Merge pull request #47 from im-open/ITHD-239408
Update to node20 +semver:minor
cbchadb35 authored Apr 3, 2024
2 parents cefcef4 + 6d874e9 commit e87a591
Showing 4 changed files with 156 additions and 159 deletions.
37 changes: 17 additions & 20 deletions .github/workflows/build-and-review-pr.yml
Expand Up @@ -38,7 +38,7 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
fetch-depth: 0

Expand Down Expand Up @@ -103,16 +103,16 @@ jobs:

- name: Checkout
if: env.HAS_CODE_CHANGES == 'true'
uses: actions/checkout@v3
uses: actions/checkout@v4

# -----------------------------------
# Check if action has been recompiled
# -----------------------------------
- name: If action has build step - Setup Node 16.x
uses: actions/setup-node@v3
- name: If action has build step - Setup Node 20.x
uses: actions/setup-node@v4
if: env.HAS_CODE_CHANGES == 'true' && env.HAS_BUILD_STEP == 'true'
with:
node-version: 16.x
node-version: 20.x

- name: If action has build step - Build the action
if: env.HAS_CODE_CHANGES == 'true' && env.HAS_BUILD_STEP == 'true'
Expand Down Expand Up @@ -156,7 +156,7 @@ jobs:
- name: Fail the workflow if there are any outstanding changes
if: env.HAS_CODE_CHANGES == 'true' && (env.NEEDS_BUILD_COMMIT == 'true' || env.NEEDS_README_COMMIT == 'true')
id: summary
uses: actions/github-script@v6
uses: actions/github-script@v7
with:
script: |
Expand Down Expand Up @@ -224,7 +224,7 @@ jobs:
NEXT_MAJOR_VERSION_NO_PREFIX: ''

# Info for the repo we'll be testing git-version-lite against
TESTING_REPO: 'im-open/internal-repo-for-testing'
TESTING_REPO: 'im-open/internal-repo-for-testing-purple-actions'
TEST_BRANCH: 'my-test-branch'

# These is based on the fetch-depth not being set. git-version-lite starts from 0.0.0 when calculating the next version
Expand Down Expand Up @@ -252,16 +252,16 @@ jobs:

- name: Setup - Checkout testing repo in the root directory
if: always()
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
ref: main
repository: ${{ env.TESTING_REPO }}
ssh-key: ${{ secrets.SSH_KEY_TESTING_REPO }}
# fetch-depth: 0 # Do not use this because we want to test what happens when fetch-depth is not set
fetch-depth: 0

- name: Setup - Checkout this action (git-version-lite) into a 'gvl' subdirectory
if: always()
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
path: ./gvl

Expand Down Expand Up @@ -326,10 +326,7 @@ jobs:
- name: '-------------------------------------------------------------------------------------------------------'
run: echo ""

- name: When a repo has all of its tags locally
run: git fetch -t

- name: And a new version is requested with fallback-to-no-prefix set
- name: When a new version is requested with fallback-to-no-prefix set
if: always()
uses: ./gvl
id: fallback
Expand Down Expand Up @@ -396,7 +393,7 @@ jobs:
NEXT_MAJOR_VERSION_NO_PREFIX: ''

# Info for the repo we'll be testing git-version-lite against
TESTING_REPO: 'im-open/internal-repo-for-testing'
TESTING_REPO: 'im-open/internal-repo-for-testing-purple-actions'
TEST_BRANCH: 'my-test-branch'

# These NEXT tags are set based on the fetch-depth not being set, so
Expand All @@ -422,7 +419,7 @@ jobs:

- name: Setup - Checkout testing repo in the root directory
if: always()
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
ref: main
repository: ${{ env.TESTING_REPO }}
Expand All @@ -431,7 +428,7 @@ jobs:

- name: Setup - Checkout this action (git-version-lite) into a 'gvl' subdirectory
if: always()
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
path: ./gvl

Expand Down Expand Up @@ -598,7 +595,7 @@ jobs:
NEXT_MAJOR_VERSION_NO_PREFIX: ''

# Info for the repo we'll be testing git-version-lite against
TESTING_REPO: 'im-open/internal-repo-for-testing'
TESTING_REPO: 'im-open/internal-repo-for-testing-purple-actions'
TEST_BRANCH: 'my-test-branch'

# All the remaining tags are for TESTING_REPO. If anything changes tag-wise in that repo, these values need to be updated.
Expand Down Expand Up @@ -705,7 +702,7 @@ jobs:

- name: Setup - Checkout testing repo in the root directory
if: always()
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
ref: main
repository: ${{ env.TESTING_REPO }}
Expand All @@ -714,7 +711,7 @@ jobs:

- name: Setup - Checkout this action (git-version-lite) into a 'gvl' subdirectory
if: always()
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
path: ./gvl

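Review bot: The comment at the top of this test job still says the expected NEXT_* values are "based on the fetch-depth not being set" and that git-version-lite starts from 0.0.0, but the testing-repo checkout in this hunk now sets `fetch-depth: 0` (replacing the line that explicitly said not to use it) and the separate `git fetch -t` step was dropped, so the fallback test will run with the testing repo's full history and tags present. Either the expected values for this job were updated in the collapsed part of the hunk, in which case the comment is stale, or they were not, in which case the assertions no longer describe what the action will see; the hunk does not show which. Once the values are confirmed, replace the comment with `# fetch-depth: 0 is set on the testing-repo checkout below, so its existing tags are present and these expected values are relative to the latest tag in TESTING_REPO.` The env block holding the expected values starts before this hunk, and the other test jobs in this file keep the "fetch-depth not set" wording, so only this job's comment should change.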
240 changes: 120 additions & 120 deletions .github/workflows/increment-version-on-merge.yml
@@ -1,120 +1,120 @@
name: Increment Version on Merge
run-name: "${{ github.event.pull_request.merged && 'Increment version for' || 'Closing' }} PR #${{ github.event.pull_request.number }}"
on:
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
#
# GitHub's standard pull_request workflow trigger prevents write permissions and
# secrets access when the PR is from a public fork. PRs from branches and forks of
# internal/private repos are not limited the same way for the pull_request trigger.
#
# The pull_request_target trigger (which this workflow is using) relaxes some of those
# restrictions and allows PRs from public forks to have write permissions through the
# GH_TOKEN which we need in order to push new tags to the repo through this workflow.
#
# For this workflow, the elevated permissions should not be a problem because:
# • This workflow is only triggered when a PR is closed and the reusable workflow it
# calls only executes if it has been merged to the default branch. This means the PR
# has been reviewed and approved by a CODEOWNER and merged by someone with Write
# access before this workflow with its elevated permissions gets executed. Any code
# that doesn't meet our standards should be caught before it gets to this point.
# • The "Require approval for all outside collaborators" setting is set at the org-level.
# Before a workflow can execute for a PR generated by an outside collaborator, a user
# with Write access must manually approve the request to execute the workflow run.
# Prior to doing so they should have had a chance to review any changes in the PR
pull_request_target:
types: [closed]
# paths:
# Do not include specific paths here. reusable-increment-version-on-merge.yml will decide
# if this action should be incremented and if new tags should be pushed to the repo based
# on the same criteria used in the build-and-review-pr.yml workflow.


# ------------------------------------------------------------------------------------
# NOTE: This repo duplicates the reusable increment workflow in im-open/.github that
# the rest of the actions use. If changes are needed in this workflow they
# should also be made in im-open/.github. This workflow is duplicated because
# it uses the local copy of itself in the workflow which allows us to test the
# increment build with git-version-lite changes before we merge those changes.
# ------------------------------------------------------------------------------------

jobs:
increment-version:
runs-on: ubuntu-latest
env:
MERGE_TO_MAIN: 'false'

steps:
- name: Check if merge to default branch
id: merge
uses: actions/github-script@v6
with:
script: |
const defaultBranch = 'main';
const baseRef = '${{ github.event.pull_request.base.ref }}';
const merged = ${{ github.event.pull_request.merged }};
if (!merged){
console.log('PR is not merged. Skipping subsequent steps.');
core.exportVariable('MERGE_TO_MAIN', false);
return;
}
if (baseRef !== defaultBranch){
console.log(`PR is merged to ${baseRef} and not ${defaultBranch}. Skipping subsequent steps.`);
core.exportVariable('MERGE_TO_MAIN', false);
return;
}
console.log(`PR is merged to ${defaultBranch}. Proceed with subsequent steps.`);
core.exportVariable('MERGE_TO_MAIN', true);
- name: Checkout
if: env.MERGE_TO_MAIN == 'true'
uses: actions/checkout@v3

- name: If PR is merged to main - Check for code changes to the action source code
if: env.MERGE_TO_MAIN == 'true'
id: source-code
uses: im-open/did-custom-action-code-change@v1
with:
files-with-code: 'action.yml,package.json,package-lock.json'
folders-with-code: 'src,dist'
token: ${{ secrets.GITHUB_TOKEN }}

- name: If PR is merged to main - Print whether Action Source Code Changed (open for details)
if: env.MERGE_TO_MAIN == 'true'
run: |
if [ "${{ steps.source-code.outputs.HAS_CHANGES }}" == "true" ]; then
echo "This PR changes the action's source code. Proceed with subsequent steps."
else
echo "This PR does not change the action's source code. Skipping subsequent steps."
fi
- name: If PR is merged to main & PR has source code changes - Checkout
if: env.MERGE_TO_MAIN == 'true' && steps.source-code.outputs.HAS_CHANGES == 'true'
uses: actions/checkout@v3
with:
ref: main
fetch-depth: 0

- name: If PR is merged to main & PR has source code changes - Get the next version for the repo
if: env.MERGE_TO_MAIN == 'true' && steps.source-code.outputs.HAS_CHANGES == 'true'
id: version
uses: ./

- name: If PR is merged to main & PR has source code changes - Print action version (${{ steps.version.outputs.NEXT_VERSION || 'N/A'}})
if: env.MERGE_TO_MAIN == 'true' && steps.source-code.outputs.HAS_CHANGES == 'true'
run: echo "The next action version will be - ${{ steps.version.outputs.NEXT_VERSION }}"

- name: If PR is merged to main & PR has source code changes - Push tags to repo
if: env.MERGE_TO_MAIN == 'true' && steps.source-code.outputs.HAS_CHANGES == 'true'
run: |
git config user.name github-actions
git config user.email github-actions@github.com
git tag ${{ steps.version.outputs.NEXT_VERSION }} ${{ github.sha }}
git tag -f ${{ steps.version.outputs.NEXT_MAJOR_VERSION }} ${{ github.sha }}
git tag -f ${{ steps.version.outputs.NEXT_MINOR_VERSION }} ${{ github.sha }}
git push origin ${{ steps.version.outputs.NEXT_VERSION }}
git push origin ${{ steps.version.outputs.NEXT_MAJOR_VERSION }} -f
git push origin ${{ steps.version.outputs.NEXT_MINOR_VERSION }} -f
name: Increment Version on Merge
run-name: "${{ github.event.pull_request.merged && 'Increment version for' || 'Closing' }} PR #${{ github.event.pull_request.number }}"
on:
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
#
# GitHub's standard pull_request workflow trigger prevents write permissions and
# secrets access when the PR is from a public fork. PRs from branches and forks of
# internal/private repos are not limited the same way for the pull_request trigger.
#
# The pull_request_target trigger (which this workflow is using) relaxes some of those
# restrictions and allows PRs from public forks to have write permissions through the
# GH_TOKEN which we need in order to push new tags to the repo through this workflow.
#
# For this workflow, the elevated permissions should not be a problem because:
# • This workflow is only triggered when a PR is closed and the reusable workflow it
# calls only executes if it has been merged to the default branch. This means the PR
# has been reviewed and approved by a CODEOWNER and merged by someone with Write
# access before this workflow with its elevated permissions gets executed. Any code
# that doesn't meet our standards should be caught before it gets to this point.
# • The "Require approval for all outside collaborators" setting is set at the org-level.
# Before a workflow can execute for a PR generated by an outside collaborator, a user
# with Write access must manually approve the request to execute the workflow run.
# Prior to doing so they should have had a chance to review any changes in the PR
pull_request_target:
types: [closed]
# paths:
# Do not include specific paths here. reusable-increment-version-on-merge.yml will decide
# if this action should be incremented and if new tags should be pushed to the repo based
# on the same criteria used in the build-and-review-pr.yml workflow.


# ------------------------------------------------------------------------------------
# NOTE: This repo duplicates the reusable increment workflow in im-open/.github that
# the rest of the actions use. If changes are needed in this workflow they
# should also be made in im-open/.github. This workflow is duplicated because
# it uses the local copy of itself in the workflow which allows us to test the
# increment build with git-version-lite changes before we merge those changes.
# ------------------------------------------------------------------------------------

jobs:
increment-version:
runs-on: ubuntu-latest
env:
MERGE_TO_MAIN: 'false'

steps:
- name: Check if merge to default branch
id: merge
uses: actions/github-script@v7
with:
script: |
const defaultBranch = 'main';
const baseRef = '${{ github.event.pull_request.base.ref }}';
const merged = ${{ github.event.pull_request.merged }};
if (!merged){
console.log('PR is not merged. Skipping subsequent steps.');
core.exportVariable('MERGE_TO_MAIN', false);
return;
}
if (baseRef !== defaultBranch){
console.log(`PR is merged to ${baseRef} and not ${defaultBranch}. Skipping subsequent steps.`);
core.exportVariable('MERGE_TO_MAIN', false);
return;
}
console.log(`PR is merged to ${defaultBranch}. Proceed with subsequent steps.`);
core.exportVariable('MERGE_TO_MAIN', true);
- name: Checkout
if: env.MERGE_TO_MAIN == 'true'
uses: actions/checkout@v4

- name: If PR is merged to main - Check for code changes to the action source code
if: env.MERGE_TO_MAIN == 'true'
id: source-code
uses: im-open/did-custom-action-code-change@v1
with:
files-with-code: 'action.yml,package.json,package-lock.json'
folders-with-code: 'src,dist'
token: ${{ secrets.GITHUB_TOKEN }}

- name: If PR is merged to main - Print whether Action Source Code Changed (open for details)
if: env.MERGE_TO_MAIN == 'true'
run: |
if [ "${{ steps.source-code.outputs.HAS_CHANGES }}" == "true" ]; then
echo "This PR changes the action's source code. Proceed with subsequent steps."
else
echo "This PR does not change the action's source code. Skipping subsequent steps."
fi
- name: If PR is merged to main & PR has source code changes - Checkout
if: env.MERGE_TO_MAIN == 'true' && steps.source-code.outputs.HAS_CHANGES == 'true'
uses: actions/checkout@v4
with:
ref: main
fetch-depth: 0

- name: If PR is merged to main & PR has source code changes - Get the next version for the repo
if: env.MERGE_TO_MAIN == 'true' && steps.source-code.outputs.HAS_CHANGES == 'true'
id: version
uses: ./

- name: If PR is merged to main & PR has source code changes - Print action version (${{ steps.version.outputs.NEXT_VERSION || 'N/A'}})
if: env.MERGE_TO_MAIN == 'true' && steps.source-code.outputs.HAS_CHANGES == 'true'
run: echo "The next action version will be - ${{ steps.version.outputs.NEXT_VERSION }}"

- name: If PR is merged to main & PR has source code changes - Push tags to repo
if: env.MERGE_TO_MAIN == 'true' && steps.source-code.outputs.HAS_CHANGES == 'true'
run: |
git config user.name github-actions
git config user.email github-actions@github.com
git tag ${{ steps.version.outputs.NEXT_VERSION }} ${{ github.sha }}
git tag -f ${{ steps.version.outputs.NEXT_MAJOR_VERSION }} ${{ github.sha }}
git tag -f ${{ steps.version.outputs.NEXT_MINOR_VERSION }} ${{ github.sha }}
git push origin ${{ steps.version.outputs.NEXT_VERSION }}
git push origin ${{ steps.version.outputs.NEXT_MAJOR_VERSION }} -f
git push origin ${{ steps.version.outputs.NEXT_MINOR_VERSION }} -f
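Review bot: The tag-push step interpolates `${{ steps.version.outputs.NEXT_VERSION }}` (and the MAJOR/MINOR outputs) directly into `run:` shell text, and the merge-check script embeds `${{ github.event.pull_request.base.ref }}` inside a JavaScript string literal; this workflow runs on `pull_request_target` with a write-capable GITHUB_TOKEN, so any of those values containing a quote, `;` or `$(...)` would be executed rather than treated as data. The version outputs come from the local action reading tags and commit messages, so they are most likely plain version strings, but the safer pattern costs nothing: pass them through `env:` and reference `$NEXT_VERSION` / `process.env.BASE_REF`. The job also declares no `permissions:` block, so it runs with whatever the repository default grants; since it only needs to push tags, add `permissions: { contents: write }` at the job level so the token is least-privilege even if the default is later widened. The header comment says this file is a copy of the reusable workflow in im-open/.github, so the same change should be mirrored there.

```yaml
jobs:
  increment-version:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    env:
      MERGE_TO_MAIN: 'false'

    steps:
      - name: Check if merge to default branch
        id: merge
        uses: actions/github-script@v7
        env:
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        with:
          script: |
            const defaultBranch = 'main';
            const baseRef = process.env.BASE_REF;
            const merged = ${{ github.event.pull_request.merged }};
            // … unchanged: merged / baseRef checks and MERGE_TO_MAIN export …
      # … unchanged: checkout, code-change detection, version lookup, print step …
      - name: If PR is merged to main & PR has source code changes - Push tags to repo
        if: env.MERGE_TO_MAIN == 'true' && steps.source-code.outputs.HAS_CHANGES == 'true'
        env:
          NEXT_VERSION: ${{ steps.version.outputs.NEXT_VERSION }}
          NEXT_MAJOR_VERSION: ${{ steps.version.outputs.NEXT_MAJOR_VERSION }}
          NEXT_MINOR_VERSION: ${{ steps.version.outputs.NEXT_MINOR_VERSION }}
        run: |
          git config user.name github-actions
          git config user.email github-actions@github.com
          git tag "$NEXT_VERSION" "$GITHUB_SHA"
          git tag -f "$NEXT_MAJOR_VERSION" "$GITHUB_SHA"
          git tag -f "$NEXT_MINOR_VERSION" "$GITHUB_SHA"
          git push origin "$NEXT_VERSION"
          git push origin "$NEXT_MAJOR_VERSION" -f
          git push origin "$NEXT_MINOR_VERSION" -f
```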