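---
name: PR Deps Baseline
# Add the necessary changes to the dependency update PRs: run the
# baseline update on a Dependabot PR, amend the result into the PR's
# last commit, push it back, and report progress as PR comments.
on:
  pull_request:
    types: [ opened, reopened, synchronize ]

# Workflow-wide token scope. `contents: write` is needed for the push
# back to the PR branch.
permissions:
  contents: write
  # We appear to need write permission for both pull-requests and
  # issues to post a comment to a pull request.
  pull-requests: write
  issues: write

jobs:
  pr-deps:
    runs-on: ubuntu-latest
    # Gate on the triggering actor. Note that `github.actor` is whoever
    # caused the latest event: a maintainer pushing to a Dependabot branch
    # changes the actor and skips this job, which is the intended effect
    # (only Dependabot-authored pushes get the write-scoped token below).
    if: github.actor == 'dependabot[bot]'
    concurrency:
      group: '${{ github.workflow }}-${{ github.ref }}'
      cancel-in-progress: true
    env:
      # Link to this run, used in every status comment.
      RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
        with:
          disable-sudo: true
          # `audit` only records outbound connections; switch to `block`
          # with an allow-list once the baseline update's hosts are known.
          egress-policy: audit

      # Verify that the PR is from Dependabot
      # NOTE(review): this and the actions below are referenced by mutable
      # tag; harden-runner above is SHA-pinned. Pinning all of them to a
      # commit SHA (with the version as a trailing comment) gives the same
      # supply-chain guarantee for every step.
      - uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Confirm start in the comment
        uses: actions/github-script@v7
        # Commenting is best-effort; a failed comment must not fail the job.
        continue-on-error: true
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const { RUN_URL } = process.env
            // Awaited so an API error surfaces in the step log instead of
            // being lost as an unhandled rejection.
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `🔄 Baseline update [started](${RUN_URL})...`
            })

      - uses: actions/checkout@v4
        with:
          # Needed for correct git commit --amend.
          fetch-depth: 3
          # Checkout pull request HEAD commit instead of merge commit.
          ref: ${{ github.event.pull_request.head.sha }}

      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          # Quoted: action inputs are strings, and quoting avoids
          # float-style reinterpretation of future versions like 21.0.
          java-version: '22'

      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v3
        with:
          gradle-version: release-candidate
          cache-disabled: true
          cache-read-only: true

      - name: Update baseline
        # Runs the project's own script from the checked-out PR head.
        run: ./updateBaseline

      - name: Setup GIT
        run: |
          # Set GIT user email and name to match author of the last commit.
          #git config --local user.name "$(git log --pretty=format:'%an' -1)"
          #git config --local user.email "$(git log --pretty='%ae' -1)"
          git config --local user.name "Baseline Action"
          git config --local user.email "[email protected]"
          # Create SSH key
          # NOTE: if this block is ever re-enabled, the key file must be
          # mode 600 — ssh refuses a world-writable private key.
          #mkdir -p ~/.ssh/
          #echo "${{ secrets.BOT_GIT_SSH_KEY }}" > ~/.ssh/id_rsa_bot
          #chmod 666 ~/.ssh/id_rsa_bot
          # Configure GH commit signing key.
          # TODO: Fix it, doesn't work atm. Fails for SSH key saved and used this way.
          #git config --local commit.gpgsign true
          #git config --local gpg.format ssh
          #git config --local user.signingkey ~/.ssh/id_rsa

      - name: GIT add
        run: |
          git add -v .

      - name: Commit amend and push
        env:
          GITHUB_HEAD_REF: ${{ github.head_ref }}
          # The commit we checked out and are about to amend; used as the
          # expected remote value for the lease below.
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          if [ -n "$(git diff --name-only --cached)" ]; then
            # Show what's available.
            git log -n 3 --pretty=format:"%h - %an, %ar : %s"
            # Amend the baseline changes to the last commit.
            git commit --amend --no-edit -vv
            # Show what we are about to push.
            git log -n 3 --pretty=format:"%h - %an, %ar : %s"
            # Push changes back to branch. The lease makes the forced
            # update conditional on the remote branch still pointing at
            # the commit we amended, so a push that landed on the branch
            # in the meantime is not silently overwritten.
            git push --force-with-lease="refs/heads/${GITHUB_HEAD_REF}:${HEAD_SHA}" -v origin "HEAD:refs/heads/${GITHUB_HEAD_REF}"
          else
            echo "No changes needed."
          fi

      # Track result in the comment
      - uses: actions/github-script@v7
        continue-on-error: true
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const { RUN_URL } = process.env
            await github.rest.issues.createComment({
              issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo,
              body: `✅ Baseline [updated](${RUN_URL}).`
            })

      - uses: actions/github-script@v7
        # Runs only when an earlier step failed (the success step above is
        # skipped in that case by the default `success()` condition).
        if: failure()
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const { RUN_URL } = process.env
            await github.rest.issues.createComment({
              issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo,
              body: `❌ Baseline update [failed](${RUN_URL})!`
            })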