-
Notifications
You must be signed in to change notification settings - Fork 6
141 lines (138 loc) · 5.62 KB
/
verify.yml
File metadata and controls
141 lines (138 loc) · 5.62 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
---
name: verify
on: # yamllint disable-line rule:truthy
merge_group:
types:
- checks_requested
# We use the default activity types for the pull_request event as specified here:
# https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request
pull_request:
paths:
- .github/workflows/verify.yml
- action.yml
- dist/**
- package-lock.json
- package.json
- src/**
# Set a default shell for any run steps. The `-Eueo pipefail` sets errtrace,
# nounset, errexit, and pipefail. The `-x` will print all commands as they are
# run. Please see the GitHub Actions documentation for more information:
# https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs
defaults:
run:
shell: bash -Eueo pipefail -x {0}
jobs:
diagnostics:
name: Run diagnostics
# This job does not need any permissions
permissions: {}
runs-on: ubuntu-latest
steps:
# Note that a duplicate of this step must be added at the top of
# each job.
- name: Apply standard cisagov job preamble
uses: cisagov/action-job-preamble@v1
with:
check_github_status: "true"
# This functionality is poorly implemented and has been
# causing problems due to the MITM implementation hogging or
# leaking memory. As a result we disable it by default. If
# you want to temporarily enable it, simply set
# monitor_permissions equal to "true".
#
# TODO: Re-enable this functionality when practical. See
# cisagov/skeleton-generic#207 for more details.
monitor_permissions: "false"
output_workflow_context: "true"
# Use a variable to specify the permissions monitoring
# configuration. By default this will yield the
# configuration stored in the cisagov organization-level
# variable, but if you want to use a different configuration
# then simply:
# 1. Create a repository-level variable with the name
# ACTIONS_PERMISSIONS_CONFIG.
# 2. Set this new variable's value to the configuration you
# want to use for this repository.
#
# Note in particular that changing the permissions
# monitoring configuration *does not* require you to modify
# this workflow.
permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
verify:
needs:
- diagnostics
permissions:
# actions/checkout needs this to fetch code
contents: read
runs-on: ubuntu-latest
steps:
- name: Apply standard cisagov job preamble
uses: cisagov/action-job-preamble@v1
with:
# This functionality is poorly implemented and has been
# causing problems due to the MITM implementation hogging or
# leaking memory. As a result we disable it by default. If
# you want to temporarily enable it, simply set
# monitor_permissions equal to "true".
#
# TODO: Re-enable this functionality when practical. See
# cisagov/skeleton-generic#207 for more details.
monitor_permissions: "false"
# Use a variable to specify the permissions monitoring
# configuration. By default this will yield the
# configuration stored in the cisagov organization-level
# variable, but if you want to use a different configuration
# then simply:
# 1. Create a repository-level variable with the name
# ACTIONS_PERMISSIONS_CONFIG.
# 2. Set this new variable's value to the configuration you
# want to use for this repository.
#
# Note in particular that changing the permissions
# monitoring configuration *does not* require you to modify
# this workflow.
permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
- name: Checkout the repository
uses: actions/checkout@v6
- id: setup-env
name: Run action from the local copy
uses: ./
- name: Install dependencies and build the action
run: |
npm ci
npm run package
- name: Verify that dist/ is up-to-date with changes in src/
run: |
# Fail if dist/ has changes of any kind
if [ -n "$(git status --porcelain dist/)" ]; then
echo "Changes detected in dist/ after running 'npm run package'."
git status --short dist/
exit 1
fi
- env:
ACTION_OUTPUTS: ${{ toJSON(steps.setup-env.outputs) }}
name: Verify expected functionality of the action
uses: actions/github-script@v8
with:
script: |
const { toolVersions } = require("./src/versions.js");
const outputVersions = JSON.parse(process.env.ACTION_OUTPUTS);
var failedChecks = 0;
for (const [key, value] of Object.entries(toolVersions)) {
const outputKey = `${key}-version`;
if (!Object.hasOwn(outputVersions, outputKey)) {
console.error("Missing '%s' in outputs", outputKey);
failedChecks++;
} else if (outputVersions[outputKey] !== value) {
console.error(
"Mismatched versions for %s: expected '%s', got '%s'",
key,
value,
outputVersions[outputKey],
);
failedChecks++;
}
}
if (failedChecks > 0) {
core.setFailed("Verification failed");
}