Skip to content

Bot: Comment on the Pull Request #4

Bot: Comment on the Pull Request

Bot: Comment on the Pull Request #4

Workflow file for this run

name: "Bot: Comment on the Pull Request"
# read-write repo token
# access to secrets
on:
workflow_run:
workflows: ["Receive Pull Request"]
types:
- completed
concurrency:
group: pr-${{ github.event.workflow_run.pull_requests[0].number }}
cancel-in-progress: true
jobs:
# Pull requests are valid if:
# - they match the sha of the workflow run head commit
# - they are open
# - no .github files were committed
test-pr:
name: "Test if pull request is valid"
runs-on: ubuntu-latest
if: >
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success'
outputs:
is_valid: ${{ steps.check-pr.outputs.VALID }}
payload: ${{ steps.check-pr.outputs.payload }}
number: ${{ steps.get-pr.outputs.NUM }}
msg: ${{ steps.check-pr.outputs.MSG }}
steps:
- name: 'Download PR artifact'
id: dl
uses: carpentries/actions/download-workflow-artifact@main
with:
run: ${{ github.event.workflow_run.id }}
name: 'pr'
- name: "Get PR Number"
if: ${{ steps.dl.outputs.success == 'true' }}
id: get-pr
run: |
unzip pr.zip
echo "NUM=$(<./NR)" >> $GITHUB_OUTPUT
- name: "Fail if PR number was not present"
id: bad-pr
if: ${{ steps.dl.outputs.success != 'true' }}
run: |
echo '::error::A pull request number was not recorded. The pull request that triggered this workflow is likely malicious.'
exit 1
- name: "Get Invalid Hashes File"
id: hash
run: |
echo "json<<EOF
$(curl -sL https://files.carpentries.org/invalid-hashes.json)
EOF" >> $GITHUB_OUTPUT
- name: "Check PR"
id: check-pr
if: ${{ steps.dl.outputs.success == 'true' }}
uses: carpentries/actions/check-valid-pr@main
with:
pr: ${{ steps.get-pr.outputs.NUM }}
sha: ${{ github.event.workflow_run.head_sha }}
headroom: 3 # if it's within the last three commits, we can keep going, because it's likely rapid-fire
invalid: ${{ fromJSON(steps.hash.outputs.json)[github.repository] }}
fail_on_error: true
# Create an orphan branch on this repository with two commits
# - the current HEAD of the md-outputs branch
# - the output from running the current HEAD of the pull request through
# the md generator
create-branch:
name: "Create Git Branch"
needs: test-pr
runs-on: ubuntu-latest
if: ${{ needs.test-pr.outputs.is_valid == 'true' }}
env:
NR: ${{ needs.test-pr.outputs.number }}
permissions:
contents: write
steps:
- name: 'Checkout md outputs'
uses: actions/checkout@v4
with:
ref: md-outputs
path: built
fetch-depth: 1
- name: 'Download built markdown'
id: dl
uses: carpentries/actions/download-workflow-artifact@main
with:
run: ${{ github.event.workflow_run.id }}
name: 'built'
- if: ${{ steps.dl.outputs.success == 'true' }}
run: unzip built.zip
- name: "Create orphan and push"
if: ${{ steps.dl.outputs.success == 'true' }}
run: |
cd built/
git config --local user.email "actions@github.com"
git config --local user.name "GitHub Actions"
CURR_HEAD=$(git rev-parse HEAD)
git checkout --orphan md-outputs-PR-${NR}
git add -A
git commit -m "source commit: ${CURR_HEAD}"
ls -A | grep -v '^.git$' | xargs -I _ rm -r '_'
cd ..
unzip -o -d built built.zip
cd built
git add -A
git commit --allow-empty -m "differences for PR #${NR}"
git push -u --force --set-upstream origin md-outputs-PR-${NR}
# Comment on the Pull Request with a link to the branch and the diff
comment-pr:
name: "Comment on Pull Request"
needs: [test-pr, create-branch]
runs-on: ubuntu-latest
if: ${{ needs.test-pr.outputs.is_valid == 'true' }}
env:
NR: ${{ needs.test-pr.outputs.number }}
permissions:
pull-requests: write
steps:
- name: 'Download comment artifact'
id: dl
uses: carpentries/actions/download-workflow-artifact@main
with:
run: ${{ github.event.workflow_run.id }}
name: 'diff'
- if: ${{ steps.dl.outputs.success == 'true' }}
run: unzip ${{ github.workspace }}/diff.zip
- name: "Comment on PR"
id: comment-diff
if: ${{ steps.dl.outputs.success == 'true' }}
uses: carpentries/actions/comment-diff@main
with:
pr: ${{ env.NR }}
path: ${{ github.workspace }}/diff.md
# Comment if the PR is open and matches the SHA, but the workflow files have
# changed
comment-changed-workflow:
name: "Comment if workflow files have changed"
needs: test-pr
runs-on: ubuntu-latest
if: ${{ always() && needs.test-pr.outputs.is_valid == 'false' }}
env:
NR: ${{ github.event.workflow_run.pull_requests[0].number }}
body: ${{ needs.test-pr.outputs.msg }}
permissions:
pull-requests: write
steps:
- name: 'Check for spoofing'
id: dl
uses: carpentries/actions/download-workflow-artifact@main
with:
run: ${{ github.event.workflow_run.id }}
name: 'built'
- name: 'Alert if spoofed'
id: spoof
if: ${{ steps.dl.outputs.success == 'true' }}
run: |
echo 'body<<EOF' >> $GITHUB_ENV
echo '' >> $GITHUB_ENV
echo '## :x: DANGER :x:' >> $GITHUB_ENV
echo 'This pull request has modified workflows that created output. Close this now.' >> $GITHUB_ENV
echo '' >> $GITHUB_ENV
echo 'EOF' >> $GITHUB_ENV
- name: "Comment on PR"
id: comment-diff
uses: carpentries/actions/comment-diff@main
with:
pr: ${{ env.NR }}
body: ${{ env.body }}