safe-push 0.7.4 → 0.7.5

package/.github/repo-file-sync.yaml

@@ -0,0 +1,6 @@
+repos:
+  shoppingjaws/template-bun:
+    files:
+      - .github/repo-file-sync.yaml
+      - .github/workflows/release.yaml
+      - renovate.json

package/.github/workflows/release.yaml

@@ -13,7 +13,7 @@ jobs:
       should-publish: ${{ steps.check.outputs.should-publish }}
       version: ${{ steps.check.outputs.version }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 2
 
@@ -48,10 +48,10 @@ jobs:
       contents: write
       id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Setup mise
-        uses: jdx/mise-action@v2
+        uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2.4.4
 
       - name: Install tools via mise
         run: mise install
@@ -63,7 +63,7 @@ jobs:
         run: bun run build
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: '20'
           registry-url: 'https://registry.npmjs.org'
@@ -72,10 +72,10 @@ jobs:
       - run: bunx npm@latest publish ./${{ vars.NPM_REGISTRY_NAME }}-${{ needs.check-version.outputs.version }}.tgz --provenance
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
         with:
           tag_name: v${{ needs.check-version.outputs.version }}
           name: Release v${{ needs.check-version.outputs.version }}
           draft: false
           prerelease: false
-          generate_release_notes: true
+          generate_release_notes: true

package/.github/workflows/repo-file-sync.yaml

@@ -0,0 +1,36 @@
+name: Sync Files
+
+on:
+  schedule:
+    - cron: '0 0 * * 0'  # Weekly on Sunday
+  workflow_dispatch:      # Manual trigger
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate App Token
+        id: app-token
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        with:
+          app-id: ${{ secrets.GHAPP_REPO_FILE_SYNC_APP_ID }}
+          private-key: ${{ secrets.GHAPP_REPO_FILE_SYNC_PRIVATE_KEY }}
+          owner: shoppingjaws
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Sync Files
+        id: sync
+        # uses: shoppingjaws/repo-file-sync@e5604c62bd42f3815674beefb2c9cdb8026d8bd8 # 1.0.0
+        uses: shoppingjaws/repo-file-sync@main
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Output results
+        if: always()
+        run: |
+          echo "Files synced: ${{ steps.sync.outputs.files-synced }}"
+          echo "PR URL: ${{ steps.sync.outputs.pr-url }}"

package/dist/index.js

@@ -20429,25 +20429,30 @@ async function getLocalEmail() {
     return execGit(["config", "user.email"]);
   });
 }
-async function getDiffFiles(remote = "origin", authorEmail) {
-  return withSpan("safe-push.git.getDiffFiles", async () => {
-    const branch = await getCurrentBranch();
-    const isNew = await isNewBranch(remote);
-    let baseBranch;
-    if (isNew) {
+async function getBaseBranch(remote = "origin") {
+  const branch = await getCurrentBranch();
+  const isNew = await isNewBranch(remote);
+  if (isNew) {
+    try {
+      await execGit(["rev-parse", "--verify", `${remote}/main`]);
+      return `${remote}/main`;
+    } catch {
       try {
-        await execGit(["rev-parse", "--verify", `${remote}/main`]);
-        baseBranch = `${remote}/main`;
+        await execGit(["rev-parse", "--verify", `${remote}/master`]);
+        return `${remote}/master`;
       } catch {
-        try {
-          await execGit(["rev-parse", "--verify", `${remote}/master`]);
-          baseBranch = `${remote}/master`;
-        } catch {
-          return [];
-        }
+        return null;
       }
-    } else {
-      baseBranch = `${remote}/${branch}`;
+    }
+  } else {
+    return `${remote}/${branch}`;
+  }
+}
+async function getDiffFiles(remote = "origin", authorEmail) {
+  return withSpan("safe-push.git.getDiffFiles", async () => {
+    const baseBranch = await getBaseBranch(remote);
+    if (!baseBranch) {
+      return [];
     }
     let output;
     if (authorEmail) {
@@ -20472,6 +20477,32 @@ async function getDiffFiles(remote = "origin", authorEmail) {
 `).filter(Boolean))];
   });
 }
+async function getDiffContentForFiles(files, remote = "origin") {
+  return withSpan("safe-push.git.getDiffContentForFiles", async () => {
+    if (files.length === 0) {
+      return {};
+    }
+    const baseBranch = await getBaseBranch(remote);
+    if (!baseBranch) {
+      return {};
+    }
+    const output = await execGit(["diff", `${baseBranch}...HEAD`, "--", ...files]);
+    if (!output) {
+      return {};
+    }
+    const result = {};
+    const sections = output.split(/^(?=diff --git )/m);
+    for (const section of sections) {
+      if (!section.trim())
+        continue;
+      const match = section.match(/^diff --git a\/(.+?) b\//);
+      if (match) {
+        result[match[1]] = section.trim();
+      }
+    }
+    return result;
+  });
+}
 async function execPush(args = [], remote = "origin") {
   return withSpan("safe-push.git.execPush", async (span) => {
     let pushArgs;
@@ -20605,11 +20636,13 @@ async function checkPush(config) {
     const forbiddenFiles = findForbiddenFiles(diffFiles, config.forbiddenPaths);
     const hasForbiddenChanges = forbiddenFiles.length > 0;
     const isOwnLastCommit = authorEmail.toLowerCase() === localEmail.toLowerCase();
+    const forbiddenDiff = hasForbiddenChanges ? await getDiffContentForFiles(forbiddenFiles) : undefined;
     const details = {
       isNewBranch: newBranch,
       isOwnLastCommit,
       hasForbiddenChanges,
       forbiddenFiles,
+      forbiddenDiff,
       currentBranch,
       authorEmail,
       localEmail
@@ -20693,6 +20726,21 @@ function printCheckResultHuman(result) {
     console.log("Forbidden files changed:");
     for (const file of details.forbiddenFiles) {
       console.log(`  - ${file}`);
+      const diff = details.forbiddenDiff?.[file];
+      if (diff) {
+        console.log("    \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+        for (const line of diff.split(`
+`)) {
+          if (line.startsWith("+") && !line.startsWith("+++")) {
+            console.log(`    \x1B[32m${line}\x1B[0m`);
+          } else if (line.startsWith("-") && !line.startsWith("---")) {
+            console.log(`    \x1B[31m${line}\x1B[0m`);
+          } else {
+            console.log(`    ${line}`);
+          }
+        }
+        console.log("    \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+      }
     }
   }
   console.log("");
@@ -31307,7 +31355,7 @@ function createMcpCommand() {
 // package.json
 var package_default = {
   name: "safe-push",
-  version: "0.7.4",
+  version: "0.7.5",
   description: "Git push safety checker - blocks pushes to forbidden areas",
   type: "module",
   repository: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "safe-push",
-  "version": "0.7.4",
+  "version": "0.7.5",
   "description": "Git push safety checker - blocks pushes to forbidden areas",
   "type": "module",
   "repository": {

package/renovate.json

@@ -0,0 +1,22 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:recommended"],
+  "automerge": true,
+  "automergeType": "pr",
+  "platformAutomerge": false,
+  "mise": {
+    "enabled": true
+  },
+  "packageRules": [
+    {
+      "description": "minor・patchは自動マージ",
+      "matchUpdateTypes": ["minor", "patch", "digest", "pin"],
+      "automerge": true
+    },
+    {
+      "description": "majorはレビュー必須",
+      "matchUpdateTypes": ["major"],
+      "automerge": false
+    }
+  ]
+}

package/src/checker.ts

@@ -5,6 +5,7 @@ import {
   getLastCommitAuthorEmail,
   getLocalEmail,
   getDiffFiles,
+  getDiffContentForFiles,
   getRepoVisibility,
 } from "./git";
 import { withSpan } from "./telemetry";
@@ -108,11 +109,16 @@ export async function checkPush(config: Config): Promise<CheckResult> {
     const isOwnLastCommit =
       authorEmail.toLowerCase() === localEmail.toLowerCase();
 
+    const forbiddenDiff = hasForbiddenChanges
+      ? await getDiffContentForFiles(forbiddenFiles)
+      : undefined;
+
     const details = {
       isNewBranch: newBranch,
       isOwnLastCommit,
       hasForbiddenChanges,
       forbiddenFiles,
+      forbiddenDiff,
       currentBranch,
       authorEmail,
       localEmail,

package/src/commands/utils.ts

@@ -72,6 +72,20 @@ export function printCheckResultHuman(result: CheckResult): void {
     console.log("Forbidden files changed:");
     for (const file of details.forbiddenFiles) {
       console.log(`  - ${file}`);
+      const diff = details.forbiddenDiff?.[file];
+      if (diff) {
+        console.log("    ───────────────────────────────────");
+        for (const line of diff.split("\n")) {
+          if (line.startsWith("+") && !line.startsWith("+++")) {
+            console.log(`    \x1b[32m${line}\x1b[0m`);
+          } else if (line.startsWith("-") && !line.startsWith("---")) {
+            console.log(`    \x1b[31m${line}\x1b[0m`);
+          } else {
+            console.log(`    ${line}`);
+          }
+        }
+        console.log("    ───────────────────────────────────");
+      }
     }
   }
   console.log("");

package/src/git.ts

@@ -73,6 +73,32 @@ export async function getLocalEmail(): Promise<string> {
   });
 }
 
+/**
+ * リモートとの比較基準ブランチを取得
+ * 新規ブランチの場合はmainまたはmasterを返す
+ * mainもmasterもない場合はnullを返す
+ */
+async function getBaseBranch(remote = "origin"): Promise<string | null> {
+  const branch = await getCurrentBranch();
+  const isNew = await isNewBranch(remote);
+
+  if (isNew) {
+    try {
+      await execGit(["rev-parse", "--verify", `${remote}/main`]);
+      return `${remote}/main`;
+    } catch {
+      try {
+        await execGit(["rev-parse", "--verify", `${remote}/master`]);
+        return `${remote}/master`;
+      } catch {
+        return null;
+      }
+    }
+  } else {
+    return `${remote}/${branch}`;
+  }
+}
+
 /**
  * リモートとの差分ファイル一覧を取得
  * 新規ブランチの場合はmainまたはmasterとの差分を取得
@@ -82,26 +108,9 @@ export async function getDiffFiles(
   authorEmail?: string
 ): Promise<string[]> {
   return withSpan("safe-push.git.getDiffFiles", async () => {
-    const branch = await getCurrentBranch();
-    const isNew = await isNewBranch(remote);
-
-    let baseBranch: string;
-    if (isNew) {
-      // 新規ブランチの場合、mainまたはmasterを基準にする
-      try {
-        await execGit(["rev-parse", "--verify", `${remote}/main`]);
-        baseBranch = `${remote}/main`;
-      } catch {
-        try {
-          await execGit(["rev-parse", "--verify", `${remote}/master`]);
-          baseBranch = `${remote}/master`;
-        } catch {
-          // mainもmasterもない場合は空の配列を返す
-          return [];
-        }
-      }
-    } else {
-      baseBranch = `${remote}/${branch}`;
+    const baseBranch = await getBaseBranch(remote);
+    if (!baseBranch) {
+      return [];
     }
 
     let output: string;
@@ -130,6 +139,43 @@ export async function getDiffFiles(
   });
 }
 
+/**
+ * 指定ファイルごとのdiffコンテンツを取得
+ */
+export async function getDiffContentForFiles(
+  files: string[],
+  remote = "origin"
+): Promise<Record<string, string>> {
+  return withSpan("safe-push.git.getDiffContentForFiles", async () => {
+    if (files.length === 0) {
+      return {};
+    }
+
+    const baseBranch = await getBaseBranch(remote);
+    if (!baseBranch) {
+      return {};
+    }
+
+    const output = await execGit(["diff", `${baseBranch}...HEAD`, "--", ...files]);
+    if (!output) {
+      return {};
+    }
+
+    // diff 出力を "diff --git" でファイルごとに分割
+    const result: Record<string, string> = {};
+    const sections = output.split(/^(?=diff --git )/m);
+    for (const section of sections) {
+      if (!section.trim()) continue;
+      // "diff --git a/path b/path" からファイルパスを抽出
+      const match = section.match(/^diff --git a\/(.+?) b\//);
+      if (match) {
+        result[match[1]] = section.trim();
+      }
+    }
+    return result;
+  });
+}
+
 /**
  * git pushを実行
  */

package/src/types.ts

@@ -40,6 +40,7 @@ export interface CheckResult {
     isOwnLastCommit: boolean;
     hasForbiddenChanges: boolean;
     forbiddenFiles: string[];
+    forbiddenDiff?: Record<string, string>;
     currentBranch: string;
     authorEmail: string;
     localEmail: string;