Closing PR #45 #44
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Increment Version on Merge | |
| run-name: "${{ github.event.pull_request.merged && 'Increment version for' || 'Closing' }} PR #${{ github.event.pull_request.number }}" | |
| on: | |
| # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
| # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token | |
| # | |
| # GitHub's standard pull_request workflow trigger prevents write permissions and | |
| # secrets access when the PR is from a public fork. PRs from branches and forks of | |
| # internal/private repos are not limited the same way for the pull_request trigger. | |
| # | |
| # The pull_request_target trigger (which this workflow is using) relaxes some of those | |
| # restrictions and allows PRs from public forks to have write permissions through the | |
| # GH_TOKEN which we need in order to push new tags to the repo through this workflow. | |
| # | |
| # For this workflow, the elevated permissions should not be a problem because: | |
| # • This workflow is only triggered when a PR is closed and the reusable workflow it | |
| # calls only executes if it has been merged to the default branch. This means the PR | |
| # has been reviewed and approved by a CODEOWNER and merged by someone with Write | |
| # access before this workflow with its elevated permissions gets executed. Any code | |
| # that doesn't meet our standards should be caught before it gets to this point. | |
| # • The "Require approval for all outside collaborators" setting is set at the org-level. | |
| # Before a workflow can execute for a PR generated by an outside collaborator, a user | |
| # with Write access must manually approve the request to execute the workflow run. | |
| # Prior to doing so they should have had a chance to review any changes in the PR | |
| pull_request_target: | |
| types: [closed] | |
| # paths: | |
| # Do not include specific paths here. reusable-increment-version-on-merge.yml will decide | |
| # if this action should be incremented and if new tags should be pushed to the repo based | |
| # on the same criteria used in the build-and-review-pr.yml workflow. | |
| # ------------------------------------------------------------------------------------ | |
| # NOTE: This repo duplicates the reusable increment workflow in im-open/.github that | |
| # the rest of the actions use. If changes are needed in this workflow they | |
| # should also be made in im-open/.github. This workflow is duplicated because | |
| # it uses the local copy of itself in the workflow which allows us to test the | |
| # increment build with git-version-lite changes before we merge those changes. | |
| # ------------------------------------------------------------------------------------ | |
| jobs: | |
| increment-version: | |
| runs-on: ubuntu-latest | |
| env: | |
| MERGE_TO_MAIN: 'false' | |
| steps: | |
| - name: Check if merge to default branch | |
| id: merge | |
| uses: actions/github-script@v6 | |
| with: | |
| script: | | |
| const defaultBranch = 'main'; | |
| const baseRef = '${{ github.event.pull_request.base.ref }}'; | |
| const merged = ${{ github.event.pull_request.merged }}; | |
| if (!merged){ | |
| console.log('PR is not merged. Skipping subsequent steps.'); | |
| core.exportVariable('MERGE_TO_MAIN', false); | |
| return; | |
| } | |
| if (baseRef !== defaultBranch){ | |
| console.log(`PR is merged to ${baseRef} and not ${defaultBranch}. Skipping subsequent steps.`); | |
| core.exportVariable('MERGE_TO_MAIN', false); | |
| return; | |
| } | |
| console.log(`PR is merged to ${defaultBranch}. Proceed with subsequent steps.`); | |
| core.exportVariable('MERGE_TO_MAIN', true); | |
| - name: Checkout | |
| if: env.MERGE_TO_MAIN == 'true' | |
| uses: actions/checkout@v3 | |
| - name: If PR is merged to main - Check for code changes to the action source code | |
| if: env.MERGE_TO_MAIN == 'true' | |
| id: source-code | |
| uses: im-open/did-custom-action-code-change@v1 | |
| with: | |
| files-with-code: 'action.yml,package.json,package-lock.json' | |
| folders-with-code: 'src,dist' | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: If PR is merged to main - Print whether Action Source Code Changed (open for details) | |
| if: env.MERGE_TO_MAIN == 'true' | |
| run: | | |
| if [ "${{ steps.source-code.outputs.HAS_CHANGES }}" == "true" ]; then | |
| echo "This PR changes the action's source code. Proceed with subsequent steps." | |
| else | |
| echo "This PR does not change the action's source code. Skipping subsequent steps." | |
| fi | |
| - name: If PR is merged to main & PR has source code changes - Checkout | |
| if: env.MERGE_TO_MAIN == 'true' && steps.source-code.outputs.HAS_CHANGES == 'true' | |
| uses: actions/checkout@v3 | |
| with: | |
| ref: main | |
| fetch-depth: 0 | |
| - name: If PR is merged to main & PR has source code changes - Get the next version for the repo | |
| if: env.MERGE_TO_MAIN == 'true' && steps.source-code.outputs.HAS_CHANGES == 'true' | |
| id: version | |
| uses: ./ | |
| - name: If PR is merged to main & PR has source code changes - Print action version (${{ steps.version.outputs.NEXT_VERSION || 'N/A'}}) | |
| if: env.MERGE_TO_MAIN == 'true' && steps.source-code.outputs.HAS_CHANGES == 'true' | |
| run: echo "The next action version will be - ${{ steps.version.outputs.NEXT_VERSION }}" | |
| - name: If PR is merged to main & PR has source code changes - Push tags to repo | |
| if: env.MERGE_TO_MAIN == 'true' && steps.source-code.outputs.HAS_CHANGES == 'true' | |
| run: | | |
| git config user.name github-actions | |
| git config user.email github-actions@github.com | |
| git tag ${{ steps.version.outputs.NEXT_VERSION }} ${{ github.sha }} | |
| git tag -f ${{ steps.version.outputs.NEXT_MAJOR_VERSION }} ${{ github.sha }} | |
| git tag -f ${{ steps.version.outputs.NEXT_MINOR_VERSION }} ${{ github.sha }} | |
| git push origin ${{ steps.version.outputs.NEXT_VERSION }} | |
| git push origin ${{ steps.version.outputs.NEXT_MAJOR_VERSION }} -f | |
| git push origin ${{ steps.version.outputs.NEXT_MINOR_VERSION }} -f |