From aac982984d2d047b811001127ecffdd22a74f3e0 Mon Sep 17 00:00:00 2001
From: lucas
Date: Fri, 10 Oct 2025 17:38:50 +0100
Subject: [PATCH] branch cleanup
---
 danger/README.md | 2 ++
 danger/action.yml | 54 ++++++++++++++++++++++++++++++++++++++++----
 danger/dangerfile.js | 27 ++++++++++++++++++++++
 3 files changed, 78 insertions(+), 5 deletions(-)
diff --git a/danger/README.md b/danger/README.md
index daaee7d..3793178 100644
--- a/danger/README.md
+++ b/danger/README.md
@@ -29,6 +29,8 @@ jobs:
 * type: string
 * required: false
 * default: `${{ github.token }}`
+ * extra-dangerfile: Path to an additional dangerfile to run custom checks.
+ * extra-install-packages: Additional packages that are required by the extra-dangerfile, you can find a list of packages here: https://packages.debian.org/search?suite=bookworm&keywords=curl.
 ## Outputs
diff --git a/danger/action.yml b/danger/action.yml
index dcdc110..0fbc118 100644
--- a/danger/action.yml
+++ b/danger/action.yml
@@ -7,6 +7,14 @@ inputs:
 description: 'Token for the repo. Can be passed in using {{ secrets.GITHUB_TOKEN }}'
 required: false
 default: ${{ github.token }}
+ extra-dangerfile:
+ description: 'Path to additional dangerfile to run after the main checks'
+ type: string
+ required: false
+ extra-install-packages:
+ description: 'Additional apt packages to install in the DangerJS container (space-separated package names)'
+ type: string
+ required: false
 outputs:
 outcome:
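Review bot: The `extra-dangerfile` description does not say how the path is resolved or what the file has to export; from the dangerfile.js hunk in this commit the value is appended to `/github/workspace/` and `require`d as a CommonJS module whose export is called with `{ fail, warn, message, markdown, danger }`. Suggest `description: 'Workspace-relative path to a CommonJS dangerfile (module.exports = async ({ fail, warn, message, markdown, danger }) => { ... }) run after the main checks'`. Since the file is arbitrary code executed inside the container that also receives `GITHUB_TOKEN`, the description should say so, so that callers treat the input with the same care as a workflow step.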
@@ -22,12 +30,31 @@ runs:
 token: ${{ inputs.api-token }}
 fetch-depth: 0
+ # Read the Danger version from the properties file
+ - name: Get Danger version
+ id: config
+ shell: pwsh
+ run: Get-Content '${{ github.action_path }}/danger.properties' | Tee-Object $env:GITHUB_OUTPUT -Append
+
+ # Validate extra-install-packages to prevent code injection
+ - name: Validate package names
+ if: ${{ inputs.extra-install-packages }}
+ shell: bash
+ run: |
+ packages="${{ inputs.extra-install-packages }}"
+ # Only allow alphanumeric characters, hyphens, periods, plus signs, underscores, and spaces
+ if ! echo "$packages" | grep -E '^[a-zA-Z0-9._+-]+( [a-zA-Z0-9._+-]+)*$' > /dev/null; then
+ echo "::error::Invalid package names in extra-install-packages. Only alphanumeric characters, hyphens, periods, plus signs, underscores, and spaces are allowed."
+ exit 1
+ fi
+
 # Using a pre-built docker image in GitHub container registry instead of NPM to reduce possible attack vectors.
- - name: Run DangerJS
- id: danger
+ - name: Setup container
 shell: bash
 run: |
- docker run \
+ # Start a detached container with all necessary volumes and environment variables
+ docker run -td --name danger \
+ --entrypoint /bin/bash \
 --volume ${{ github.workspace }}:/github/workspace \
 --volume ${{ github.action_path }}:${{ github.action_path }} \
 --volume ${{ github.event_path }}:${{ github.event_path }} \
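Review bot: The "Validate package names" step interpolates the input into the shell script before it is checked, `packages="${{ inputs.extra-install-packages }}"`, so the expression is expanded into the bash source by the runner and any quote-and-separator content in the value is executed before `grep` runs; the step cannot prevent the injection its comment describes. Pass the value through the environment instead: add `env:` with `PACKAGES: ${{ inputs.extra-install-packages }}` to the step and read it as `packages="$PACKAGES"`. The next hunk has the same direct interpolation in the `echo "Installing packages: ..."` line, the `apt-get install -y ...` line and `-e EXTRA_DANGERFILE_INPUT="${{ inputs.extra-dangerfile }}"`, which should take the same env-mapping route. The regex also admits a token that begins with `-`, which apt-get later parses as an option rather than a package name; require an alphanumeric first character, e.g. `'^[a-zA-Z0-9][a-zA-Z0-9._+-]*( [a-zA-Z0-9][a-zA-Z0-9._+-]*)*$'`.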
@@ -36,5 +63,22 @@ runs:
 -e "INPUT_ARGS" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true \
 -e GITHUB_TOKEN="${{ inputs.api-token }}" \
 -e DANGER_DISABLE_TRANSPILATION="true" \
- ghcr.io/danger/danger-js:11.3.1 \
- --failOnErrors --dangerfile ${{ github.action_path }}/dangerfile.js
\ No newline at end of file
+ -e EXTRA_DANGERFILE_INPUT="${{ inputs.extra-dangerfile }}" \
+ ghcr.io/danger/danger-js:${{ steps.config.outputs.version }} \
+ -c "sleep infinity"
+
+ - name: Setup additional packages
+ if: ${{ inputs.extra-install-packages }}
+ shell: bash
+ run: |
+ docker exec --user root danger apt-get update
+ echo "Installing packages: ${{ inputs.extra-install-packages }}"
+ docker exec --user root danger sh -c "apt-get install -y ${{ inputs.extra-install-packages }}"
+ echo "All additional packages installed successfully."
+
+ - name: Run DangerJS
+ id: danger
+ shell: bash
+ run: |
+ trap "docker rm -f danger || true" EXIT
+ docker exec --user $(id -u) danger danger ci --fail-on-errors --dangerfile ${{ github.action_path }}/dangerfile.js
\ No newline at end of file
diff --git a/danger/dangerfile.js b/danger/dangerfile.js
index 997a9c0..f82c06a 100644
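Review bot: The install line `docker exec --user root danger sh -c "apt-get install -y ${{ inputs.extra-install-packages }}"` should end the option list with `--` so that a token starting with `-` that passes the Validate step is still treated as a package name and not as an apt-get option: `apt-get install -y -- $PACKAGES` (with the value supplied via `env:` rather than inline). The `trap "docker rm -f danger || true" EXIT` is installed only in the final step, so a failure in "Setup additional packages" leaves the detached container running until the job ends; a dedicated cleanup step with `if: always()` covers every path. Note also that the step comment kept above ("pre-built docker image ... to reduce possible attack vectors") is weakened by this hunk: packages are now fetched unpinned from the distribution mirror at job time as root, which is worth stating in the README next to the input.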
--- a/danger/dangerfile.js
+++ b/danger/dangerfile.js
@@ -1,4 +1,5 @@
 const { getFlavorConfig, extractPRFlavor } = require('./dangerfile-utils.js');
+const fs = require('fs');
 const headRepoName = danger.github.pr.head.repo.git_url;
 const baseRepoName = danger.github.pr.base.repo.git_url;
@@ -186,10 +187,36 @@ async function checkActionsArePinned() {
 }
 }
+async function CheckFromExternalChecks() {
+ // Get the external dangerfile path from environment variable (passed via workflow input)
+ // Priority: EXTRA_DANGERFILE (absolute path) -> EXTRA_DANGERFILE_INPUT (relative path)
+ const customPath = process.env.EXTRA_DANGERFILE || process.env.EXTRA_DANGERFILE_INPUT;
+ console.log(`::debug:: Checking from external checks: ${customPath}`);
+ if (customPath) {
+ try {
+ const extraModule = require(`/github/workspace/${customPath}`);
+ await extraModule({
+ fail: fail,
+ warn: warn,
+ message: message,
+ markdown: markdown,
+ danger: danger,
+ });
+ } catch (err) {
+ if (err.message && err.message.includes('Cannot use import statement outside a module')) {
+ warn(`External dangerfile uses ES6 imports. Please convert to CommonJS syntax (require/module.exports) or use .mjs extension with proper module configuration.\nFile: ${customPath}`);
+ } else {
+ warn(`Could not load custom Dangerfile: ${customPath}\n${err}`);
+ }
+ }
+ }
+}
+
 async function checkAll() {
 await checkDocs();
 await checkChangelog();
 await checkActionsArePinned();
+ await CheckFromExternalChecks();
 }
 schedule(checkAll);
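Review bot: `const fs = require('fs');` is added but nothing in this patch uses `fs` — the new `CheckFromExternalChecks` only touches `process.env` and `require` — so it reads as dead code; drop it unless a later commit needs it. The rest of the file is outside the hunk, so if `fs` is consumed elsewhere in the same file the line is fine as is.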
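Review bot: The comment in `CheckFromExternalChecks` says `EXTRA_DANGERFILE` holds an absolute path, but `require(`/github/workspace/${customPath}`)` prepends the workspace prefix to whichever variable won, so an absolute value becomes `/github/workspace//...` and the load fails; either honour absolute paths, `const modulePath = customPath.startsWith('/') ? customPath : '/github/workspace/' + customPath;`, or correct the comment. A relative value is not confined to the workspace either (`..` segments go straight to `require`), and `extraModule` is invoked without checking `typeof extraModule === 'function'`, so a module exporting an object ends up as a TypeError in the catch. That catch is the main behaviour point: every load or runtime failure, including a mistyped path, is reported with `warn`, so under `--fail-on-errors` a broken custom dangerfile never fails the check — `fail` fits the non-ESM branch better. Finally, `CheckFromExternalChecks` breaks the file's camelCase convention (`checkDocs`, `checkChangelog`, `checkActionsArePinned`); `checkExternalDangerfile` would match.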