pull-request.yaml
# Pull-request CI: runs on every pull request and on manual dispatch.
name: PR Checks

on:
  workflow_dispatch: {}
  pull_request: {}

# Workflow-level GITHUB_TOKEN scopes. A job that declares its own
# `permissions` block replaces these instead of adding to them.
permissions:
  contents: read
  checks: write

# A new push to a PR cancels the CI runs still in progress for that PR.
# Runs without a PR number (manual dispatch) are grouped by ref instead.
# See https://docs.github.com/en/actions/using-jobs/using-concurrency
concurrency:
  group: '${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}'
  cancel-in-progress: true
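jobs:
  # Detects "Release ..." commits in the PR and keeps one marker comment on
  # the PR up to date with the versions the release workflows would pick up.
  release-check:
    name: Release version bump check
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow-level block, so every scope
    # this job needs is listed explicitly.
    permissions:
      contents: read        # actions/checkout
      pull-requests: write  # create or update the warning comment
    # NOTE(review): ./scripts/*.sh and ./gradlew come from the PR checkout and
    # run with GH_TOKEN in the environment. That relies on the `pull_request`
    # trigger, where fork PRs normally get a read-only token; do not move
    # these steps to `pull_request_target` without separating the two.
    steps:
      # NOTE(review): third-party action referenced by a mutable tag; pinning
      # it to a full commit SHA keeps a retagged release from changing what
      # runs in this job.
      - name: Tune GitHub-hosted runner network
        uses: smorimoto/tune-github-hosted-runner-network@v1
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0  # Fetch full history to access all commits
      - name: Check for release commits
        id: check-release
        # Ref names go through env instead of being expanded by ${{ }} inside
        # the script. The head branch name is chosen by the PR author, and
        # expression expansion happens before the shell parses the script.
        # NOTE(review): both refs are empty on workflow_dispatch, so the
        # script then receives a bare "origin/" - confirm it handles that.
        env:
          BASE_REF: ${{ github.base_ref }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          RESULT=$(./scripts/get-release-from-commits.sh "origin/$BASE_REF" "origin/$HEAD_REF")
          echo "Release commits detected: $RESULT"
          # Quoted on purpose: with an empty, unquoted $RESULT the test
          # collapses to `[ -n ]`, which is always true.
          if [ -n "$RESULT" ]; then
            echo "result=true" >> "$GITHUB_OUTPUT"
          else
            echo "result=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Post or update warning comment (release commit detected)
        if: steps.check-release.outputs.result == 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          MARKER: "<!-- release-commit-warning -->"
          # Passed as data for the same reason as in the check step above.
          BASE_REF: ${{ github.base_ref }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          # Get latest version from CHANGELOG.md:
          CHANGELOG_VERSION=$(grep -o -E '## [0-9.]+' CHANGELOG.md | head -n 1 | sed 's/## //')
          # Get the project version reported by Gradle:
          GRADLE_VERSION=$(./gradlew properties | grep "^version:" | cut -d' ' -f2)
          # Release commit version:
          COMMIT_VERSION=$(./scripts/get-release-from-commits.sh "origin/$BASE_REF" "origin/$HEAD_REF")
          # The three values above are derived from PR content and end up in
          # the comment body as-is.
          COMMENT=$(mktemp)
          echo "ℹ️ **Release Commit Detected**" >> "$COMMENT"
          echo "" >> "$COMMENT"
          echo "This PR contains commit(s) that match the case-insensitive regex \`^Release .*\`" >> "$COMMENT"
          echo "" >> "$COMMENT"
          echo "Here are the latest versions reported from the places the release workflows will use:" >> "$COMMENT"
          echo "" >> "$COMMENT"
          echo "| Source | Version |" >> "$COMMENT"
          echo "| --- | --- |" >> "$COMMENT"
          echo "| Commit matching \`^Release .*\` | $COMMIT_VERSION |" >> "$COMMENT"
          echo "| \`CHANGELOG.md\` | $CHANGELOG_VERSION |" >> "$COMMENT"
          echo "| \`gradle properties\` project version (from \`gradle.properties\`) | $GRADLE_VERSION |" >> "$COMMENT"
          echo "Posting or updating release warning comment."
          # Exported so the comment script can read the body from its env.
          export COMMENT_BODY="$(cat "$COMMENT")"
          ./scripts/release-pr-comment.sh "$REPO" "$PR_NUMBER" "$MARKER"
      - name: Update warning comment if present (no release commit)
        if: steps.check-release.outputs.result != 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          MARKER: "<!-- release-commit-warning -->"
          COMMENT_BODY: |
            ℹ️ A release commit was detected in earlier versions of this PR.
            The current PR commits do not appear to be a release.
        run: |
          # gh's exit status is checked on its own. Piped straight into
          # `head`, the pipeline would report head's status and an API
          # failure would look like "no comment found".
          COMMENT_IDS=$(gh api "repos/$REPO/issues/$PR_NUMBER/comments" \
            --jq ".[] | select(.body | contains(\"$MARKER\")) | .id") || {
            echo "Error: Failed to fetch existing comments" >&2
            exit 2
          }
          EXISTING_COMMENT=$(printf '%s\n' "$COMMENT_IDS" | head -n 1)
          if [ -n "$EXISTING_COMMENT" ]; then
            echo "Updating release warning comment."
            ./scripts/release-pr-comment.sh "$REPO" "$PR_NUMBER" "$MARKER"
          else
            echo "No release warning comment found."
          fi

  # Builds the project, runs tests and linters, and publishes both reports.
  # Uses the workflow-level token scopes (contents: read, checks: write).
  test-and-lint:
    name: Test and Lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      # NOTE(review): `latest` is a mutable tag, so the image under test can
      # change between runs; a digest pin would make runs reproducible.
      - name: Pre-pull container image
        run: docker pull ghcr.io/open-policy-agent/eopa:latest
      - uses: gradle/actions/setup-gradle@v5
      - run: ./gradlew test lint checkstyleMain checkstyleTest jar
      # NOTE(review): the two report actions below are third-party, tag
      # referenced, and run with the job token (checks: write); consider
      # pinning each to a full commit SHA.
      - name: Publish Test Report
        uses: mikepenz/action-junit-report@v6
        if: success() || failure()  # run after pass or fail, not on cancel
        with:
          report_paths: "**/build/test-results/test/TEST-*.xml"
      - name: Publish Checkstyle report
        uses: Juuxel/publish-checkstyle-report@v2
        if: ${{ failure() || success() }}
        with:
          # required: The glob paths to report XML files as a multiline string
          # The format below works for the Gradle Checkstyle plugin with
          # default configurations
          reports: |
            build/reports/checkstyle/*.xml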