complytime · jpower432 · May 9, 2024 · Apr 30, 2024 · Apr 30, 2024 · May 1, 2024
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -192,5 +192,5 @@ cat my-token.txt | podman secret create repo-secret -
 4. Run the container
 
 ```bash
-podman run --entrypoint /entrypoint.sh --secret repo-secret,type=env,target=GITHUB_TOKEN --env-file=envfile -v my-trestle-space:/data -w /data localhost:5000/trestlebot:latest
+podman run --entrypoint /entrypoint.sh --secret repo-secret,type=env,target=TRESTLEBOT_REPO_ACCESS_TOKEN --env-file=envfile -v my-trestle-space:/data -w /data localhost:5000/trestlebot:latest
 ```
diff --git a/README.md b/README.md
@@ -37,9 +37,12 @@ Below is a table of the available commands and their current availability as a G
 
 For detailed documentation on how to use each action, see the README.md in each folder under [actions](./actions/).
 
-### Supported Continuous Integration Systems
+### Supported Git Providers
 
-- GitHub Actions
+> Note: Only applicable if using `trestle-bot` to create pull requests. Automatically detecting the git
+provider information is supported for GitHub Actions (GitHub) and GitLab CI (GitLab).
+
+- GitHub
 - GitLab
 
 ### Run as a Container

diff --git a/actions/autosync/README.md b/actions/autosync/README.md
@@ -26,7 +26,7 @@ name: Example Workflow
 | markdown_path | Path relative to the repository path where the Trestle markdown files are located. See action README.md for more information. | None | True |
 | oscal_model | OSCAL Model type to assemble. Values can be catalog, profile, compdef, or ssp. | None | True |
 | dry_run | Runs tasks without pushing changes to the repository. | false | False |
-| github_token | GitHub token used to make authenticated API requests | None | False |
+| github_token | "GitHub token used to make authenticated API requests. Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do not hardcode the token." | None | False |
 | version | Version of the OSCAL model to set during assembly into JSON. | None | False |
 | skip_assemble | Skip assembly task. Defaults to false | false | False |
 | skip_regenerate | Skip regenerate task. Defaults to false. | false | False |

diff --git a/actions/autosync/action.yml b/actions/autosync/action.yml
@@ -14,7 +14,9 @@ inputs:
     required: false
     default: "false"
   github_token:
-    description: "GitHub token used to make authenticated API requests"
+    description: |
+      "GitHub token used to make authenticated API requests.
+      Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do not hardcode the token."
     required: false
   version:
     description: "Version of the OSCAL model to set during assembly into JSON."
@@ -91,7 +93,7 @@ runs:
   image: "../../Dockerfile"
   entrypoint: "/auto-sync-entrypoint.sh"
   env:
-    GITHUB_TOKEN: ${{ inputs.github_token }}
+    TRESTLEBOT_REPO_ACCESS_TOKEN: ${{ inputs.github_token }}
 
 branding:
   icon: "check"

diff --git a/actions/autosync/auto-sync-entrypoint.sh b/actions/autosync/auto-sync-entrypoint.sh
@@ -42,14 +42,4 @@ if [[ ${INPUT_VERBOSE} == true ]]; then
     command+=" --verbose"
 fi
 
-# Only set the token value when is a target branch so pull requests can be created
-if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
-  if [[ -z ${GITHUB_TOKEN} ]]; then
-    echo "Set the GITHUB_TOKEN env variable."
-    exit 1
-  fi
-
-  command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
-fi
-
 eval "${command}"
diff --git a/actions/create-cd/README.md b/actions/create-cd/README.md
@@ -33,7 +33,7 @@ name: Example Workflow
 | component_description | Description of the component to create | None | True |
 | filter_by_profile | Name of the profile in the workspace to filter controls by | None | False |
 | dry_run | Runs tasks without pushing changes to the repository. | false | False |
-| github_token | GitHub token used to make authenticated API requests | None | False |
+| github_token | "GitHub token used to make authenticated API requests. Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do not hardcode the token." | None | False |
 | commit_message | Commit message | Sync automatic updates | False |
 | pull_request_title | Custom pull request title | Automatic updates from trestlebot | False |
 | branch | Name of the Git branch to which modifications should be pushed. Required if Action is used on the `pull_request` event. | ${{ github.ref_name }} | False |

diff --git a/actions/create-cd/action.yml b/actions/create-cd/action.yml
@@ -30,7 +30,9 @@ inputs:
     required: false
     default: "false"
   github_token:
-    description: "GitHub token used to make authenticated API requests"
+    description: |
+      "GitHub token used to make authenticated API requests.
+      Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do not hardcode the token."
     required: false
   commit_message:
     description: Commit message
@@ -89,7 +91,7 @@ runs:
   image: "../../Dockerfile"
   entrypoint: "/create-cd-entrypoint.sh"
   env:
-    GITHUB_TOKEN: ${{ inputs.github_token }}
+    TRESTLEBOT_REPO_ACCESS_TOKEN: ${{ inputs.github_token }}
 
 branding:
   icon: "check"

diff --git a/actions/create-cd/create-cd-entrypoint.sh b/actions/create-cd/create-cd-entrypoint.sh
@@ -36,14 +36,4 @@ if [[ ${INPUT_DRY_RUN} == true ]]; then
     command+=" --dry-run"
 fi
 
-# Only set the token value when is a target branch so pull requests can be created
-if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
-  if [[ -z ${GITHUB_TOKEN} ]]; then
-    echo "Set the GITHUB_TOKEN env variable."
-    exit 1
-  fi
-
-  command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
-fi
-
 eval "${command}"
diff --git a/actions/rules-transform/README.md b/actions/rules-transform/README.md
@@ -34,7 +34,7 @@ With custom rules directory:
 | --- | --- | --- | --- |
 | rules_view_path | Path relative to the repository path where the Trestle rules view files are located. Defaults to `rules/`. | rules/ | False |
 | dry_run | Runs tasks without pushing changes to the repository. | false | False |
-| github_token | GitHub token used to make authenticated API requests | None | False |
+| github_token | "GitHub token used to make authenticated API requests. Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do not hardcode the token." | None | False |
 | skip_items | Comma-separated glob patterns list of content by Trestle name to skip during task execution. For example `compdef_x,compdef_y*,`. | None | False |
 | commit_message | Commit message | Sync automatic updates | False |
 | pull_request_title | Custom pull request title | Automatic updates from trestlebot | False |

diff --git a/actions/rules-transform/action.yml b/actions/rules-transform/action.yml
@@ -12,7 +12,9 @@ inputs:
     required: false
     default: "false"
   github_token:
-    description: "GitHub token used to make authenticated API requests"
+    description: |
+      "GitHub token used to make authenticated API requests.
+      Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do not hardcode the token."
     required: false
   skip_items:
     description: "Comma-separated glob patterns list of content by Trestle name to skip during task execution. For example `compdef_x,compdef_y*,`."
@@ -74,7 +76,7 @@ runs:
   image: "../../Dockerfile"
   entrypoint: "/rules-transform-entrypoint.sh"
   env:
-    GITHUB_TOKEN: ${{ inputs.github_token }}
+    TRESTLEBOT_REPO_ACCESS_TOKEN: ${{ inputs.github_token }}
 
 branding:
   icon: "check"

diff --git a/actions/rules-transform/rules-transform-entrypoint.sh b/actions/rules-transform/rules-transform-entrypoint.sh
@@ -31,15 +31,4 @@ if [[ ${INPUT_DRY_RUN} == true ]]; then
     command+=" --dry-run"
 fi
 
-
-# Only set the token value when is a target branch so pull requests can be created
-if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
-  if [[ -z ${GITHUB_TOKEN} ]]; then
-    echo "Set the GITHUB_TOKEN env variable."
-    exit 1
-  fi
-
-  command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
-fi
-
 eval "${command}"
diff --git a/actions/sync-upstreams/README.md b/actions/sync-upstreams/README.md
@@ -24,7 +24,7 @@ name: Example Workflow
 | --- | --- | --- | --- |
 | sources | A newline separated list of upstream sources to sync with a repo@branch format. For example, `https://github.com/myorg/myprofiles@main` | None | True |
 | dry_run | Runs tasks without pushing changes to the repository. | false | False |
-| github_token | GitHub token used to make authenticated API requests | None | False |
+| github_token | "GitHub token used to make authenticated API requests. Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do not hardcode the token." | None | False |
 | include_model_names | Comma-separated glob pattern list of model names (i.e. trestle directory name) to include in the sync. For example, `*framework-v2`. Defaults to include all model names. | None | False |
 | exclude_model_names | Comma-separated glob pattern of model names (i.e. trestle directory name) to exclude from the sync. For example, `*framework-v1`. Defaults to skip no model names. | None | False |
 | skip_validation | Skip validation of the upstream OSCAL content. Defaults to false | false | False |

diff --git a/actions/sync-upstreams/action.yml b/actions/sync-upstreams/action.yml
@@ -11,7 +11,9 @@ inputs:
     required: false
     default: "false"
   github_token:
-    description: "GitHub token used to make authenticated API requests"
+    description: |
+      "GitHub token used to make authenticated API requests.
+      Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do not hardcode the token."
     required: false
   include_model_names:
     description: "Comma-separated glob pattern list of model names (i.e. trestle directory name) to include in the sync. For example, `*framework-v2`. Defaults to include all model names."
@@ -80,7 +82,7 @@ runs:
   image: "../../Dockerfile"
   entrypoint: "/sync-upstreams-entrypoint.sh"
   env:
-    GITHUB_TOKEN: ${{ inputs.github_token }}
+    TRESTLEBOT_REPO_ACCESS_TOKEN: ${{ inputs.github_token }}
 
 branding:
   icon: "check"

diff --git a/actions/sync-upstreams/sync-upstreams-entrypoint.sh b/actions/sync-upstreams/sync-upstreams-entrypoint.sh
@@ -39,14 +39,4 @@ if [[ ${INPUT_SKIP_VALIDATION} == true ]]; then
     command+=" --skip-validation"
 fi
 
-# Only set the token value when is a target branch so pull requests can be created
-if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
-  if [[ -z ${GITHUB_TOKEN} ]]; then
-    echo "Set the GITHUB_TOKEN env variable."
-    exit 1
-  fi
-
-  command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
-fi
-
 eval "${command}"
diff --git a/scripts/update_action_readmes.py b/scripts/update_action_readmes.py
@@ -48,18 +48,27 @@ def generate_inputs_markdown_table(inputs: Dict[str, Any]) -> str:
     """Generate the Action Inputs markdown table"""
     table = "| Name | Description | Default | Required |\n| --- | --- | --- | --- |\n"
     for name, input in inputs.items():
-        table += f"| {name} | {input.get('description', None)} | {input.get('default', None)} | {input.get('required', None)} |\n"  # noqa E501
+        if input_description := input.get('description', None):
+            input_description = format_descriptions(input_description)
+        table += f"| {name} | {input_description} | {input.get('default', None)} | {input.get('required', None)} |\n"  # noqa E501
     return table
 
 
 def generate_outputs_markdown_table(outputs: Dict[str, Any]) -> str:
     """Generate the Action Outputs markdown table"""
     table = "| Name | Description |\n| --- | --- |\n"
     for name, output in outputs.items():
-        table += f"| {name} | {output.get('description', None)} |\n"
+        if output_description := output.get('description', None):
+            output_description = format_descriptions(output_description)
+        table += f"| {name} | {output_description} |\n"
     return table
 
 
+def format_descriptions(description: str) -> str:
+    """Ensure descriptions are a single line."""
+    return " ".join(description.splitlines())
+
+
 def replace(all_content: str, start: str, end: str, new_content: str) -> str:
     """Replace the content between start (plus a new line) and end with new_content"""
     start_line = all_content.find(start)

diff --git a/tests/trestlebot/entrypoints/test_autosync.py b/tests/trestlebot/entrypoints/test_autosync.py
@@ -136,37 +136,3 @@ def test_invalid_working_dir(valid_args_dict: Dict[str, str], caplog: Any) -> No
         and "Root path . is not a valid trestle project root" in record.message
         for record in caplog.records
     )
-
-
-@patch(
-    "trestlebot.entrypoints.log.configure_logger",
-    Mock(side_effect=configure_test_logger),
-)
-def test_with_target_branch(
-    tmp_trestle_dir: str, valid_args_dict: Dict[str, str], caplog: Any
-) -> None:
-    """Test with target branch set an an unsupported Git provider"""
-    args_dict = valid_args_dict
-
-    args_dict["target-branch"] = "main"
-    args_dict["working-dir"] = tmp_trestle_dir
-
-    # Patch is_github_actions since these tests will be running in
-    # GitHub Actions
-    with patch(
-        "trestlebot.entrypoints.entrypoint_base.is_github_actions"
-    ) as mock_check, patch("sys.argv", ["trestlebot", *args_dict_to_list(args_dict)]):
-        mock_check.return_value = False
-
-        with pytest.raises(SystemExit, match="2"):
-            cli_main()
-
-    assert any(
-        record.levelno == logging.ERROR
-        and "Invalid args --target-branch: target-branch flag is set with an "
-        "unset git provider. To test locally, set the GITHUB_ACTIONS or GITLAB_CI environment variable."
-        in record.message
-        for record in caplog.records
-    )
-
-    mock_check.assert_called_once()