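# Validates the refs used by GitHub Actions items in this repository.
#
# On pull_request, approved pull_request_review and merge_group events the job works out which
# files changed, derives the ref those items are expected to use (the base branch once the change
# is approved or queued for merge, otherwise the head branch) and passes both to verify-gha-refs.
# On a push to dev it runs verify-gha-refs with its default inputs.
#
# NOTE(review): every action is referenced at the moving `dev` ref rather than a commit SHA;
# presumably intentional for a workflow that validates that same ref - confirm.
name: Validate GitHub Actions Refs

on:
  push:
    branches:
      - dev
  pull_request:
  pull_request_review:
    types: [submitted]
  merge_group:

jobs:
  validate-gha-refs:
    # NOTE(review): no `permissions:` key is declared at workflow or job level, so GITHUB_TOKEN
    # gets the repository default scopes. Consider declaring the minimum the two check-* steps
    # need once that has been confirmed.
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout Repository (Pull & Approve/Merge PR)
        if: |
          github.event_name == 'pull_request' ||
          (github.event_name == 'pull_request_review' && github.event.review.state == 'approved') ||
          github.event_name == 'merge_group'
        uses: Lombiq/GitHub-Actions/.github/actions/checkout@dev
        with:
          # Presumably full history, so the base commit is present for the diff step below.
          fetch-depth: 0

      - name: Checkout Repository (Push)
        if: github.event_name == 'push'
        uses: Lombiq/GitHub-Actions/.github/actions/checkout@dev

      # Its added-to-merge-queue output feeds the diff-filter and expected-ref decisions below.
      - name: Check Merge Queue Adds
        id: check-merge-queue-adds
        if: github.event_name == 'pull_request' || (github.event_name == 'pull_request_review' && github.event.review.state == 'approved')
        uses: Lombiq/GitHub-Actions/.github/actions/check-merge-queue-adds@dev
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Determine Diff-Filter for Git File Changes
        id: git-diff-filter
        if: |
          github.event_name == 'pull_request' ||
          (github.event_name == 'pull_request_review' && github.event.review.state == 'approved') ||
          github.event_name == 'merge_group'
        shell: pwsh
        run: |
          $eventName = "${{ github.event_name }}"
          $mergeQueueApproved = "${{ steps.check-merge-queue-adds.outputs.added-to-merge-queue }}"
          # Presumably git --diff-filter letters (A = added, C = copied, M = modified, R = renamed,
          # T = type changed): the 'A' is left out for reviews, merge groups and queued pull requests.
          $filter = ($eventName -eq 'pull_request_review' -or $eventName -eq 'merge_group' -or ($eventName -eq 'pull_request' -and $mergeQueueApproved -eq 'True')) ? 'CMRT' : 'ACMRT'
          $output = "git-diff-filter=$filter"
          Write-Output "output=$output"
          $output >> $env:GITHUB_OUTPUT

      - name: Get Applicable Git File Changes
        id: git-diff
        if: |
          github.event_name == 'pull_request' ||
          (github.event_name == 'pull_request_review' && github.event.review.state == 'approved') ||
          github.event_name == 'merge_group'
        uses: Lombiq/GitHub-Actions/.github/actions/get-changed-files-from-git-diff@dev
        with:
          # Merge groups carry their own base SHA; every other event here uses the pull request's.
          left-commit: ${{ github.event_name == 'merge_group' && github.event.merge_group.base_sha || github.event.pull_request.base.sha }}
          right-commit: ${{ github.sha }}
          diff-filter: ${{ steps.git-diff-filter.outputs.git-diff-filter }}

      - name: Get GitHub Actions Item Changes from File Changes
        id: changed-items
        if: |
          github.event_name == 'pull_request' ||
          (github.event_name == 'pull_request_review' && github.event.review.state == 'approved') ||
          github.event_name == 'merge_group'
        uses: Lombiq/GitHub-Actions/.github/actions/get-changed-gha-items@dev
        with:
          file-include-list: ${{ steps.git-diff.outputs.changed-files }}

      - name: Prefix File Names with Owner/Repo Name
        id: add-prefix
        if: |
          github.event_name == 'pull_request' ||
          (github.event_name == 'pull_request_review' && github.event.review.state == 'approved') ||
          github.event_name == 'merge_group'
        shell: pwsh
        # NOTE(review): changed-items is expanded into the script below as PowerShell source, not
        # as data. It is presumably an array literal built from changed file paths, which the pull
        # request author controls - confirm the producing action quotes or restricts those names,
        # or pass the value through `env:` and parse it instead.
        run: |
          $prefix = "${{ github.repository }}"
          $files = ${{ steps.changed-items.outputs.changed-items }}
          $files = $files.ForEach({ Join-Path -Path $prefix -ChildPath $PSItem })
          # Emitted as a PowerShell array literal; an empty list becomes '@()', which the verify
          # step's condition tests for.
          $output = "prefixed-files=@(" + $($files | Join-String -DoubleQuote -Separator ',') + ")"
          Write-Output "output=$output"
          $output >> $env:GITHUB_OUTPUT

      # Its last-review-approved output feeds the expected-ref decision below.
      - name: Check PR Reviews
        id: check-pr-reviews
        if: github.event_name == 'pull_request' || (github.event_name == 'pull_request_review' && github.event.review.state == 'approved')
        uses: Lombiq/GitHub-Actions/.github/actions/check-pull-request-reviews@dev
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Determine Expected Ref for GitHub Actions Files
        id: determine-ref
        if: |
          github.event_name == 'pull_request' ||
          (github.event_name == 'pull_request_review' && github.event.review.state == 'approved') ||
          github.event_name == 'merge_group'
        shell: pwsh
        # Branch names are chosen by whoever opens the pull request, so they reach the script as
        # environment variables (data) instead of being expanded into the script text, where
        # quotes or `$(...)` in a name would be parsed as PowerShell.
        env:
          MERGE_GROUP_HEAD_REF: ${{ github.event.merge_group.head_ref }}
          MERGE_GROUP_BASE_REF: ${{ github.event.merge_group.base_ref }}
          REVIEW_HEAD_REF: ${{ github.event.pull_request.head.ref }}
          REVIEW_BASE_REF: ${{ github.event.pull_request.base.ref }}
          PULL_REQUEST_HEAD_REF: ${{ github.head_ref }}
          PULL_REQUEST_BASE_REF: ${{ github.base_ref }}
        run: |
          $eventName = "${{ github.event_name }}"
          # The [string] casts turn an empty or unset variable into '' rather than $null.
          if ($eventName -eq 'merge_group') {
            $headRef = [string]$env:MERGE_GROUP_HEAD_REF
            $baseRef = [string]$env:MERGE_GROUP_BASE_REF
            # For merge group context, the refs are the full path rather than just the branch name, so adjust.
            $headRef = $headRef.replace('refs/heads/', '')
            $baseRef = $baseRef.replace('refs/heads/', '')
          }
          elseif ($eventName -eq 'pull_request_review') {
            $headRef = [string]$env:REVIEW_HEAD_REF
            $baseRef = [string]$env:REVIEW_BASE_REF
          }
          else {
            $headRef = [string]$env:PULL_REQUEST_HEAD_REF
            $baseRef = [string]$env:PULL_REQUEST_BASE_REF
          }
          $lastReviewApproved = "${{ steps.check-pr-reviews.outputs.last-review-approved }}"
          $mergeQueueApproved = "${{ steps.check-merge-queue-adds.outputs.added-to-merge-queue }}"
          # Approved or queued changes are expected to reference the base branch; anything else
          # the head branch. Ternary operator syntax available starting in PowerShell 7.0.
          $expectedRef = (
            $lastReviewApproved -eq 'True' -or
            $eventName -eq 'merge_group' -or
            ($eventName -eq 'pull_request' -and $mergeQueueApproved -eq 'True')
          ) ? $baseRef : $headRef
          $output = "expected-ref=$expectedRef"
          $output >> $env:GITHUB_OUTPUT

      # Skipped when the prefixed list is the empty array literal, i.e. no items changed.
      - name: Verify GitHub Actions Items Match Expected Ref (Pull & Approve/Merge PR)
        if: |
          (github.event_name == 'pull_request' ||
          (github.event_name == 'pull_request_review' && github.event.review.state == 'approved') ||
          github.event_name == 'merge_group') &&
          steps.add-prefix.outputs.prefixed-files != '@()'
        uses: Lombiq/GitHub-Actions/.github/actions/verify-gha-refs@dev
        with:
          called-repo-base-include-list: ${{ steps.add-prefix.outputs.prefixed-files }}
          expected-ref: ${{ steps.determine-ref.outputs.expected-ref }}

      # On push no inputs are passed, so the action runs with its defaults.
      - name: Verify GitHub Actions Items Match Expected Ref (Push)
        if: github.event_name == 'push'
        uses: Lombiq/GitHub-Actions/.github/actions/verify-gha-refs@dev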