From b5c33cfd32b566d947100fbb070bcd86754dd992 Mon Sep 17 00:00:00 2001 From: Elias Lundell Date: Thu, 28 Nov 2024 17:02:42 +0100 Subject: [PATCH 1/4] Document options for github action and decide behaviour for commit-lockfile: false --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index 24147d8e..4152e494 100644 --- a/README.md +++ b/README.md 
@@ -186,6 +186,19 @@ A lockfile is incorrect if any dependency has changed since the lockfile was gen ⚠️**Warning**: Commiting the changed lockfile does not work for pull requests from forks. See https://github.com/EndBug/add-and-commit#working-with-prs. You can add a personal access token to your repository to resolve this issue. It still works for pull requests from the same repository. Renovate also works with this action because these PRs are created from the same repository. + +### Arguments + +- `github-token` (required): The GitHub token used to commit the lockfile to the repository. +- `commit-lockfile` (optional, default=true): Whether to commit the lockfile to the repository. If this is true, the action can be used to update the lockfile in e.g. pull requests (se warning about pull-requests from forks). The action **will not** fail if the lockfile is outdated/invalid but push the correct version. If this is false, the action be used to verify the lockfile is correct. The action **will** fail on an outdated/invalid lockfile. +- `commit-message` (optional, default='chore: update lockfile'): The commit message for the lockfile if `commit-lockfile` is true. +- `commit-author` (optional, default='github\_actions'): The author for the lockfile commit if `commit-lockfile` is true. GitHub provides three values for this field. + - github\_actor -> `UserName ` + - user\_info -> `Your Display Name ` + - github\_actions -> `github-actions ` +- `include-maven-plugins` (optional, default='false'): Whether to include Maven plugins in the lockfile. +- `workflow-filename` (optional, default='Lockfile.yml'): The name of the workflow file, to automatically trigger lockfile generation when the workflow is updated. + ## Related work Here we list some related work that we found while researching this topic. From 7aebf74cbf50d04d5c188b01a12b3c605b9a3048 Mon Sep 17 00:00:00 2001 
From: Elias Lundell Date: Wed, 11 Dec 2024 12:58:19 +0100 Subject: [PATCH 2/4] Update behaviour when commit-lockfile is false to only verify --- README.md | 2 +- .../github/chains_project/maven_lockfile/GithubAction.java | 6 +++++- template/action.yml | 6 ++++-- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 4152e494..84677cbd 100644 --- a/README.md +++ b/README.md 
@@ -190,7 +190,7 @@ It still works for pull requests from the same repository. Renovate also works w ### Arguments - `github-token` (required): The GitHub token used to commit the lockfile to the repository. -- `commit-lockfile` (optional, default=true): Whether to commit the lockfile to the repository. If this is true, the action can be used to update the lockfile in e.g. pull requests (se warning about pull-requests from forks). The action **will not** fail if the lockfile is outdated/invalid but push the correct version. If this is false, the action be used to verify the lockfile is correct. The action **will** fail on an outdated/invalid lockfile. +- `commit-lockfile` (optional, default=true): Whether to commit an updated lockfile to the repository. The action can be used to update lockfiles automatically in e.g. pull requests (se warning about pull-requests from forks). If this is true and the pom.xml or workflow-file has updated it will create and commit the new lockfile - the action **will not** fail if the lockfile is outdated or invalid and only push the correct version. If this is false or the pom.xml and workflow-file remain unchanged, the action be used to verify the lockfile is correct - the action **will** fail in case of an outdated or invalid lockfile. - `commit-message` (optional, default='chore: update lockfile'): The commit message for the lockfile if `commit-lockfile` is true. - `commit-author` (optional, default='github\_actions'): The author for the lockfile commit if `commit-lockfile` is true. GitHub provides three values for this field. - github\_actor -> `UserName ` diff --git a/github_action/src/main/java/io/github/chains_project/maven_lockfile/GithubAction.java b/github_action/src/main/java/io/github/chains_project/maven_lockfile/GithubAction.java index ccd37419..560089ee 100644 --- a/github_action/src/main/java/io/github/chains_project/maven_lockfile/GithubAction.java 
+++ b/github_action/src/main/java/io/github/chains_project/maven_lockfile/GithubAction.java @@ -25,7 +25,11 @@ public class GithubAction { void run(Inputs inputs, Commands commands, Context context) { boolean includeMavenPlugins = inputs.getBoolean("include-maven-plugins").orElse(false); - if (Boolean.parseBoolean(System.getenv("POM_CHANGED"))) { + + boolean pomChanged = Boolean.parseBoolean(System.getenv("POM_CHANGED")); + boolean commitUpdatedLockfile = Boolean.parseBoolean(System.getenv("COMMIT_UPDATED_LOCKFILE")); + + if (pomChanged && commitUpdatedLockfile) { commands.group("maven-lockfile"); commands.notice("Pom file changed, running lockfile generation"); commands.endGroup(); diff --git a/template/action.yml b/template/action.yml index f0f352cd..70649a0c 100644 --- a/template/action.yml +++ b/template/action.yml @@ -8,7 +8,7 @@ inputs: description: 'GitHub token' required: true commit-lockfile: - description: 'Commit the lockfile to the repository' + description: 'Commit the lockfile to the repository in case the pom.xml or workflow file has updated. If this is false or the pom.xml and workflow.yml files are unchanged the action will verify the current lockfile.json.' required: false default: 'true' commit-message: @@ -58,7 +58,6 @@ runs: with: files: | **/pom.xml - **/lockfile.json **/${{ inputs.workflow-filename}} - name: print all changed files run: echo all changed files are ${{ steps.changed-files.outputs.all_changed_files }} @@ -69,6 +68,9 @@ runs: - name: print POM-CHANGED run: echo "pom changed ${{ env.POM_CHANGED }}" shell: bash + - name: Set COMMIT_UPDATED_LOCKFILE environment variable + run: echo "COMMIT_UPDATED_LOCKFILE=${{ inputs.commit-lockfile }}" >> $GITHUB_ENV + shell: bash - id: action run: ~/.jbang/bin/jbang --repos 'mavencentral' io.github.chains-project:maven-lockfile-github-action:${project.version} From 93f715e041577cf96e33bf4388dcfaf9077ab8c4 Mon Sep 17 00:00:00 2001 
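Review bot: The new `commitUpdatedLockfile` flag in `run` is read with `Boolean.parseBoolean(System.getenv("COMMIT_UPDATED_LOCKFILE"))`, so an unset variable or any value other than "true" (for example `yes` or `1`) silently selects verify-only mode, even though the README documents the default as true. The fallback direction is the safe one, since it never pushes, but it is undocumented and differs from how `include-maven-plugins` is read through `inputs.getBoolean(...)` one line above. I would add a comment such as `// Unset or non-"true" COMMIT_UPDATED_LOCKFILE falls back to verify-only (never commits).` and emit the resolved mode with `commands.notice(...)` so a mistyped input is visible in the job log. The verify branch of `run` lies outside this hunk.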
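Review bot: The added step in the third hunk of template/action.yml expands `${{ inputs.commit-lockfile }}` directly into the shell script text and appends to an unquoted `$GITHUB_ENV`. A value containing a quote or a newline would change the command or write extra variables into the environment file read by later steps. Passing the input through the step environment avoids both: put `env:` with `COMMIT_UPDATED_LOCKFILE: ${{ inputs.commit-lockfile }}` on the `- id: action` step and drop the extra step, or keep the step and use `run: echo "COMMIT_UPDATED_LOCKFILE=$COMMIT_LOCKFILE" >> "$GITHUB_ENV"` with the input bound under `env:`. The same line is added to the generated root action.yml in patch 3, and the `- id: action` step continues past the hunk, so an existing `env:` block there is not visible.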
From: LogFlames Date: Wed, 11 Dec 2024 11:59:58 +0000 Subject: [PATCH 3/4] =?UTF-8?q?=F0=9F=93=9D=20Update=20Documentation=20wit?= =?UTF-8?q?h=20current=20version?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- action.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 32b554e1..8e8a3be9 100644 --- a/action.yml +++ b/action.yml @@ -8,7 +8,7 @@ inputs: description: 'GitHub token' required: true commit-lockfile: - description: 'Commit the lockfile to the repository' + description: 'Commit the lockfile to the repository in case the pom.xml or workflow file has updated. If this is false or the pom.xml and workflow.yml files are unchanged the action will verify the current lockfile.json.' required: false default: 'true' commit-message: @@ -58,7 +58,6 @@ runs: with: files: | **/pom.xml - **/lockfile.json **/${{ inputs.workflow-filename}} - name: print all changed files run: echo all changed files are ${{ steps.changed-files.outputs.all_changed_files }} @@ -69,6 +68,9 @@ runs: - name: print POM-CHANGED run: echo "pom changed ${{ env.POM_CHANGED }}" shell: bash + - name: Set COMMIT_UPDATED_LOCKFILE environment variable + run: echo "COMMIT_UPDATED_LOCKFILE=${{ inputs.commit-lockfile }}" >> $GITHUB_ENV + shell: bash - id: action run: ~/.jbang/bin/jbang --repos 'mavencentral' io.github.chains-project:maven-lockfile-github-action:5.2.4-SNAPSHOT From d4032a26321b4b8661a99f03715ef3d411f5560b Mon Sep 17 00:00:00 2001 From: Elias Lundell Date: Wed, 11 Dec 2024 13:37:36 +0100 Subject: [PATCH 4/4] Verify lockfiles from forks --- .github/workflows/LockfilePR.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/LockfilePR.yml b/.github/workflows/LockfilePR.yml index ad6a10d2..32ad7eda 100644 --- a/.github/workflows/LockfilePR.yml +++ b/.github/workflows/LockfilePR.yml 
@@ -36,3 +36,4 @@ jobs:
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 include-maven-plugins: true
+ commit-lockfile: false # verify lockfile is up-to-date (not possible to update lockfile in forks)
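Review bot: With `commit-lockfile: false` this job only verifies, yet the step still receives `github-token: ${{ secrets.GITHUB_TOKEN }}` and the job is meant to run on pull requests from forks, so its token should be read-only. The workflow trigger and any `permissions:` block are outside this hunk; if the job does not already declare one, I would add `permissions:` with `contents: read` at job level. That keeps the verify-only intent enforced by the platform rather than by the action's input alone.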