.sign-commits }}
       shell: bash
       env:
-        GIT_AUTHOR_NAME: github-actions[bot]
-        GIT_AUTHOR_EMAIL: <github-actions[bot]@users.noreply.github.com>
-        GIT_COMMITTER_NAME: github-actions[bot]
-        GIT_COMMITTER_EMAIL: <github-actions[bot]@users.noreply.github.com>
+        SIGN_COMMITS: ${{ inputs.sign-commits }}
+        GIT_AUTHOR_NAME: ${{ steps.import-gpg.outputs.name }}
+        GIT_AUTHOR_EMAIL: ${{ steps.import-gpg.outputs.email }}
+        GIT_COMMITTER_NAME: ${{ steps.import-gpg.outputs.name }}
+        GIT_COMMITTER_EMAIL: ${{ steps.import-gpg.outputs.email }}
+      run: |
+        echo "GIT_AUTHOR_NAME=github-actions[bot]" >> $GITHUB_ENV
+        echo "GIT_AUTHOR_EMAIL=<github-actions[bot]@users.noreply.github.com>" >> $GITHUB_ENV
+        echo "GIT_COMMITTER_NAME=github-actions[bot]" >> $GITHUB_ENV
+        echo "GIT_COMMITTER_EMAIL=<github-actions[bot]@users.noreply.github.com>" >> $GITHUB_ENV
+    - name: Run update-flake-lock.sh
+      run: $GITHUB_ACTION_PATH/update-flake-lock.sh
+      shell: bash
+      env:
+        GIT_AUTHOR_NAME: ${{ env.GIT_AUTHOR_NAME }}
+        GIT_AUTHOR_EMAIL: ${{ env.GIT_AUTHOR_EMAIL }}
+        GIT_COMMITTER_NAME: ${{ env.GIT_COMMITTER_NAME }}
+        GIT_COMMITTER_EMAIL: ${{ env.GIT_COMMITTER_EMAIL }}
         TARGETS: ${{ inputs.inputs }}
         COMMIT_MSG: ${{ inputs.commit-msg }}
-    - run: |
-        content="$(git log --format=%b -n 1)"
-        content="${content//'%'/'%25'}"
-        content="${content//$'\n'/'%0A'}"
-        content="${content//$'\r'/'%0D'}"
-        echo "::set-output name=msg::$content"
+    - name: Save PR Body as file
+      uses: DamianReeves/write-file-action@v1.1
+      with:
+        path: pr_body.template
+        contents: ${{ inputs.pr-body }}
+      env: {}
+    - name: Set additional env variables (GIT_COMMIT_MESSAGE)
       shell: bash
-      id: commit_message
+      run: |
+        GIT_COMMIT_MESSAGE="$(git log --format=%b -n 1)"
+        GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//'%'/'%25'}"
+        GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//$'\n'/'%0A'}"
+        GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//$'\r'/'%0D'}"
+        echo "GIT_COMMIT_MESSAGE=$GIT_COMMIT_MESSAGE" >> $GITHUB_ENV
+        echo "GIT_COMMIT_MESSAGE is: ${GIT_COMMIT_MESSAGE}"
+    - name: Interpolate PR Body
+      uses: pedrolamas/handlebars-action@v2.0.0
+      with:
+        files: 'pr_body.template'
+        output-filename: 'pr_body.txt'
+    - name: Read pr_body.txt
+      id: pr_body
+      uses: andstor/file-reader-action@v1
+      with:
+        path: "pr_body.txt"
     - name: Create PR
       id: create-pr
       uses: peter-evans/create-pull-request@v3
       with:
         branch: ${{ inputs.branch }}
         delete-branch: true
+        committer: ${{ env.GIT_COMMITTER_NAME }} <${{ env.GIT_COMMITTER_EMAIL }}>
+        author: ${{ env.GIT_AUTHOR_NAME }} <${{ env.GIT_AUTHOR_EMAIL }}>
         title: ${{ inputs.pr-title }}
         token: ${{ inputs.token }}
         labels: ${{ inputs.pr-labels }}
-        body: |
-          Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
-
-          ```
-          ${{ steps.commit_message.outputs.msg }}
-          ```
-
-          ### Running GitHub Actions on this PR
-
-          GitHub Actions will not run workflows on pull requests which are opened by a GitHub Action.
-
-          To run GitHub Actions workflows on this PR, run:
-
-          ```sh
-          git branch -D update_flake_lock_action
-          git fetch origin
-          git checkout update_flake_lock_action
-          git commit --amend --no-edit
-          git push origin update_flake_lock_action --force
-          ```
+        body: ${{ steps.pr_body.outputs.contents }}