DataDog
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 106 additions & 0 deletions b/‎.github/workflows/release.yml‎
Lines changed: 106 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 50 additions & 13 deletions b/‎README.md‎
Lines changed: 50 additions & 13 deletions
diff --git a/‎action-template/README.md‎
Lines changed: 79 additions & 0 deletions b/‎action-template/README.md‎
Lines changed: 79 additions & 0 deletions
diff --git a/‎action-template/action.js‎
Lines changed: 84 additions & 0 deletions b/‎action-template/action.js‎
Lines changed: 84 additions & 0 deletions
@@ -0,0 +1,106 @@
+# Runs on pushes to main, manages the `action` branch and `action/` tags family.
+name: Build and release action
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - 'main'
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        fetch-depth: 0 # needed to make sure we get all tags
+    - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      with:
+        go-version: '1.24'
+
+    - run: go test -v .
+
+    - name: build
+      run: |
+        GOOS=linux GOARCH=amd64 go build -buildvcs=false -o ./dist/commit-headless-linux-amd64 .
+        GOOS=linux GOARCH=arm64 go build -buildvcs=false -o ./dist/commit-headless-linux-arm64 .
+
+        # TODO: Not sure how to determine the current os/arch to select one of the above binaries
+        # so we're just going to build another one
+        go build -buildvcs=false -o ./dist/commit-headless .
+        ./dist/commit-headless version | awk '{print $3}' > ./dist/VERSION.txt
+        echo "Current version: $(cat ./dist/VERSION.txt)"
+
+    - name: create action branch commit
+      id: create-commit
+      run: |
+
+        # Copy the new assets to a temporary location that we can recover later
+        cp -R dist /tmp/release-assets
+
+        git switch action
+
+        # Remove everything except the git directory
+        find . -not -path "./.git" -not -path '.' -maxdepth 1 -exec rm -rf {} +
+
+        # Bring back the release assets
+        mv /tmp/release-assets dist
+
+        # "Restore" the contents of action-template from the previous ref
+        git restore --source "${{ github.sha }}" action-template/
+
+        # Copy the contents of action-template to the top of the repository
+        cp action-template/* . && rm -rf action-template
+
+        # Replace the VERSION in README.md
+        sed -i "s/%%VERSION%%/$(cat dist/VERSION.txt)/g" README.md
+
+        git add --all
+
+        echo "Changes to commit.."
+        git status
+
+        # Create a commit
+        # TODO: A merge should have the PR number in the commit headline, if we use the original
+        # commit message it should back-link
+        git config user.name "github-actions[bot]"
+        git config user.email "41898282+github-actions[bot]@users.noreply.github.com>"
+        git commit \
+          --message="Update action from ${{ github.sha }}" \
+          --allow-empty # sometimes we have nothing to change, so this ensures we can still commit
+
+        REF=$(git rev-parse HEAD)
+        echo "sha=${REF}" >> $GITHUB_OUTPUT
+        echo "Created commit ${REF}"
+
+    - name: push commits
+      id: push-commits
+      uses: ./ # use the action defined in the action branch
+      with:
+        branch: action
+        command: push
+        commits: ${{ steps.create-commit.outputs.sha }}
+
+    - name: check release tag
+      id: check-tag
+      run: |
+        TAG="action/v$(cat ./dist/VERSION.txt)"
+        if git show-ref --tags --verify --quiet "refs/tags/${TAG}"; then
+          echo "Release tag ${TAG} already exists. Not releasing."
+          exit 1
+        fi
+        echo "tag=${TAG}" >> $GITHUB_OUTPUT
+
+    - name: make release
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      with:
+        script: |
+          github.rest.git.createRef({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            ref: 'refs/tags/${{ steps.check-tag.outputs.tag }}',
+            sha: '${{ steps.push-commits.outputs.pushed_ref }}'
+          });
@@ -1,6 +1,9 @@
 # commit-headless
 
-A binary tool and GitHub action for creating signed commits from headless workflows
+A binary tool and GitHub Action for creating signed commits from headless workflows
+
+For the Action, please see [the action branch][action-branch] and the associated `action/`
+release tags.
 
 `commit-headless` is focused on turning local commits (or dirty files) into signed commits on the
 remote. It does this via the GitHub GraphQL API, more specifically the [createCommitOnBranch][mutation]
@@ -10,31 +13,64 @@ When this API is used with a GitHub App token, the resulting commit will be sign
 GitHub on behalf of the application.
 
 [mutation]: https://docs.github.com/en/graphql/reference/mutations#createcommitonbranch
+[action-branch]: https://github.com/DataDog/commit-headless/tree/action
 
 ## Usage
 
-Currently, there is one command: `commit-headless push`. It takes a target owner/repository and
-remote branch name, as well as a list of commit hashes as arguments *or* a list of commit hashes *in
-reverse chronological order (newest first)* on standard input.
+There are two ways to create signed headless commits with this tool: `push` and `commit`.
+
+Both of these commands take a target owner/repository (eg, `--target/-T DataDog/commit-headless`)
+and remote branch name (eg, `--branch bot-branch`) as required flags and expect to find a GitHub
+token in one of the following environment variables:
+
+- HEADLESS_TOKEN
+- GITHUB_TOKEN
+- GH_TOKEN
+
+In normal usage, `commit-headless` will print *only* the reference to the last commit created on the
+remote, allowing this to easily be captured in a script.
+
+More on the specifics for each command below. See also: `commit-headless <command> --help`
+
+### commit-headless push
+
+In addition to the required target and branch flags, the `push` command expects a list of commit
+hashes as arguments *or* a list of commit hashes *in reverse chronological order (newest first)*
+on standard input.
 
 It will iterate over the supplied commits, extract the set of changed files and commit message, then
 craft new *remote* commits corresponding to each local commit.
 
 The remote commit will have the original commit message, with "Co-authored-by" trailer for the
-original commit message. This is because commits created using the GraphQL API do not support
-setting the author or committer (they are inferred from the token owner), so adding a
-"Co-authored-by" trailer allows the commits to carry attribution to the original (bot) committer.
-
-In normal usage, `commit-headless` will print *only* the reference to the last commit created on the
-remote, allowing this to easily be captured in a script. For example output, see the later section.
+original commit author.
 
 You can use `commit-headless push` via:
 
-    GH_TOKEN=xyz commit-headless push --target datadog/commit-headless --branch bot-branch-remote HASH1 HASH2 HASH3 ...
+    commit-headless push [flags...] HASH1 HASH2 HASH3 ...
 
 Or, using git log (note `--oneline`):
 
-    git log --oneline main.. | GH_TOKEN=xyz commit-headless push --target datadog/commit-headless --branch bot-branch-remote
+    git log --oneline main.. | commit-headless push [flags...]
+
+### commit-headless commit
+
+This command is more geared for creating single commits at a time. It takes a list of files to
+commit changes to, and those files will either be updated/added or deleted in a single commit.
+
+Note that you cannot delete a file without also adding `--force` for safety reasons.
+
+Examples:
+
+    # Commit changes to these two files
+    commit-headless commit [flags...] -- README.md .gitlab-ci.yml
+
+    # Remove a file, add another one, and commit
+    rm file/i/do/not/want
+    echo "hello" > hi-there.txt
+    commit-headless commit [flags...] --force -- hi-there.txt file/i/do/not/want
+
+    # Commit a change with a custom message
+    commit-headless commit [flags...] -m"ran a pipeline" -- output.txt
 
 ## Try it!
 
@@ -88,13 +124,14 @@ Prerelease occurs automatically on a push to main, or can be manually triggered
 `release:build` job on any branch.
 
 Additionally, on main, the `release:publish` job will run. This job takes the prerelease image and
-tags it for release.
+tags it for release, as well as produces a CI image with various other tools.
 
 You can view all releases (and prereleases) with crane:
 
 ```
 $ crane ls registry.ddbuild.io/commit-headless-prerelease
 $ crane ls registry.ddbuild.io/commit-headless
+$ crane ls registry.ddbuild.io/commit-headless-ci-image
 ```
 
 Note that the final publish job will fail unless there was also a change to `version.go` to avoid
 
@@ -0,0 +1,79 @@
+# commit-headless action
+
+NOTE: This branch contains only the action implementation of `commit-headless`. To view the source
+code, see the [main](https://github.com/DataDog/commit-headless/tree/main) branch.
+
+This action uses `commit-headless` to support creating signed and verified remote commits from a
+GitHub action workflow.
+
+For more details on how `commit-headless` works, check the main branch link above.
+
+## Usage (commit-headless push)
+
+If your workflow creates multiple commits and you want to push all of them, you can use
+`commit-headless push`:
+
+```
+- name: Create commits
+  id: create-commits
+  run: |
+    git config --global user.name "A U Thor"
+    git config --global user.email "author@example.com"
+
+    echo "new file from my bot" >> bot.txt
+    git add bot.txt && git commit -m"bot commit 1"
+
+    echo "another commit" >> bot.txt
+    git add bot.txt && git commit -m"bot commit 2"
+
+    # List both commit hashes in reverse order, space separated
+    echo "commits=\"$(git log "${{ github.sha }}".. --format='%H%x00' | tr '\n' ' ')\"" >> $GITHUB_OUTPUT
+
+- name: Push commits
+  uses: DataDog/commit-headless@action/v%%VERSION%%
+  with:
+    token: ${{ github.token }} # default
+    target: ${{ github.repository }} # default
+    branch: ${{ github.ref_name }}
+    command: push
+    commits: "${{ steps.create-commits.outputs.commits }}"
+```
+
+## Usage (commit-headless commit)
+
+Some workflows may just have a specific set of files that they change and just want to create a
+single commit out of them. For that, you can use `commit-headless commit`:
+
+```
+- name: Change files
+  id: change-files
+  run: |
+    echo "updating contents of bot.txt" >> bot.txt
+
+    date --rfc-3339=s >> timestamp
+
+    files="bot.txt timestamp"
+
+    # remove an old file if it exists
+    # commit-headless commit will fail if you attempt to delete a file that doesn't exist on the
+    # remote (enforced via the GitHub API)
+    if [[ -f timestamp.old ]]; then
+        rm timestamp.old
+        files += " timestamp.old"
+    fi
+
+    # Record the set of files we want to commit
+    echo "files=\"${files}\"" >> $GITHUB_OUTPUT
+
+- name: Create commit
+  uses: DataDog/commit-headless@action/v%%VERSION%%
+  with:
+    token: ${{ github.token }} # default
+    target: ${{ github.repository }} # default
+    branch: ${{ github.ref_name }}
+    author: "A U Thor <author@example.com>" # defaults to the github-actions bot account
+    message: "a commit message"
+    command: commit
+    files: "${{ steps.create-commits.outputs.files }}"
+    force: true # default false, needs to be true to allow deletion
+```
@@ -0,0 +1,84 @@
+const childProcess = require('child_process')
+const crypto = require('crypto')
+const fs = require('fs')
+const os = require('os')
+const process = require('process')
+
+function chooseBinary() {
+  const platform = os.platform()
+  const arch = os.arch()
+
+  if (platform === 'linux' && arch === 'x64') {
+    return `dist/commit-headless-linux-amd64`
+  }
+  if (platform === 'linux' && arch === 'arm64') {
+    return `dist/commit-headless-linux-arm64`
+  }
+
+  console.error(`Unsupported platform (${platform}) and architecture (${arch})`)
+  process.exit(1)
+}
+
+function main() {
+  const binary = chooseBinary()
+
+  const cmd = `${__dirname}/${binary}`
+
+  const env = { ...process.env };
+  env.HEADLESS_TOKEN = process.env.INPUT_TOKEN;
+
+  const command = process.env.INPUT_COMMAND;
+
+  if (!["commit", "push"].includes(command)) {
+    console.error(`Unknown command ${command}. Must be one of "commit" or "push".`);
+    process.exit(1);
+  }
+
+  let args = [
+    command,
+    "--target", process.env.INPUT_TARGET,
+    "--branch", process.env.INPUT_BRANCH
+  ];
+
+  if (command === "push") {
+    args.push(...process.env.INPUT_COMMITS.split(/\s+/));
+  } else {
+    const author = process.env["INPUT_AUTHOR"] || "";
+    const message = process.env["INPUT_MESSAGE"] || "";
+    if(author !== "") { args.push("--author", author) }
+    if(message !== "") { args.push("--message", message) }
+
+    const force = process.env["INPUT_FORCE"] || "false"
+    if(!["true", "false"].includes(force.toLowerCase())) {
+      console.error(`Invalid value for force (${force}). Must be one of true or false.`);
+      process.exit(1);
+    }
+
+    if(force.toLowerCase() === "true") { args.push("--force") }
+
+    args.push(...process.env.INPUT_FILES.split(/\s+/));
+  }
+
+  const child = childProcess.spawnSync(cmd, args, {
+    env: env,
+    stdio: ['ignore', 'pipe', 'inherit'],
+  })
+
+  const exitCode = child.status
+  if (typeof exitCode === 'number') {
+    if(exitCode === 0) {
+      const out = child.stdout.toString().trim();
+      console.log(`Pushed reference ${out}`);
+
+      const delim = `delim_${crypto.randomUUID()}`;
+      fs.appendFileSync(process.env.GITHUB_OUTPUT, `pushed_ref<<${delim}${os.EOL}${out}${os.EOL}${delim}`, { encoding: "utf8" });
+    }
+
+    process.exit(exitCode)
+  }
+  process.exit(1)
+}
+
+if (require.main === module) {
+  main()
+}