-
Notifications
You must be signed in to change notification settings - Fork 1
185 lines (157 loc) · 9.15 KB
/
build-and-review-pr.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
name: Build and Review PR
run-name: 'Build and Review PR #${{ github.event.pull_request.number }}'
on:
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
#
# This workflow uses the pull_request trigger which prevents write permissions on the
# GH_TOKEN and secrets access from public forks. This should remain as a pull_request
# trigger to minimize the access public forks have in the repository. The reduced
# permissions are adequate but do mean that re-compiles and readme changes will have to be
# made manually by the PR author. These auto-updates could be done by this workflow
# for branches but in order to re-trigger a PR build (which is needed for status checks),
# we would make the commits with a different user and their PAT. To minimize exposure
# and complication we will request those changes be manually made by the PR author.
pull_request:
types: [opened, synchronize, reopened]
# paths:
# Do not include specific paths here. We always want this build to run and produce a
# status check which are branch protection rules can use. If this is skipped because of
# path filtering, a status check will not be created and we won't be able to merge the PR
# without disabling that requirement. If we have a status check that is always produced,
# we can also use that to require all branches be up to date before they are merged.
jobs:
build-and-review-pr:
# This reusable workflow will check to see if an action's source code has changed based on
# whether the PR includes files that match the files-with-code arg or are in one of the
# dirs-with-code directories. If there are source code changes, this reusable workflow
# will then run the action's build (if one was provided) and update the README.md with the
# the latest version of the action. If those two steps result in any changes that need to
# be committed, the workflow will fail because the PR needs some updates. Instructions for
# updating the PR will be available in the build log, the workflow summary and as a PR
# comment if the PR came from a branch (not a fork).
# This workflow assumes:
# - The main README.md is at the root of the repo
# - The README contains a contribution guidelines and usage examples section
uses: im-open/.github/.github/workflows/reusable-build-and-review-pr.yml@v1
with:
action-name: ${{ github.repository }}
default-branch: main
readme-name: 'README.md'
# The id of the contribution guidelines section of the README.md
readme-contribution-id: '#contributing'
# The id of the usage examples section of the README.md
readme-examples-id: '#usage-examples'
# The files that contain source code for the action. Only files that affect the action's execution
# should be included like action.yml or package.json. Do not include files like README.md or .gitignore.
# Files do not need to be explicitly provided here if they fall under one of the dirs in dirs-with-code.
# ** This value must match the same files-with-code argument specified in increment-version-on-merge.yml.
files-with-code: 'action.yml,package.json,package-lock.json'
# The directories that contain source code for the action. Only dirs with files that affect the action's
# execution should be included like src or dist. Do not include dirs like .github or node_modules.
# ** This value must match the same dirs-with-code argument specified in increment-version-on-merge.yml.
dirs-with-code: 'src,dist'
# The npm script to run to build the action. This is typically 'npm run build' if the
# action needs to be compiled. For composite-run-steps actions this is typically empty.
build-command: 'npm run build'
test:
runs-on: ubuntu-latest
env:
COMMITISH: '77564a921ca7aa4028d563cc14799df040ed4133' # v1.1.3
UPLOAD_TAG: ''
ASSET_NAME: 'test asset'
steps:
#--------------------------------------
# SETUP
#--------------------------------------
- name: Fail test job if fork
run: |
if [ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]; then
echo "This test job requires write scopes on GITHUB_TOKEN that PRs from forks will not have access to. Before this PR can be merged, the tests should be run on an intermediate branch created by repository owners."
exit 1
fi
- name: '-------------------------------------------------------------------------------------------------------'
run: echo ""
- name: Setup - Checkout the action
uses: actions/checkout@v4
- name: Setup - Dynamically generate tags for each of the scenarios to use with their release
run: |
tag=$(date +'%Y%m%d%H%M%S')
echo "UPLOAD_TAG=uploadTest_$tag" >> $GITHUB_ENV
- name: Setup - Create a release
uses: im-open/create-release@v3
id: release
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
tag-name: ${{ env.UPLOAD_TAG }}
commitish: ${{ env.COMMITISH }}
#--------------------------------------
# UPLOAD TO EXISTING RELEASE
#--------------------------------------
- name: '-------------------------------------------------------------------------------------------------------'
run: echo ""
- name: When uploading an asset to a release that exists
uses: ./
if: always()
id: upload
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
upload-url: ${{ steps.release.outputs.asset-upload-url }}
asset-path: './test/files/test-asset.txt'
asset-name: ${{ env.ASSET_NAME }}
asset-content-type: 'application/text'
- name: Then the outcome should be success
if: always()
run: ./test/assert-values-match.sh --name "step outcome" --expected "success" --actual "${{ steps.upload.outcome }}"
- name: And the asset should exist
if: always()
id: actual
uses: actions/github-script@v7
with:
script: |
const assertAssetExists = require('./test/assert-asset-exists.js');
const releaseId = '${{ steps.release.outputs.release-id }}';
const assetName = '${{ env.ASSET_NAME }}';
const actualRelease = await assertAssetExists(github, core, releaseId, assetName);
- name: And the asset download url should match the action output
if: always()
run: ./test/assert-values-match.sh --name "asset download url" --expected "${{ steps.upload.outputs.asset-browser-download-url }}" --actual "${{ steps.actual.outputs.ACTUAL_BROWSER_DOWNLOAD_URL }}"
#----------------------------------------
# UPLOAD TO A RELEASE THAT DOES NOT EXIST
#----------------------------------------
- name: '-------------------------------------------------------------------------------------------------------'
run: echo ""
- name: When uploading an asset to a release that does not exist
uses: ./
if: always()
id: non-existent
continue-on-error: true # This is needed because we expect the step to fail. We need it to "pass" in order for the test job to succeed.
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
upload-url: 'https://uploads.github.com/repos/im-open/upload-release-asset/releases/999999999/assets{?name,label}'
asset-path: './test/files/test-asset.txt'
asset-name: ${{ env.ASSET_NAME }}
asset-content-type: 'application/text'
- name: Then the outcome should be failure
if: always()
run: ./test/assert-values-match.sh --name "step outcome" --expected "failure" --actual "${{ steps.non-existent.outcome }}"
- name: And the action output should be undefined
if: always()
run: ./test/assert-values-match.sh --name "asset download url" --expected "" --actual "${{ steps.non-existent.outputs.asset-browser-download-url }}"
#--------------------------------------
# TEARDOWN
#--------------------------------------
- name: '-------------------------------------------------------------------------------------------------------'
run: echo ""
- name: Teardown - Cleanup all the releases by deleting them
if: always()
uses: actions/github-script@v7
with:
script: |
// Not all of these will end up with a tag and a release, but run them all just in case any of the tests
// fail unexpectedly. We don't want a bunch of test releases and tags cluttering up the real thing.
const deleteReleaseFromGitHub = require('./test/teardown/delete-release-from-github.js')
await deleteReleaseFromGitHub(github, core, '${{ steps.release.outputs.release-id }}');
const deleteTagFromGitHub = require('./test/teardown/delete-tag-from-github.js')
await deleteTagFromGitHub(github, core, '${{ env.UPLOAD_TAG }}');
- name: '-------------------------------------------------------------------------------------------------------'
run: echo ""