Skip to content

Add robust unzip-to-repo GitHub Actions workflow#11

Open
ib-bsb-br wants to merge 4 commits into
mainfrom
codex/fix-errors-in-unzip-to-repo.yml-workflow
Open

Add robust unzip-to-repo GitHub Actions workflow#11
ib-bsb-br wants to merge 4 commits into
mainfrom
codex/fix-errors-in-unzip-to-repo.yml-workflow

Conversation

@ib-bsb-br

@ib-bsb-br ib-bsb-br commented Dec 22, 2025

Copy link
Copy Markdown
Owner

Summary

  • add a workflow to download a ZIP archive, extract it, and create/push to a new repository via API
  • validate required inputs and PAT availability, set git defaults, and sanitize the clone URL before pushing
  • improve commit metadata, logging, and failure cleanup messaging

Testing

  • not run (workflow change only)

Codex Task

Summary by Sourcery

Add a GitHub Actions workflow that bootstraps a new repository from a remote ZIP archive via the GitHub API, handling validation, extraction, git initialization, and push.

New Features:

  • Introduce a manual GitHub Actions workflow to create a new repository from a downloaded ZIP archive.
  • Support configuring repository name, description, and visibility through workflow inputs.

Enhancements:

  • Add robust validation, logging, and error handling around ZIP download, extraction, and repository creation, including oversized file checks and auth/uniqueness diagnostics.
  • Sanitize git metadata and clone URLs before initialization and pushing, and improve commit metadata for traceability.
  • Provide workflow run summaries on success and guidance for manual cleanup if repository creation succeeded but later steps failed.

Summary by cubic

Adds a GitHub Actions workflow to download a ZIP, extract it, create a new repository, and push the contents to main. This makes bootstrapping a repo from an archive a single, guided run.

  • New Features

    • Validates inputs and sets safe git defaults.
    • Downloads and extracts the ZIP with clear errors and status output.
    • Prevents pushing oversized files (>99MB) and strips any embedded .git before init.
    • Creates the repository via API with helpful 401/422 handling; supports repo description and private/public via inputs.
    • Initializes git, sanitizes the clone URL, and pushes to main.
    • Writes a run summary and provides cleanup guidance on failure.
  • Migration

    • Add a REPO_CREATE_TOKEN secret with repo scope.
    • Ensure the ZIP URL is reachable and the repo_name is unique.

Written for commit 78ffc3e. Summary will update automatically on new commits.

@gemini-code-assist

Copy link
Copy Markdown

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@sourcery-ai

sourcery-ai Bot commented Dec 22, 2025

Copy link
Copy Markdown

Reviewer's Guide

Adds a reusable, manually-triggered GitHub Actions workflow that downloads a ZIP archive from a URL, extracts and validates its contents, then creates a new repository via the GitHub API, initializes git locally, pushes the extracted files to main, and reports/cleans up with robust validation, logging, and failure handling.

Sequence diagram for unzip-to-repo GitHub Actions workflow run

sequenceDiagram
    actor Operator
    participant GitHub_Actions as GitHub_Actions_Workflow
    participant Zip_Host as ZIP_Host_Server
    participant GitHub_API as GitHub_REST_API
    participant Local_Git as Git_CLI_in_Workflow

    Operator->>GitHub_Actions: Trigger workflow_dispatch
    GitHub_Actions->>GitHub_Actions: Validate inputs
    GitHub_Actions->>GitHub_Actions: Check REPO_CREATE_TOKEN secret

    GitHub_Actions->>Zip_Host: curl zip_url (download archive.zip)
    Zip_Host-->>GitHub_Actions: ZIP file contents
    GitHub_Actions->>GitHub_Actions: Verify archive.zip non-empty

    GitHub_Actions->>GitHub_Actions: unzip archive.zip to extracted_content/
    GitHub_Actions->>GitHub_Actions: Count files and check >0
    GitHub_Actions->>GitHub_Actions: Scan for files >99MB

    GitHub_Actions->>GitHub_API: Create repository via createForAuthenticatedUser
    GitHub_API-->>GitHub_Actions: New repo metadata (clone_url)

    GitHub_Actions->>Local_Git: Configure user, email, branch, safe.directory
    Local_Git->>Local_Git: Remove existing .git if present
    Local_Git->>Local_Git: git init -b main
    Local_Git->>Local_Git: Create .gitattributes
    Local_Git->>Local_Git: git add .
    Local_Git->>Local_Git: git commit with metadata (zip_url, timestamp, workflow)

    GitHub_Actions->>Local_Git: Sanitize clone_url and inject token
    Local_Git->>GitHub_API: git push origin main
    GitHub_API-->>Local_Git: Push result

    alt Success
        GitHub_Actions->>GitHub_Actions: Generate run summary (repo details, source)
    else Failure
        GitHub_Actions->>GitHub_API: Check if repo exists for cleanup guidance
        GitHub_API-->>GitHub_Actions: Repo exists or 404
        GitHub_Actions->>Operator: Logs with failure and manual cleanup instructions
    end
Loading

File-Level Changes

Change Details Files
Introduce workflow_dispatch workflow to create a new repository from a remote ZIP archive and push extracted contents.
  • Define Unzip and Create Repository (Git Method) workflow triggered via workflow_dispatch with inputs for repo_name, zip_url, repo_description, and private_repo.
  • Run a single ubuntu-latest job that orchestrates downloading, extracting, repo creation, git initialization, pushing, and reporting steps.
.github/workflows/unzip-to-repo.yml
Add input, environment, and content validation to make the automation safer and more diagnosable.
  • Validate presence of REPO_CREATE_TOKEN secret and enforce a strict repo_name pattern before proceeding.
  • Download the ZIP with curl using timeouts and failure flags, ensuring the file is non-empty.
  • Extract the ZIP into a dedicated directory, fail if extraction or file discovery fails, and print a shallow directory tree for visibility.
  • Scan for files over 99MB pre-push and hard-fail with a list of offending paths to avoid GitHub LFS/size limits issues.
.github/workflows/unzip-to-repo.yml
Create the target repository via GitHub API with explicit error handling and clone URL output.
  • Use actions/github-script to authenticate with REPO_CREATE_TOKEN, create a repo under the authenticated user with standard settings, and return repo.clone_url.
  • Handle 422 (name conflict) and 401 (auth problems) with clear failure messages; fall back to generic error messages otherwise.
.github/workflows/unzip-to-repo.yml
Initialize a clean git repo from the extracted content and push to the newly created remote with sanitized URL and enriched commit metadata.
  • Configure global git defaults (user, email, default branch, safe.directory) and strip any existing .git directory from the extracted content.
  • Initialize a new main branch, add a .gitattributes for text normalization, and create an initial commit including source ZIP URL, extraction timestamp, and workflow origin info in the commit message body.
  • Sanitize the clone URL returned from the API and embed the PAT as an x-access-token credential in the remote URL before pushing main verbosely.
.github/workflows/unzip-to-repo.yml
Improve observability with a run summary and conditional cleanup guidance on failure.
  • On success, write a Markdown summary to GITHUB_STEP_SUMMARY including repo URL (HTML form), visibility, and ZIP source details.
  • On failure, use github-script to detect whether the target repo was created and, if so, log guidance for manually deleting it via the settings page; otherwise log that no cleanup is needed.
.github/workflows/unzip-to-repo.yml

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@ib-bsb-br ib-bsb-br self-assigned this Dec 22, 2025
@ib-bsb-br ib-bsb-br marked this pull request as ready for review December 22, 2025 11:09
@chatgpt-codex-connector

Copy link
Copy Markdown

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • In the Initialize git and push content step, prefer setting git config locally (e.g., git config user.name ... without --global) to avoid modifying the global config in the runner environment, which can have unintended side effects in composite or reused workflows.
  • The REPO_URL used in the summary step (${REPO_URL%.git}) may still contain surrounding quotes from the github-script result; consider reusing the same sanitization you apply before git remote add or returning html_url instead of clone_url from the API call to guarantee a clean, clickable link.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- In the `Initialize git and push content` step, prefer setting git config locally (e.g., `git config user.name ...` without `--global`) to avoid modifying the global config in the runner environment, which can have unintended side effects in composite or reused workflows.
- The `REPO_URL` used in the summary step (`${REPO_URL%.git}`) may still contain surrounding quotes from the `github-script` result; consider reusing the same sanitization you apply before `git remote add` or returning `html_url` instead of `clone_url` from the API call to guarantee a clean, clickable link.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 1 file

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name=".github/workflows/unzip-to-repo.yml">

<violation number="1" location=".github/workflows/unzip-to-repo.yml:183">
P1: Security: `git remote -v` will expose the access token in workflow logs. The remote URL contains the embedded `GITHUB_TOKEN`, and printing it will leak the secret. Remove this line or mask the output.</violation>
</file>

Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR

Comment thread .github/workflows/unzip-to-repo.yml Outdated
REPO_URL_SANITIZED=$(echo "$REPO_URL" | sed 's/^"\(.*\)"$/\1/')
REPO_URL_WITH_TOKEN=$(echo "$REPO_URL_SANITIZED" | sed "s|https://|https://x-access-token:${GITHUB_TOKEN}@|")
git remote add origin "$REPO_URL_WITH_TOKEN"
git remote -v

@cubic-dev-ai cubic-dev-ai Bot Dec 22, 2025

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: Security: git remote -v will expose the access token in workflow logs. The remote URL contains the embedded GITHUB_TOKEN, and printing it will leak the secret. Remove this line or mask the output.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/unzip-to-repo.yml, line 183:

<comment>Security: `git remote -v` will expose the access token in workflow logs. The remote URL contains the embedded `GITHUB_TOKEN`, and printing it will leak the secret. Remove this line or mask the output.</comment>

<file context>
@@ -0,0 +1,226 @@
+          REPO_URL_SANITIZED=$(echo &quot;$REPO_URL&quot; | sed &#39;s/^&quot;\(.*\)&quot;$/\1/&#39;)
+          REPO_URL_WITH_TOKEN=$(echo &quot;$REPO_URL_SANITIZED&quot; | sed &quot;s|https://|https://x-access-token:${GITHUB_TOKEN}@|&quot;)
+          git remote add origin &quot;$REPO_URL_WITH_TOKEN&quot;
+          git remote -v
+
+          echo &quot;⬆️ Pushing to remote...&quot;
</file context>

✅ Addressed in 7d95e4a

@ib-bsb-br

Copy link
Copy Markdown
Owner Author

@gemini-code-assist Please address the comments from this code review: ## Overall Comments - In the Initialize git and push content step, prefer setting git config locally (e.g., git config user.name ... without --global) to avoid modifying the global config in the runner environment, which can have unintended side effects in composite or reused workflows. - The REPO_URL used in the summary step (${REPO_URL%.git}) may still contain surrounding quotes from the github-script result; consider reusing the same sanitization you apply before git remote add or returning html_url instead of clone_url from the API call to guarantee a clean, clickable link.

/gemini-code-assist Please address the comments from this code review: ## Overall Comments - In the Initialize git and push content step, prefer setting git config locally (e.g., git config user.name ... without --global) to avoid modifying the global config in the runner environment, which can have unintended side effects in composite or reused workflows. - The REPO_URL used in the summary step (${REPO_URL%.git}) may still contain surrounding quotes from the github-script result; consider reusing the same sanitization you apply before git remote add or returning html_url instead of clone_url from the API call to guarantee a clean, clickable link.

@gemini Please address the comments from this code review: ## Overall Comments - In the Initialize git and push content step, prefer setting git config locally (e.g., git config user.name ... without --global) to avoid modifying the global config in the runner environment, which can have unintended side effects in composite or reused workflows. - The REPO_URL used in the summary step (${REPO_URL%.git}) may still contain surrounding quotes from the github-script result; consider reusing the same sanitization you apply before git remote add or returning html_url instead of clone_url from the API call to guarantee a clean, clickable link.

/gemini Please address the comments from this code review: ## Overall Comments - In the Initialize git and push content step, prefer setting git config locally (e.g., git config user.name ... without --global) to avoid modifying the global config in the runner environment, which can have unintended side effects in composite or reused workflows. - The REPO_URL used in the summary step (${REPO_URL%.git}) may still contain surrounding quotes from the github-script result; consider reusing the same sanitization you apply before git remote add or returning html_url instead of clone_url from the API call to guarantee a clean, clickable link.

@gemini-code-assist

Copy link
Copy Markdown

Note

Gemini is unable to generate a issue-comment-reply for this pull request due to the file types involved not being currently supported.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant