Semver checks example PR #40
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This workflow tests semver compatibilty. | |
# For PRs it checks if PR makes any API breaking changes, and assings appropriate label if so. | |
name: Semver checks | |
on: | |
pull_request_target: | |
branches: | |
- main | |
- 'branch-*' | |
# Just to test the PR | |
- semver-checks | |
push: | |
tags: | |
- v*.*.* | |
env: | |
CARGO_TERM_COLOR: always | |
RUST_BACKTRACE: full | |
PR_BASE: ${{ github.event.pull_request.base.sha }} | |
PR_HEAD: ${{ github.event.pull_request.head.sha }} | |
PR_ID: ${{ github.event.number }} | |
jobs: | |
semver-pull-request-check: | |
runs-on: ubuntu-latest | |
if: github.event_name == 'pull_request_target' | |
# Disable all permissions | |
# This is important, because this job runs on untrusted input from | |
# the user and it's possible for the user to take over the job, | |
# for example by adding malicious build.rs file. If the job had, | |
# for example, `pull_requests: write` permission, malicous user | |
# could do us a lot of harm. This is also the reason that there are | |
# 2 jobs - it's so that it's not possible to take over a job that | |
# has permissions. | |
permissions: {} | |
timeout-minutes: 30 | |
outputs: | |
exitcode: ${{ steps.semver-pr-check.outputs.exitcode }} | |
output: ${{ steps.semver-pr-check.outputs.output }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: "2" | |
ref: "refs/pull/${{ env.PR_ID }}/merge" | |
# Check if there was another push before this job started. | |
# If there was, wrong commit would be checked out. | |
- name: Sanity check | |
run: | | |
[[ "$(git rev-parse 'HEAD^2')" == "$PR_HEAD" ]] | |
# I don't know any way to do this using checkout action | |
- name: Fetch PR base | |
run: git fetch origin "$PR_BASE" | |
- name: Install semver-checks | |
# Official action uses binary releases fetched from GitHub | |
# If this pipeline becomes too slow, we should do this too | |
run: cargo install cargo-semver-checks --no-default-features | |
- name: Verify the API compatibilty with PR base | |
id: semver-pr-check | |
run: | | |
set +e | |
echo "output<<SEMVER_STDOUT_EOF" >> $GITHUB_OUTPUT | |
make semver-rev rev="$PR_BASE" |& tee -a $GITHUB_OUTPUT | |
exitcode=${PIPESTATUS[0]} | |
echo "SEMVER_STDOUT_EOF" >> $GITHUB_OUTPUT | |
echo "exitcode=$exitcode" >> $GITHUB_OUTPUT | |
exit "$exitcode" | |
continue-on-error: true | |
semver-pull-request-label: | |
runs-on: ubuntu-latest | |
if: github.event_name == 'pull_request_target' | |
permissions: | |
pull-requests: write | |
needs: semver-pull-request-check | |
timeout-minutes: 3 | |
steps: | |
- name: Remove breaking label on success | |
run: gh pr edit "$PR_ID" --remove-label semver-checks-breaking | |
if: needs.semver-pull-request-check.outputs.exitcode == '0' | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GH_REPO: ${{ github.repository }} | |
- name: Add breaking label on failure | |
run: gh pr edit "$PR_ID" --add-label semver-checks-breaking | |
if: needs.semver-pull-request-check.outputs.exitcode != '0' | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GH_REPO: ${{ github.repository }} | |
- name: Post report on semver break | |
run: | | |
gh pr comment "$PR_ID" --body "\ | |
\`cargo semver-checks\` detected some API incompatibilities in this PR. | |
See the following report for details: | |
<details> | |
<summary>cargo semver-checks output</summary> | |
\`\`\` | |
$SEMVER_OUTPUT | |
\`\`\` | |
</details> | |
" | |
if: needs.semver-pull-request-check.outputs.exitcode != '0' | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GH_REPO: ${{ github.repository }} | |
SEMVER_OUTPUT: ${{ needs.semver-pull-request-check.outputs.output }} | |
semver-push-tag: | |
runs-on: ubuntu-latest | |
if: github.event_name == 'push' | |
timeout-minutes: 30 | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Install semver-checks | |
run: cargo install cargo-semver-checks --no-default-features | |
- name: Verify that's it's safe to publish the version. | |
run: make semver-version |