From e871b15d3dc6f0f1d24b1928c81bb213e6dbadde Mon Sep 17 00:00:00 2001
From: Cursor Agent
Date: Fri, 20 Jun 2025 20:10:16 +0000
Subject: [PATCH] Improve GitHub Actions workflows with environment variable handling

---
.github/workflows/danger.yml | 17 +++++--
.github/workflows/updater.yml | 69 ++++++++++++++++++--------
sentry-cli/integration-test/action.yml | 7 ++-
3 files changed, 66 insertions(+), 27 deletions(-)

diff --git a/.github/workflows/danger.yml b/.github/workflows/danger.yml
index 0d3abb5..40d21c0 100644
--- a/.github/workflows/danger.yml
+++ b/.github/workflows/danger.yml
@@ -23,19 +23,26 @@ jobs: fetch-depth: 0 - name: Download dangerfile.js - run: wget https://raw.githubusercontent.com/getsentry/github-workflows/${{ inputs._workflow_version }}/danger/dangerfile.js -P ${{ runner.temp }} + env: + WORKFLOW_VERSION: ${{ inputs._workflow_version }} + RUNNER_TEMP: ${{ runner.temp }} + run: wget "https://raw.githubusercontent.com/getsentry/github-workflows/$WORKFLOW_VERSION/danger/dangerfile.js" -P "$RUNNER_TEMP" # Using a pre-built docker image in GitHub container registry instaed of NPM to reduce possible attack vectors. - name: Run DangerJS id: danger + env: + GITHUB_WORKSPACE: ${{ github.workspace }} + RUNNER_TEMP: ${{ runner.temp }} + GITHUB_TOKEN: ${{ github.token }} run: | docker run \ - --volume ${{ github.workspace }}:/github/workspace \ - --volume ${{ runner.temp }}:${{ runner.temp }} \ + --volume "$GITHUB_WORKSPACE":/github/workspace \ + --volume "$RUNNER_TEMP":"$RUNNER_TEMP" \ --workdir /github/workspace \ --user $UID \ -e "INPUT_ARGS" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true \ - -e GITHUB_TOKEN="${{ github.token }}" \ + -e GITHUB_TOKEN="$GITHUB_TOKEN" \ -e DANGER_DISABLE_TRANSPILATION="true" \ ghcr.io/danger/danger-js:11.3.1 
\ - --failOnErrors --dangerfile ${{ runner.temp }}/dangerfile.js + --failOnErrors --dangerfile "$RUNNER_TEMP"/dangerfile.js
diff --git a/.github/workflows/updater.yml b/.github/workflows/updater.yml
index 7b70200..85a2118 100644
--- a/.github/workflows/updater.yml
+++ b/.github/workflows/updater.yml
@@ -111,21 +111,30 @@ jobs:
- name: Check out workflow scripts # Note: cannot use `actions/checkout` at the moment because you can't clone outside of the repo root. # Follow https://github.com/actions/checkout/issues/197 + env: + RUNNER_TEMP: ${{ runner.temp }} + WORKFLOW_VERSION: ${{ inputs._workflow_version }} run: | - mkdir -p ${{ runner.temp }}/ghwf - cd ${{ runner.temp }}/ghwf + mkdir -p "$RUNNER_TEMP/ghwf" + cd "$RUNNER_TEMP/ghwf" git init git remote add origin https://github.com/getsentry/github-workflows.git - git fetch --depth 1 origin ${{ inputs._workflow_version }} + git fetch --depth 1 origin "$WORKFLOW_VERSION" git checkout FETCH_HEAD - name: Update to the latest version id: target - run: ${{ runner.temp }}/ghwf/updater/scripts/update-dependency.ps1 -Path '${{ inputs.path }}' -Pattern '${{ inputs.pattern }}' + env: + RUNNER_TEMP: ${{ runner.temp }} + INPUT_PATH: ${{ inputs.path }} + INPUT_PATTERN: ${{ inputs.pattern }} + run: "$env:RUNNER_TEMP/ghwf/updater/scripts/update-dependency.ps1" -Path "$env:INPUT_PATH" -Pattern "$env:INPUT_PATTERN" - name: Get the base repo info if: steps.target.outputs.latestTag != steps.target.outputs.originalTag id: root + env: + RUNNER_TEMP: ${{ runner.temp }} run: | $mainBranch = $(git remote show origin | Select-String "HEAD branch: (.*)").Matches[0].Groups[1].Value $prBranch = switch ('${{ inputs.pr-strategy }}')
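Review bot: The `env:` blocks added to the download and Run DangerJS steps redeclare `GITHUB_WORKSPACE` and `RUNNER_TEMP`, names the runner already exports with exactly these values and whose `GITHUB_`/`RUNNER_` prefixes are reserved for those defaults — I believe the runner ignores or rejects such overrides, so either drop the two redeclarations (the shell references resolve from the runner defaults anyway) or use non-reserved names such as `DANGER_TEMP` so the indirection is explicit; the same applies to `RUNNER_TEMP` throughout the updater.yml hunks, `GITHUB_REPOSITORY`/`GITHUB_REPOSITORY_OWNER` in hunk @@ -150 and `GITHUB_ACTION_PATH` in sentry-cli/integration-test/action.yml. With `GITHUB_TOKEN` now in the step environment, `-e GITHUB_TOKEN="$GITHUB_TOKEN"` can become the bare `-e GITHUB_TOKEN` like the other pass-through flags, which also keeps the token value out of the docker client's argument list on the runner. `--user $UID` on the unchanged line is now the only expansion in the `docker run` command left unquoted; `--user "$UID"` would match the rest. The enclosing job definition begins before this hunk.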
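Review bot: The new single-line `run: "$env:RUNNER_TEMP/ghwf/updater/scripts/update-dependency.ps1" -Path …` in the 'Update to the latest version' step is not valid YAML: a value that opens with `"` is a double-quoted scalar, and the `-Path "$env:INPUT_PATH" …` text after the closing quote is a parse error that fails the whole workflow at load time (the same shape recurs in the 'After new PR: redo the update' step of hunk @@ -223). Even as a block scalar, PowerShell parses a statement that begins with a quoted string as an expression rather than a command, so the script path needs the call operator; the same applies to the quoted `nonbot-commits.ps1`, `get-changelog.ps1`, `set-github-env.ps1` and `update-changelog.ps1` invocations in hunks @@ -136, @@ -170 and @@ -223. I would write it as `run: |` followed by `& "$env:RUNNER_TEMP/ghwf/updater/scripts/update-dependency.ps1" -Path "$env:INPUT_PATH" -Pattern "$env:INPUT_PATTERN"`, and prefix the other invocations the same way (`$nonBotCommits = & "$env:RUNNER_TEMP/…/nonbot-commits.ps1" …`). Separately, the 'Check out workflow scripts' step reads `$RUNNER_TEMP` and `$WORKFLOW_VERSION` without the `$env:` prefix while the next step uses `$env:RUNNER_TEMP`; the job's default shell is set outside this hunk, but if it is pwsh (as the `$env:GITHUB_OUTPUT` and ternary usage in this job suggest) both expand to empty, so the step would create `/ghwf` and run `git fetch --depth 1 origin ""`. The unchanged `$prBranch = switch ('${{ inputs.pr-strategy }}')` line at the end of the hunk (whose `run:` block continues past it) still interpolates an input directly into the script, which is exactly the pattern this commit removes elsewhere; an `INPUT_PR_STRATEGY` entry in the step's new `env:` block and `switch ($env:INPUT_PR_STRATEGY)` would close it.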
@@ -136,7 +145,7 @@ jobs:
} "baseBranch=$mainBranch" | Tee-Object $env:GITHUB_OUTPUT -Append "prBranch=$prBranch" | Tee-Object $env:GITHUB_OUTPUT -Append - $nonBotCommits = ${{ runner.temp }}/ghwf/updater/scripts/nonbot-commits.ps1 ` + $nonBotCommits = "$env:RUNNER_TEMP/ghwf/updater/scripts/nonbot-commits.ps1" ` -RepoUrl "$(git config --get remote.origin.url)" -PrBranch $prBranch -MainBranch $mainBranch $changed = $nonBotCommits.Length -gt 0 ? 'true' : 'false' "changed=$changed" | Tee-Object $env:GITHUB_OUTPUT -Append
@@ -150,8 +159,10 @@ jobs:
id: existing-pr env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_REPOSITORY: ${{ github.repository }} + GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }} run: | - $urls = @(gh api 'repos/${{ github.repository }}/pulls?base=${{ steps.root.outputs.baseBranch }}&head=${{ github.repository_owner }}:${{ steps.root.outputs.prBranch }}' --jq '.[].html_url') + $urls = @(gh api "repos/$GITHUB_REPOSITORY/pulls?base=${{ steps.root.outputs.baseBranch }}&head=$GITHUB_REPOSITORY_OWNER:${{ steps.root.outputs.prBranch }}" --jq '.[].html_url') if ($urls.Length -eq 0) { "url=" | Tee-Object $env:GITHUB_OUTPUT -Append
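Review bot: In the new `gh api "repos/$GITHUB_REPOSITORY/pulls?…&head=$GITHUB_REPOSITORY_OWNER:…"` line of hunk @@ -150, `$GITHUB_REPOSITORY` and `$GITHUB_REPOSITORY_OWNER` are PowerShell variables rather than environment variables; this script is pwsh (`$urls = @(...)`, `Tee-Object $env:GITHUB_OUTPUT`), so the two values just added under `env:` are only reachable as `$env:GITHUB_REPOSITORY` and `$env:GITHUB_REPOSITORY_OWNER`, and the request path collapses to `repos//pulls?…`. Because the owner is immediately followed by a colon inside a double-quoted string, the braced form is the unambiguous spelling: `$urls = @(gh api "repos/$env:GITHUB_REPOSITORY/pulls?base=$env:BASE_BRANCH&head=${env:GITHUB_REPOSITORY_OWNER}:$env:PR_BRANCH" --jq '.[].html_url')`. That line also still interpolates `${{ steps.root.outputs.baseBranch }}` and `${{ steps.root.outputs.prBranch }}` straight into the script; those outputs are computed from `git remote show origin` and the `pr-strategy` input in the preceding hunk, so they belong in `env:` (as `BASE_BRANCH` and `PR_BRANCH`) like every other value this commit moved. The `if ($urls.Length -eq 0)` block is cut off by the end of the hunk.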
@@ -170,12 +181,17 @@ jobs: - name: Get target changelog if: ${{ ( steps.target.outputs.latestTag != steps.target.outputs.originalTag ) && ( steps.root.outputs.changed == 'false') }} + env: + RUNNER_TEMP: ${{ runner.temp }} + TARGET_URL: ${{ steps.target.outputs.url }} + ORIGINAL_TAG: ${{ steps.target.outputs.originalTag }} + LATEST_TAG: ${{ steps.target.outputs.latestTag }} run: | - $changelog = ${{ runner.temp }}/ghwf/updater/scripts/get-changelog.ps1 ` - -RepoUrl '${{ steps.target.outputs.url }}' ` - -OldTag '${{ steps.target.outputs.originalTag }}' ` - -NewTag '${{ steps.target.outputs.latestTag }}' - ${{ runner.temp }}/ghwf/updater/scripts/set-github-env.ps1 TARGET_CHANGELOG $changelog + $changelog = "$env:RUNNER_TEMP/ghwf/updater/scripts/get-changelog.ps1" ` + -RepoUrl "$env:TARGET_URL" ` + -OldTag "$env:ORIGINAL_TAG" ` + -NewTag "$env:LATEST_TAG" + "$env:RUNNER_TEMP/ghwf/updater/scripts/set-github-env.ps1" TARGET_CHANGELOG $changelog # First we create a PR only if it doesn't exist. We will later overwrite the content with the same action. - name: Create a PR 
@@ -223,19 +239,32 @@ jobs: - name: 'After new PR: redo the update' if: ${{ ( steps.target.outputs.latestTag != steps.target.outputs.originalTag ) && ( steps.existing-pr.outputs.url == '') && ( steps.root.outputs.changed == 'false') }} - run: ${{ runner.temp }}/ghwf/updater/scripts/update-dependency.ps1 -Path '${{ inputs.path }}' -Tag '${{ steps.target.outputs.latestTag }}' + env: + RUNNER_TEMP: ${{ runner.temp }} + INPUT_PATH: ${{ inputs.path }} + LATEST_TAG: ${{ steps.target.outputs.latestTag }} + run: "$env:RUNNER_TEMP/ghwf/updater/scripts/update-dependency.ps1" -Path "$env:INPUT_PATH" -Tag "$env:LATEST_TAG" - name: Update Changelog if: ${{ inputs.changelog-entry && ( steps.target.outputs.latestTag != steps.target.outputs.originalTag ) && ( steps.root.outputs.changed == 'false') }} + env: + RUNNER_TEMP: ${{ runner.temp }} + INPUT_NAME: ${{ inputs.name }} + PR_URL: ${{ steps.pr.outputs.url }} + TARGET_URL: ${{ steps.target.outputs.url }} + MAIN_BRANCH: ${{ steps.target.outputs.mainBranch }} + ORIGINAL_TAG: ${{ steps.target.outputs.originalTag }} + LATEST_TAG: ${{ steps.target.outputs.latestTag }} + CHANGELOG_SECTION: ${{ inputs.changelog-section }} run: | - ${{ runner.temp }}/ghwf/updater/scripts/update-changelog.ps1 ` - -Name '${{ inputs.name }}' ` - -PR '${{ steps.pr.outputs.url }}' ` - -RepoUrl '${{ steps.target.outputs.url }}' ` - -MainBranch '${{ steps.target.outputs.mainBranch }}' ` - -OldTag '${{ steps.target.outputs.originalTag }}' ` - -NewTag '${{ steps.target.outputs.latestTag }}' ` - -Section '${{ inputs.changelog-section }}' + "$env:RUNNER_TEMP/ghwf/updater/scripts/update-changelog.ps1" ` + -Name "$env:INPUT_NAME" ` + -PR "$env:PR_URL" ` + -RepoUrl "$env:TARGET_URL" ` + -MainBranch "$env:MAIN_BRANCH" ` + -OldTag "$env:ORIGINAL_TAG" ` + -NewTag "$env:LATEST_TAG" ` + -Section "$env:CHANGELOG_SECTION" - run: git --no-pager diff if: ${{ ( steps.target.outputs.latestTag != steps.target.outputs.originalTag ) && ( steps.root.outputs.changed == 'false') }} 
diff --git a/sentry-cli/integration-test/action.yml b/sentry-cli/integration-test/action.yml
index 79d3158..cf6fa2d 100644
--- a/sentry-cli/integration-test/action.yml
+++ b/sentry-cli/integration-test/action.yml
@@ -16,6 +16,9 @@ runs:
steps: - name: Run tests shell: pwsh + env: + GITHUB_ACTION_PATH: ${{ github.action_path }} + INPUT_PATH: ${{ inputs.path }} run: | - Import-Module -Name ${{ github.action_path }}/action.psm1 -Force - Invoke-Pester -Output Detailed '${{ inputs.path }}' + Import-Module -Name "$env:GITHUB_ACTION_PATH/action.psm1" -Force + Invoke-Pester -Output Detailed "$env:INPUT_PATH"