fixing integration test?

Author: tschm

README.md

@@ -16,6 +16,10 @@ on:
 jobs:
   sync:
     runs-on: ubuntu-latest
+    # Optional: Add permissions for the default GITHUB_TOKEN
+    # permissions:
+    #   contents: write
+    #   workflows: write  # Required to modify workflow files
     steps:
       - name: Checkout
         uses: actions/checkout@v5
@@ -34,21 +38,18 @@ jobs:
           exclude: |
             README.md
             LICENSE
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # Option 1: Use default GITHUB_TOKEN (won't work for workflow files unless permissions are set above)
+          token: ${{ secrets.GITHUB_TOKEN }}
+          
+          # Option 2: Use a PAT with workflow permissions (recommended for syncing workflow files)
+          # token: ${{ secrets.PAT_WITH_WORKFLOW_SCOPE }}
 ```
 
 ## Inputs
 
 | Input | Description | Required | Default |
 |-------|-------------|----------|---------|
-| `template-repository` | Repository to sync from | Yes | - |
-| `template-branch` | Branch to sync from in the template repo | No | `main` |
-| `branch` | Branch to sync changes to in the target repo | No | `sync/update-configs` |
-| `commit-message` | Commit message for sync | No | `chore: sync template` |
-| `include` | List of files and folders to include (multi-line) | No | See action.yml |
-| `exclude` | List of files and folders to exclude (multi-line) | No | See action.yml |
-| `token` | Token to use for authentication | No | `${{ github.token }}` |
+
 
 ## How It Works
 
@@ -58,8 +59,33 @@ This action performs the following steps:
 2. Removes excluded files/folders from the template
 3. Copies the template files into the target repository
 4. Commits and pushes the changes to the specified branch in the target repository
+5. Optionally creates a pull request for the changes
+
+The action uses sparse checkout to minimize the amount of data that needs to be downloaded, making it efficient even with large template repositories. 
+
+The pull request creation step uses GitHub's REST API to check if a PR already exists for the branch and creates one if needed. This ensures that multiple workflow runs don't create duplicate PRs.
+
+### GitHub Token Permissions
+
+When using this action to sync workflow files (files in `.github/workflows/`), you need to be aware of GitHub's token permission restrictions:
+
+1. **Default `GITHUB_TOKEN`**: Does not have permission to update workflow files in a repository. If you try to sync workflow files using the default token, you'll get an error like:
+   ```
+   ! [remote rejected] HEAD -> sync/update (refusing to allow a GitHub App to create or update workflow without `workflows` permission)
+   ```
+
+2. **Personal Access Token (PAT)**: To sync workflow files, you must use a PAT with the `workflow` scope. Configure this in your workflow:
+   ```yaml
+   with:
+     token: ${{ secrets.PAT_WITH_WORKFLOW_SCOPE }}
+   ```
+
+3. **Repository Settings**: Alternatively, you can modify the default token permissions in your repository settings:
+   - Go to Settings > Actions > General
+   - Under "Workflow permissions", select "Read and write permissions"
+   - Check "Allow GitHub Actions to create and approve pull requests"
 
-The action uses sparse checkout to minimize the amount of data that needs to be downloaded, making it efficient even with large template repositories.
+The action will automatically detect when workflow files are being modified and provide appropriate warnings.
 
 ### Include and Exclude Parameters
 
@@ -100,9 +126,8 @@ Example:
   uses: jebel-quant/sync_template@main
   with:
     template-repository: 'organization/template-repo'
-  env:
-    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    TEST_MODE: "true"
+    token: ${{ secrets.GITHUB_TOKEN }}
+    test-mode: "true"
 ```
 
 ### Running Tests Locally

action.yml

@@ -74,25 +74,21 @@ runs:
           exit 0
         fi
 
-        # Check if workflow files are being modified
+        # Warn if workflow files are modified
         if git diff --cached --name-only | grep -q "^\.github/workflows/"; then
-          echo "⚠️ Warning: Workflow files (.github/workflows/) are being modified."
-          echo "   The default GITHUB_TOKEN does not have permission to update workflow files."
-          echo "   You need to use a Personal Access Token (PAT) with 'workflow' scope."
-          echo "   See: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token"
+          echo "⚠️ Workflow files detected. Use PAT with 'workflow' scope."
         fi
 
         git config user.name "github-actions[bot]"
         git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
         git commit -m "${{ inputs.commit-message }}"
 
+        # Configure remote with token
         git remote set-url origin "https://x-access-token:${{ inputs.token }}@github.com/${{ github.repository }}.git"
-        git remote -v
-        git branch -vv
 
         echo "✅ Remote after reset (masked):"
         git remote -v | sed -E 's@(https://)[^@]+@\\1****@g'
-    
+
         echo "🔁 Testing ls-remote with this token..."
         git ls-remote --heads origin || echo "❌ ls-remote failed"
 
@@ -104,19 +100,19 @@ runs:
             echo "✅ Sync complete"
           else
             echo "⚠️ Push failed. Check permissions."
-            echo "   If you're updating workflow files, you need a PAT with 'workflow' scope."
             exit 1
           fi
         fi
 
-    - name: Create Pull Request (if branch exists)
+    - name: Create Pull Request (if not in test mode)
+      if: ${{ inputs.test-mode != 'true' }}
       uses: peter-evans/create-pull-request@v7
       with:
         token: ${{ inputs.token }}
         branch: ${{ inputs.branch }}
-        base: main
+        commit-message: ${{ inputs.commit-message }}
         title: "chore: sync template from ${{ inputs.template-repository }}@${{ inputs.template-branch }}"
-        commit-message: "chore: sync template from ${{ inputs.template-repository }}@${{ inputs.template-branch }}"
         body: |
-          This PR updates configuration files from `${{ inputs.template-repository }}@${{ inputs.template-branch }}`.
+          This PR updates configuration files from
+          [${{ inputs.template-repository }}@${{ inputs.template-branch }}](https://github.com/${{ inputs.template-repository }}/tree/${{ inputs.template-branch }}).
         delete-branch: true