Skip to content
Commit Built File Changes

Commit Built File Changes (PRs) #6

Sign in to view logs

Commit Built File Changes (PRs)

Commit Built File Changes (PRs) #6

Workflow file for this run

.github/workflows/commit-built-file-changes.yml at 3040542
# Commits missed changes to built files back to pull request branches.
name: Commit Built File Changes
on:
workflow_run:
workflows: [ 'Check built files' ]
types:
- completed
# Cancels all previous workflow runs for pull requests that have not completed.
concurrency:
# The concurrency group contains the workflow name and the branch name for pull requests
# or the commit hash for any other events.
group: ${{ github.workflow }}-${{ github.event_name == 'workflow_run' && format( '{0}-{1}', github.event.workflow_run.head_branch, github.event.workflow_run.head_repository.name ) || github.sha }}
# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}
jobs:
# Checks a PR for uncommitted changes to built files.
#
# This job uses a GitHub App instead of $GITHUB_TOKEN because Dependabot pull requests are only granted
# read-only access.
#
# Performs the following steps:
# - Generates a token for authenticating with the GitHub App.
# - Checks out the repository.
# - Sets up Node.js.
# - Configures caching for Composer.
# - Installs Composer dependencies.
# - Logs general debug information about the runner.
# - Installs npm dependencies.
# - Builds CSS file using SASS.
# - Builds Emoji files.
# - Builds bundled Root Certificate files.
# - Builds WordPress.
# - Checks for changes to versioned files.
# - Displays the result of git diff for debugging purposes.
# - Configures the Git author.
# - Stages changes.
# - Commits changes.
# - Pushes changes.
update-built-files:
name: Check and update built files
runs-on: ubuntu-24.04
# This prevents an unnecessary second run after changes are committed back because Dependabot always rebases
# updates and force pushes.
if: ${{ true || github.event.workflow_run.actor != 'dependabot[bot]' || github.event.commits < 2 }}
timeout-minutes: 10
permissions:
contents: write
steps:
- name: Download artifact
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const artifacts = await github.rest.actions.listWorkflowRunArtifacts( {
owner: context.repo.owner,
repo: context.repo.repo,
run_id: process.env.RUN_ID,
} );
const matchArtifact = artifacts.data.artifacts.filter( ( artifact ) => {
return artifact.name === 'pr-data'
} )[0];
if ( ! matchArtifact ) {
core.info( 'No artifact found!' );
return;
}
const download = await github.rest.actions.downloadArtifact( {
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
} );
const fs = require( 'fs' );
fs.writeFileSync( '${{ github.workspace }}/pr-data.zip', Buffer.from( download.data ) )
env:
RUN_ID: ${{ github.event.workflow_run.id }}
- name: Check for artifact
id: artifact-check
run: |
if [ -f "${{ github.workspace }}/pr-data.zip" ]; then
echo "exists=false" >> "$GITHUB_OUTPUT"
else
echo "exists=true" >> "$GITHUB_OUTPUT"
fi
- name: Unzip the artifact containing the PR data
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
run: unzip pr-data.zip
- name: Generate Installation Token
id: generate_token
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
env:
GH_APP_ID: ${{ secrets.GH_APP_ID }}
GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
run: |
echo "$GH_APP_PRIVATE_KEY" > private-key.pem
# Generate JWT
JWT=$(python3 - <<EOF
import jwt, time
private_key = open("private-key.pem", "r").read()
payload = {
"iat": int(time.time()),
"exp": int(time.time()) + 600, # 10-minute expiration
"iss": $GH_APP_ID
}
print(jwt.encode(payload, private_key, algorithm="RS256"))
EOF
)
# Get Installation ID
INSTALLATION_ID=$(curl -s -X GET -H "Authorization: Bearer $JWT" \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/app/installations | jq -r '.[0].id')
# Request Installation Access Token
ACCESS_TOKEN=$(curl -s -X POST -H "Authorization: Bearer $JWT" \
-H "Accept: application/vnd.github.v3+json" \
"https://api.github.com/app/installations/$INSTALLATION_ID/access_tokens" | jq -r '.token')
echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
rm -f private-key.pem
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
with:
repository: ${{ github.event.workflow_run.repository.full_name }}
ref: ${{ github.event.workflow_run.head_branch }}
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
token: ${{ env.ACCESS_TOKEN }}
- name: Apply patch
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
run: git apply ../pr-data/patch.diff
- name: Display changes to versioned files
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
run: git diff
- name: Configure git user name and email
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
run: |
git config user.name "test-wp-build-script-commit[bot]"
git config user.email ${{ env.GH_APP_ID }}+test-wp-build-script-commit[bot]@users.noreply.github.com
- name: Stage changes
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
run: git add .
- name: Commit changes
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
run: |
git commit -m "Automation: Updating built files with changes. [dependabot skip]"
- name: Push changes
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
run: git push