Bot: Comment on the Pull Request #198
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Bot: Comment on the Pull Request" | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| workflow_id: | |
| required: true | |
| concurrency: | |
| group: pr-${{ github.event.workflow_run.pull_requests[0].number }} | |
| cancel-in-progress: true | |
| jobs: | |
| # Pull requests are valid if: | |
| # - they match the sha of the workflow run head commit | |
| # - they are open | |
| # - no .github files were committed, except for .github/workbench-docker-version.txt | |
| test-pr: | |
| name: "Test if pull request is valid" | |
| runs-on: ubuntu-latest | |
| if: > | |
| github.event_name == 'workflow_dispatch' || | |
| ( | |
| github.event_name == 'workflow_run' && | |
| ( | |
| github.event.workflow_run.event == 'pull_request' || | |
| github.event.workflow_run.event == 'workflow_dispatch' | |
| ) && | |
| github.event.workflow_run.conclusion == 'success' | |
| ) | |
| outputs: | |
| is_valid: ${{ steps.check-pr.outputs.VALID }} | |
| payload: ${{ steps.check-pr.outputs.payload }} | |
| number: ${{ steps.get-pr.outputs.NUM }} | |
| msg: ${{ steps.check-pr.outputs.MSG }} | |
| steps: | |
| - name: "Download PR artifact" | |
| id: dl | |
| uses: carpentries/actions/download-workflow-artifact@main | |
| with: | |
| run: ${{ github.event.workflow_run.id || inputs.workflow_id }} | |
| name: 'pr' | |
| - name: "Get PR Number" | |
| if: ${{ steps.dl.outputs.success == 'true' }} | |
| id: get-pr | |
| run: | | |
| unzip pr.zip | |
| echo "NUM=$(<./NR)" >> $GITHUB_OUTPUT | |
| - name: "Fail if PR number was not present" | |
| id: bad-pr | |
| if: ${{ steps.dl.outputs.success != 'true' }} | |
| run: | | |
| echo '::error::A pull request number was not recorded. The pull request that triggered this workflow is likely malicious.' | |
| exit 1 | |
| - name: "Checkout Lesson" | |
| uses: actions/checkout@v4 | |
| - name: "Verify committed files" | |
| id: changed-files | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| ## Get list of changed files in the PR ## | |
| ONLY_VERSION=$(gh pr view ${{ steps.get-pr.outputs.NUM }} --json files --jq ' | |
| .files | | |
| length == 1 and | |
| .[0].path == ".github/workbench-docker-version.txt" | |
| ') | |
| if [[ "$ONLY_VERSION" == "true" ]]; then | |
| echo "only_version_file=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "only_version_file=false" >> $GITHUB_OUTPUT | |
| fi | |
| shell: bash | |
| - name: "Skip checks for Workbench version file updates" | |
| if: steps.changed-files.outputs.only_version_file == 'true' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| echo "Only workbench-docker-version.txt changed, skipping preflight checks and running cache update" | |
| gh workflow run update-cache.yaml --ref main | |
| exit 0 | |
| shell: bash | |
| - name: "Get Invalid Hashes File" | |
| id: hash | |
| run: | | |
| echo "json<<EOF | |
| $(curl -sL https://files.carpentries.org/invalid-hashes.json) | |
| EOF" >> $GITHUB_OUTPUT | |
| - name: "Check PR" | |
| id: check-pr | |
| if: ${{ steps.dl.outputs.success == 'true' }} | |
| uses: carpentries/actions/check-valid-pr@main | |
| with: | |
| pr: ${{ steps.get-pr.outputs.NUM }} | |
| sha: ${{ github.event.workflow_run.head_sha }} | |
| headroom: 3 # if it's within the last three commits, we can keep going, because it's likely rapid-fire | |
| invalid: ${{ fromJSON(steps.hash.outputs.json)[github.repository] }} | |
| fail_on_error: true | |
| - name: "Comment result of validation" | |
| id: comment-diff | |
| if: always() | |
| uses: carpentries/actions/comment-diff@main | |
| with: | |
| pr: ${{ steps.get-pr.outputs.NUM }} | |
| body: ${{ steps.check-pr.outputs.MSG }} | |
| # Create an orphan branch on this repository with two commits | |
| # - the current HEAD of the md-outputs branch | |
| # - the output from running the current HEAD of the pull request through | |
| # the md generator | |
| create-branch: | |
| name: "Create Git Branch" | |
| needs: test-pr | |
| runs-on: ubuntu-latest | |
| if: needs.test-pr.outputs.is_valid == 'true' | |
| env: | |
| NR: ${{ needs.test-pr.outputs.number }} | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: "Checkout md outputs" | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: md-outputs | |
| path: built | |
| fetch-depth: 1 | |
| - name: "Download built markdown" | |
| id: dl | |
| uses: carpentries/actions/download-workflow-artifact@main | |
| with: | |
| run: ${{ github.event.workflow_run.id || inputs.workflow_id }} | |
| name: 'built' | |
| - if: steps.dl.outputs.success == 'true' | |
| run: unzip built.zip | |
| - name: "Create orphan and push" | |
| if: steps.dl.outputs.success == 'true' | |
| run: | | |
| cd built/ | |
| git config --local user.email "actions@github.com" | |
| git config --local user.name "GitHub Actions" | |
| CURR_HEAD=$(git rev-parse HEAD) | |
| git checkout --orphan md-outputs-PR-${NR} | |
| git add -A | |
| git commit -m "source commit: ${CURR_HEAD}" | |
| ls -A | grep -v '^.git$' | xargs -I _ rm -r '_' | |
| cd .. | |
| unzip -o -d built built.zip | |
| cd built | |
| git add -A | |
| git commit --allow-empty -m "differences for PR #${NR}" | |
| git push -u --force --set-upstream origin md-outputs-PR-${NR} | |
| # Comment on the Pull Request with a link to the branch and the diff | |
| comment-pr: | |
| name: "Comment on Pull Request" | |
| needs: [test-pr, create-branch] | |
| runs-on: ubuntu-latest | |
| if: needs.test-pr.outputs.is_valid == 'true' | |
| env: | |
| NR: ${{ needs.test-pr.outputs.number }} | |
| permissions: | |
| pull-requests: write | |
| steps: | |
| - name: "Download comment artifact" | |
| id: dl | |
| uses: carpentries/actions/download-workflow-artifact@main | |
| with: | |
| run: ${{ github.event.workflow_run.id || inputs.workflow_id }} | |
| name: 'diff' | |
| - if: steps.dl.outputs.success == 'true' | |
| run: unzip ${{ github.workspace }}/diff.zip | |
| - name: "Comment on PR" | |
| id: comment-diff | |
| if: steps.dl.outputs.success == 'true' | |
| uses: carpentries/actions/comment-diff@main | |
| with: | |
| pr: ${{ env.NR }} | |
| path: ${{ github.workspace }}/diff.md | |
| # Comment if the PR is open and matches the SHA, but the workflow files have | |
| # changed | |
| comment-changed-workflow: | |
| name: "Comment if workflow files have changed" | |
| needs: test-pr | |
| runs-on: ubuntu-latest | |
| if: | | |
| always() && | |
| needs.test-pr.outputs.is_valid == 'false' | |
| env: | |
| NR: ${{ needs.test-pr.outputs.number }} | |
| body: ${{ needs.test-pr.outputs.msg }} | |
| permissions: | |
| pull-requests: write | |
| steps: | |
| - name: "Check for spoofing" | |
| id: dl | |
| uses: carpentries/actions/download-workflow-artifact@main | |
| with: | |
| run: ${{ github.event.workflow_run.id || inputs.workflow_id }} | |
| name: 'built' | |
| - name: "Alert if spoofed" | |
| id: spoof | |
| if: steps.dl.outputs.success == 'true' | |
| run: | | |
| echo 'body<<EOF' >> $GITHUB_ENV | |
| echo '' >> $GITHUB_ENV | |
| echo '## :x: DANGER :x:' >> $GITHUB_ENV | |
| echo 'This pull request has modified workflows that created output. Close this now.' >> $GITHUB_ENV | |
| echo '' >> $GITHUB_ENV | |
| echo 'EOF' >> $GITHUB_ENV | |
| - name: "Comment on PR" | |
| id: comment-diff | |
| uses: carpentries/actions/comment-diff@main | |
| with: | |
| pr: ${{ env.NR }} | |
| body: ${{ env.body }} |