1 | | -name: Build and Check for Changes |
| 1 | +name: Build and Review PR |
| 2 | +run-name: Build and Review PR #${{ github.event.pull_request.number }} |
| 3 | + |
2 | 4 | on: |
3 | | - # This workflow uses the pull_request trigger which prevents write permissions and secrets |
4 | | - # access to the target repository from public forks. This should remain as a pull_request |
5 | | - # trigger because checkout, build, format and checking for changes do not need elevated |
6 | | - # permissions to the repository. The reduced permissions for public forks is adequate. |
7 | | - # Since this will commit readme/recompile changes back to the branch, special attention |
8 | | - # should be paid to changes made to this workflow when reviewing the PR and granting |
9 | | - # permission to first time contributors to run the workflow. |
| 5 | + # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token |
| 6 | + # |
| 7 | + # This workflow uses the pull_request trigger which prevents write permissions on the |
| 8 | + # GH_TOKEN and secrets access from public forks. This should remain as a pull_request |
| 9 | + # trigger to minimize the access public forks have in the repository. The reduced |
| 10 | + # permissions are adequate but do mean that re-compiles and readme changes will have to be |
| 11 | + # made manually by the PR author. These auto-updates could be done by this workflow |
| 12 | + # for branches but in order to re-trigger a PR build (which is needed for status checks), |
| 13 | + # we would make the commits with a different user and their PAT. To minimize exposure |
| 14 | + # and complication we will request those changes be manually made by the PR author. |
10 | 15 | pull_request: |
11 | | - # Don't include any specific paths here so we always get a build that produces a status |
12 | | - # check that our Branch Protection Rules can use. Having a status check also allows us |
13 | | - # to require that branches be up to date before they are merged. |
| 16 | + types: [opened, synchronize, reopened] |
| 17 | + # paths: |
| 18 | + # Do not include specific paths here. We always want this build to run and produce a |
| 19 | + # status check which are branch protection rules can use. If this is skipped because of |
| 20 | + # path filtering, a status check will not be created and we won't be able to merge the PR |
| 21 | + # without disabling that requirement. If we have a status check that is always produced, |
| 22 | + # we can also use that to require all branches be up to date before they are merged. |
14 | 23 |
|
15 | 24 | jobs: |
16 | | - build: |
17 | | - runs-on: ubuntu-latest |
18 | | - |
19 | | - steps: |
20 | | - - name: Checkout |
21 | | - uses: actions/checkout@v3 |
22 | | - with: |
23 | | - ref: ${{ github.head_ref }} |
24 | | - fetch-depth: 0 |
| 25 | + build-and-review-pr: |
| 26 | + # This reusable workflow will check to see if an action's source code has changed based on |
| 27 | + # whether the PR includes files that match the files-with-code arg or are in one of the |
| 28 | + # dirs-with-code directories. If there are source code changes, this reusable workflow |
| 29 | + # will then run the action's build (if one was provided) and update the README.md with the |
| 30 | + # the latest version of the action. If those two steps result in any changes that need to |
| 31 | + # be committed, the workflow will fail because the PR needs some updates. Instructions for |
| 32 | + # updating the PR will be available in the build log, the workflow summary and as a PR |
| 33 | + # comment if the PR came from a branch (not a fork). |
| 34 | + # This workflow assumes: |
| 35 | + # - The main README.md is at the root of the repo |
| 36 | + # - The README contains a contribution guidelines and usage examples section |
| 37 | + uses: im-open/.github/.github/workflows/reusable-build-and-review-pr.yml@v1 |
| 38 | + with: |
| 39 | + action-name: ${{ github.repository }} |
| 40 | + default-branch: main |
| 41 | + readme-name: 'README.md' |
| 42 | + |
| 43 | + # The id of the contribution guidelines section of the README.md |
| 44 | + readme-contribution-id: '#contributing' |
25 | 45 |
|
26 | | - - name: Setup Node.js 16 |
27 | | - uses: actions/setup-node@v3 |
28 | | - with: |
29 | | - node-version: 16.x |
| 46 | + # The id of the usage examples section of the README.md |
| 47 | + readme-examples-id: '#usage-examples' |
30 | 48 |
|
31 | | - # If this step results in changes, they will be committed in the last step |
32 | | - - name: Recompile and Format action |
33 | | - run: npm run build |
34 | | - |
35 | | - - name: Check for code changes to the action |
36 | | - id: action-code |
37 | | - uses: im-open/did-custom-action-code-change@v1.0.1 |
38 | | - with: |
39 | | - files-with-code: 'action.yml,package.json,package-lock.json' |
40 | | - folders-with-code: 'src,dist' |
41 | | - token: ${{ secrets.GITHUB_TOKEN }} |
42 | | - |
43 | | - - name: Get the next version for the readme if there are code changes to the action |
44 | | - if: steps.action-code.outputs.HAS_CHANGES == 'true' |
45 | | - id: version |
46 | | - uses: im-open/git-version-lite@v2.1.2 |
| 49 | + # The files that contain source code for the action. Only files that affect the action's execution |
| 50 | + # should be included like action.yml or package.json. Do not include files like README.md or .gitignore. |
| 51 | + # Files do not need to be explicitly provided here if they fall under one of the dirs in dirs-with-code. |
| 52 | + # ** This value must match the same files-with-code argument specified in increment-version-on-merge.yml. |
| 53 | + files-with-code: 'action.yml,package.json,package-lock.json' |
47 | 54 |
|
48 | | - - name: Update readme with next version if there are code changes to the action |
49 | | - if: steps.action-code.outputs.HAS_CHANGES == 'true' |
50 | | - uses: im-open/update-action-version-in-file@v1.0.0 |
51 | | - with: |
52 | | - file-to-update: './README.md' |
53 | | - action-name: ${{ github.repository }} |
54 | | - updated-version: ${{ steps.version.outputs.NEXT_VERSION }} |
| 55 | + # The directories that contain source code for the action. Only dirs with files that affect the action's |
| 56 | + # execution should be included like src or dist. Do not include dirs like .github or node_modules. |
| 57 | + # ** This value must match the same dirs-with-code argument specified in increment-version-on-merge.yml. |
| 58 | + dirs-with-code: 'src,dist' |
55 | 59 |
|
56 | | - - name: Commit unstaged readme/recompile changes if there are code changes to the action |
57 | | - if: steps.action-code.outputs.HAS_CHANGES == 'true' |
58 | | - run: | |
59 | | - if [[ "$(git status --porcelain)" != "" ]]; then |
60 | | - echo "There are changes to commit" |
61 | | - git config user.name github-actions |
62 | | - git config user.email github-actions@github.com |
63 | | - git add . |
64 | | - git commit -m "Update readme with latest version and/or recompile the action." |
65 | | - git push origin HEAD:${{ github.head_ref }} |
66 | | - else |
67 | | - echo "There were no changes to commit" |
68 | | - fi |
| 60 | + # The npm script to run to build the action. This is typically 'npm run build' if the |
| 61 | + # action needs to be compiled. For composite-run-steps actions this is typically empty. |
| 62 | + build-command: 'npm run build' |
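Review bot: The new caller workflow declares no top-level `permissions:` block, so for same-repo branch PRs the job that `uses: im-open/.github/.github/workflows/reusable-build-and-review-pr.yml@v1` runs with whatever the repository's default GITHUB_TOKEN grants (which may still be write-all on repositories created before the read-only default), and the rewritten header comment reasons only about forks, not about this. The job comment says the reusable workflow posts a PR comment for branch PRs, so it presumably needs `pull-requests: write` and otherwise only read access; declare that explicitly at the top level, `permissions:` / `contents: read` / `pull-requests: write`, and confirm it against the reusable workflow's own `permissions:` since a called workflow can narrow but never widen what the caller passes in. Separately, `run-name: Build and Review PR #${{ github.event.pull_request.number }}` is an unquoted plain scalar in which ` #` starts a YAML comment, so the PR number is silently dropped and every run is named just "Build and Review PR"; quote it: `run-name: 'Build and Review PR #${{ github.event.pull_request.number }}'`. The `@v1` reference on the `uses:` line is a mutable tag; if im-open is this repository's own org that may be an accepted trade-off, but pinning the reusable workflow to a full commit SHA (with the tag noted in a trailing comment) is the standard hardening against a rewritten tag pulling in different build steps.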