azure-sdk-for-js/.github/workflows/format-auto-fix.yml at e491abc3eb2680b93bc34d2a4d8d0d431185471f · Azure/azure-sdk-for-js · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
name: SDK Format Auto-Fix

on:
  workflow_dispatch:
    inputs:
      pr_number:
        description: PR number to run format fix on
        required: true
        type: string

jobs:
  fix-format:
    runs-on: ubuntu-latest
    # One run per PR at a time; queued runs wait rather than being cancelled.
    concurrency:
      group: format-auto-fix-${{ github.event.inputs.pr_number }}
      cancel-in-progress: false
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Fetch and validate PR
        id: find-pr
        uses: actions/github-script@v9
        with:
          script: |
            const prNumberStr = context.payload.inputs?.pr_number;
            if (!prNumberStr) {
              core.warning('No pr_number input provided');
              core.setOutput('has-pr', 'false');
              return;
            }
            const prNumber = parseInt(prNumberStr);
            core.info(`Got PR #${prNumber} from workflow_dispatch input`);
            const { data: pr } = await github.rest.pulls.get({
              ...context.repo,
              pull_number: prNumber,
            });
            if (pr.state !== 'open') {
              core.info(`PR #${prNumber} is not open — skipping`);
              core.setOutput('has-pr', 'false');
              core.setOutput('is-fork', 'false');
              return;
            }
            // Security: only auto-fix branches in the base repository.
            // Checking out a fork and running its package.json scripts with a
            // write token would allow an attacker to execute arbitrary code.
            const baseRepo = `${context.repo.owner}/${context.repo.repo}`;
            if (pr.head.repo.full_name !== baseRepo) {
              core.warning(`PR #${prNumber} is from fork ${pr.head.repo.full_name} — skipping auto-fix`);
              core.setOutput('has-pr', 'false');
              core.setOutput('is-fork', 'true');
              return;
            }
            core.info(`Processing PR #${pr.number} on branch ${pr.head.ref}`);
            core.setOutput('has-pr', 'true');
            core.setOutput('is-fork', 'false');
            core.setOutput('pr-branch', pr.head.ref);
            core.setOutput('pr-repo', pr.head.repo.full_name);

      - name: Notify fork PR author
        if: steps.find-pr.outputs.is-fork == 'true'
        uses: actions/github-script@v9
        with:
          script: |
            await github.rest.issues.createComment({
              ...context.repo,
              issue_number: parseInt(context.payload.inputs.pr_number),
              body: [
                '⚠️ **Format auto-fix skipped for fork PR.**',
                '',
                'The auto-fix workflow does not run on pull requests from forks to avoid',
                'executing untrusted code with repository write access.',
                '',
                'Please run `pnpm format` locally in the affected package(s) and push the',
                'formatting changes to your branch.',
              ].join('\n'),
            });

      - name: Checkout PR branch
        if: steps.find-pr.outputs.has-pr == 'true'
        uses: actions/checkout@v4
        with:
          ref: ${{ steps.find-pr.outputs.pr-branch }}
          repository: ${{ steps.find-pr.outputs.pr-repo }}
          fetch-depth: 0

      - name: Setup Node.js
        if: steps.find-pr.outputs.has-pr == 'true'
        uses: actions/setup-node@v4
        with:
          node-version: 'lts/*'

      - name: Setup pnpm
        if: steps.find-pr.outputs.has-pr == 'true'
        uses: pnpm/action-setup@v4
        with:
          version: '10.33.0'

      - name: Find affected packages and run pnpm format
        if: steps.find-pr.outputs.has-pr == 'true'
        run: |
          UPSTREAM_REPO_URL="${{ github.server_url }}/${{ github.repository }}.git"
          UPSTREAM_DEFAULT_BRANCH="${{ github.event.repository.default_branch }}"

          # `origin` points at the PR head repository after checkout, which may be a fork.
          # Fetch the workflow repository's default branch explicitly and diff against that.
          if git remote get-url upstream >/dev/null 2>&1; then
            git remote set-url upstream "$UPSTREAM_REPO_URL"
          else
            git remote add upstream "$UPSTREAM_REPO_URL"
          fi
          git fetch --no-tags upstream "${UPSTREAM_DEFAULT_BRANCH}:refs/remotes/upstream/${UPSTREAM_DEFAULT_BRANCH}"

          # Find unique package directories (sdk/<service>/<package>) from changed files
          PKGS=$(git diff --name-only "upstream/${UPSTREAM_DEFAULT_BRANCH}...HEAD" \
            | grep '^sdk/' \
            | sed 's|\(sdk/[^/]*/[^/]*\)/.*|\1|' \
            | sort -u)

          echo "Affected packages:"
          echo "$PKGS"

          if [ -z "$PKGS" ]; then
            echo "No sdk/ packages changed, nothing to format"
            exit 0
          fi

          # Build pnpm/turbo filter args (e.g. --filter=@azure/arm-foo...)
          FILTERS=""
          for pkg in $PKGS; do
            if [ -f "$pkg/package.json" ]; then
              PKG_NAME=$(node -p "require('./$pkg/package.json').name")
              FILTERS="$FILTERS --filter=${PKG_NAME}"
            fi
          done

          # Install only the affected packages and their dependencies
          # --ignore-scripts prevents pre/postinstall lifecycle scripts from running
          pnpm install $FILTERS --frozen-lockfile=false --ignore-scripts

          # Run format across all affected packages in one turbo invocation
          pnpm turbo run format $FILTERS

      - name: Commit and push formatting changes
        if: steps.find-pr.outputs.has-pr == 'true'
        id: commit
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"

          if git diff --quiet; then
            echo "No formatting changes needed"
            echo "CHANGES=false" >> $GITHUB_OUTPUT
          else
            git diff --name-only \
              | grep -E '\.(ts|mts|cts|tsx|js|mjs|cjs|jsx|json|md|yaml|yml)$' \
              | xargs -r git add --

            if git diff --cached --quiet; then
              echo "Formatting changes were detected, but none matched the commit allow-list"
              echo "CHANGES=false" >> $GITHUB_OUTPUT
            else
              git commit -m "chore: apply prettier format fixes"
              git push
              echo "CHANGES=true" >> $GITHUB_OUTPUT
            fi
          fi

      - name: Post result comment
        if: steps.find-pr.outputs.has-pr == 'true'
        uses: actions/github-script@v9
        env:
          CHANGES: ${{ steps.commit.outputs.CHANGES }}
        with:
          script: |
            const prNumber = parseInt(context.payload.inputs.pr_number);

            if (process.env.CHANGES === 'true') {
              await github.rest.issues.createComment({
                ...context.repo,
                issue_number: prNumber,
                body: '✅ Automatically ran `pnpm format` and pushed the formatting fixes. Check-format should now pass.'
              });
              core.info(`Posted success comment on PR #${prNumber}`);
            } else {
              core.info(`No formatting changes were needed for PR #${prNumber}`);
            }