[BRE-2027] Adding shared action for uploading modified files (#833)

Author: pixman20

.github/workflows/test-upload-modified-files.yml

@@ -0,0 +1,143 @@
+---
+name: Test Upload Modified Files
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - "upload-modified-files/**"
+      - ".github/workflows/test-upload-modified-files.yml"
+
+permissions: {}
+
+jobs:
+  upload-and-verify:
+    name: Upload And Verify
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Modify tracked files at different depths
+        run: |
+          echo "modified by test at $(date -u +%s)" >> README.md
+          echo "modified by test at $(date -u +%s)" >> upload-modified-files/README.md
+
+      - name: Upload modified files
+        id: upload
+        uses: ./upload-modified-files
+        with:
+          artifact_name: test-modified-files
+
+      - name: Verify outputs
+        env:
+          _COUNT: ${{ steps.upload.outputs.count }}
+          _MODIFIED_FILES: ${{ steps.upload.outputs.modified_files }}
+        run: |
+          echo "Count: $_COUNT"
+          echo "Modified files:"
+          echo "$_MODIFIED_FILES"
+          if [[ "$_COUNT" != "2" ]]; then
+            echo "::error::Expected 2 modified files, got '$_COUNT'"
+            exit 1
+          fi
+
+  download-and-verify:
+    name: Download And Verify
+    runs-on: ubuntu-24.04
+    needs: upload-and-verify
+    permissions:
+      contents: read
+      actions: read
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: test-modified-files
+          path: downloaded
+
+      - name: Extract and verify preserved paths
+        run: |
+          mkdir restored
+          tar -xzf downloaded/modified-files.tar.gz -C restored
+          echo "Restored tree:"
+          find restored -type f
+
+          if [[ ! -f restored/README.md ]]; then
+            echo "::error::Expected restored/README.md to exist"
+            exit 1
+          fi
+          if [[ ! -f restored/upload-modified-files/README.md ]]; then
+            echo "::error::Expected restored/upload-modified-files/README.md (nested path) to be preserved"
+            exit 1
+          fi
+          if ! grep -q "modified by test at" restored/upload-modified-files/README.md; then
+            echo "::error::Restored nested file is missing the modification"
+            exit 1
+          fi
+
+  fail-on-added:
+    name: Fail On Added File
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Create an untracked file
+        run: echo "brand new" > a-new-untracked-file.txt
+
+      - name: Run action (expected to fail)
+        id: upload
+        continue-on-error: true
+        uses: ./upload-modified-files
+        with:
+          artifact_name: should-not-upload-added
+
+      - name: Assert the action failed
+        env:
+          _OUTCOME: ${{ steps.upload.outcome }}
+        run: |
+          if [[ "$_OUTCOME" != "failure" ]]; then
+            echo "::error::Expected the action to fail on an added file, but outcome was '$_OUTCOME'"
+            exit 1
+          fi
+          echo "Action correctly failed on an added file."
+
+  fail-on-deleted:
+    name: Fail On Deleted File
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Delete a tracked file
+        run: rm README.md
+
+      - name: Run action (expected to fail)
+        id: upload
+        continue-on-error: true
+        uses: ./upload-modified-files
+        with:
+          artifact_name: should-not-upload-deleted
+
+      - name: Assert the action failed
+        env:
+          _OUTCOME: ${{ steps.upload.outcome }}
+        run: |
+          if [[ "$_OUTCOME" != "failure" ]]; then
+            echo "::error::Expected the action to fail on a deleted file, but outcome was '$_OUTCOME'"
+            exit 1
+          fi
+          echo "Action correctly failed on a deleted file."

upload-modified-files/README.md

@@ -0,0 +1,101 @@
+# Upload Modified Files Action
+
+## Description
+
+The `upload-modified-files` action detects files that have been modified in the working tree of a checked-out repository and uploads them to the current workflow run as an artifact. It is designed for the pattern where one repository (for example, a build repo) produces changes to tracked files — such as version bumps — and a downstream repository (for example, a deploy repo) downloads those changes and commits them back using a bot with direct push access.
+
+The action runs in two steps:
+
+1. **Detect modified files.** Inspects `git status` and collects modifications to existing tracked files. It **fails if any files are added (new/untracked) or deleted**, because the downstream consumer commits the files over an existing checkout and cannot safely reconcile additions or removals.
+2. **Upload to the workflow run.** Archives the modified files into a `tar.gz` that preserves their exact repo-relative paths, then uploads it as an artifact.
+
+## Key Features
+
+- **Modification-only safety check**: Fails fast on added or deleted files so only in-place edits are propagated.
+- **Exact path preservation**: Files are archived with their full repo-relative paths, so they restore to the same structure when extracted in another repo — even when the changes span subdirectories.
+- **Simple, self-contained**: Pure `git` and `tar`, no external dependencies beyond what GitHub-hosted runners provide.
+
+## How to Use It
+
+Add this step after a step that modifies tracked files (e.g. a version bump). The repository must already be checked out.
+
+```yaml
+- name: Checkout
+  uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+  with:
+    persist-credentials: false
+
+# ... step(s) that modify tracked files, e.g. a version bump ...
+
+- name: Upload modified files
+  id: upload
+  uses: bitwarden/gh-actions/upload-modified-files@main
+  with:
+    artifact_name: modified-files
+    retention_days: '7'
+```
+
+### Inputs
+
+| Input            | Required | Default          | Description                                              |
+| ---------------- | -------- | ---------------- | -------------------------------------------------------- |
+| `artifact_name`  | No       | `modified-files` | Name of the artifact to upload the modified files under. |
+| `retention_days` | No       | `7`              | Number of days to retain the uploaded artifact.          |
+
+### Outputs
+
+| Output           | Description                                                  |
+| ---------------- | ------------------------------------------------------------ |
+| `artifact_name`  | Name of the artifact the modified files were uploaded under. |
+| `count`          | Number of modified files detected and uploaded.              |
+| `modified_files` | Newline-separated list of modified file paths.               |
+
+## Consuming the Artifact
+
+The artifact contains a single file, `modified-files.tar.gz`, holding the modified files at their original repo-relative paths. In a downstream repository, download it, extract it over the checkout, and commit:
+
+```yaml
+- name: Checkout target repo
+  uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+- name: Download modified files
+  uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+  with:
+    name: modified-files
+    path: modified-files-tmp
+    github-token: ${{ steps.app-token.outputs.token }}
+    run-id: ${{ github.event.workflow_run.id }}
+    repository: bitwarden/source-repo
+
+- name: Apply and commit
+  run: |
+    tar -xzf modified-files-tmp/modified-files.tar.gz
+    git add --update
+    git commit -m "Apply modified files from upstream run"
+    git push
+```
+
+> For cross-repo downloads, generate a GitHub App token scoped to the source repository and pass it to `actions/download-artifact` via `github-token`, along with the upstream `run-id` and `repository`.
+
+## Requirements
+
+- The repository must be checked out before this action runs (`actions/checkout`), with the modifications present in the working tree.
+- `git` and `tar` must be available on the runner (present by default on GitHub-hosted runners).
+
+## Troubleshooting
+
+### "Detected added/untracked files, which are not supported"
+
+- The working tree contains new files that are not tracked by git. This action only uploads modifications to existing tracked files. Remove the new files or handle them separately.
+
+### "Detected deleted files, which are not supported"
+
+- A tracked file was removed from the working tree. The downstream consumer cannot safely apply deletions; revert the deletion or handle it separately.
+
+### "No modified files detected. Nothing to upload."
+
+- The working tree is clean. Confirm the step that is supposed to modify files ran before this action and actually changed something.
+
+### Nested paths are missing after download
+
+- Ensure you extract `modified-files.tar.gz` from the repository root in the downstream job so the preserved repo-relative paths land in the right place.

upload-modified-files/action.yml

@@ -0,0 +1,51 @@
+---
+name: "Upload Modified Files"
+description: "Detect git-modified files and upload them to the workflow run as an artifact."
+
+inputs:
+  artifact_name:
+    description: "Name of the artifact to upload the modified files under."
+    default: "modified-files"
+  retention_days:
+    description: "Number of days to retain the uploaded artifact."
+    default: "7"
+
+outputs:
+  artifact_name:
+    description: "Name of the artifact the modified files were uploaded under."
+    value: ${{ inputs.artifact_name }}
+  count:
+    description: "Number of modified files detected and uploaded."
+    value: ${{ steps.detect.outputs.count }}
+  modified_files:
+    description: "Newline-separated list of modified file paths."
+    value: ${{ steps.detect.outputs.modified_files }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Detect modified files
+      id: detect
+      shell: bash
+      env:
+        MODIFIED_FILES_LIST: ${{ runner.temp }}/modified_files_list.txt
+      run: bash "${{ github.action_path }}/detect-modified-files.sh"
+
+    - name: Archive modified files
+      shell: bash
+      env:
+        MODIFIED_FILES_LIST: ${{ runner.temp }}/modified_files_list.txt
+        ARCHIVE_PATH: ${{ runner.temp }}/modified-files.tar.gz
+      run: |
+        # Archive from the workspace so paths are stored repo-relative and
+        # restore to the same structure when extracted downstream.
+        tar -czf "$ARCHIVE_PATH" -T "$MODIFIED_FILES_LIST"
+        echo "Created archive at $ARCHIVE_PATH"
+
+    - name: Upload modified files
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+      with:
+        name: ${{ inputs.artifact_name }}
+        path: ${{ runner.temp }}/modified-files.tar.gz
+        retention-days: ${{ inputs.retention_days }}
+        if-no-files-found: error

upload-modified-files/detect-modified-files.sh

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Detect git-modified files in the working tree and emit them for upload.
+#
+# Only modifications to existing tracked files are supported. The action fails
+# if any files are added (new/untracked) or deleted, because the downstream
+# consumer commits the downloaded files over an existing checkout and cannot
+# safely reconcile additions or removals.
+#
+# Required environment:
+#   MODIFIED_FILES_LIST - path to write the newline-separated list of modified
+#                         files to (consumed by tar in the next step).
+#   GITHUB_OUTPUT       - set by GitHub Actions; receives `count` and
+#                         `modified_files` outputs.
+
+modified=()
+added=()
+deleted=()
+other=()
+
+# core.quotepath=false keeps non-ASCII paths unquoted so tar can read them.
+while IFS= read -r line; do
+  [[ -z "$line" ]] && continue
+  status="${line:0:2}"
+  path="${line:3}"
+  x="${status:0:1}"
+  y="${status:1:1}"
+
+  if [[ "$status" == "??" ]]; then
+    added+=("$path")
+  elif [[ "$x" == "A" || "$y" == "A" ]]; then
+    added+=("$path")
+  elif [[ "$x" == "D" || "$y" == "D" ]]; then
+    deleted+=("$path")
+  elif [[ "$x" == "R" || "$y" == "R" || "$x" == "C" || "$y" == "C" ]]; then
+    other+=("$path ($status)")
+  elif [[ "$x" == "M" || "$y" == "M" || "$x" == "T" || "$y" == "T" ]]; then
+    modified+=("$path")
+  else
+    other+=("$path ($status)")
+  fi
+done < <(git -c core.quotepath=false status --porcelain)
+
+fail=0
+if [[ ${#added[@]} -gt 0 ]]; then
+  echo "::error::Detected added/untracked files, which are not supported:"
+  printf '::error::  %s\n' "${added[@]}"
+  fail=1
+fi
+if [[ ${#deleted[@]} -gt 0 ]]; then
+  echo "::error::Detected deleted files, which are not supported:"
+  printf '::error::  %s\n' "${deleted[@]}"
+  fail=1
+fi
+if [[ ${#other[@]} -gt 0 ]]; then
+  echo "::error::Detected renamed/copied/unsupported changes, which are not supported:"
+  printf '::error::  %s\n' "${other[@]}"
+  fail=1
+fi
+if [[ $fail -ne 0 ]]; then
+  exit 1
+fi
+
+if [[ ${#modified[@]} -eq 0 ]]; then
+  echo "::error::No modified files detected. Nothing to upload."
+  exit 1
+fi
+
+echo "Detected ${#modified[@]} modified file(s):"
+printf '  %s\n' "${modified[@]}"
+
+# Write the list for tar consumption (one path per line).
+printf '%s\n' "${modified[@]}" > "$MODIFIED_FILES_LIST"
+
+# Emit step outputs.
+{
+  echo "count=${#modified[@]}"
+  echo "modified_files<<EOF"
+  printf '%s\n' "${modified[@]}"
+  echo "EOF"
+} >> "$GITHUB_OUTPUT"