-
Notifications
You must be signed in to change notification settings - Fork 28
237 lines (207 loc) · 7.57 KB
/
Copy pathpull-request.yml
File metadata and controls
237 lines (207 loc) · 7.57 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
##############################################################################
##############################################################################
#
# NOTE!
#
# Please read the README.md file in this directory that defines what should
# be placed in this file
#
##############################################################################
##############################################################################
name: PR Workflow
on:
pull_request:
branches:
- '**'
env:
CODECOV_UNIQUE_NAME: CODECOV_UNIQUE_NAME-${{ github.run_id }}-${{ github.run_number }}
jobs:
Code-Quality-Checks:
name: Performs linting, formatting, type-checking, checking for different source and target branch
runs-on: ubuntu-latest
strategy:
matrix:
node-version: ['24.x']
steps:
- name: Checkout the Repository
uses: actions/checkout@v4
with:
fetch-depth: 0 # Fetch all history for all branches and tags
- uses: pnpm/action-setup@v4
name: Install pnpm
with:
run_install: false
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: 'pnpm'
- name: Install dependencies
run: pnpm install
- name: Check formatting
if: steps.changed-files.outputs.only_changed != 'true'
run: pnpm run format:check
- name: Run formatting if check fails
if: failure()
run: pnpm run format:fix
- name: Type-checking
run: pnpm run typecheck
- name: checking linting
run: pnpm run lint:check
- name: Check if the source and target branches are different
if: ${{ github.event.pull_request.base.ref == github.event.pull_request.head.ref }}
run: |
echo "Source Branch ${{ github.event.pull_request.head.ref }}"
echo "Target Branch ${{ github.event.pull_request.base.ref }}"
echo "Error: Source and Target Branches are the same. Please ensure they are different."
echo "Error: Close this PR and try again."
exit 1
- name: Check for unused files, exports and dependencies
run: pnpm knip
Check-Sensitive-Files:
if: ${{ github.actor != 'dependabot[bot]' }}
name: Checks if sensitive files have been changed without authorization
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Fetch all history for all branches and tags
- name: Get PR labels
id: check-labels
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
if [ -z "${{ github.event.pull_request.number }}" ]; then
echo "skip=false" >> $GITHUB_OUTPUT
exit 0
fi
LABELS="$(gh api repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels --jq '.[].name' | tr '\n' ' ')"
if echo "$LABELS" | grep -qw "ignore-sensitive-files-pr"; then
echo "::notice::Skipping sensitive files check due to 'ignore-sensitive-files-pr' label."
echo "skip=true" >> $GITHUB_OUTPUT
else
echo "skip=false" >> $GITHUB_OUTPUT
fi
- name: Get Changed Unauthorized files
if: steps.check-labels.outputs.skip != 'true'
id: changed-unauth-files
run: |
# Skip if not in PR context
if [ -z "${{ github.event.pull_request.base.sha }}" ]; then
echo "any_changed=false" >> $GITHUB_OUTPUT
exit 0
fi
# Determine base and head commits for comparison
HEAD_SHA="${{ github.event.pull_request.head.sha || github.sha }}"
BASE_SHA=$(git merge-base "${{ github.event.pull_request.base.sha }}" "$HEAD_SHA")
# Define sensitive files patterns as a bash array
SENSITIVE_PATTERNS=(
".github/"
"CNAME$"
"static/CNAME"
"package.json"
"sidebar"
"docusaurus.config.js"
"babel.config.js"
"CODEOWNERS"
"LICENSE"
"./*.md"
"package-lock.json"
"tsconfig.json"
"pnpm-lock.yaml"
".gitignore"
".prettierignore"
".prettierrc"
'^src/.*'
'^.gitignore$'
'.node-version$'
'.eslintrc.json$'
'.eslintignore$'
'CODEOWNERS$'
'LICENSE$'
'.coderabbit.yaml$'
'.*.pem$'
'.*.key$'
'.*.cert$'
'.*.password$'
'.*.secret$'
'.*.credentials$'
'.nojekyll$'
)
# Check for changes in sensitive files
CHANGED_UNAUTH_FILES=""
for pattern in "${SENSITIVE_PATTERNS[@]}"; do
FILES=$(git diff --name-only --diff-filter=ACMRD "$BASE_SHA" "$HEAD_SHA" | grep -E "$pattern" || true)
if [ ! -z "$FILES" ]; then
CHANGED_UNAUTH_FILES="$CHANGED_UNAUTH_FILES $FILES"
fi
done
# Trim and format output
CHANGED_UNAUTH_FILES=$(echo "$CHANGED_UNAUTH_FILES" | xargs)
echo "all_changed_files=$CHANGED_UNAUTH_FILES" >> $GITHUB_OUTPUT
# Check if any unauthorized files changed
if [ ! -z "$CHANGED_UNAUTH_FILES" ]; then
echo "any_changed=true" >> $GITHUB_OUTPUT
else
echo "any_changed=false" >> $GITHUB_OUTPUT
fi
- name: List all changed unauthorized files
if: steps.changed-unauth-files.outputs.any_changed == 'true'
env:
CHANGED_UNAUTH_FILES: ${{ steps.changed-unauth-files.outputs.all_changed_files }}
run: |
echo "::error::Unauthorized changes detected in sensitive files:"
echo ""
for file in $CHANGED_UNAUTH_FILES; do
echo "- $file"
done
echo ""
echo "To override:"
echo "Add the 'ignore-sensitive-files-pr' label to this PR."
exit 1
Test-Docusaurus-Deployment:
name: Test Deployment to https://developer.palisadoes.org
runs-on: ubuntu-latest
needs: [Code-Quality-Checks]
strategy:
matrix:
node-version: ['24.x']
# Run only if the develop branch and not dependabot
if: ${{ github.event.pull_request.base.ref == 'main' }}
steps:
- name: Checkout the Repository
uses: actions/checkout@v4
with:
fetch-depth: 0 # Fetch all history for all branches and tags
- uses: pnpm/action-setup@v4
name: Install pnpm
with:
run_install: false
cache: pnpm
cache-dependency-path: |
pnpm-lock.yaml
package.json
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: 'pnpm'
# Run Docusaurus in the ./docs directory
- name: Install dependencies
working-directory: ./
run: pnpm install --frozen-lockfile
- name: Test building the website
working-directory: ./
run: pnpm build
Check-Target-Branch:
if: ${{ github.actor != 'dependabot[bot]' }}
name: Check Target Branch
runs-on: ubuntu-latest
steps:
- name: Check if the target branch is 'main'
if: github.event.pull_request.base.ref != 'main'
run: |
echo "Error: Pull request target branch must be 'main'. Please refer PR_GUIDELINES.md"
echo "Error: Close this PR and try again."
exit 1