Process auto-discovery algorithm analysis #11321
name: 'Validate skip QA label'

# Runs under the fork-PR threat model:
# - No repository secrets are exposed (pull_request from a fork).
# - GITHUB_TOKEN is forcibly read-only.
# - No id-token: write and no OIDC/STS exchange happen here, so even if a
#   fork PR modifies this workflow or the render composite action, there is
#   no writable credential to steal.
#
# NOTE(review): GitHub applies the fork restrictions above only to PRs that
# come from a fork. For a PR opened from a branch of this repository, the
# read-only token rests on the job-level `permissions` block below, and the
# "no secrets" property rests on this file not referencing any.
#
# The rendered comment body is handed off to .github/workflows/post-pr-comment.yml
# (triggered via workflow_run, always runs from master) using this artifact
# contract:
#   - name: pr-comment
#   - files:
#       body.md   rendered markdown (treated as opaque, attacker-controlled text)
#
# The central workflow owns the hidden marker used by find-comment; producers
# here are not concerned with it.

# NOTE(review): only `opened` and `synchronize` are listed. Adding or removing
# the qa/skip-qa label, reopening, or marking a draft as ready does not re-run
# this check until the next push -- confirm that this is intended.
on:
  pull_request:
    types: [opened, synchronize]
    branches:
      - master

jobs:
  validate-skip-qa:
    # Draft PRs are skipped entirely. The expression is quoted because a plain
    # YAML scalar starting with `!` would be read as a tag.
    if: '!github.event.pull_request.draft'
    runs-on: ubuntu-latest
    # Only this scope is granted to GITHUB_TOKEN for the job; scopes not listed
    # here are not granted.
    permissions:
      contents: read
    env:
      # Quoted so the version stays a string rather than a float.
      PYTHON_VERSION: "3.13"
    # Every `uses:` of an external action below is pinned to a full commit SHA;
    # the trailing comment records the release tag the pin is meant to match.
    steps:
      # After this step the workspace holds PR-controlled content.
      # persist-credentials: false keeps the token out of the local git config,
      # so later steps cannot read it back from disk.
      - name: Checkout Code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "${{ env.PYTHON_VERSION }}"
      # json: true produces a JSON array. escape_json / safe_output are
      # string-mode sanitizers that would double-encode a JSON array, so we
      # disable them. The JSON flows through env vars into a Python json.loads
      # in the composite action, never through a shell expansion.
      #
      # NOTE(review): with both sanitizers off, the safety of every consumer of
      # these outputs depends on that "never through a shell expansion" rule.
      # Re-check it whenever a step that reads these outputs is added or edited.
      - name: Get files changed
        id: changed_files
        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
        with:
          json: true
          escape_json: false
          safe_output: false
          files: |
            **/datadog_checks/**
            **/changelog.d/**
            **/pyproject.toml
            **/hatch.toml
          files_ignore: |
            ddev/**
            datadog_checks_dev/**
            datadog_checks_tests_helper/**
      # Step outputs reach the script only as environment variables and are
      # expanded inside double quotes, so PR-chosen file names are never spliced
      # into the script text. What gets printed is still attacker-chosen text:
      # treat these log lines as untrusted when reading them.
      - name: Debug - Show detected changed files
        env:
          ANY_CHANGED: ${{ steps.changed_files.outputs.any_changed }}
          ALL_CHANGED_FILES: ${{ steps.changed_files.outputs.all_changed_files }}
          ALL_MODIFIED_FILES: ${{ steps.changed_files.outputs.all_modified_files }}
          ADDED_FILES: ${{ steps.changed_files.outputs.added_files }}
          MODIFIED_FILES: ${{ steps.changed_files.outputs.modified_files }}
          DELETED_FILES: ${{ steps.changed_files.outputs.deleted_files }}
          RENAMED_FILES: ${{ steps.changed_files.outputs.renamed_files }}
          HAS_SKIP_QA_LABEL: ${{ contains(github.event.pull_request.labels.*.name, 'qa/skip-qa') }}
        run: |
          echo "any_changed=${ANY_CHANGED}"
          echo "has_skip_qa_label=${HAS_SKIP_QA_LABEL}"
          echo "all_changed_files=${ALL_CHANGED_FILES}"
          echo "all_modified_files=${ALL_MODIFIED_FILES}"
          echo "added_files=${ADDED_FILES}"
          echo "modified_files=${MODIFIED_FILES}"
          echo "deleted_files=${DELETED_FILES}"
          echo "renamed_files=${RENAMED_FILES}"
      # The two render steps have mutually exclusive conditions (any_changed is
      # 'false' for one and 'true' for the other), so at most one of them writes
      # pr-comment/body.md in a given run.
      #
      # `./.github/actions/...` is resolved from the checked-out workspace, i.e.
      # the PR's copy of the composite action when the PR changes it (see the
      # threat-model header).
      - name: Render comment body - Add skip qa label
        id: render_add
        if: steps.changed_files.outputs.any_changed == 'false' && !contains(github.event.pull_request.labels.*.name, 'qa/skip-qa')
        uses: ./.github/actions/render-skip-qa-comment
        with:
          mode: add-label
          output: pr-comment/body.md
      - name: Render comment body - Remove skip qa label
        id: render_remove
        if: steps.changed_files.outputs.any_changed == 'true' && contains(github.event.pull_request.labels.*.name, 'qa/skip-qa')
        uses: ./.github/actions/render-skip-qa-comment
        with:
          mode: remove-label
          # Passed as an action input. The note on the changed-files step says
          # the composite action parses it with json.loads rather than a shell;
          # that cannot be verified from this file.
          changed-files-json: ${{ steps.changed_files.outputs.all_changed_files }}
          output: pr-comment/body.md
      # Runs only when one of the render steps actually ran and succeeded; a
      # skipped step does not have outcome 'success'.
      # The whole pr-comment/ directory is uploaded, while the contract in the
      # header names only body.md. The consumer should read that one file and
      # treat its content as untrusted.
      # if-no-files-found: error fails the job instead of publishing an empty
      # artifact.
      - name: Upload comment artifact
        if: steps.render_add.outcome == 'success' || steps.render_remove.outcome == 'success'
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: pr-comment
          path: pr-comment/
          retention-days: 1
          if-no-files-found: error