image-prefetcher/.github/workflows/fixxxer.yaml at master · stackrox/image-prefetcher · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
# Based on https://github.com/stackrox/stackrox/blob/master/.github/workflows/fixxxer.yaml
# TODO(porridge): find a way to share the code without copying.

name: PR Fixxxer

on:
  issue_comment:
    types: [created]

permissions:
  contents: write

jobs:
  pr_commented:
    name: Run PR Fixxxer
    # TODO: support leading and trailing whitespace too
    if: ${{ github.event.issue.pull_request && github.event.comment.body == '/fixxx' }}
    runs-on: ubuntu-latest
    steps:

      - name: Fetch PR metadata
        id: pr-metadata
        run: |
          curl --silent --retry 7 "$PR_URL" > pr.json
          pr_head_repo="$(jq --raw-output .head.repo.full_name pr.json)"

          if [ "$pr_head_repo" != "${THIS_REPO}" ]; then
            echo "This comment was issued on a PR from branch in repo $pr_head_repo. Currently only PRs from branches in repo $THIS_REPO are supported."
            # TODO: we could still run commands and point at results in a PR comment, even if we do not have permissions to push there.
            exit 1
          fi

          branch="$(jq --raw-output .head.ref pr.json)"
          # If branch name is empty, push action defaults to pushing to main, which we do not want to do.
          if [ -z "${branch}" ]; then
            echo "Failed to detect source branch."
            # TODO: more checks for safe branch names
            exit 1
          fi
          echo "branch=$branch" >> "$GITHUB_OUTPUT"
          rm pr.json
        env:
          PR_URL: ${{ github.event.issue.pull_request.url }}
          THIS_REPO: ${{ github.repository }}

      - name: Dump GitHub context
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
        run: echo "$GITHUB_CONTEXT" | jq .
      - name: Dump job context
        env:
          JOB_CONTEXT: ${{ toJson(job) }}
        run: echo "$JOB_CONTEXT" | jq .
      - name: Dump steps context
        env:
          STEPS_CONTEXT: ${{ toJson(steps) }}
        run: echo "$STEPS_CONTEXT" | jq .

      - uses: actions/checkout@v6
        with:
          ref: ${{ steps.pr-metadata.outputs.branch }}
          fetch-depth: 0
          token: ${{ secrets.RHACS_BOT_GITHUB_TOKEN }}

      - name: Setup Go environment
        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod

      - name: Configure Git
        run: |
          set -ex
          git config --global --add safe.directory "$(pwd)"
          git config --global user.email "nobody@redhat.com"
          git config --global user.name "StackRox PR Fixxxer"

      - run: ./scripts/fixxxer.sh

      - uses: ad-m/github-push-action@v1.0.0
        with:
          branch: ${{ steps.pr-metadata.outputs.branch }}
          github_token: ${{ secrets.RHACS_BOT_GITHUB_TOKEN }}