getsentry · vaind · Sep 22, 2025 · Sep 22, 2025 · Sep 22, 2025 · Sep 22, 2025
diff --git a/.craft.yml b/.craft.yml
@@ -1,6 +1,6 @@
 minVersion: 0.23.1
 changelogPolicy: auto
-preReleaseCommand: pwsh -cwa ''
+preReleaseCommand: pwsh scripts/update-version.ps1
 artifactProvider:
   name: none
 targets:

diff --git a/.github/workflows/danger-workflow-tests.yml b/.github/workflows/danger-workflow-tests.yml
@@ -8,6 +8,8 @@ on:
 jobs:
   danger:
     uses: ./.github/workflows/danger.yml
+    with:
+      _workflow_version: ${{ github.sha }}
 
   test-outputs:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/danger.yml b/.github/workflows/danger.yml
@@ -1,6 +1,12 @@
 # Runs DangerJS with a pre-configured set of rules on a Pull Request.
 on:
   workflow_call:
+    inputs:
+      _workflow_version:
+        description: 'Internal: specify github-workflows (this repo) revision to use when checking out scripts.'
+        type: string
+        required: false
+        default: '2.14.1' # Note: this is updated during release process
     outputs:
       outcome:
         description: Whether the Danger run finished successfully. Possible values are success, failure, cancelled, or skipped.
@@ -18,10 +24,8 @@ jobs:
 
       - name: Download dangerfile.js and utilities
         run: |
-          # Extract the ref from GITHUB_WORKFLOW_REF (e.g., getsentry/github-workflows/.github/workflows/danger.yml@refs/pull/109/merge -> refs/pull/109/merge)
-          WORKFLOW_REF=$(echo "${{ github.workflow_ref }}" | sed 's/.*@//')
-          wget https://raw.githubusercontent.com/getsentry/github-workflows/${WORKFLOW_REF}/danger/dangerfile.js -P ${{ runner.temp }}
-          wget https://raw.githubusercontent.com/getsentry/github-workflows/${WORKFLOW_REF}/danger/dangerfile-utils.js -P ${{ runner.temp }}
+          wget https://raw.githubusercontent.com/getsentry/github-workflows/${{ inputs._workflow_version }}/danger/dangerfile.js -P ${{ runner.temp }}
+          wget https://raw.githubusercontent.com/getsentry/github-workflows/${{ inputs._workflow_version }}/danger/dangerfile-utils.js -P ${{ runner.temp }}
 
       # Using a pre-built docker image in GitHub container registry instaed of NPM to reduce possible attack vectors.
       - name: Run DangerJS

diff --git a/.github/workflows/updater.yml b/.github/workflows/updater.yml
@@ -38,6 +38,11 @@ on:
         type: string
         required: false
         default: create
+      _workflow_version:
+        description: 'Internal: specify github-workflows (this repo) revision to use when checking out scripts.'
+        type: string
+        required: false
+        default: '2.14.1' # Note: this is updated during release process
     secrets:
       api-token:
         required: true
@@ -136,13 +141,11 @@ jobs:
         # Note: cannot use `actions/checkout` at the moment because you can't clone outside of the repo root.
         #       Follow https://github.com/actions/checkout/issues/197
         run: |
-          # Extract the ref from GITHUB_WORKFLOW_REF (e.g., getsentry/github-workflows/.github/workflows/updater.yml@refs/pull/109/merge -> refs/pull/109/merge)
-          $workflowRef = '${{ github.workflow_ref }}' -replace '.*@', ''
-          New-Item -ItemType Directory -Force -Path '${{ runner.temp }}/ghwf'
-          Set-Location '${{ runner.temp }}/ghwf'
+          mkdir -p ${{ runner.temp }}/ghwf
+          cd ${{ runner.temp }}/ghwf
           git init
           git remote add origin https://github.com/getsentry/github-workflows.git
-          git fetch --depth 1 origin $workflowRef
+          git fetch --depth 1 origin ${{ inputs._workflow_version }}
           git checkout FETCH_HEAD
 
       - name: Update to the latest version

diff --git a/.github/workflows/workflow-tests.yml b/.github/workflows/workflow-tests.yml
@@ -12,6 +12,7 @@ jobs:
       name: WORKFLOW-TEST-DEPENDENCY-DO-NOT-MERGE
       pattern: '^2\.0\.'
       pr-strategy: update
+      _workflow_version: ${{ github.sha }}
     secrets:
       api-token: ${{ github.token }}
 
@@ -22,6 +23,7 @@ jobs:
       name: Workflow args test script
       runs-on: macos-latest
       pattern: '.*'
+      _workflow_version: ${{ github.sha }}
     secrets:
       api-token: ${{ github.token }}
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## Unreleased
+
+### Fixes
+
+- Danger and updater download script URLs cannot use GITHUB_WORKFLOW_REF ([#111](https://github.com/getsentry/github-workflows/pull/111))
+
 ## 2.14.1
 
 ### Fixes

diff --git a/scripts/update-version.ps1 b/scripts/update-version.ps1
@@ -0,0 +1,44 @@
+#!/usr/bin/env pwsh
+
+param(
+    [Parameter(Mandatory=$true, Position=0)]
+    [string]$OldVersion,
+
+    [Parameter(Mandatory=$true, Position=1)]
+    [string]$NewVersion
+)
+
+Set-StrictMode -Version Latest
+$ErrorActionPreference = "Stop"
+$PSNativeCommandUseErrorActionPreference = $true
+
+Write-Host "Updating version from $OldVersion to $NewVersion"
+
+# Update specific workflow files with _workflow_version inputs
+Write-Host "Updating workflow files..."
+$workflowFiles = @(
+    ".github/workflows/updater.yml",
+    ".github/workflows/danger.yml"
+)
+
+foreach ($filePath in $workflowFiles) {
+    $content = Get-Content -Path $filePath -Raw
+
+    # Check if this file has _workflow_version input with a default value
+    if ($content -match '(?ms)_workflow_version:.*?default:\s*([^\s#]+)') {
+        Write-Host "Updating $filePath..."
+        $oldDefault = $Matches[1]
+
+        # Replace the default value for _workflow_version
+        $newContent = $content -replace '((?ms)_workflow_version:.*?default:\s*)([^\s#]+)', "`${1}'$NewVersion'"
+
+        # Write the updated content back to the file
+        $newContent | Out-File -FilePath $filePath -Encoding utf8 -NoNewline
+
+        Write-Host "  Updated default from '$oldDefault' to '$NewVersion'"
+    } else {
+        Write-Error "No _workflow_version default found in $filePath"
+    }
+}
+
+Write-Host "Version update completed successfully!"