pr.yml
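# PR Validation: lints and builds a pull request.
# Runs automatically for pull requests targeting `develop`, or manually via
# workflow_dispatch for a pull request selected by number.
#
# NOTE(review): every `uses:` below references a mutable tag (@v5, @v6, @v9).
# Pin each to a full commit SHA (e.g. actions/checkout@<FULL_COMMIT_SHA>) so
# the code that runs with this workflow's token cannot change underneath it.
name: PR Validation
on:
  pull_request:
    branches: [develop]
  workflow_dispatch: # checkov:skip=CKV_GHA_7:Input only used to select PR for validation, does not affect build output
    inputs:
      pull_request_number:
        description: "Pull Request Number"
        required: true
        type: number
# Deny every token scope by default; each job opts in to what it needs.
permissions: {}
concurrency:
  # NOTE(review): on workflow_dispatch, github.ref is the ref the run was
  # started from rather than the selected PR, so manual runs for different
  # PRs appear to share one group and cancel each other. Confirm intended.
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true
jobs:
  lint:
    name: Lint
    runs-on: ubuntu-latest
    # Write scopes are used here: fixes are pushed back to the PR branch, and
    # the linter is handed the token (presumably for PR/check reporting).
    permissions:
      checks: write
      contents: write
      pull-requests: write
    steps:
      # Resolve head branch, author and head repository for both triggers.
      # Event fields are passed through env rather than interpolated into the
      # script, so attacker-chosen branch names are never parsed as shell.
      - name: Get PR details
        id: pr-details
        run: |
          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            echo "Fetching details for PR #$PR_NUMBER"
            PR_DATA=$(gh pr view "$PR_NUMBER" --repo "$REPO" --json headRefName,headRepository,author)
            HEAD_REF=$(echo "$PR_DATA" | jq -r '.headRefName')
            AUTHOR_LOGIN=$(echo "$PR_DATA" | jq -r '.author.login')
            HEAD_REPO=$(echo "$PR_DATA" | jq -r '.headRepository.nameWithOwner')
            {
              echo "head_ref=$HEAD_REF"
              echo "author_login=$AUTHOR_LOGIN"
              echo "head_repo=$HEAD_REPO"
            } >> "$GITHUB_OUTPUT"
          else
            {
              echo "head_ref=$PR_HEAD_REF"
              echo "author_login=$PR_AUTHOR_LOGIN"
              echo "head_repo=$PR_HEAD_REPO"
            } >> "$GITHUB_OUTPUT"
          fi
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          EVENT_NAME: ${{ github.event_name }}
          PR_NUMBER: ${{ inputs.pull_request_number }}
          REPO: ${{ github.repository }}
          PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
          PR_AUTHOR_LOGIN: ${{ github.event.pull_request.user.login }}
          PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
      # The token (PAT when configured) stays in the local git config so the
      # later push step can use it; it is therefore also readable by the
      # linter step, which runs against PR-controlled content.
      # NOTE(review): only `ref` is set, not `repository`, so the branch name
      # is resolved in this repository. For a PR from a fork that is likely
      # not the PR's code (checkout fails, or a same-named branch here is
      # validated instead). Confirm fork PRs are out of scope before relying
      # on this job as a gate.
      - name: Check out repository
        uses: actions/checkout@v6
        with:
          ref: ${{ steps.pr-details.outputs.head_ref }}
          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
          fetch-depth: 0
      - name: Run MegaLinter
        id: ml
        uses: oxsecurity/megalinter/flavors/dotnetweb@v9
        env:
          VALIDATE_ALL_CODEBASE: false
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Evaluates to false for PRs authored by dependabot or
          # github-actions, true otherwise.
          LLM_ADVISOR_ENABLED: >-
            ${{
            steps.pr-details.outputs.author_login != 'dependabot[bot]' &&
            steps.pr-details.outputs.author_login != 'github-actions[bot]' &&
            !startsWith(steps.pr-details.outputs.author_login, 'dependabot')
            }}
      # always(): keep the reports even when linting fails.
      - name: Upload lint reports
        if: always()
        uses: actions/upload-artifact@v5
        with:
          name: Lint Report
          path: |
            megalinter-reports
            mega-linter.log
      # The two steps below run only when the linter changed files AND the PR
      # head lives in this repository, so nothing is pushed for fork PRs.
      - name: Prepare git directory
        if: >-
          steps.ml.outputs.has_updated_sources == 1 &&
          steps.pr-details.outputs.head_repo == github.repository
        run: sudo chown -Rc "$UID" .git/
      - name: Commit and push MegaLinter fixes
        if: >-
          steps.ml.outputs.has_updated_sources == 1 &&
          steps.pr-details.outputs.head_repo == github.repository
        run: |
          git config user.name "megalinter-bot"
          git config user.email "129584137+megalinter-bot@users.noreply.github.com"
          if [[ -n $(git status -s) ]]; then
            git add .
            git commit -m "Apply lint fixes"
            # Up to 4 push attempts, waiting 2s, 4s, 8s between them.
            for i in {1..4}; do
              if git push; then
                echo "✅ MegaLinter fixes pushed successfully"
                break
              else
                if [[ "$i" -lt 4 ]]; then
                  WAIT_TIME=$((2 ** i))
                  echo "⚠️ Push failed, retrying in ${WAIT_TIME}s..."
                  sleep "$WAIT_TIME"
                else
                  echo "❌ Push failed after 4 attempts"
                  exit 1
                fi
              fi
            done
          else
            echo "ℹ️ No MegaLinter changes to commit"
          fi
  build:
    name: Build
    runs-on: ubuntu-latest
    # NOTE(review): no step visible in this job pushes, comments or creates
    # checks, yet it executes PR-supplied code (`dotnet run`). Consider
    # reducing this to `contents: read` and `pull-requests: read` once it is
    # confirmed the build itself needs no write access.
    permissions:
      checks: write
      contents: write
      pull-requests: write
    steps:
      # Resolve the PR head branch for both triggers; values arrive via env
      # rather than being interpolated into the script.
      - name: Get PR details
        id: pr-details
        run: |
          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            echo "Fetching details for PR #$PR_NUMBER"
            PR_DATA=$(gh pr view "$PR_NUMBER" --repo "$REPO" --json headRefName)
            HEAD_REF=$(echo "$PR_DATA" | jq -r '.headRefName')
            echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"
          else
            echo "head_ref=$PR_HEAD_REF" >> "$GITHUB_OUTPUT"
          fi
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          EVENT_NAME: ${{ github.event_name }}
          PR_NUMBER: ${{ inputs.pull_request_number }}
          REPO: ${{ github.repository }}
          PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
      # NOTE(review): as in the lint job, `repository` is not set, so the
      # branch name is resolved in this repository, not in a fork.
      - name: Check out repository
        uses: actions/checkout@v6
        with:
          ref: ${{ steps.pr-details.outputs.head_ref }}
          # This job never pushes, so do not leave the token in .git/config
          # where the PR-supplied build below could read it.
          persist-credentials: false
      - name: Set up .NET SDK
        uses: actions/setup-dotnet@v5
      # Executes the project from the checked-out PR branch.
      - name: Run build
        run: dotnet run
      - name: Upload output
        uses: actions/upload-artifact@v5
        with:
          name: Generated Site
          path: output/
        # NOTE(review): confirm this env belongs on this step. Uploading an
        # artifact is not expected to read GITHUB_TOKEN; if it was meant for
        # the build step, prefer a read-only scope there.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}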