# SPDX-License-Identifier: Apache-2.0
# © Crown Copyright 2025. This work has been developed by the National Digital Twin Programme and is legally attributed to the Department for Business and Trade (UK) as the governing entity.
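# Keeps this repository's .github/workflows in step with the organisation-wide
# workflow files published in National-Digital-Twin/ospo-resources. On pull
# requests not targeting main, the listed files are copied in, any drift is
# committed back to the PR branch under a GitHub App identity, and the job
# fails if .github/workflows is still dirty afterwards.
name: Synchronise OSPO Workflows

on:
  pull_request:
    # we should not inject commits into Pull Requests targeting the main branch
    # everything should go via develop and then be merged to main via release/hotfix
    branches-ignore:
      - "main"

jobs:
  synchronise-ospo-workflows:
    # Dependabot-authored pull requests are not synchronised.
    if: github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    # GITHUB_TOKEN stays read-only for this job; the write access needed to push
    # the sync commit comes from the App token minted in the first step.
    permissions:
      contents: read
    steps:
      - name: Fetch GitHub App token for target repo (write)
        id: target_token
        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
        with:
          app-id: ${{ secrets.OSPO_WORKFLOW_APP_ID }}
          private-key: ${{ secrets.OSPO_WORKFLOW_PRIVATE_KEY }}
          # principle of least privilege, request only the permissions needed for this job
          # (workflows: write is required because the pushed files live under .github/workflows)
          permission-contents: write
          permission-workflows: write

      - name: Checkout target repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Credentials are deliberately left persisted in this clone (the action's
          # default): the auto-commit step below pushes with this App token.
          token: ${{ steps.target_token.outputs.token }}

      - name: Checkout OSPO source repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # No ref is pinned here, so the clone follows the default branch of
          # ospo-resources; presumably intended, since the aim is to track latest.
          repository: National-Digital-Twin/ospo-resources
          path: ospo-resources
          # Read-only clone: no later step pushes to it, so do not leave a token
          # behind in ospo-resources/.git/config inside the working tree.
          persist-credentials: false

      - name: Copy and compare workflow files from OSPO repo
        # Each non-comment line of the list file names a path inside ospo-resources;
        # the file is copied to .github/workflows/<basename> when missing or different.
        run: |
          while IFS= read -r file || [ -n "$file" ]; do
            # Skip comments and empty lines
            if [[ -z "$file" || "$file" == \#* ]]; then
              continue
            fi
            src="ospo-resources/$file"
            # basename keeps every target inside .github/workflows regardless of the source path
            filename="$(basename "$file")"
            tgt=".github/workflows/$filename"
            if [ ! -f "$src" ]; then
              echo "WARNING: Source file not found in OSPO repository: $src"
              continue
            fi
            mkdir -p "$(dirname "$tgt")"
            if [ ! -f "$tgt" ]; then
              echo "File missing in target repo: $tgt"
              cp "$src" "$tgt"
            elif ! cmp -s "$src" "$tgt"; then
              echo "File differs and will be updated: $tgt"
              cp "$src" "$tgt"
            else
              echo "File is already up to date: $tgt"
            fi
          done < ospo-resources/organisation-required-workflows.txt

      - name: Copy and compare fork-specific workflow files from OSPO repo
        # Only runs when this repository is itself a fork and the repository variable
        # FORK_WORKFLOWS_OPT_IN is set to the string 'true'.
        if: github.event.repository.fork == true && vars.FORK_WORKFLOWS_OPT_IN == 'true'
        run: |
          while IFS= read -r file || [ -n "$file" ]; do
            # Skip comments and empty lines
            if [[ -z "$file" || "$file" == \#* ]]; then
              continue
            fi
            src="ospo-resources/tools/fork-support/$file"
            # basename keeps every target inside .github/workflows regardless of the source path
            filename="$(basename "$file")"
            tgt=".github/workflows/$filename"
            if [ ! -f "$src" ]; then
              echo "WARNING: Source file not found in OSPO repository: $src"
              continue
            fi
            mkdir -p "$(dirname "$tgt")"
            if [ ! -f "$tgt" ]; then
              echo "File missing in target repo: $tgt"
              cp "$src" "$tgt"
            elif ! cmp -s "$src" "$tgt"; then
              echo "File differs and will be updated: $tgt"
              cp "$src" "$tgt"
            else
              echo "File is already up to date: $tgt"
            fi
          done < ospo-resources/organisation-required-workflows-forks.txt

      - name: Check out pull request branch
        # The branch name is passed through an env var rather than interpolated
        # into the script, so it is never evaluated by the shell.
        env:
          HEAD_REF: ${{ github.head_ref }}
        # NOTE(review): the copies above were made on the checked-out merge ref;
        # switching branches carries those uncommitted edits onto the PR branch,
        # but git will refuse the checkout if a synced file also differs between
        # the two refs — confirm this ordering is the intended one.
        run: |
          git fetch origin "$HEAD_REF"
          git checkout "$HEAD_REF"

      - name: Auto-commit updated workflow files (if applicable)
        uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
        with:
          commit_message: "feat(OSPO): synchronise OSPO workflows"
          # Commit as the App's bot user so the change is attributable to the sync.
          commit_user_name: ${{ steps.target_token.outputs.app-slug }}[bot]
          commit_user_email: ${{ steps.target_token.outputs.user-id }}+${{ steps.target_token.outputs.app-slug }}[bot]@users.noreply.github.com
          # Only workflow files are ever committed; the ospo-resources clone is untracked and ignored.
          file_pattern: .github/workflows/*
          skip_fetch: true

      - name: Check for file changes and fail if sync is not complete
        # Backstop: anything still uncommitted under .github/workflows fails the check.
        run: |
          if [ "$(git status --porcelain .github/workflows)" != "" ]; then
            echo "Some workflow files were changed. Failing status check to block merge until sync is complete."
            exit 1
          else
            echo "No changes required. All OSPO workflow files are in sync."
          fi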