From daa510119f261407fa22dd993f1fa108ecb11fd4 Mon Sep 17 00:00:00 2001
From: Taiki Ono
Date: Fri, 25 Apr 2025 15:27:40 +0900
Subject: [PATCH 1/6] No autofix
Signed-off-by: Taiki Ono
---
 .github/workflows/gha-autofix.yml | 77 ------------
 .github/workflows/gha-lint.yml | 114 ++++++++++++++++++
 ...test-gha-autofix.yml => test-gha-lint.yml} | 11 +-
 3 files changed, 120 insertions(+), 82 deletions(-)
 delete mode 100644 .github/workflows/gha-autofix.yml
 create mode 100644 .github/workflows/gha-lint.yml
 rename .github/workflows/{test-gha-autofix.yml => test-gha-lint.yml} (73%)
diff --git a/.github/workflows/gha-autofix.yml b/.github/workflows/gha-autofix.yml
deleted file mode 100644
index bcd39a5..0000000
--- a/.github/workflows/gha-autofix.yml
+++ /dev/null
@@ -1,77 +0,0 @@
-name: Auto fix for GHA workflow files
-on: workflow_call
-jobs:
- auto-fix:
- timeout-minutes: 5
- runs-on: ubuntu-latest
- if: github.event.pull_request.draft == false
- permissions:
- contents: write
- pull-requests: write
- steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- ref: ${{ github.head_ref }}
- sparse-checkout: .github
- fetch-depth: 2 # we need history to get previous commit
- - name: Install pinact
- shell: bash
- run: |
- set -x
- VERSION=1.6.0
- TARGET=linux_amd64
- SHA256_SUM=5562dfae2b70b9a14ba6bac99c691bec0bff41951411c713b5ea3fdbd28fbcc1
- curl --silent --show-error --fail --connect-timeout 3 --max-time 10 --retry 3 \
- --location --remote-name \
- "https://github.com/suzuki-shunsuke/pinact/releases/download/v${VERSION}/pinact_${TARGET}.tar.gz"
- echo "${SHA256_SUM} pinact_${TARGET}.tar.gz" | sha256sum -c
- tar --extract --gzip --file "pinact_${TARGET}.tar.gz" --verbose
- sudo install pinact /usr/local/bin/pinact
- - name: Install ghatm
- shell: bash
- run: |
- set -x
- VERSION=0.3.4
- TARGET=linux_amd64
- SHA256_SUM=8724d5946f5f62defa01d17b5651629eb9ff47963f0d2114dd2da30c0bad7205
- curl --silent --show-error --fail --connect-timeout 3 --max-time 10 --retry 3 \
- --location --remote-name \
- "https://github.com/suzuki-shunsuke/ghatm/releases/download/v${VERSION}/ghatm_${TARGET}.tar.gz"
- echo "${SHA256_SUM} ghatm_${TARGET}.tar.gz" | sha256sum -c
- tar --extract --gzip --file "ghatm_${TARGET}.tar.gz" --verbose
- sudo install ghatm /usr/local/bin/ghatm
- - name: Run linters
- shell: bash
- run: |
- set -x
- # Run pinact to pin GitHub Action versions
- pinact run
- # Run ghatm to set timeout-minutes
- ghatm set --timeout-minutes 5
- - name: Run git diff
- id: diff
- run: git diff --name-only --exit-code
- continue-on-error: true
- - name: Commit and push if fmt changes code
- if: steps.diff.outcome == 'failure'
- env:
- URL: ${{ github.event.pull_request.html_url }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- set -x
- message='gha-autofix: Auto fix GHA workflow files'
- prev_message="$(git log -1 --pretty=format:'%s')"
-
- if [ "${prev_message}" = "${message}" ]; then
- echo "Detect auto generated commit-push loop"
- exit 1
- else
- git config user.name github-actions[bot]
- # Use this email to show icon in commit view.
- git config user.email github-actions[bot]@users.noreply.github.com
- git add .
- git commit -m "${message}"
- git push
-
- gh pr comment --body 'Commits pushed by bot. Trigger CI jobs by "making this PR draft then ready-for-review again" or "pushing an empty commit" or "updating branch".' "${URL}"
- fi
diff --git a/.github/workflows/gha-lint.yml b/.github/workflows/gha-lint.yml
new file mode 100644
index 0000000..8ceeb81
--- /dev/null
+++ b/.github/workflows/gha-lint.yml
@@ -0,0 +1,114 @@
+name: Lint GHA workflow files
+on: workflow_call
+jobs:
+ lint:
+ timeout-minutes: 5
+ runs-on: ubuntu-latest
+ if: github.event.pull_request.draft == false
+ permissions:
+ contents: read
+ checks: write
+ steps:
+ - name: Install pinact and ghatm
+ shell: bash
+ run: |
+ set -x
+ VERSION=1.6.0
+ TARGET=linux_amd64
+ SHA256_SUM=5562dfae2b70b9a14ba6bac99c691bec0bff41951411c713b5ea3fdbd28fbcc1
+ curl --silent --show-error --fail --connect-timeout 3 --max-time 10 --retry 3 \
+ --location --remote-name \
+ "https://github.com/suzuki-shunsuke/pinact/releases/download/v${VERSION}/pinact_${TARGET}.tar.gz"
+ echo "${SHA256_SUM} pinact_${TARGET}.tar.gz" | sha256sum -c
+ tar --extract --gzip --file "pinact_${TARGET}.tar.gz" --verbose
+ sudo install pinact /usr/local/bin/pinact
+
+ VERSION=0.3.4
+ TARGET=linux_amd64
+ SHA256_SUM=8724d5946f5f62defa01d17b5651629eb9ff47963f0d2114dd2da30c0bad7205
+ curl --silent --show-error --fail --connect-timeout 3 --max-time 10 --retry 3 \
+ --location --remote-name \
+ "https://github.com/suzuki-shunsuke/ghatm/releases/download/v${VERSION}/ghatm_${TARGET}.tar.gz"
+ echo "${SHA256_SUM} ghatm_${TARGET}.tar.gz" | sha256sum -c
+ tar --extract --gzip --file "ghatm_${TARGET}.tar.gz" --verbose
+ sudo install ghatm /usr/local/bin/ghatm
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ ref: ${{ github.head_ref }}
+ sparse-checkout: .github
+
+ - name: Run pinact lint and capture diff
+ id: pinact
+ shell: bash
+ run: |
+ set -x
+ PINACT_DIFF_FILE="$(mktemp)"
+ echo "diff_file=${PINACT_DIFF_FILE}" >> "${GITHUB_OUTPUT}"
+
+ pinact run
+
+ git diff > "${PINACT_DIFF_FILE}"
+
+ if [[ -s "${PINACT_DIFF_FILE}" ]]; then
+ echo "has_changes=true" >> "${GITHUB_OUTPUT}"
+ cat "${PINACT_DIFF_FILE}"
+ else
+ echo "has_changes=false" >> "${GITHUB_OUTPUT}"
+ fi
+
+ git reset --hard HEAD
+
+ - name: Run ghatm lint and capture diff
+ id: ghatm
+ shell: bash
+ run: |
+ set -x
+ GHATM_DIFF_FILE="$(mktemp)"
+ echo "diff_file=${GHATM_DIFF_FILE}" >> "${GITHUB_OUTPUT}"
+
+ ghatm set --timeout-minutes 5
+
+ git diff > "${GHATM_DIFF_FILE}"
+
+ if [[ -s "${GHATM_DIFF_FILE}" ]]; then
+ echo "has_changes=true" >> "${GITHUB_OUTPUT}"
+ cat "${GHATM_DIFF_FILE}"
+ else
+ echo "has_changes=false" >> "${GITHUB_OUTPUT}"
+ fi
+
+ git reset --hard HEAD
+
+ - name: Install reviewdog
+ if: steps.pinact.outputs.has_changes == 'true' || steps.ghatm.outputs.has_changes == 'true'
+ shell: bash
+ run: |
+ set -x
+ VERSION=0.20.3
+ TARGET=Linux_x86_64
+ SHA256_SUM=2c634dbc00bd4a86e4d4c47029d2af9185fab06643a9df0ae10e7c4d644781b6
+ curl --silent --show-error --fail --connect-timeout 3 --max-time 10 --retry 3 \
+ --location --remote-name \
+ "https://github.com/reviewdog/reviewdog/releases/download/v${VERSION}/reviewdog_${VERSION}_${TARGET}.tar.gz"
+ echo "${SHA256_SUM} reviewdog_${VERSION}_${TARGET}.tar.gz" | sha256sum -c
+ tar --extract --gzip --file "reviewdog_${VERSION}_${TARGET}.tar.gz" --verbose
+ sudo install reviewdog /usr/local/bin/reviewdog
+
+ - name: Report pinact suggestions with reviewdog
+ if: steps.pinact.outputs.has_changes == 'true'
+ env:
+ REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ shell: bash
+ run: |
+ set -x
+ reviewdog -f=diff -f.diff.strip=1 -name="pinact" -reporter=github-pr-review < ${{ steps.pinact.outputs.diff_file }}
+
+ - name: Report ghatm suggestions with reviewdog
+ if: steps.ghatm.outputs.has_changes == 'true'
+ env:
+ REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ shell: bash
+ run: |
+ set -x
+ reviewdog -f=diff -f.diff.strip=1 -name="ghatm" -reporter=github-pr-review < ${{ steps.ghatm.outputs.diff_file }}
diff --git a/.github/workflows/test-gha-autofix.yml b/.github/workflows/test-gha-lint.yml
similarity index 73%
rename from .github/workflows/test-gha-autofix.yml
rename to .github/workflows/test-gha-lint.yml
index 7777289..eeb930a 100644
--- a/.github/workflows/test-gha-autofix.yml
+++ b/.github/workflows/test-gha-lint.yml
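Review bot: The `lint` job in the new gha-lint.yml looks like it stays green when pinact or ghatm find something to fix: both lint steps only record `has_changes` and then run `git reset --hard HEAD`, and the two report steps call reviewdog with no failure option, so an unpinned action is commented on but, as far as this hunk shows, not blocked. The removed autofix job enforced pinning by committing the result, so if this check is meant to act as a gate, add a last step with `if: steps.pinact.outputs.has_changes == 'true' || steps.ghatm.outputs.has_changes == 'true'` and `run: exit 1`. The checkout step could also set `persist-credentials: false`, since the downloaded pinact and ghatm binaries then run inside the work tree and nothing later in the job pushes.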
@@ -10,11 +10,12 @@ on:
 # Manually trigger this workflow to pass required status check
 - ready_for_review
 paths:
- - ".github/workflows/gha-autofix.yml"
+ - ".github/workflows/gha-lint.yml"
+ - ".github/workflows/test-gha-lint.yml"
 jobs:
- call-gha-autofix:
+ call-gha-lint:
 permissions:
- contents: write
- pull-requests: write
- uses: ./.github/workflows/gha-autofix.yml
+ contents: read
+ checks: write
+ uses: ./.github/workflows/gha-lint.yml
 secrets: inherit
From 83c79980651e961415921bb5690ef8480ebeef1e Mon Sep 17 00:00:00 2001
From: Taiki Ono
Date: Fri, 25 Apr 2025 15:51:01 +0900
Subject: [PATCH 2/6] Test commit
Signed-off-by: Taiki Ono
---
 .github/workflows/gha-lint.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/gha-lint.yml b/.github/workflows/gha-lint.yml
index 8ceeb81..f1a4d2c 100644
--- a/.github/workflows/gha-lint.yml
+++ b/.github/workflows/gha-lint.yml
@@ -2,7 +2,6 @@ name: Lint GHA workflow files
 on: workflow_call
 jobs:
 lint:
- timeout-minutes: 5
 runs-on: ubuntu-latest
 if: github.event.pull_request.draft == false
 permissions:
@@ -33,7 +32,7 @@ jobs:
 tar --extract --gzip --file "ghatm_${TARGET}.tar.gz" --verbose
 sudo install ghatm /usr/local/bin/ghatm
 
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@v4
 with:
 ref: ${{ github.head_ref }}
 sparse-checkout: .github
From aa21ad17c49091f0d9a09b895716ab6c817c50c1 Mon Sep 17 00:00:00 2001
From: Taiki Ono
Date: Fri, 25 Apr 2025 15:53:22 +0900
Subject: [PATCH 3/6] Correct reporter
Signed-off-by: Taiki Ono
---
 .github/workflows/gha-lint.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/gha-lint.yml b/.github/workflows/gha-lint.yml
index f1a4d2c..294c78c 100644
--- a/.github/workflows/gha-lint.yml
+++ b/.github/workflows/gha-lint.yml
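Review bot: In test-gha-lint.yml (PATCH 1/6), `secrets: inherit` stays on the `call-gha-lint` job although the gha-lint.yml added in the same patch reads only `secrets.GITHUB_TOKEN`. Inheriting makes every secret the caller can see available to a job that runs three downloaded binaries, which is wider than the `contents: read` / `checks: write` scope set just above it suggests. Consider dropping the line or passing named secrets explicitly; to my knowledge the automatic token reaches a called workflow without `inherit`, but confirm that with a test run before removing it.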
@@ -101,7 +101,7 @@ jobs:
 shell: bash
 run: |
 set -x
- reviewdog -f=diff -f.diff.strip=1 -name="pinact" -reporter=github-pr-review < ${{ steps.pinact.outputs.diff_file }}
+ reviewdog -f=diff -f.diff.strip=1 -name="pinact" -reporter=github-pr-check < ${{ steps.pinact.outputs.diff_file }}
 
 - name: Report ghatm suggestions with reviewdog
 if: steps.ghatm.outputs.has_changes == 'true'
@@ -110,4 +110,4 @@ jobs:
 shell: bash
 run: |
 set -x
- reviewdog -f=diff -f.diff.strip=1 -name="ghatm" -reporter=github-pr-review < ${{ steps.ghatm.outputs.diff_file }}
+ reviewdog -f=diff -f.diff.strip=1 -name="ghatm" -reporter=github-pr-check < ${{ steps.ghatm.outputs.diff_file }}
From a7c76006e9b9f8ee1b7999433cc914b5e65def79 Mon Sep 17 00:00:00 2001
From: Taiki Ono
Date: Fri, 25 Apr 2025 15:55:17 +0900
Subject: [PATCH 4/6] Suggestion only works in review reporter
Signed-off-by: Taiki Ono
---
 .github/workflows/gha-lint.yml | 6 +++---
 .github/workflows/test-gha-lint.yml | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/gha-lint.yml b/.github/workflows/gha-lint.yml
index 294c78c..64bfd1a 100644
--- a/.github/workflows/gha-lint.yml
+++ b/.github/workflows/gha-lint.yml
@@ -6,7 +6,7 @@ jobs:
 if: github.event.pull_request.draft == false
 permissions:
 contents: read
- checks: write
+ pull-requests: write
 steps:
 - name: Install pinact and ghatm
 shell: bash
@@ -101,7 +101,7 @@ jobs:
 shell: bash
 run: |
 set -x
- reviewdog -f=diff -f.diff.strip=1 -name="pinact" -reporter=github-pr-check < ${{ steps.pinact.outputs.diff_file }}
+ reviewdog -f=diff -f.diff.strip=1 -name="pinact" -reporter=github-pr-review < ${{ steps.pinact.outputs.diff_file }}
 
 - name: Report ghatm suggestions with reviewdog
 if: steps.ghatm.outputs.has_changes == 'true'
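Review bot: In PATCH 4/6 the re-added pinact report line ends in `< ${{ steps.pinact.outputs.diff_file }}`, which pastes a step output into the script text unquoted, in the same job that this patch gives `pull-requests: write`; the ghatm line in the following hunk does the same. The value comes from `mktemp` today, so this is hardening rather than a live bug, but the expression is expanded before bash parses the script, so any later change to how `diff_file` is produced would land directly in the command line. Pass it through the environment instead: add `DIFF_FILE: ${{ steps.pinact.outputs.diff_file }}` under the step's `env:` and redirect with `< "${DIFF_FILE}"`. The step starts above the hunk, so its `env:` block is not visible here.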
@@ -110,4 +110,4 @@ jobs:
 shell: bash
 run: |
 set -x
- reviewdog -f=diff -f.diff.strip=1 -name="ghatm" -reporter=github-pr-check < ${{ steps.ghatm.outputs.diff_file }}
+ reviewdog -f=diff -f.diff.strip=1 -name="ghatm" -reporter=github-pr-review < ${{ steps.ghatm.outputs.diff_file }}
diff --git a/.github/workflows/test-gha-lint.yml b/.github/workflows/test-gha-lint.yml
index eeb930a..669adee 100644
--- a/.github/workflows/test-gha-lint.yml
+++ b/.github/workflows/test-gha-lint.yml
@@ -16,6 +16,6 @@ jobs:
 call-gha-lint:
 permissions:
 contents: read
- checks: write
+ pull-requests: write
 uses: ./.github/workflows/gha-lint.yml
 secrets: inherit
From 08c01197d0af1a6224131362270abe6841a076dd Mon Sep 17 00:00:00 2001
From: Taiki Ono
Date: Fri, 25 Apr 2025 15:56:18 +0900
Subject: [PATCH 5/6] Update .github/workflows/gha-lint.yml
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
---
 .github/workflows/gha-lint.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/gha-lint.yml b/.github/workflows/gha-lint.yml
index 64bfd1a..ec9ecee 100644
--- a/.github/workflows/gha-lint.yml
+++ b/.github/workflows/gha-lint.yml
@@ -32,7 +32,7 @@ jobs:
 tar --extract --gzip --file "ghatm_${TARGET}.tar.gz" --verbose
 sudo install ghatm /usr/local/bin/ghatm
 
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 ref: ${{ github.head_ref }}
 sparse-checkout: .github
From 1756d0167c9bd9e44559328c7d6074eedef04594 Mon Sep 17 00:00:00 2001
From: Taiki Ono
Date: Fri, 25 Apr 2025 15:56:25 +0900
Subject: [PATCH 6/6] Update .github/workflows/gha-lint.yml
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
---
 .github/workflows/gha-lint.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/gha-lint.yml b/.github/workflows/gha-lint.yml
index ec9ecee..c821b60 100644
--- a/.github/workflows/gha-lint.yml
+++ b/.github/workflows/gha-lint.yml
@@ -2,6 +2,7 @@ name: Lint GHA workflow files
 on: workflow_call
 jobs:
 lint:
+ timeout-minutes: 5
 runs-on: ubuntu-latest
 if: github.event.pull_request.draft == false
 permissions: