@@ -38,148 +38,8 @@ concurrency:
3838permissions : {}
3939
4040jobs :
41- # Checks a PR for uncommitted changes to built files.
42- #
43- # This job uses a GitHub App instead of $GITHUB_TOKEN because Dependabot pull requests are only granted
44- # read-only access.
45- #
46- # Performs the following steps:
47- # - Generates a token for authenticating with the GitHub App.
48- # - Checks out the repository.
49- # - Sets up Node.js.
50- # - Configures caching for Composer.
51- # - Installs Composer dependencies.
52- # - Logs general debug information about the runner.
53- # - Installs npm dependencies.
54- # - Builds CSS file using SASS.
55- # - Builds Emoji files.
56- # - Builds bundled Root Certificate files.
57- # - Builds WordPress.
58- # - Configures the Git author.
59- # - Checks for changes to versioned files.
60- # - Stages changes.
61- # - Commits changes.
62- # - Pushes changes.
6341 update-built-files :
64- name : Check and update built files
65- runs-on : ubuntu-24.04
42+ name : Update built files
6643 permissions :
67- contents : write
68- # This prevents a second run after changes are committed back because Dependabot always rebases updates onto trunk.
69- if : ${{ github.actor != 'dependabot[bot]' || github.event.commits < 2 }}
70- steps :
71- - name : Generate Installation Token
72- id : generate_token
73- env :
74- GH_APP_ID : ${{ secrets.GH_APP_ID }}
75- GH_APP_PRIVATE_KEY : ${{ secrets.GH_APP_PRIVATE_KEY }}
76- run : |
77- echo "$GH_APP_PRIVATE_KEY" > private-key.pem
78-
79- # Generate JWT
80- JWT=$(python3 - <<EOF
81- import jwt, time
82- private_key = open("private-key.pem", "r").read()
83- payload = {
84- "iat": int(time.time()),
85- "exp": int(time.time()) + 600, # 10-minute expiration
86- "iss": $GH_APP_ID
87- }
88- print(jwt.encode(payload, private_key, algorithm="RS256"))
89- EOF
90- )
91-
92- # Get Installation ID
93- INSTALLATION_ID=$(curl -s -X GET -H "Authorization: Bearer $JWT" \
94- -H "Accept: application/vnd.github.v3+json" \
95- https://api.github.com/app/installations | jq -r '.[0].id')
96-
97- # Request Installation Access Token
98- ACCESS_TOKEN=$(curl -s -X POST -H "Authorization: Bearer $JWT" \
99- -H "Accept: application/vnd.github.v3+json" \
100- "https://api.github.com/app/installations/$INSTALLATION_ID/access_tokens" | jq -r '.token')
101-
102- echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
103-
104- rm -f private-key.pem
105-
106- - name : Checkout repository
107- uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
108- with :
109- ref : ${{ github.head_ref }}
110- show-progress : ${{ runner.debug == '1' && 'true' || 'false' }}
111- token : ${{ env.ACCESS_TOKEN }}
112-
113- - name : Set up Node.js
114- uses : actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
115- with :
116- node-version-file : ' .nvmrc'
117- cache : npm
118-
119- # This date is used to ensure that the PHPCS cache is cleared at least once every week.
120- # http://man7.org/linux/man-pages/man1/date.1.html
121- - name : " Get last Monday's date"
122- id : get-date
123- run : echo "date=$(/bin/date -u --date='last Mon' "+%F")" >> "$GITHUB_OUTPUT"
124-
125- # Since Composer dependencies are installed using `composer update` and no lock file is in version control,
126- # passing a custom cache suffix ensures that the cache is flushed at least once per week.
127- - name : Install Composer dependencies
128- uses : ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # v3.0.0
129- with :
130- custom-cache-suffix : ${{ steps.get-date.outputs.date }}
131-
132- - name : Log debug information
133- run : |
134- npm --version
135- node --version
136- curl --version
137- git --version
138-
139- - name : Install npm Dependencies
140- run : npm ci
141-
142- - name : Run SASS precommit tasks
143- run : npm run grunt precommit:css
144-
145- - name : Run Emoji precommit task
146- run : npm run grunt precommit:emoji
147- env :
148- GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
149-
150- - name : Run certificate tasks
151- run : npm run grunt copy:certificates
152-
153- - name : Build WordPress
154- run : npm run build:dev
155-
156- - name : Configure git user name and email
157- run : |
158- git config user.name "dependabot[bot]"
159- git config user.email 49699333+dependabot[bot]@users.noreply.github.com
160-
161- - name : Check for changes to versioned files
162- id : built-file-check
163- run : |
164- if git diff --quiet; then
165- echo "uncommitted_changes=false" >> "$GITHUB_OUTPUT"
166- else
167- echo "uncommitted_changes=true" >> "$GITHUB_OUTPUT"
168- fi
169-
170- - name : Display changes to versioned files
171- run : git diff
172-
173- - name : Stage changes
174- if : ${{ steps.built-file-check.outputs.uncommitted_changes == 'true' }}
175- run : git add .
176-
177- - name : Commit changes
178- if : ${{ steps.built-file-check.outputs.uncommitted_changes == 'true' }}
179- run : |
180- git commit -m "Automation: Updating built files with changes. [dependabot skip]"
181-
182- - name : Push changes
183- if : ${{ steps.built-file-check.outputs.uncommitted_changes == 'true' }}
184- run : git push
185-
44+ pull-requests : write
45+ uses : ./.github/workflows/reusable-check-built-files.yml
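Review bot: The new `update-built-files` job grants `pull-requests: write` to `./.github/workflows/reusable-check-built-files.yml` with no comment saying why, while the commit deletes the block comment that explained the old job's credentials. Because the workflow-level default is `permissions: {}`, this is the only token scope the called workflow receives, so a one-line note above `permissions:` such as `# pull-requests: write lets the reusable workflow <PURPOSE>; no secrets are passed to it.` would keep the grant reviewable. The removed `if:` guard against a second Dependabot run is not carried over on the caller, so it is worth confirming that the reusable workflow, which is outside this hunk, covers that case. The `on:` triggers are also outside the hunk, so whether this write-scoped token is exposed to steps that build untrusted pull-request code cannot be checked from here and should be verified in the called workflow.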