feat: Idempotent action and auto-skip Frogbot for internal PRs (#23)

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: sverdlov93

.github/workflows/frogbot.yml

@@ -17,9 +17,14 @@ jobs:
   frogbot-scan:
     runs-on: ubuntu-latest
 
-    # A pull request needs to be approved before Frogbot scans it. Any GitHub user who is associated with the
-    # "frogbot" GitHub environment can approve the pull request to be scanned.
-    environment: frogbot
+    # External PRs (forks or different repo) require approval via "frogbot" environment.
+    # Internal PRs from same repo run automatically without approval.
+    environment: >-
+      ${{
+        (github.event.pull_request.head.repo.fork == true ||
+         github.event.pull_request.head.repo.full_name != github.repository)
+        && 'frogbot' || ''
+      }}
 
     steps:
       - uses: jfrog/frogbot@v2

lib/index.js

@@ -8,21 +8,20 @@
 
 // Copyright (c) JFrog Ltd. (2025)
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.GITHUB_STATUS_SKIPPED = exports.GITHUB_STATUS_TIMED_OUT = exports.GITHUB_STATUS_CANCELLED = exports.GITHUB_STATUS_FAILURE = exports.GITHUB_STATUS_SUCCESS = exports.FLY_CLI_SETUP_OUTPUT_PATH = exports.FLY_CLI_PATH = exports.STATE_FLY_PACKAGE_MANAGERS = exports.STATE_FLY_ACCESS_TOKEN = exports.STATE_FLY_URL = exports.INPUT_GITHUB_TOKEN = exports.INPUT_IGNORE_PACKAGE_MANAGERS = exports.INPUT_URL = void 0;
+exports.GITHUB_STATUS_TIMED_OUT = exports.GITHUB_STATUS_CANCELLED = exports.GITHUB_STATUS_FAILURE = exports.GITHUB_STATUS_SUCCESS = exports.ENV_FLY_ACTION_CONFIGURED = exports.STATE_FLY_PACKAGE_MANAGERS = exports.STATE_FLY_ACCESS_TOKEN = exports.STATE_FLY_URL = exports.INPUT_GITHUB_TOKEN = exports.INPUT_IGNORE_PACKAGE_MANAGERS = exports.INPUT_URL = void 0;
 exports.INPUT_URL = "url";
 exports.INPUT_IGNORE_PACKAGE_MANAGERS = "ignore";
 exports.INPUT_GITHUB_TOKEN = "github_token";
 exports.STATE_FLY_URL = "fly-url";
 exports.STATE_FLY_ACCESS_TOKEN = "fly-access-token";
 exports.STATE_FLY_PACKAGE_MANAGERS = "fly-package-managers";
-exports.FLY_CLI_PATH = "fly-cli-path";
-exports.FLY_CLI_SETUP_OUTPUT_PATH = "fly-cli-setup-output-path";
+// Environment variable to track if action has already run in this job
+exports.ENV_FLY_ACTION_CONFIGURED = "FLY_ACTION_CONFIGURED";
 // GitHub step/job conclusion statuses
 exports.GITHUB_STATUS_SUCCESS = "success";
 exports.GITHUB_STATUS_FAILURE = "failure";
 exports.GITHUB_STATUS_CANCELLED = "cancelled";
 exports.GITHUB_STATUS_TIMED_OUT = "timed_out";
-exports.GITHUB_STATUS_SKIPPED = "skipped";
 
 
 /***/ }),
@@ -91,6 +90,11 @@ function resolveFlyCLIBinaryPath() {
 }
 async function run() {
     core.info("Main run() function started.");
+    // Idempotency check: skip if action has already run in this job
+    if (process.env[constants_1.ENV_FLY_ACTION_CONFIGURED] === "true") {
+        core.info("Fly action has already been configured in this job, skipping duplicate run.");
+        return;
+    }
     try {
         const url = core.getInput(constants_1.INPUT_URL, { required: true });
         core.info(`URL: ${url}`);
@@ -128,6 +132,9 @@ async function run() {
             throw new Error("Fly setup command failed");
         }
         core.info("Fly CLI setup command completed successfully.");
+        // Mark action as configured to prevent duplicate runs in same job
+        core.exportVariable(constants_1.ENV_FLY_ACTION_CONFIGURED, "true");
+        core.info("Marked Fly action as configured for this job.");
     }
     catch (error) {
         core.error("Error occurred during execution.");

lib/post.js

@@ -8,21 +8,20 @@
 
 // Copyright (c) JFrog Ltd. (2025)
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.GITHUB_STATUS_SKIPPED = exports.GITHUB_STATUS_TIMED_OUT = exports.GITHUB_STATUS_CANCELLED = exports.GITHUB_STATUS_FAILURE = exports.GITHUB_STATUS_SUCCESS = exports.FLY_CLI_SETUP_OUTPUT_PATH = exports.FLY_CLI_PATH = exports.STATE_FLY_PACKAGE_MANAGERS = exports.STATE_FLY_ACCESS_TOKEN = exports.STATE_FLY_URL = exports.INPUT_GITHUB_TOKEN = exports.INPUT_IGNORE_PACKAGE_MANAGERS = exports.INPUT_URL = void 0;
+exports.GITHUB_STATUS_TIMED_OUT = exports.GITHUB_STATUS_CANCELLED = exports.GITHUB_STATUS_FAILURE = exports.GITHUB_STATUS_SUCCESS = exports.ENV_FLY_ACTION_CONFIGURED = exports.STATE_FLY_PACKAGE_MANAGERS = exports.STATE_FLY_ACCESS_TOKEN = exports.STATE_FLY_URL = exports.INPUT_GITHUB_TOKEN = exports.INPUT_IGNORE_PACKAGE_MANAGERS = exports.INPUT_URL = void 0;
 exports.INPUT_URL = "url";
 exports.INPUT_IGNORE_PACKAGE_MANAGERS = "ignore";
 exports.INPUT_GITHUB_TOKEN = "github_token";
 exports.STATE_FLY_URL = "fly-url";
 exports.STATE_FLY_ACCESS_TOKEN = "fly-access-token";
 exports.STATE_FLY_PACKAGE_MANAGERS = "fly-package-managers";
-exports.FLY_CLI_PATH = "fly-cli-path";
-exports.FLY_CLI_SETUP_OUTPUT_PATH = "fly-cli-setup-output-path";
+// Environment variable to track if action has already run in this job
+exports.ENV_FLY_ACTION_CONFIGURED = "FLY_ACTION_CONFIGURED";
 // GitHub step/job conclusion statuses
 exports.GITHUB_STATUS_SUCCESS = "success";
 exports.GITHUB_STATUS_FAILURE = "failure";
 exports.GITHUB_STATUS_CANCELLED = "cancelled";
 exports.GITHUB_STATUS_TIMED_OUT = "timed_out";
-exports.GITHUB_STATUS_SKIPPED = "skipped";
 
 
 /***/ }),
@@ -236,9 +235,16 @@ function analyzeJobSteps(steps) {
     return constants_1.GITHUB_STATUS_SUCCESS;
 }
 /**
- * Determines workflow status by checking if any main steps failed
+ * Determines job status by checking if any main steps failed.
  * When post actions run, all main steps have completed but post steps are still pending.
- * We only examine main steps to determine if the workflow succeeded up to this point.
+ * We only examine main steps to determine if the job succeeded up to this point.
+ *
+ * Job identification strategy:
+ * 1. Match GITHUB_JOB against the API job name (works when no custom name: attribute).
+ * 2. Fallback: find the single in_progress job (our job is always in_progress while
+ *    its post steps run; completed jobs have finished all post steps).
+ * 3. If multiple jobs are in_progress (parallel execution), we check ALL of them
+ *    for failures — conservative approach when we can't pinpoint our exact job.
  */
 async function determineJobStatus() {
     try {
@@ -259,12 +265,43 @@ async function determineJobStatus() {
             jobs.jobs.forEach((job) => {
                 core.info(`  - Job: ${job.name}, Status: ${job.status}, Conclusion: ${job.conclusion}, Steps: ${job.steps?.length || 0}`);
             });
-            // Find the current job (case-insensitive comparison)
-            const currentJob = jobs.jobs.find((job) => job.name.toLowerCase() === env.jobName.toLowerCase());
+            // Find the current job:
+            // 1. Primary: match GITHUB_JOB (yaml key) against job name.
+            //    Works when the job has no custom `name:` attribute.
+            // 2. Fallback: find the job that is still in_progress.
+            //    When our post step runs, our job is always in_progress (post steps
+            //    are part of the job). Completed jobs have already finished all their
+            //    post steps. This handles the case where a custom `name:` attribute
+            //    makes GITHUB_JOB (yaml key) differ from the API name (display name).
+            let currentJob;
+            // Try name match first (works when no custom name: attribute)
+            currentJob = jobs.jobs.find((job) => job.name.toLowerCase() === env.jobName.toLowerCase());
             if (currentJob) {
-                core.info(`✓ Found current job: ${currentJob.name}`);
-                core.info(`  Status: ${currentJob.status}, Conclusion: ${currentJob.conclusion || "null"}`);
-                core.info(`  Steps count: ${currentJob.steps?.length || 0}`);
+                core.info(`✓ Found current job by name: ${currentJob.name}`);
+            }
+            // Fallback: match by in_progress status
+            if (!currentJob) {
+                const inProgressJobs = jobs.jobs.filter((job) => job.status === "in_progress");
+                if (inProgressJobs.length === 1) {
+                    currentJob = inProgressJobs[0];
+                    core.info(`✓ Found current job by in_progress status: ${currentJob.name}`);
+                }
+                else if (inProgressJobs.length > 1) {
+                    // Multiple jobs running concurrently — check all for failures
+                    core.info(`Found ${inProgressJobs.length} in_progress jobs, analyzing all for failures`);
+                    for (const job of inProgressJobs) {
+                        if (job.steps && job.steps.length > 0) {
+                            const result = analyzeJobSteps(job.steps);
+                            if (result === constants_1.GITHUB_STATUS_FAILURE) {
+                                return constants_1.GITHUB_STATUS_FAILURE;
+                            }
+                        }
+                    }
+                    return constants_1.GITHUB_STATUS_SUCCESS;
+                }
+            }
+            if (currentJob) {
+                core.info(`  Status: ${currentJob.status}, Conclusion: ${currentJob.conclusion || "null"}, Steps: ${currentJob.steps?.length || 0}`);
                 // Check individual step statuses
                 if (currentJob.steps && currentJob.steps.length > 0) {
                     return analyzeJobSteps(currentJob.steps);
@@ -307,17 +344,17 @@ async function determineJobStatus() {
     }
 }
 async function runPost() {
-    core.info("🏁 Notifying Fly that CI job has ended...");
-    const flyUrl = core.getState(constants_1.STATE_FLY_URL); // Corrected constant
-    const accessToken = core.getState(constants_1.STATE_FLY_ACCESS_TOKEN); // Corrected constant
+    const flyUrl = core.getState(constants_1.STATE_FLY_URL);
+    const accessToken = core.getState(constants_1.STATE_FLY_ACCESS_TOKEN);
     if (!flyUrl) {
-        core.info("No Fly URL found in state, skipping CI end notification"); // Changed from debug to info
+        core.info("No Fly URL found in state, skipping CI end notification");
         return;
     }
     if (!accessToken) {
-        core.info("No access token found in state, skipping CI end notification"); // Changed from debug to info
+        core.info("No access token found in state, skipping CI end notification");
         return;
     }
+    core.info("🏁 Notifying Fly that CI job has ended...");
     const packageManagersState = core.getState(constants_1.STATE_FLY_PACKAGE_MANAGERS);
     let packageManagers = [];
     if (packageManagersState) {

src/constants.ts

@@ -8,12 +8,11 @@ export const STATE_FLY_URL = "fly-url";
 export const STATE_FLY_ACCESS_TOKEN = "fly-access-token";
 export const STATE_FLY_PACKAGE_MANAGERS = "fly-package-managers";
 
-export const FLY_CLI_PATH = "fly-cli-path";
-export const FLY_CLI_SETUP_OUTPUT_PATH = "fly-cli-setup-output-path";
+// Environment variable to track if action has already run in this job
+export const ENV_FLY_ACTION_CONFIGURED = "FLY_ACTION_CONFIGURED";
 
 // GitHub step/job conclusion statuses
 export const GITHUB_STATUS_SUCCESS = "success";
 export const GITHUB_STATUS_FAILURE = "failure";
 export const GITHUB_STATUS_CANCELLED = "cancelled";
 export const GITHUB_STATUS_TIMED_OUT = "timed_out";
-export const GITHUB_STATUS_SKIPPED = "skipped";

src/index.spec.ts

@@ -21,7 +21,11 @@ import {
   getAllPackageManagers,
   SUPPORTED_PACKAGE_MANAGERS,
 } from "./package-detection";
-import { STATE_FLY_URL, STATE_FLY_ACCESS_TOKEN } from "./constants";
+import {
+  STATE_FLY_URL,
+  STATE_FLY_ACCESS_TOKEN,
+  ENV_FLY_ACTION_CONFIGURED,
+} from "./constants";
 
 jest.mock("./oidc", () => ({
   authenticateOidc: jest.fn(),
@@ -297,3 +301,86 @@ describe("run exec and binary error branches", () => {
     );
   });
 });
+
+describe("run idempotency", () => {
+  const getInputSpy = jest.spyOn(core, "getInput");
+  const setFailedSpy = jest.spyOn(core, "setFailed");
+  const saveStateSpy = jest.spyOn(core, "saveState");
+  const exportVariableSpy = jest.spyOn(core, "exportVariable");
+  const infoSpy = jest.spyOn(core, "info");
+  const execSpy = jest.spyOn(exec, "exec");
+
+  beforeEach(() => {
+    jest.resetAllMocks();
+    // Remove the env var before each test
+    delete process.env[ENV_FLY_ACTION_CONFIGURED];
+    // Stub file system to simulate binary present
+    (fs.existsSync as jest.Mock).mockReturnValue(true);
+    (path.resolve as jest.Mock).mockReturnValue("/fake/bin");
+    (detectPackageManagers as jest.Mock).mockReturnValue([]);
+  });
+
+  afterEach(() => {
+    // Clean up env var after tests
+    delete process.env[ENV_FLY_ACTION_CONFIGURED];
+  });
+
+  it("skips execution when FLY_ACTION_CONFIGURED is already set", async () => {
+    // Set the env var to simulate action already ran
+    process.env[ENV_FLY_ACTION_CONFIGURED] = "true";
+
+    await run();
+
+    // Should log skip message
+    expect(infoSpy).toHaveBeenCalledWith(
+      "Fly action has already been configured in this job, skipping duplicate run.",
+    );
+    // Should NOT call authentication or exec
+    expect(authenticateOidc).not.toHaveBeenCalled();
+    expect(execSpy).not.toHaveBeenCalled();
+    // Should NOT save state
+    expect(saveStateSpy).not.toHaveBeenCalled();
+    // Should NOT set failed
+    expect(setFailedSpy).not.toHaveBeenCalled();
+  });
+
+  it("exports FLY_ACTION_CONFIGURED after successful run", async () => {
+    getInputSpy.mockImplementation((name: string) =>
+      name === "url" ? "https://test.com" : "",
+    );
+    (authenticateOidc as jest.Mock).mockResolvedValue({
+      user: "user",
+      accessToken: "token",
+    });
+    execSpy.mockResolvedValue(0);
+
+    await run();
+
+    // Should export the env var
+    expect(exportVariableSpy).toHaveBeenCalledWith(
+      ENV_FLY_ACTION_CONFIGURED,
+      "true",
+    );
+    expect(setFailedSpy).not.toHaveBeenCalled();
+  });
+
+  it("does not export FLY_ACTION_CONFIGURED when setup fails", async () => {
+    getInputSpy.mockImplementation((name: string) =>
+      name === "url" ? "https://test.com" : "",
+    );
+    (authenticateOidc as jest.Mock).mockResolvedValue({
+      user: "user",
+      accessToken: "token",
+    });
+    execSpy.mockResolvedValue(1); // Non-zero exit code
+
+    await run();
+
+    // Should NOT export the env var on failure
+    expect(exportVariableSpy).not.toHaveBeenCalledWith(
+      ENV_FLY_ACTION_CONFIGURED,
+      "true",
+    );
+    expect(setFailedSpy).toHaveBeenCalled();
+  });
+});

src/index.ts

@@ -12,6 +12,7 @@ import {
   STATE_FLY_URL,
   STATE_FLY_ACCESS_TOKEN,
   STATE_FLY_PACKAGE_MANAGERS,
+  ENV_FLY_ACTION_CONFIGURED,
 } from "./constants";
 
 /**
@@ -31,6 +32,15 @@ export function resolveFlyCLIBinaryPath(): string {
 
 export async function run(): Promise<void> {
   core.info("Main run() function started.");
+
+  // Idempotency check: skip if action has already run in this job
+  if (process.env[ENV_FLY_ACTION_CONFIGURED] === "true") {
+    core.info(
+      "Fly action has already been configured in this job, skipping duplicate run.",
+    );
+    return;
+  }
+
   try {
     const url = core.getInput(INPUT_URL, { required: true });
     core.info(`URL: ${url}`);
@@ -80,6 +90,10 @@ export async function run(): Promise<void> {
       throw new Error("Fly setup command failed");
     }
     core.info("Fly CLI setup command completed successfully.");
+
+    // Mark action as configured to prevent duplicate runs in same job
+    core.exportVariable(ENV_FLY_ACTION_CONFIGURED, "true");
+    core.info("Marked Fly action as configured for this job.");
   } catch (error) {
     core.error("Error occurred during execution.");