[Snyk] Fix for 1 vulnerabilities #6
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build woff2 font file | |
on: | |
pull_request: | |
types: [synchronize, opened] | |
permissions: | |
actions: read | |
checks: none | |
contents: write | |
deployments: none | |
issues: write | |
packages: none | |
pull-requests: write | |
repository-projects: none | |
security-events: none | |
statuses: none | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Detect branch for PR | |
id: vars | |
run: | | |
PR="${{ github.event.pull_request.number }}" | |
PR_INFO=$( curl \ | |
--request GET \ | |
--header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \ | |
--header 'content-type: application/json' \ | |
--url https://api.github.com/repos/$GITHUB_REPOSITORY/pulls/$PR ) | |
REF=$(echo "${PR_INFO}" | jq -r .head.ref) | |
BASE=$(echo "${PR_INFO}" | jq -r .head.repo.full_name) | |
STATE=$(echo "${PR_INFO}" | jq -r .state) | |
BASE_SHA=$(echo "${PR_INFO}" | jq -r .base.sha) | |
if [[ $STATE == "closed" ]] | |
then | |
echo "Pull Request already closed." | |
exit 0; | |
fi | |
echo "islocalbranch=$(expr $BASE == $GITHUB_REPOSITORY)" >> $GITHUB_OUTPUT | |
echo "branch=$REF" >> $GITHUB_OUTPUT | |
echo "base=$BASE_SHA" >> $GITHUB_OUTPUT | |
- uses: actions/checkout@v3 | |
with: | |
lfs: false | |
persist-credentials: false | |
if: steps.vars.outputs.branch != '' | |
- name: Check ttf changes | |
id: ttfcheck | |
run: | | |
git fetch --depth=1 origin ${{ steps.vars.outputs.base }} | |
TTF_FILE_MODIFIED=$(git diff --name-only ${{ steps.vars.outputs.base }} -- plugins/Morpheus/fonts/matomo.ttf | wc -l) | |
if [[ $TTF_FILE_MODIFIED == "0" ]] | |
then | |
echo "Font file not modified" | |
exit 0; | |
fi | |
echo "ttf_modified=1" >> $GITHUB_OUTPUT | |
if: steps.vars.outputs.branch != '' | |
- name: Build woff2 file | |
run: | | |
git clone --recursive https://github.com/google/woff2.git tmp_woff2 | |
cd tmp_woff2 | |
make clean all | |
cd .. | |
./tmp_woff2/woff2_compress plugins/Morpheus/fonts/matomo.ttf | |
if: steps.vars.outputs.branch != '' && steps.ttfcheck.outputs.ttf_modified == '1' | |
- name: Prepare git config | |
run: | | |
cat <<- EOF > $HOME/.netrc | |
machine github.com | |
login $GITHUB_ACTOR | |
password $GITHUB_TOKEN | |
machine api.github.com | |
login $GITHUB_ACTOR | |
password $GITHUB_TOKEN | |
EOF | |
chmod 600 $HOME/.netrc | |
git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com" | |
git config --global user.name "$GITHUB_ACTOR" | |
git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/$GITHUB_REPOSITORY | |
if [[ ${{ steps.vars.outputs.islocalbranch }} ]] | |
then | |
git fetch --depth=1 origin $BRANCH_NAME | |
git checkout $BRANCH_NAME | |
fi | |
env: | |
BRANCH_NAME: ${{ steps.vars.outputs.branch }} | |
if: steps.vars.outputs.branch != '' && steps.ttfcheck.outputs.ttf_modified == '1' | |
- name: Push changes | |
id: push | |
run: | | |
if [[ $( git diff --numstat plugins/Morpheus/fonts/matomo.woff2 ) ]] | |
then | |
if [[ ! ${{ steps.vars.outputs.islocalbranch }} ]] | |
then | |
echo "It's only possible to update local branches automatically. Adding a comment instead." | |
echo "failure=1" >> $GITHUB_OUTPUT | |
else | |
cd $GITHUB_WORKSPACE | |
git add plugins/Morpheus/fonts/matomo.woff2 | |
git commit -m "built woff2 file" | |
git push | |
fi | |
fi | |
if: steps.vars.outputs.branch != '' && steps.ttfcheck.outputs.ttf_modified == '1' | |
- uses: actions/github-script@v6 | |
with: | |
script: | | |
github.rest.issues.createComment({ | |
issue_number: context.issue.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: 'woff2 font file is not up to date. See https://developer.matomo.org/guides/matomo-font for details how to update the font correctly.' | |
}) | |
if: steps.push.outputs.failure == '1' | |
- name: Fail if not up to date | |
run: exit 1 | |
if: steps.push.outputs.failure == '1' |