[BRE-1534] Adding ability to tag w/ commit and override owner/repo (#628)

pixman20 · web-flow · commit 8c49058e9903 · 2026-03-03T15:57:19.000-05:00
diff --git a/.github/workflows/test-api-commit.yml b/.github/workflows/test-api-commit.yml
@@ -23,6 +23,7 @@ jobs:
           - explicit-files
           - auto-detect-files
           - no-changes
+          - tag
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -35,8 +36,10 @@ jobs:
           GH_TOKEN: ${{ github.token }}
           REPOSITORY: ${{ github.repository }}
         run: |
-          TEST_BRANCH="api-commit-${{ matrix.mode }}-$(date +%s)"
+          TIMESTAMP=$(date +%s)
+          TEST_BRANCH="api-commit-${{ matrix.mode }}-$TIMESTAMP"
           echo "test_branch=$TEST_BRANCH" >> "$GITHUB_OUTPUT"
+          echo "test_tag=api-commit-tag-test-$TIMESTAMP" >> "$GITHUB_OUTPUT"
 
           SHA=$(gh api "repos/$REPOSITORY/git/ref/heads/main" --jq '.object.sha')
           gh api "repos/$REPOSITORY/git/refs" \
@@ -86,6 +89,22 @@ jobs:
           branch: ${{ steps.setup.outputs.test_branch }}
           token: ${{ github.token }}
 
+      - name: Create test file (tag)
+        if: matrix.mode == 'tag'
+        run: |
+          echo "content $(date +%s)" > api-commit-tag-test-file.txt
+
+      - name: Run API Commit action (tag)
+        id: api-commit-tag
+        if: matrix.mode == 'tag'
+        uses: ./api-commit
+        with:
+          files: api-commit-tag-test-file.txt
+          message: "chore: test API commit with tag"
+          branch: ${{ steps.setup.outputs.test_branch }}
+          tag_name: ${{ steps.setup.outputs.test_tag }}
+          token: ${{ github.token }}
+
       - name: Get commit SHA
         id: commit
         env:
@@ -94,16 +113,26 @@ jobs:
           AUTO_DETECT_FILES_SHA: ${{ steps.api-commit-auto.outputs.commit_sha }}
           EXPECTED_AUTO_DETECT_FILES: "api-commit-auto-test-file.txt"
           NO_CHANGES_OUTCOME: ${{ steps.api-commit-no-changes.outcome }}
+          TAG_SHA: ${{ steps.api-commit-tag.outputs.commit_sha }}
+          EXPECTED_TAG_FILES: "api-commit-tag-test-file.txt"
+          TEST_TAG: ${{ steps.setup.outputs.test_tag }}
         run: |
           if [[ -n "$EXPLICIT_FILES_SHA" ]]; then
             echo "sha=$EXPLICIT_FILES_SHA" >> "$GITHUB_OUTPUT"
             echo "expected_files=$EXPECTED_EXPLICIT_FILES" >> "$GITHUB_OUTPUT"
+            echo "tag_name=" >> "$GITHUB_OUTPUT"
           elif [[ -n "$AUTO_DETECT_FILES_SHA" ]]; then
             echo "sha=$AUTO_DETECT_FILES_SHA" >> "$GITHUB_OUTPUT"
             echo "expected_files=$EXPECTED_AUTO_DETECT_FILES" >> "$GITHUB_OUTPUT"
+            echo "tag_name=" >> "$GITHUB_OUTPUT"
           elif [[ "$NO_CHANGES_OUTCOME" == "success" ]]; then
             echo "sha=" >> "$GITHUB_OUTPUT"
             echo "expected_files=" >> "$GITHUB_OUTPUT"
+            echo "tag_name=" >> "$GITHUB_OUTPUT"
+          elif [[ -n "$TAG_SHA" ]]; then
+            echo "sha=$TAG_SHA" >> "$GITHUB_OUTPUT"
+            echo "expected_files=$EXPECTED_TAG_FILES" >> "$GITHUB_OUTPUT"
+            echo "tag_name=$TEST_TAG" >> "$GITHUB_OUTPUT"
           else
             echo "::error::No commit SHA found"
             exit 1
@@ -169,13 +198,35 @@ jobs:
             exit 1
           fi
 
-      - name: Cleanup test branch
+      - name: Validate tag was created
+        if: steps.commit.outputs.tag_name != ''
+        env:
+          GH_TOKEN: ${{ github.token }}
+          COMMIT_SHA: ${{ steps.commit.outputs.sha }}
+          TAG_NAME: ${{ steps.commit.outputs.tag_name }}
+          REPOSITORY: ${{ github.repository }}
+        run: |
+          TAG_SHA=$(gh api "repos/$REPOSITORY/git/ref/tags/$TAG_NAME" --jq '.object.sha')
+          echo "Tag $TAG_NAME points to: $TAG_SHA"
+
+          if [[ "$TAG_SHA" != "$COMMIT_SHA" ]]; then
+            echo "::error::Tag SHA mismatch: expected $COMMIT_SHA but tag points to $TAG_SHA"
+            exit 1
+          fi
+
+          echo "Tag verified successfully"
+
+      - name: Cleanup test branch and tag
         if: always()
         env:
           GH_TOKEN: ${{ github.token }}
           BRANCH: ${{ steps.setup.outputs.test_branch }}
+          TAG_NAME: ${{ steps.commit.outputs.tag_name }}
           REPOSITORY: ${{ github.repository }}
         run: |
           if [[ -n "$BRANCH" ]]; then
             gh api "repos/$REPOSITORY/git/refs/heads/$BRANCH" --method DELETE
           fi
+          if [[ -n "$TAG_NAME" ]]; then
+            gh api "repos/$REPOSITORY/git/refs/tags/$TAG_NAME" --method DELETE
+          fi
diff --git a/api-commit/README.md b/api-commit/README.md
@@ -13,10 +13,13 @@ Create a verified commit via the GitHub API without requiring `git` credentials
 
 | Input     | Description                                                                    | Required | Default                  |
 | --------- | ------------------------------------------------------------------------------ | -------- | ------------------------ |
-| `files`   | Newline-delimited list of files to commit. If omitted, all files modified relative to HEAD are committed. | No | -  |
-| `message` | Commit message                                                                 | Yes      | -                        |
-| `branch`  | Branch to commit to                                                            | No       | `${{ github.ref }}`      |
-| `token`   | GitHub token for API access. Use a GitHub App token for verified commits.     | Yes      | -                        |
+| `files`    | Newline-delimited list of files to commit. If omitted, all files modified relative to HEAD are committed. | No | - |
+| `message`  | Commit message                                                                 | Yes      | -                        |
+| `branch`   | Branch to commit to                                                            | No       | `${{ github.ref }}`      |
+| `token`    | GitHub token for API access. Use a GitHub App token for verified commits.     | Yes      | -                        |
+| `tag_name` | Tag to create pointing at the commit. If omitted, no tag is created. If no commit is made, the tag is skipped. | No | - |
+| `owner`    | Repository owner (org or user). Defaults to the current workflow repository owner. | No  | `${{ github.repository_owner }}` |
+| `repo`     | Repository name. Defaults to the current workflow repository.                 | No       | `${{ github.event.repository.name }}` |
 
 ## Outputs
 
diff --git a/api-commit/action.yml b/api-commit/action.yml
@@ -20,6 +20,18 @@ inputs:
   token:
     description: 'GitHub token for API access. Use a GitHub App token for verified commits.'
     required: true
+  tag_name:
+    description: 'Tag to create pointing at the commit. If omitted, no tag is created. If no commit is made, the tag is skipped.'
+    required: false
+    default: ''
+  owner:
+    description: 'Repository owner (org or user). Defaults to the current workflow repository owner.'
+    required: false
+    default: ''
+  repo:
+    description: 'Repository name. Defaults to the current workflow repository.'
+    required: false
+    default: ''
 
 outputs:
   commit_sha:
@@ -36,11 +48,16 @@ runs:
         INPUT_FILES: ${{ inputs.files }}
         INPUT_MESSAGE: ${{ inputs.message }}
         INPUT_BRANCH: ${{ inputs.branch }}
+        INPUT_TAG_NAME: ${{ inputs.tag_name }}
+        INPUT_OWNER: ${{ inputs.owner }}
+        INPUT_REPO: ${{ inputs.repo }}
       with:
         github-token: ${{ inputs.token }}
         script: |
           const fs = require('fs');
           const path = require('path');
+          const owner = process.env.INPUT_OWNER.trim() || context.repo.owner;
+          const repo = process.env.INPUT_REPO.trim() || context.repo.repo;
           const message = process.env.INPUT_MESSAGE;
 
           // Validate message
@@ -77,6 +94,33 @@ runs:
               .filter(f => f.length > 0)
               .map(f => path.normalize(f).split(path.sep).join('/'));
           } else {
+            // Verify the local git remote matches the target repository to ensure
+            // auto-detected files correspond to the correct repository.
+            const remoteUrl = (await exec.getExecOutput('git', ['remote', 'get-url', 'origin'])).stdout.trim();
+            let remoteOwner, remoteRepo;
+            try {
+              // HTTPS: https://github.com/owner/repo.git
+              const url = new URL(remoteUrl);
+              const parts = url.pathname.replace(/^\//, '').replace(/\.git$/, '').split('/');
+              remoteOwner = parts[0];
+              remoteRepo = parts[1];
+            } catch {
+              // SSH: git@github.com:owner/repo.git
+              const match = remoteUrl.match(/[^:]+:([^/]+)\/(.+?)(?:\.git)?$/);
+              if (match) {
+                remoteOwner = match[1];
+                remoteRepo = match[2];
+              }
+            }
+            if (!remoteOwner || !remoteRepo) {
+              core.setFailed(`Could not parse git remote URL to validate repository: ${remoteUrl}`);
+              return;
+            }
+            if (remoteOwner.toLowerCase() !== owner.toLowerCase() || remoteRepo.toLowerCase() !== repo.toLowerCase()) {
+              core.setFailed(`Auto-detect requires the local git remote to match the target repository. Remote is ${remoteOwner}/${remoteRepo} but targeting ${owner}/${repo}. Use explicit \`files\` input when targeting a different repository.`);
+              return;
+            }
+
             // Combine working tree and staged changes so that staged-only changes are included
             const [workingTree, staged] = await Promise.all([
               exec.getExecOutput('git', ['diff', '--diff-filter=d', '--name-only', 'HEAD']),
@@ -140,8 +184,8 @@ runs:
               mode = (stat.mode & 0o111) ? '100755' : '100644';
             }
             const { data: blob } = await github.rest.git.createBlob({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
+              owner,
+              repo,
               content: content.toString('base64'),
               encoding: 'base64'
             });
@@ -150,21 +194,21 @@ runs:
 
           // Get current branch HEAD as late as possible to reduce the race window
           const { data: ref } = await github.rest.git.getRef({
-            owner: context.repo.owner,
-            repo: context.repo.repo,
+            owner,
+            repo,
             ref: `heads/${branch}`
           });
 
           const { data: commit } = await github.rest.git.getCommit({
-            owner: context.repo.owner,
-            repo: context.repo.repo,
+            owner,
+            repo,
             commit_sha: ref.object.sha
           });
 
           // Create tree, commit, and update the branch ref
           const { data: newTree } = await github.rest.git.createTree({
-            owner: context.repo.owner,
-            repo: context.repo.repo,
+            owner,
+            repo,
             base_tree: commit.tree.sha,
             tree
           });
@@ -177,17 +221,17 @@ runs:
           }
 
           const { data: newCommit } = await github.rest.git.createCommit({
-            owner: context.repo.owner,
-            repo: context.repo.repo,
+            owner,
+            repo,
             message,
             tree: newTree.sha,
             parents: [ref.object.sha]
           });
 
           try {
             await github.rest.git.updateRef({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
+              owner,
+              repo,
               ref: `heads/${branch}`,
               sha: newCommit.sha
             });
@@ -199,4 +243,15 @@ runs:
             throw err;
           }
 
+          const tagName = process.env.INPUT_TAG_NAME.trim();
+          if (tagName.length) {
+            await github.rest.git.createRef({
+              owner,
+              repo,
+              ref: `refs/tags/${tagName}`,
+              sha: newCommit.sha
+            });
+            core.info(`Created tag ${tagName} at ${newCommit.sha}`);
+          }
+
           core.setOutput('commit_sha', newCommit.sha);
