
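name: Increment Version on Merge
run-name: "${{ github.event.pull_request.merged && 'Increment version for' || 'Closing' }} PR #${{ github.event.pull_request.number }}"

# yamllint disable-line rule:truthy
on:
  # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
  # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
  #
  # GitHub's standard pull_request workflow trigger prevents write permissions and
  # secrets access when the PR is from a public fork. PRs from branches and forks of
  # internal/private repos are not limited the same way for the pull_request trigger.
  #
  # The pull_request_target trigger (which this workflow is using) relaxes some of those
  # restrictions and allows PRs from public forks to have write permissions through the
  # GH_TOKEN which we need in order to push new tags to the repo through this workflow.
  #
  # For this workflow, the elevated permissions should not be a problem because:
  # • This workflow is only triggered when a PR is closed and the steps below only
  #   execute if it has been merged to the default branch. This means the PR has been
  #   reviewed and approved by a CODEOWNER and merged by someone with Write access
  #   before this workflow with its elevated permissions gets executed. Any code that
  #   doesn't meet our standards should be caught before it gets to this point.
  # • The "Require approval for all outside collaborators" setting is set at the org-level.
  #   Before a workflow can execute for a PR generated by an outside collaborator, a user
  #   with Write access must manually approve the request to execute the workflow run.
  #   Prior to doing so they should have had a chance to review any changes in the PR.
  # • No step checks out or runs PR-head code: both checkouts resolve to the base branch
  #   (the default ref under pull_request_target, and `ref: main` explicitly), and event
  #   data is passed to scripts through `env`, never interpolated into script text.
  pull_request_target:
    types: [closed]
    # paths:
    #   Do not include specific paths here. The did-custom-action-code-change step below
    #   decides if this action should be incremented and if new tags should be pushed to
    #   the repo based on the same criteria used in the build-and-review-pr.yml workflow.

# ------------------------------------------------------------------------------------
# NOTE: This repo duplicates the reusable increment workflow in im-open/.github that
#       the rest of the actions use. If changes are needed in this workflow they
#       should also be made in im-open/.github. This workflow is duplicated because
#       it uses the local copy of itself in the workflow which allows us to test the
#       increment build with git-version-lite changes before we merge those changes.
# ------------------------------------------------------------------------------------

# Least privilege for the GITHUB_TOKEN this trigger hands out: pushing tags needs
# `contents: write`; `pull-requests: read` is granted for the token passed to the
# change-detection step (confirm against did-custom-action-code-change — drop it if
# that action only uses the local git history). Nothing else is granted.
permissions:
  contents: write
  pull-requests: read

jobs:
  increment-version:
    runs-on: ubuntu-latest
    env:
      # Set to 'true' by the first step only when the PR was merged into main.
      MERGE_TO_MAIN: 'false'
    steps:
      - name: Check if merge to default branch
        id: merge
        uses: actions/github-script@v7
        env:
          # Event data is read from process.env instead of being spliced into the
          # script text, so a quote or newline in a branch name cannot alter the script.
          BASE_REF: ${{ github.event.pull_request.base.ref }}
          PR_MERGED: ${{ github.event.pull_request.merged }}
        with:
          script: |
            const defaultBranch = 'main';
            const baseRef = process.env.BASE_REF;
            // github.event.pull_request.merged is a boolean; env vars are strings.
            const merged = process.env.PR_MERGED === 'true';
            if (!merged) {
              console.log('PR is not merged. Skipping subsequent steps.');
              core.exportVariable('MERGE_TO_MAIN', false);
              return;
            }
            if (baseRef !== defaultBranch) {
              console.log(`PR is merged to ${baseRef} and not ${defaultBranch}. Skipping subsequent steps.`);
              core.exportVariable('MERGE_TO_MAIN', false);
              return;
            }
            console.log(`PR is merged to ${defaultBranch}. Proceed with subsequent steps.`);
            core.exportVariable('MERGE_TO_MAIN', true);

      # Under pull_request_target the default ref is the base branch, not the PR head.
      - name: Checkout
        if: env.MERGE_TO_MAIN == 'true'
        uses: actions/checkout@v4

      - name: If PR is merged to main - Check for code changes to the action source code
        if: env.MERGE_TO_MAIN == 'true'
        id: source-code
        uses: im-open/did-custom-action-code-change@v1
        with:
          files-with-code: 'action.yml,package.json,package-lock.json'
          folders-with-code: 'src,dist'
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: If PR is merged to main - Print whether Action Source Code Changed (open for details)
        if: env.MERGE_TO_MAIN == 'true'
        env:
          HAS_CHANGES: ${{ steps.source-code.outputs.HAS_CHANGES }}
        run: |
          if [ "$HAS_CHANGES" == "true" ]; then
            echo "This PR changes the action's source code. Proceed with subsequent steps."
          else
            echo "This PR does not change the action's source code. Skipping subsequent steps."
          fi

      # Full history is required so the local action can compute the next version from tags.
      - name: If PR is merged to main & PR has source code changes - Checkout
        if: env.MERGE_TO_MAIN == 'true' && steps.source-code.outputs.HAS_CHANGES == 'true'
        uses: actions/checkout@v4
        with:
          ref: main
          fetch-depth: 0

      # Runs the copy of this action from the checkout above (main), never the PR head.
      - name: If PR is merged to main & PR has source code changes - Get the next version for the repo
        if: env.MERGE_TO_MAIN == 'true' && steps.source-code.outputs.HAS_CHANGES == 'true'
        id: version
        uses: ./

      - name: If PR is merged to main & PR has source code changes - Print action version (${{ steps.version.outputs.NEXT_VERSION || 'N/A'}})
        if: env.MERGE_TO_MAIN == 'true' && steps.source-code.outputs.HAS_CHANGES == 'true'
        env:
          NEXT_VERSION: ${{ steps.version.outputs.NEXT_VERSION }}
        run: echo "The next action version will be - $NEXT_VERSION"

      - name: If PR is merged to main & PR has source code changes - Push tags to repo
        if: env.MERGE_TO_MAIN == 'true' && steps.source-code.outputs.HAS_CHANGES == 'true'
        env:
          # Outputs are passed through env and quoted in the shell so they are treated
          # as single arguments rather than re-parsed as shell text.
          NEXT_VERSION: ${{ steps.version.outputs.NEXT_VERSION }}
          NEXT_MAJOR_VERSION: ${{ steps.version.outputs.NEXT_MAJOR_VERSION }}
          NEXT_MINOR_VERSION: ${{ steps.version.outputs.NEXT_MINOR_VERSION }}
        run: |
          # Fail early with a clear message instead of creating an empty or partial tag set.
          : "${NEXT_VERSION:?NEXT_VERSION output is empty}"
          : "${NEXT_MAJOR_VERSION:?NEXT_MAJOR_VERSION output is empty}"
          : "${NEXT_MINOR_VERSION:?NEXT_MINOR_VERSION output is empty}"
          git config user.name github-actions
          git config user.email github-actions@github.com
          # GITHUB_SHA is the base branch head for pull_request_target, i.e. the merge commit.
          git tag "$NEXT_VERSION" "$GITHUB_SHA"
          git tag -f "$NEXT_MAJOR_VERSION" "$GITHUB_SHA"
          git tag -f "$NEXT_MINOR_VERSION" "$GITHUB_SHA"
          git push origin "$NEXT_VERSION"
          git push origin "$NEXT_MAJOR_VERSION" -f
          git push origin "$NEXT_MINOR_VERSION" -f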