Skip to content

GitHub Actions workflow hardening #75

GitHub Actions workflow hardening

GitHub Actions workflow hardening #75

Workflow file for this run

# yaml-language-server: $schema=https://json.schemastore.org/github-workflow
name: Test Plugins
on:
pull_request:
workflow_dispatch:
inputs:
PR_NUMBER:
description: The PR number to test
required: true
permissions:
pull-requests: write
jobs:
get-plugins:
name: Get plugins
runs-on: ubuntu-24.04
outputs:
matrix: ${{ steps.plugins.outputs.matrix }}
source-pr-data: ${{ steps.source-pr-data.outputs.result }}
steps:
- name: Get the list of plugins to test
id: plugins
run: | #shell
echo matrix='{"plugin":["extended-cpts","query-monitor","user-switching","wp-crontrol"]}' >> "$GITHUB_OUTPUT"
- name: Fetch the source PR data
uses: actions/github-script@v7
id: source-pr-data
with:
script: | #js
const pr = await github.rest.pulls.get({
owner: 'johnbillion',
repo: 'plugin-infrastructure',
pull_number: process.env.SOURCE_PR_NUMBER,
});
return {
head_repo: pr.data.head.repo.full_name,
head_branch: pr.data.head.ref,
head_sha: pr.data.head.sha,
pr_number: pr.data.number,
pr_link: pr.data.html_url,
};
github-token: ${{ secrets.PLUGINS_PUSH_TOKEN }}
env:
SOURCE_PR_NUMBER: ${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.event.inputs.PR_NUMBER }}
open-pr:
name: PR / ${{ matrix.plugin }}
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'johnbillion/plugin-infrastructure' || github.event_name == 'workflow_dispatch'
needs:
- get-plugins
strategy:
matrix: ${{ fromJSON( needs.get-plugins.outputs.matrix ) }}
fail-fast: false
runs-on: ubuntu-24.04
timeout-minutes: 5
steps:
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
- name: Checkout repository
uses: actions/checkout@v4
with:
repository: johnbillion/${{ matrix.plugin }}
token: ${{ secrets.PLUGINS_PUSH_TOKEN }}
- name: Update tests references
run: | #shell
if [ -f .github/workflows/acceptance-tests.yml ]; then
sed -i "s|johnbillion/plugin-infrastructure/.github/workflows/reusable-acceptance-tests.yml@trunk|${HEAD_REPO}/.github/workflows/reusable-acceptance-tests.yml@${SHA_REF}|g" .github/workflows/acceptance-tests.yml
fi
if [ -f .github/workflows/coding-standards.yml ]; then
sed -i "s|johnbillion/plugin-infrastructure/.github/workflows/reusable-coding-standards.yml@trunk|${HEAD_REPO}/.github/workflows/reusable-coding-standards.yml@${SHA_REF}|g" .github/workflows/coding-standards.yml
fi
if [ -f .github/workflows/integration-tests.yml ]; then
sed -i "s|johnbillion/plugin-infrastructure/.github/workflows/reusable-integration-tests.yml@trunk|${HEAD_REPO}/.github/workflows/reusable-integration-tests.yml@${SHA_REF}|g" .github/workflows/integration-tests.yml
fi
if [ "${HEAD_REPO}" == "johnbillion/plugin-infrastructure" ]; then
sed -i "s|\"johnbillion/plugin-infrastructure\": \"dev-trunk\"|\"johnbillion/plugin-infrastructure\": \"dev-${HEAD_BRANCH}\"|g" composer.json
fi
env:
HEAD_BRANCH: ${{ fromJson( needs.get-plugins.outputs.source-pr-data ).head_branch }}
HEAD_REPO: ${{ fromJson( needs.get-plugins.outputs.source-pr-data ).head_repo }}
SHA_REF: ${{ fromJson( needs.get-plugins.outputs.source-pr-data ).head_sha }}
- name: Check the changed files
run: | #shell
git diff
git status
- name: Open PR
uses: peter-evans/create-pull-request@v6
id: cpr
with:
token: ${{ secrets.PLUGINS_PUSH_TOKEN }}
commit-message: Update Plugin Infrastructure to ${{ env.SHA_REF }}
title: Test with ${{ env.HEAD_REPO }}@${{ env.BRANCH_REF }}
body: | #markdown
This PR updates [Plugin Infrastructure](https://github.com/johnbillion/plugin-infrastructure) to `${{ env.HEAD_REPO }}@${{ env.BRANCH_REF }}` for testing purposes. This PR should not be merged.
See ${{ env.PR_LINK }} for more details.
This is an automated PR created by [the Test Plugins workflow](https://github.com/johnbillion/plugin-infrastructure/actions/workflows/test-plugins.yml).
branch: update-plugin-infrastructure/${{ env.HEAD_REPO }}/${{ env.BRANCH_REF }}
draft: true
env:
HEAD_REPO: ${{ fromJson( needs.get-plugins.outputs.source-pr-data ).head_repo }}
SHA_REF: ${{ fromJson( needs.get-plugins.outputs.source-pr-data ).head_sha }}
BRANCH_REF: ${{ fromJson( needs.get-plugins.outputs.source-pr-data ).head_branch }}
PR_LINK: ${{ fromJson( needs.get-plugins.outputs.source-pr-data ).pr_link }}
- name: Add PR link to the summary
run: | #shell
echo "${URL}" >> $GITHUB_STEP_SUMMARY
env:
URL: ${{ steps.cpr.outputs.pull-request-url }}
- name: Set labels
run: | #shell
gh --repo johnbillion/plugin-infrastructure label create "pr:${PLUGIN}:${PLUGIN_PR_NUMBER}" --force --color FEF2C0
gh --repo johnbillion/plugin-infrastructure pr edit "${SOURCE_PR_NUMBER}" --add-label "pr:${PLUGIN}:${PLUGIN_PR_NUMBER}"
env:
GH_TOKEN: ${{ github.token }}
SOURCE_PR_NUMBER: ${{ fromJson( needs.get-plugins.outputs.source-pr-data ).pr_number }}
PLUGIN: ${{ matrix.plugin }}
PLUGIN_PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
- name: Write plugin PR data to JSON file
run: | #shell
echo "${PR_DATA}" > plugin-pr-data.json
env:
PR_DATA: ${{ toJson(steps.cpr.outputs) }}
- name: Save plugin PR data as an artifact
uses: actions/upload-artifact@v4
with:
name: plugin-pr-data-${{ matrix.plugin }}
path: plugin-pr-data.json
check-status:
name: Check / ${{ matrix.plugin }}
needs:
- get-plugins
- open-pr
strategy:
matrix: ${{ fromJSON( needs.get-plugins.outputs.matrix ) }}
fail-fast: false
runs-on: ubuntu-24.04
timeout-minutes: 30
steps:
- name: Download plugin PR data artifact
uses: actions/download-artifact@v4
with:
name: plugin-pr-data-${{ matrix.plugin }}
- name: Read the plugin PR data
id: plugin-pr-data
run: | #shell
echo pr_data="$(jq -c . plugin-pr-data.json)" >> "$GITHUB_OUTPUT"
- name: Check the status of workflows
run: | #shell
echo "ℹ️ See the checks at https://github.com/johnbillion/${PLUGIN}/pull/${PLUGIN_PR_NUMBER}/checks"
while true; do
gh api "repos/johnbillion/${PLUGIN}/actions/runs?head_sha=${PLUGIN_HEAD_SHA}" --jq '[.workflow_runs[]]' > workflow_runs.json
failed=$(jq 'map(select(.conclusion == "failure")) | length' workflow_runs.json)
cancelled=$(jq 'map(select(.conclusion == "cancelled")) | length' workflow_runs.json)
in_progress=$(jq 'map(select(.status != "completed")) | length' workflow_runs.json)
total=$(jq 'length' workflow_runs.json)
if [ $failed -gt 0 ]; then
echo "❌ Some workflows failed."
exit 1
elif [ $cancelled -gt 0 ]; then
echo "❌ Some workflows were cancelled."
exit 1
elif [ $in_progress -gt 0 ]; then
echo "ℹ️ ${in_progress}/${total} workflows are still in progress. Waiting..."
sleep 20
else
echo "✅ ${total}/${total} workflows passed."
break
fi
done
env:
GH_TOKEN: ${{ github.token }}
PLUGIN_PR_NUMBER: ${{ fromJson( steps.plugin-pr-data.outputs.pr_data ).pull-request-number }}
PLUGIN_HEAD_SHA: ${{ fromJson( steps.plugin-pr-data.outputs.pr_data ).pull-request-head-sha }}
PLUGIN: ${{ matrix.plugin }}