Skip to content

Use safevalues to fix trusted types issues reported by tsec #12279

Use safevalues to fix trusted types issues reported by tsec

Use safevalues to fix trusted types issues reported by tsec #12279

# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Check Changeset
on:
pull_request:
branches:
- master
env:
GITHUB_PULL_REQUEST_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
GITHUB_PULL_REQUEST_BASE_SHA: ${{ github.event.pull_request.base.sha }}
jobs:
check_changeset:
name: Check changeset vs changed files
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@master
with:
# This makes Actions fetch all Git history so check_changeset script can diff properly.
fetch-depth: 0
- name: Set up Node (20)
uses: actions/setup-node@v3
with:
node-version: 20.x
- name: Yarn install
run: yarn
- name: Run changeset script
# pull master so changeset can diff against it
run: |
git pull -f --no-rebase origin master:master
yarn ts-node-script scripts/ci/check_changeset.ts
id: check-changeset
- name: Print changeset checker output
run: |
cat << 'eof_delimiter_that_will_never_occur_in_CHANGESET_ERROR_MESSAGE'
${{steps.check-changeset.outputs.CHANGESET_ERROR_MESSAGE}}
eof_delimiter_that_will_never_occur_in_CHANGESET_ERROR_MESSAGE
- name: Print blocking failure status
run: echo "${{steps.check-changeset.outputs.BLOCKING_FAILURE}}"
- name: Find Comment
uses: peter-evans/find-comment@v1
id: fc
with:
issue-number: ${{github.event.number}}
body-includes: Changeset File Check
- name: Create comment (missing packages)
if: ${{!steps.fc.outputs.comment-id && steps.check-changeset.outputs.CHANGESET_ERROR_MESSAGE}}
uses: peter-evans/create-or-update-comment@v1
with:
issue-number: ${{github.event.number}}
body: |
### Changeset File Check :warning:
${{steps.check-changeset.outputs.CHANGESET_ERROR_MESSAGE}}
- name: Update comment (missing packages)
if: ${{steps.fc.outputs.comment-id}}
uses: peter-evans/create-or-update-comment@v1
with:
comment-id: ${{steps.fc.outputs.comment-id}} && steps.check-changeset.outputs.CHANGESET_ERROR_MESSAGE}}
edit-mode: replace
body: |
### Changeset File Check :warning:
${{steps.check-changeset.outputs.CHANGESET_ERROR_MESSAGE}}
- name: Update comment (no missing packages)
if: ${{steps.fc.outputs.comment-id && !steps.check-changeset.outputs.CHANGESET_ERROR_MESSAGE}}
uses: peter-evans/create-or-update-comment@v1
with:
comment-id: ${{steps.fc.outputs.comment-id}}
edit-mode: replace
body: |
### Changeset File Check :white_check_mark:
- No modified packages are missing from the changeset file.
- No changeset formatting errors detected.
# Don't want it to throw before editing the comment.
- name: Fail if checker script logged a blocking failure
if: ${{steps.check-changeset.outputs.BLOCKING_FAILURE == 'true'}}
run: exit 1