feat: replaces 'check_only' with 'dry_run' option

CONTRIBUTING.md

@@ -165,7 +165,7 @@ cat envfile
 
 GITHUB_OUTPUT=
 INPUT_SKIP_ITEMS=
-INPUT_CHECK_ONLY=true
+INPUT_DRY_RUN=true
 INPUT_SKIP_ASSEMBLE=false
 INPUT_SKIP_REGENERATE=false
 INPUT_REPOSITORY=.

actions/autosync/README.md

@@ -25,7 +25,7 @@ name: Example Workflow
 | --- | --- | --- | --- |
 | markdown_path | Path relative to the repository path where the Trestle markdown files are located. See action README.md for more information. | None | True |
 | oscal_model | OSCAL Model type to assemble. Values can be catalog, profile, compdef, or ssp. | None | True |
-| check_only | Runs tasks and exits with an error if there is a diff. Defaults to false | false | False |
+| dry_run | Runs tasks without pushing changes to the repository. | false | False |
 | github_token | GitHub token used to make authenticated API requests | None | False |
 | version | Version of the OSCAL model to set during assembly into JSON. | None | False |
 | skip_assemble | Skip assembly task. Defaults to false | false | False |
@@ -106,18 +106,28 @@ The purpose of this action is to sync JSON and Markdown data with `compliance-tr
         github_token: ${{ secret.GITHUB_TOKEN }}
 ```
 
-- When `check_only` is set, the trestle `assemble` and `regenerate` tasks are run and the repository is checked for changes. If changes exists, the action with exit with an error. This can be useful if you only want to check that the content is in sync without making any changes to the remote repository.
+- When `dry_run` is set, the trestle `assemble` and `regenerate` tasks are run and changes are not pushed to the remote repository, with display the files that would be changed.
+
+This can be helpful if you want to enforce that the content is in sync before it is merged into the repository with out making changes to the remote repository (e.g. helpful for changes from forks). If assembly and regeneratation are triggered by pushes to main, it can validate that the changes will be successful before merging to main to avoid unexpected errors.
 
 ```yaml
     steps:
       - uses: actions/checkout@v3
       - name: Run trestlebot
-        id: trestlebot
+        id: check
         uses: RedHatProductSecurity/trestle-bot/actions/autosync@main
         with:
           markdown_path: "markdown/profiles"
           oscal_model: "profile"
-          check_only: true
+          dry_run: true
+      # Optional - Set the action to failed if changes are detected.
+      - name: Fail for changes
+        if: ${{ steps.check.outputs.changes == 'true' }}
+        uses: actions/github-script@v7
+        with:
+          script: |
+              core.setFailed('Changes detected. Manual intervention required.')
+
 ```
 
 > Note: Trestle `assemble` or `regenerate` tasks may be skipped if desired using `skip_assemble: true` or `skip_regenerate: true`, respectively. 

actions/autosync/action.yml

@@ -9,8 +9,8 @@ inputs:
   oscal_model:
     description: OSCAL Model type to assemble. Values can be catalog, profile, compdef, or ssp.
     required: true
-  check_only: 
-    description: "Runs tasks and exits with an error if there is a diff. Defaults to false"
+  dry_run: 
+    description: "Runs tasks without pushing changes to the repository."
     required: false
     default: "false"
   github_token:

actions/autosync/auto-sync-entrypoint.sh

@@ -34,8 +34,8 @@ if [[ ${INPUT_SKIP_REGENERATE} == true ]]; then
     command+=" --skip-regenerate"
 fi
 
-if [[ ${INPUT_CHECK_ONLY} == true ]]; then
-    command+=" --check-only"
+if [[ ${INPUT_DRY_RUN} == true ]]; then
+    command+=" --dry-run"
 fi
 
 if [[ ${INPUT_VERBOSE} == true ]]; then
@@ -52,4 +52,4 @@ if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
   command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
 fi
 
-execute_command "${command}"
+eval "${command}"

actions/common.sh

@@ -15,24 +15,3 @@ function set_git_safe_directory() {
     fi
 }
 
-# Execute the command and set the output variables for GitHub Actions
-function execute_command() {
-    local command=$1
-    exec 3>&1
-    output=$(eval "$command" > >(tee /dev/fd/3) 2>&1)
-
-    commit=$(echo "$output" | grep "Commit Hash:" | sed 's/.*: //')
-
-    if [ -n "$commit" ]; then
-        echo "changes=true" >> "$GITHUB_OUTPUT"
-        echo "commit=$commit" >> "$GITHUB_OUTPUT"
-    else
-        echo "changes=false" >> "$GITHUB_OUTPUT"
-    fi
-
-    pr_number=$(echo "$output" | grep "Pull Request Number:" | sed 's/.*: //')
-
-    if [ -n "$pr_number" ]; then 
-    echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
-    fi
-}

actions/create-cd/README.md

@@ -32,6 +32,7 @@ name: Example Workflow
 | component_type | Type of the component to create. Values can be interconnection, software, hardware, service, policy, physical, process-procedure, plan, guidance, standard, or validation | service | False |
 | component_description | Description of the component to create | None | True |
 | filter_by_profile | Name of the profile in the workspace to filter controls by | None | False |
+| dry_run | Runs tasks without pushing changes to the repository. | false | False |
 | github_token | GitHub token used to make authenticated API requests | None | False |
 | commit_message | Commit message | Sync automatic updates | False |
 | pull_request_title | Custom pull request title | Automatic updates from trestlebot | False |

actions/create-cd/action.yml

@@ -25,6 +25,10 @@ inputs:
   filter_by_profile:
     description: Name of the profile in the workspace to filter controls by
     required: false
+  dry_run: 
+    description: "Runs tasks without pushing changes to the repository."
+    required: false
+    default: "false"
   github_token:
     description: "GitHub token used to make authenticated API requests"
     required: false

actions/create-cd/create-cd-entrypoint.sh

@@ -32,6 +32,10 @@ if [[ ${INPUT_VERBOSE} == true ]]; then
     command+=" --verbose"
 fi
 
+if [[ ${INPUT_DRY_RUN} == true ]]; then
+    command+=" --dry-run"
+fi
+
 # Only set the token value when is a target branch so pull requests can be created
 if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
   if [[ -z ${GITHUB_TOKEN} ]]; then
@@ -42,4 +46,4 @@ if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
   command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
 fi
 
-execute_command "${command}"
+eval "${command}"

actions/rules-transform/README.md

@@ -33,6 +33,7 @@ With custom rules directory:
 | Name | Description | Default | Required |
 | --- | --- | --- | --- |
 | rules_view_path | Path relative to the repository path where the Trestle rules view files are located. Defaults to `rules/`. | rules/ | False |
+| dry_run | Runs tasks without pushing changes to the repository. | false | False |
 | github_token | GitHub token used to make authenticated API requests | None | False |
 | skip_items | Comma-separated glob patterns list of content by Trestle name to skip during task execution. For example `compdef_x,compdef_y*,`. | None | False |
 | commit_message | Commit message | Sync automatic updates | False |

actions/rules-transform/action.yml

@@ -7,6 +7,10 @@ inputs:
     description: Path relative to the repository path where the Trestle rules view files are located. Defaults to `rules/`.
     required: false
     default: "rules/"
+  dry_run: 
+    description: "Runs tasks without pushing changes to the repository."
+    required: false
+    default: "false"
   github_token:
     description: "GitHub token used to make authenticated API requests"
     required: false

actions/rules-transform/rules-transform-entrypoint.sh

@@ -27,6 +27,11 @@ if [[ ${INPUT_VERBOSE} == true ]]; then
     command+=" --verbose"
 fi
 
+if [[ ${INPUT_DRY_RUN} == true ]]; then
+    command+=" --dry-run"
+fi
+
+
 # Only set the token value when is a target branch so pull requests can be created
 if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
   if [[ -z ${GITHUB_TOKEN} ]]; then
@@ -37,4 +42,4 @@ if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
   command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
 fi
 
-execute_command "${command}"
+eval "${command}"

actions/sync-upstreams/README.md

@@ -23,6 +23,7 @@ name: Example Workflow
 | Name | Description | Default | Required |
 | --- | --- | --- | --- |
 | sources | A newline separated list of upstream sources to sync with a repo@branch format. For example, `https://github.com/myorg/myprofiles@main` | None | True |
+| dry_run | Runs tasks without pushing changes to the repository. | false | False |
 | github_token | GitHub token used to make authenticated API requests | None | False |
 | include_model_names | Comma-separated glob pattern list of model names (i.e. trestle directory name) to include in the sync. For example, `*framework-v2`. Defaults to include all model names. | None | False |
 | exclude_model_names | Comma-separated glob pattern of model names (i.e. trestle directory name) to exclude from the sync. For example, `*framework-v1`. Defaults to skip no model names. | None | False |

actions/sync-upstreams/action.yml

@@ -6,6 +6,10 @@ inputs:
   sources: 
     description: "A newline separated list of upstream sources to sync with a repo@branch format. For example, `https://github.com/myorg/myprofiles@main`"
     required: true
+  dry_run: 
+    description: "Runs tasks without pushing changes to the repository."
+    required: false
+    default: "false"
   github_token:
     description: "GitHub token used to make authenticated API requests"
     required: false

actions/sync-upstreams/sync-upstreams-entrypoint.sh

@@ -31,6 +31,10 @@ if [[ ${INPUT_VERBOSE} == true ]]; then
     command+=" --verbose"
 fi
 
+if [[ ${INPUT_DRY_RUN} == true ]]; then
+    command+=" --dry-run"
+fi
+
 if [[ ${INPUT_SKIP_VALIDATION} == true ]]; then
     command+=" --skip-validation"
 fi
@@ -45,4 +49,4 @@ if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
   command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
 fi
 
-execute_command "${command}"
+eval "${command}"