
@acoffman

This PR adds a GitHub action that a user of the OTTR_Template template can call manually in order to create a PR adding their new course to the sync list.

Talking to @kweav about this, there were a couple of considerations:

  • We can't run this automatically until they have set up their GH_PAT secret, as you need to be authorized in order to create a PR or issue
  • Even if we could run this automatically, users may not want to enroll in updates or may not like that the repo "phones home" on creation

This action will fork the template repo (as whatever user the access token authorizes), check if the repo is already enrolled, and if not, add a line to the file, commit it, and open a PR.

The forking approach feels a little clumsy since the newly created course repo is effectively a fork of the template repo already, but if they use the "create from template" button to start their course, GitHub does not treat it as a fork but an entirely unrelated repo.

github-actions bot commented Dec 15, 2025

OTTR Check Results

Summary

  • Spelling check: ✅ PASSED (0 errors found, threshold: 0)
  • URL check: ✅ PASSED (0 errors found, threshold: 0)

🎉 All checks passed!

Last Updated: 2025-12-15-15:48:26

Comment on lines +18 to +112
name: Enroll repository for OTTR updates
runs-on: ubuntu-latest
# Don't run on the template repo itself
if: github.repository != 'ottrproject/OTTR_Template'

steps:
- name: Check for GH_PAT secret
env:
GH_PAT: ${{ secrets.GH_PAT }}
run: |
if [ -z "$GH_PAT" ]; then
echo "::error::GH_PAT secret is not configured."
echo ""
echo "To use this workflow, you need to:"
echo "1. Create a Personal Access Token (PAT) with 'public_repo' scope"
echo " https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token"
echo "2. Add the PAT as a repository secret named 'GH_PAT'"
echo " https://docs.github.com/en/actions/security-guides/encrypted-secrets"
exit 1
fi
echo "GH_PAT is configured"

- name: Fork and clone template repository
env:
GH_TOKEN: ${{ secrets.GH_PAT }}
run: |
# Fork the template repo (or use existing fork) and clone it
gh repo fork ottrproject/OTTR_Template --clone=true --default-branch-only
cd OTTR_Template
# Ensure fork is synced with upstream to get latest sync.yml
gh repo sync --force

- name: Check if already enrolled
id: check
working-directory: OTTR_Template
run: |
if grep -q "${{ github.repository }}" .github/sync.yml; then
echo "already_enrolled=true" >> $GITHUB_OUTPUT
echo "::notice::Repository ${{ github.repository }} is already enrolled for OTTR updates."
else
echo "already_enrolled=false" >> $GITHUB_OUTPUT
fi

- name: Add repository to sync.yml
if: steps.check.outputs.already_enrolled == 'false'
working-directory: OTTR_Template
run: |
# Insert the repo name before the "ADD NEW REPO HERE" comment
sed -i 's|###ADD NEW REPO HERE| ${{ github.repository }}\n###ADD NEW REPO HERE|' .github/sync.yml

echo "Added ${{ github.repository }} to sync.yml"
echo ""
echo "Changed content:"
grep -A2 -B2 "${{ github.repository }}" .github/sync.yml

- name: Commit and push changes
if: steps.check.outputs.already_enrolled == 'false'
id: push
working-directory: OTTR_Template
env:
GH_TOKEN: ${{ secrets.GH_PAT }}
run: |
# Configure git
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"

# Create unique branch name from repo name
BRANCH_NAME="enroll-$(echo '${{ github.repository }}' | tr '/' '-')"
echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT

git checkout -b "$BRANCH_NAME"
git add .github/sync.yml
git commit -m "Add ${{ github.repository }} to OTTR updates"
git push origin "$BRANCH_NAME"

- name: Create Pull Request
if: steps.check.outputs.already_enrolled == 'false'
working-directory: OTTR_Template
env:
GH_TOKEN: ${{ secrets.GH_PAT }}
run: |
PR_URL=$(gh pr create \
--repo ottrproject/OTTR_Template \
--base main \
--head "${{ steps.push.outputs.branch_name }}" \
--title "Enroll ${{ github.repository }} for OTTR updates" \
--body "This PR adds \`${{ github.repository }}\` to the sync list for OTTR updates.

Automatically generated by the enrollment workflow from [${{ github.repository }}](https://github.com/${{ github.repository }}).")

echo ""
echo "============================================"
echo "Pull Request created successfully!"
echo "PR URL: $PR_URL"
echo "============================================"
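
Review bot: In the "Check if already enrolled" step, `grep -q "${{ github.repository }}" .github/sync.yml` is an unanchored regex match, so a repository whose full name is a prefix of an entry already in the list (or that differs from one only where the name contains a `.`) is reported as enrolled and never added. Match the entry as a fixed string up to the end of the line instead, for example with `grep -F` on a value passed in through `env:`. The same `${{ github.repository }}` expression is expanded straight into the script text in the sed, commit and `gh pr create` steps; setting it once as an environment variable and using a quoted shell variable keeps template expansion out of the shell source and makes the steps easier to audit. Separately, if the workflow is run again before the first PR is merged, the check step still reports `already_enrolled=false`, and `git push origin "$BRANCH_NAME"` will be rejected because the branch already exists on the fork with a different commit; check for an existing branch or open PR before committing. The error text asks for a PAT with `public_repo` scope, which is worth stating in the workflow header as the only scope required.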

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 10 days ago

To fix this issue, explicitly declare a permissions block in the workflow. The block should grant the least privileges possible. GitHub recommends (and CodeQL suggests) starting with permissions: {} (none), which disables all default permissions for the GITHUB_TOKEN. Since this workflow only uses a GH_PAT secret for actual operations, no permissions are required for the GITHUB_TOKEN. The permissions key can be added at the workflow (top/root) or job level; adding it at the root makes it default for all jobs, and is simplest. The code should be added right after the name: field and before the on: block, giving it global effect.


Suggested changeset 1
.github/workflows/enroll-for-updates.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/enroll-for-updates.yml b/.github/workflows/enroll-for-updates.yml
--- a/.github/workflows/enroll-for-updates.yml
+++ b/.github/workflows/enroll-for-updates.yml
@@ -9,6 +9,7 @@
 #   Run this workflow manually from the Actions tab
 
 name: Enroll for OTTR Updates
+permissions: {}
 
 on:
   workflow_dispatch:
EOF
@@ -9,6 +9,7 @@
# Run this workflow manually from the Actions tab

name: Enroll for OTTR Updates
permissions: {}

on:
workflow_dispatch:
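
Review bot: The `permissions: {}` line added under `name: Enroll for OTTR Updates` has no comment saying why it is empty, so a later contributor who adds a step relying on GITHUB_TOKEN will see it fail without explanation. Add a one-line comment noting that every step authenticates with the GH_PAT secret and that any scope GITHUB_TOKEN needs later should be granted explicitly, preferably at job level. Note also that this block limits only GITHUB_TOKEN; it does nothing to constrain what the GH_PAT secret can do, so the PAT scope guidance in the workflow remains the effective privilege boundary.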
@github-actions

Re-rendered previews from the latest commit:

* note not all html features will be properly displayed in the "quick preview" but it will give you a rough idea.

Updated at 2025-12-15 with changes from the latest commit ee2ee0e
