Skip to content

[Snyk] Security upgrade node from 16.2.0-alpine to 16.20.2-alpine #401

[Snyk] Security upgrade node from 16.2.0-alpine to 16.20.2-alpine

[Snyk] Security upgrade node from 16.2.0-alpine to 16.20.2-alpine #401

name: Check for unallowed internal changes
# **What it does**: If someone changes app.json or search indexes, we fail the check.
# **Why we have it**: app.json should rarely be edited, so we'll require an admin merge if the file really needs to be changed. The search indexes are synced every 4 hours, so changes should not need to be made.
# **Who does it impact**: Docs engineering and content writers.
on:
pull_request:
types:
- labeled
- unlabeled
- opened
- reopened
- synchronize
jobs:
check-internal-changes:
if: github.repository == 'github/docs-internal' && github.event.pull_request.user.login != 'Octomerger'
runs-on: ubuntu-latest
outputs:
notAllowed: ${{ steps.filter.outputs.notAllowed }}
notAllowedSearchSyncLabel: ${{ steps.filter.outputs.notAllowedSearchSyncLabel }}
count: 0
steps:
- name: Get files changed
uses: dorny/paths-filter@eb75a1edc117d3756a18ef89958ee59f9500ba58
id: filter
with:
# Base branch used to get changed files
base: ${{ github.event.pull_request.base.ref }}
# Enables setting an output in the format in `${FILTER_NAME}_files
# with the names of the matching files formatted as JSON array
list-files: json
# Returns list of changed files matching each filter
filters: |
notAllowed:
- 'app.json'
notAllowedSearchSyncLabel:
- 'lib/search/indexes/**'
notAllowed:
needs: check-internal-changes
if: ${{ needs.check-internal-changes.outputs.notAllowed == 'true' }}
runs-on: ubuntu-latest
steps:
- name: Fail if unallowed changes were made
run: |
echo "Please admin merge if you really need to update app.json!"
exit 1
notAllowedSearchSyncLabel:
needs: check-internal-changes
if: ${{ needs.check-internal-changes.outputs.notAllowedSearchSyncLabel == 'true' }}
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
with:
ref: ${{ github.head_ref }}
token: ${{ secrets.DOCUBOT_REPO_PAT }}
- name: Setup Node
uses: actions/setup-node@04c56d2f954f1e4c69436aa54cfef261a018f458
with:
node-version: 16.13.x
cache: npm
- name: Install dependencies
run: npm ci
- name: Check to see if the search label exists - will return version if it does
id: labelExists
run: $GITHUB_WORKSPACE/.github/actions-scripts/enterprise-search-label.js
- name: Fail if unallowed changes were made outside of the Search Sync label added
if: false == steps.labelExists.outputs.versionToSync && false == contains(github.event.pull_request.labels.*.name, 'deprecate-lunr-index')
run: |
echo "Search indices are updated automatically every 4 hours. Please revert any changes you have made to the search indexes before you merge this PR. If you need to update the search indices directly after you merge your PR, you can manually run the search sync workflow: Sync search indexes. See the docs/contributing/search.md for more details. If you have any other questions, please ping us in #docs-engineering."
exit 1