diff --git a/.github/workflows/gha-autofix.yml b/.github/workflows/gha-autofix.yml
deleted file mode 100644
index bcd39a5..0000000
--- a/.github/workflows/gha-autofix.yml
+++ /dev/null
@@ -1,77 +0,0 @@ -name: Auto fix for GHA workflow files -on: workflow_call -jobs: - auto-fix: - timeout-minutes: 5 - runs-on: ubuntu-latest - if: github.event.pull_request.draft == false - permissions: - contents: write - pull-requests: write - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - ref: ${{ github.head_ref }} - sparse-checkout: .github - fetch-depth: 2 # we need history to get previous commit - - name: Install pinact - shell: bash - run: | - set -x - VERSION=1.6.0 - TARGET=linux_amd64 - SHA256_SUM=5562dfae2b70b9a14ba6bac99c691bec0bff41951411c713b5ea3fdbd28fbcc1 - curl --silent --show-error --fail --connect-timeout 3 --max-time 10 --retry 3 \ - --location --remote-name \ - "https://github.com/suzuki-shunsuke/pinact/releases/download/v${VERSION}/pinact_${TARGET}.tar.gz" - echo "${SHA256_SUM} pinact_${TARGET}.tar.gz" | sha256sum -c - tar --extract --gzip --file "pinact_${TARGET}.tar.gz" --verbose - sudo install pinact /usr/local/bin/pinact - - name: Install ghatm - shell: bash - run: | - set -x - VERSION=0.3.4 - TARGET=linux_amd64 - SHA256_SUM=8724d5946f5f62defa01d17b5651629eb9ff47963f0d2114dd2da30c0bad7205 - curl --silent --show-error --fail --connect-timeout 3 --max-time 10 --retry 3 \ - --location --remote-name \ - "https://github.com/suzuki-shunsuke/ghatm/releases/download/v${VERSION}/ghatm_${TARGET}.tar.gz" - echo "${SHA256_SUM} ghatm_${TARGET}.tar.gz" | sha256sum -c - tar --extract --gzip --file "ghatm_${TARGET}.tar.gz" --verbose - sudo install ghatm /usr/local/bin/ghatm - - name: Run linters - shell: bash - run: | - set -x - # Run pinact to pin GitHub Action versions - pinact run - # Run ghatm to set timeout-minutes - ghatm set --timeout-minutes 5 - - name: Run git diff - id: diff - run: git diff --name-only --exit-code - continue-on-error: true - - name: Commit and push if fmt changes code - if: steps.diff.outcome == 'failure' - env: - URL: ${{ github.event.pull_request.html_url }} - GITHUB_TOKEN: ${{ 
secrets.GITHUB_TOKEN }} - run: | - set -x - message='gha-autofix: Auto fix GHA workflow files' - prev_message="$(git log -1 --pretty=format:'%s')" - - if [ "${prev_message}" = "${message}" ]; then - echo "Detect auto generated commit-push loop" - exit 1 - else - git config user.name github-actions[bot] - # Use this email to show icon in commit view. - git config user.email github-actions[bot]@users.noreply.github.com - git add . - git commit -m "${message}" - git push - - gh pr comment --body 'Commits pushed by bot. Trigger CI jobs by "making this PR draft then ready-for-review again" or "pushing an empty commit" or "updating branch".' "${URL}" - fi diff --git a/.github/workflows/gha-lint.yml b/.github/workflows/gha-lint.yml new file mode 100644 index 0000000..c821b60 --- /dev/null +++ b/.github/workflows/gha-lint.yml 
@@ -0,0 +1,114 @@
+name: Lint GHA workflow files
+on: workflow_call
+jobs:
+ lint:
+ timeout-minutes: 5
+ runs-on: ubuntu-latest
+ if: github.event.pull_request.draft == false
+ permissions:
+ contents: read
+ pull-requests: write
+ steps:
+ - name: Install pinact and ghatm
+ shell: bash
+ run: |
+ set -x
+ VERSION=1.6.0
+ TARGET=linux_amd64
+ SHA256_SUM=5562dfae2b70b9a14ba6bac99c691bec0bff41951411c713b5ea3fdbd28fbcc1
+ curl --silent --show-error --fail --connect-timeout 3 --max-time 10 --retry 3 \
+ --location --remote-name \
+ "https://github.com/suzuki-shunsuke/pinact/releases/download/v${VERSION}/pinact_${TARGET}.tar.gz"
+ echo "${SHA256_SUM} pinact_${TARGET}.tar.gz" | sha256sum -c
+ tar --extract --gzip --file "pinact_${TARGET}.tar.gz" --verbose
+ sudo install pinact /usr/local/bin/pinact
+
+ VERSION=0.3.4
+ TARGET=linux_amd64
+ SHA256_SUM=8724d5946f5f62defa01d17b5651629eb9ff47963f0d2114dd2da30c0bad7205
+ curl --silent --show-error --fail --connect-timeout 3 --max-time 10 --retry 3 \
+ --location --remote-name \
+ "https://github.com/suzuki-shunsuke/ghatm/releases/download/v${VERSION}/ghatm_${TARGET}.tar.gz"
+ echo "${SHA256_SUM} ghatm_${TARGET}.tar.gz" | sha256sum -c
+ tar --extract --gzip --file "ghatm_${TARGET}.tar.gz" --verbose
+ sudo install ghatm /usr/local/bin/ghatm
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ ref: ${{ github.head_ref }}
+ sparse-checkout: .github
+
+ - name: Run pinact lint and capture diff
+ id: pinact
+ shell: bash
+ run: |
+ set -x
+ PINACT_DIFF_FILE="$(mktemp)"
+ echo "diff_file=${PINACT_DIFF_FILE}" >> "${GITHUB_OUTPUT}"
+
+ pinact run
+
+ git diff > "${PINACT_DIFF_FILE}"
+
+ if [[ -s "${PINACT_DIFF_FILE}" ]]; then
+ echo "has_changes=true" >> "${GITHUB_OUTPUT}"
+ cat "${PINACT_DIFF_FILE}"
+ else
+ echo "has_changes=false" >> "${GITHUB_OUTPUT}"
+ fi
+
+ git reset --hard HEAD
+
+ - name: Run ghatm lint and capture diff
+ id: ghatm
+ shell: bash
+ run: |
+ set -x
+ GHATM_DIFF_FILE="$(mktemp)"
+ echo "diff_file=${GHATM_DIFF_FILE}" >> "${GITHUB_OUTPUT}"
+
+ ghatm set --timeout-minutes 5
+
+ git diff > "${GHATM_DIFF_FILE}"
+
+ if [[ -s "${GHATM_DIFF_FILE}" ]]; then
+ echo "has_changes=true" >> "${GITHUB_OUTPUT}"
+ cat "${GHATM_DIFF_FILE}"
+ else
+ echo "has_changes=false" >> "${GITHUB_OUTPUT}"
+ fi
+
+ git reset --hard HEAD
+
+ - name: Install reviewdog
+ if: steps.pinact.outputs.has_changes == 'true' || steps.ghatm.outputs.has_changes == 'true'
+ shell: bash
+ run: |
+ set -x
+ VERSION=0.20.3
+ TARGET=Linux_x86_64
+ SHA256_SUM=2c634dbc00bd4a86e4d4c47029d2af9185fab06643a9df0ae10e7c4d644781b6
+ curl --silent --show-error --fail --connect-timeout 3 --max-time 10 --retry 3 \
+ --location --remote-name \
+ "https://github.com/reviewdog/reviewdog/releases/download/v${VERSION}/reviewdog_${VERSION}_${TARGET}.tar.gz"
+ echo "${SHA256_SUM} reviewdog_${VERSION}_${TARGET}.tar.gz" | sha256sum -c
+ tar --extract --gzip --file "reviewdog_${VERSION}_${TARGET}.tar.gz" --verbose
+ sudo install reviewdog /usr/local/bin/reviewdog
+
+ - name: Report pinact suggestions with reviewdog
+ if: steps.pinact.outputs.has_changes == 'true'
+ env:
+ REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ shell: bash
+ run: |
+ set -x
+ reviewdog -f=diff -f.diff.strip=1 -name="pinact" -reporter=github-pr-review < ${{ steps.pinact.outputs.diff_file }}
+
+ - name: Report ghatm suggestions with reviewdog
+ if: steps.ghatm.outputs.has_changes == 'true'
+ env:
+ REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ shell: bash
+ run: |
+ set -x
+ reviewdog -f=diff -f.diff.strip=1 -name="ghatm" -reporter=github-pr-review < ${{ steps.ghatm.outputs.diff_file }}
diff --git a/.github/workflows/test-gha-autofix.yml b/.github/workflows/test-gha-lint.yml
similarity index 76%
rename from .github/workflows/test-gha-autofix.yml
rename to .github/workflows/test-gha-lint.yml
index 7777289..669adee 100644
--- a/.github/workflows/test-gha-autofix.yml
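Review bot: The `lint` job in gha-lint.yml still finishes green when pinact or ghatm produce a diff, because no step exits non-zero on `has_changes == 'true'` and the two `reviewdog` calls pass no fail option; with the auto-fix commit removed, an unpinned action or a missing timeout now only yields a PR comment and can be merged. If this is meant to gate merges, add a last step `- name: Fail on lint findings` with `if: steps.pinact.outputs.has_changes == 'true' || steps.ghatm.outputs.has_changes == 'true'` and `run: exit 1`. Since the job no longer pushes, the checkout step can also take `persist-credentials: false`, so the token is not left in `.git/config` while pinact and ghatm process the pull request's files. The `reviewdog` lines expand `${{ steps.*.outputs.diff_file }}` unquoted inside the script; passing the path through `env:` and redirecting from `"${DIFF_FILE}"` keeps expressions out of the shell text.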
+++ b/.github/workflows/test-gha-lint.yml @@ -10,11 +10,12 @@ on: # Manually trigger this workflow to pass required status check - ready_for_review paths: - - ".github/workflows/gha-autofix.yml" + - ".github/workflows/gha-lint.yml" + - ".github/workflows/test-gha-lint.yml" jobs: - call-gha-autofix: + call-gha-lint: permissions: - contents: write + contents: read pull-requests: write - uses: ./.github/workflows/gha-autofix.yml + uses: ./.github/workflows/gha-lint.yml secrets: inherit
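Review bot: `secrets: inherit` on the `call-gha-lint` job hands every repository and organisation secret to the called workflow, while gha-lint.yml as added in this commit only reads `secrets.GITHUB_TOKEN`. As far as I know that token is available to a reusable workflow without inheritance, so the line can probably be dropped; please confirm with a test run. The `on:` block starts outside this hunk, so the trigger type and whether fork pull requests reach this job cannot be checked from here.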