chore: add node v24 to supported engines #757
Workflow file for this run
# Decides which reviews are required, depending on whether a contribution is
# internal or external.
name: External PR Ruleset

on:
  # pull_request_target runs this workflow in the context of the base
  # repository, with the token permissions declared below, so the jobs must
  # not check out or execute code from the pull request head.
  pull_request_target:
  # merge_group is always needed for required workflows to prevent them from
  # getting stuck; both jobs skip it through their `if:` conditions.
  merge_group:

# Token scope for every job in this file: read the repository, write to
# pull requests (dismiss reviews, close, comment).
permissions:
  contents: read
  pull-requests: write
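jobs:
  # Dismisses every APPROVED review on pull requests whose head repository is
  # not this repository, each time the workflow is triggered.
  revoke-approvals:
    name: Check Revoke Approvals
    runs-on: ubuntu-latest
    # Fork pull requests only; merge_group events are skipped here.
    if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository
    steps:
      - name: Dismiss Pull Request Reviews
        # NOTE(review): the pull_request_target payload carries the PR under
        # `github.event.pull_request`; `github.event.pull_request_target` is
        # not a payload key, so this expression is always true and drafts are
        # processed too. If the draft skip is ever made effective, also add
        # `ready_for_review` to the trigger types so approvals are re-checked
        # when a draft becomes reviewable again.
        if: ${{ ! github.event.pull_request_target.draft }}
        run: |
          set -euo pipefail
          reviews_url="https://api.github.com/repos/${GH_ORG}/${REPO}/pulls/${PULL_NUMBER}/reviews"
          # get existing reviews
          # --fail turns an HTTP error into a non-zero exit, so the step stops
          # (set -e) instead of handing an error body to jq and dismissing nothing.
          # per_page=100 is the API maximum; the default page holds 30 reviews.
          # NOTE(review): a PR with more than 100 reviews still needs pagination.
          reviews=$(curl -sS --fail -H "Authorization: token ${GH_TOKEN}" \
            -H "Accept: application/vnd.github.v3+json" \
            "${reviews_url}?per_page=100")
          # If no reviews were given, then exit script
          if [ -z "$reviews" ] || [ "$reviews" == "[]" ]; then
            echo "No reviews to dismiss"
            exit 0
          fi
          # Extract the ids in their own assignment: a jq failure then aborts
          # the step, whereas inside the `for` word list it would be ignored.
          approved_ids=$(jq -r '.[] | select(.state == "APPROVED") | .id' <<<"${reviews}")
          # dismiss PR reviews
          for review_id in ${approved_ids}; do
            response=$(curl -s -o /dev/null -w "%{http_code}" -X PUT -H "Authorization: token ${GH_TOKEN}" \
              -H "Accept: application/vnd.github.v3+json" \
              -d '{"message": "Review dismissed by automation script."}' \
              "${reviews_url}/${review_id}/dismissals")
            if [ "$response" -eq 200 ]; then
              echo "Dismissed review ${review_id}"
            else
              echo "Failed to dismiss review ${review_id}, HTTP status code: $response"
              exit 1
            fi
          done
        shell: bash
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # actor is github actions with above permissions
          GH_ORG: ${{ github.repository_owner }}
          REPO: ${{ github.event.repository.name }}
          PULL_NUMBER: ${{ github.event.pull_request.number }}

  # Compares the files changed by a fork pull request against the repository's
  # EXTERNAL_CONTRIB_BLACKLIST and closes the pull request when the check fails.
  check-external-file-changes:
    name: Check Unallowed File Changes
    runs-on: ubuntu-latest
    # Fork pull requests only; merge_group events are skipped here.
    if: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository
    steps:
      - name: Checkout EXTERNAL_CONTRIB_BLACKLIST from ${{ github.repository }}
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          path: repo
          # actions/checkout will checkout the target repo and default branch by default
          # when triggered by pull_request_target. However for security reasons we want to
          # be explicit here.
          repository: ${{ github.repository }}
          ref: ${{ github.event.repository.default_branch }}
          sparse-checkout: .github/repo_policies/EXTERNAL_CONTRIB_BLACKLIST
          # No later step in this job performs an authenticated git operation,
          # so the token is not left behind in the checkout's git config.
          persist-credentials: false
      - name: Checkout check_external_changes.py from dfinity/public-workflows
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # NOTE(review): no `ref` is given, so the script is taken from that
          # repository's default branch at run time and executed below;
          # pinning `ref` to a reviewed commit would make the run reproducible.
          repository: dfinity/public-workflows
          path: public-workflows
          sparse-checkout: reusable_workflows/repo_policies/check_external_changes.py
          persist-credentials: false
      - name: Get changed files
        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
        with:
          use_rest_api: true
          json: true
          write_output_files: true
      - name: Check External Changes
        # Skipped when the repository has no blacklist file.
        if: ${{ hashFiles('repo/.github/repo_policies/EXTERNAL_CONTRIB_BLACKLIST') != '' }}
        id: check_external_changes
        run: public-workflows/reusable_workflows/repo_policies/check_external_changes.py
        env:
          # populated by the action
          # https://github.com/tj-actions/changed-files/blob/d03a93c0dbfac6d6dd6a0d8a5e7daff992b07449/README.md?plain=1#L569-L572
          CHANGED_FILES_JSON_PATH: ".github/outputs/all_changed_and_modified_files.json"
          EXTERNAL_CONTRIB_BLACKLIST_PATH: "repo/.github/repo_policies/EXTERNAL_CONTRIB_BLACKLIST"
      - name: Close PR
        # NOTE(review): this is the only action in the file referenced by a
        # mutable tag; pin it to a full commit SHA like the others.
        uses: actions/github-script@v7
        # Runs on any failure of the check step, including a crash of the
        # script itself, not only on a blacklist match.
        if: ${{ !cancelled() && steps.check_external_changes.conclusion == 'failure' }}
        with:
          # Only repository-level context values are interpolated into the
          # script text below; none of them come from the pull request.
          script: |
            // Await both requests so a rejected call fails this step.
            await github.rest.pulls.update({
              pull_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              state: 'closed'
            })
            let message = "Closed Pull Request since changes were made to [unallowed files](${{ github.server_url }}/${{ github.repository }}/blob/${{ github.event.repository.default_branch }}/.github/repo_policies/EXTERNAL_CONTRIB_BLACKLIST).\n\n"
            message += 'Please see details here: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}\n\n'
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: message
            })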