GitHub Actions workflow hardening #75
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow | |
name: Test Plugins | |
on: | |
pull_request: | |
workflow_dispatch: | |
inputs: | |
PR_NUMBER: | |
description: The PR number to test | |
required: true | |
permissions: | |
pull-requests: write | |
jobs: | |
get-plugins: | |
name: Get plugins | |
runs-on: ubuntu-24.04 | |
outputs: | |
matrix: ${{ steps.plugins.outputs.matrix }} | |
source-pr-data: ${{ steps.source-pr-data.outputs.result }} | |
steps: | |
- name: Get the list of plugins to test | |
id: plugins | |
run: | #shell | |
echo matrix='{"plugin":["extended-cpts","query-monitor","user-switching","wp-crontrol"]}' >> "$GITHUB_OUTPUT" | |
- name: Fetch the source PR data | |
uses: actions/github-script@v7 | |
id: source-pr-data | |
with: | |
script: | #js | |
const pr = await github.rest.pulls.get({ | |
owner: 'johnbillion', | |
repo: 'plugin-infrastructure', | |
pull_number: process.env.SOURCE_PR_NUMBER, | |
}); | |
return { | |
head_repo: pr.data.head.repo.full_name, | |
head_branch: pr.data.head.ref, | |
head_sha: pr.data.head.sha, | |
pr_number: pr.data.number, | |
pr_link: pr.data.html_url, | |
}; | |
github-token: ${{ secrets.PLUGINS_PUSH_TOKEN }} | |
env: | |
SOURCE_PR_NUMBER: ${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.event.inputs.PR_NUMBER }} | |
open-pr: | |
name: PR / ${{ matrix.plugin }} | |
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'johnbillion/plugin-infrastructure' || github.event_name == 'workflow_dispatch' | |
needs: | |
- get-plugins | |
strategy: | |
matrix: ${{ fromJSON( needs.get-plugins.outputs.matrix ) }} | |
fail-fast: false | |
runs-on: ubuntu-24.04 | |
timeout-minutes: 5 | |
steps: | |
- name: Dump GitHub context | |
env: | |
GITHUB_CONTEXT: ${{ toJson(github) }} | |
run: echo "$GITHUB_CONTEXT" | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
repository: johnbillion/${{ matrix.plugin }} | |
token: ${{ secrets.PLUGINS_PUSH_TOKEN }} | |
- name: Update tests references | |
run: | #shell | |
if [ -f .github/workflows/acceptance-tests.yml ]; then | |
sed -i "s|johnbillion/plugin-infrastructure/.github/workflows/reusable-acceptance-tests.yml@trunk|${HEAD_REPO}/.github/workflows/reusable-acceptance-tests.yml@${SHA_REF}|g" .github/workflows/acceptance-tests.yml | |
fi | |
if [ -f .github/workflows/coding-standards.yml ]; then | |
sed -i "s|johnbillion/plugin-infrastructure/.github/workflows/reusable-coding-standards.yml@trunk|${HEAD_REPO}/.github/workflows/reusable-coding-standards.yml@${SHA_REF}|g" .github/workflows/coding-standards.yml | |
fi | |
if [ -f .github/workflows/integration-tests.yml ]; then | |
sed -i "s|johnbillion/plugin-infrastructure/.github/workflows/reusable-integration-tests.yml@trunk|${HEAD_REPO}/.github/workflows/reusable-integration-tests.yml@${SHA_REF}|g" .github/workflows/integration-tests.yml | |
fi | |
if [ "${HEAD_REPO}" == "johnbillion/plugin-infrastructure" ]; then | |
sed -i "s|\"johnbillion/plugin-infrastructure\": \"dev-trunk\"|\"johnbillion/plugin-infrastructure\": \"dev-${HEAD_BRANCH}\"|g" composer.json | |
fi | |
env: | |
HEAD_BRANCH: ${{ fromJson( needs.get-plugins.outputs.source-pr-data ).head_branch }} | |
HEAD_REPO: ${{ fromJson( needs.get-plugins.outputs.source-pr-data ).head_repo }} | |
SHA_REF: ${{ fromJson( needs.get-plugins.outputs.source-pr-data ).head_sha }} | |
- name: Check the changed files | |
run: | #shell | |
git diff | |
git status | |
- name: Open PR | |
uses: peter-evans/create-pull-request@v6 | |
id: cpr | |
with: | |
token: ${{ secrets.PLUGINS_PUSH_TOKEN }} | |
commit-message: Update Plugin Infrastructure to ${{ env.SHA_REF }} | |
title: Test with ${{ env.HEAD_REPO }}@${{ env.BRANCH_REF }} | |
body: | #markdown | |
This PR updates [Plugin Infrastructure](https://github.com/johnbillion/plugin-infrastructure) to `${{ env.HEAD_REPO }}@${{ env.BRANCH_REF }}` for testing purposes. This PR should not be merged. | |
See ${{ env.PR_LINK }} for more details. | |
This is an automated PR created by [the Test Plugins workflow](https://github.com/johnbillion/plugin-infrastructure/actions/workflows/test-plugins.yml). | |
branch: update-plugin-infrastructure/${{ env.HEAD_REPO }}/${{ env.BRANCH_REF }} | |
draft: true | |
env: | |
HEAD_REPO: ${{ fromJson( needs.get-plugins.outputs.source-pr-data ).head_repo }} | |
SHA_REF: ${{ fromJson( needs.get-plugins.outputs.source-pr-data ).head_sha }} | |
BRANCH_REF: ${{ fromJson( needs.get-plugins.outputs.source-pr-data ).head_branch }} | |
PR_LINK: ${{ fromJson( needs.get-plugins.outputs.source-pr-data ).pr_link }} | |
- name: Add PR link to the summary | |
run: | #shell | |
echo "${URL}" >> $GITHUB_STEP_SUMMARY | |
env: | |
URL: ${{ steps.cpr.outputs.pull-request-url }} | |
- name: Set labels | |
run: | #shell | |
gh --repo johnbillion/plugin-infrastructure label create "pr:${PLUGIN}:${PLUGIN_PR_NUMBER}" --force --color FEF2C0 | |
gh --repo johnbillion/plugin-infrastructure pr edit "${SOURCE_PR_NUMBER}" --add-label "pr:${PLUGIN}:${PLUGIN_PR_NUMBER}" | |
env: | |
GH_TOKEN: ${{ github.token }} | |
SOURCE_PR_NUMBER: ${{ fromJson( needs.get-plugins.outputs.source-pr-data ).pr_number }} | |
PLUGIN: ${{ matrix.plugin }} | |
PLUGIN_PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }} | |
- name: Write plugin PR data to JSON file | |
run: | #shell | |
echo "${PR_DATA}" > plugin-pr-data.json | |
env: | |
PR_DATA: ${{ toJson(steps.cpr.outputs) }} | |
- name: Save plugin PR data as an artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: plugin-pr-data-${{ matrix.plugin }} | |
path: plugin-pr-data.json | |
check-status: | |
name: Check / ${{ matrix.plugin }} | |
needs: | |
- get-plugins | |
- open-pr | |
strategy: | |
matrix: ${{ fromJSON( needs.get-plugins.outputs.matrix ) }} | |
fail-fast: false | |
runs-on: ubuntu-24.04 | |
timeout-minutes: 30 | |
steps: | |
- name: Download plugin PR data artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: plugin-pr-data-${{ matrix.plugin }} | |
- name: Read the plugin PR data | |
id: plugin-pr-data | |
run: | #shell | |
echo pr_data="$(jq -c . plugin-pr-data.json)" >> "$GITHUB_OUTPUT" | |
- name: Check the status of workflows | |
run: | #shell | |
echo "ℹ️ See the checks at https://github.com/johnbillion/${PLUGIN}/pull/${PLUGIN_PR_NUMBER}/checks" | |
while true; do | |
gh api "repos/johnbillion/${PLUGIN}/actions/runs?head_sha=${PLUGIN_HEAD_SHA}" --jq '[.workflow_runs[]]' > workflow_runs.json | |
failed=$(jq 'map(select(.conclusion == "failure")) | length' workflow_runs.json) | |
cancelled=$(jq 'map(select(.conclusion == "cancelled")) | length' workflow_runs.json) | |
in_progress=$(jq 'map(select(.status != "completed")) | length' workflow_runs.json) | |
total=$(jq 'length' workflow_runs.json) | |
if [ $failed -gt 0 ]; then | |
echo "❌ Some workflows failed." | |
exit 1 | |
elif [ $cancelled -gt 0 ]; then | |
echo "❌ Some workflows were cancelled." | |
exit 1 | |
elif [ $in_progress -gt 0 ]; then | |
echo "ℹ️ ${in_progress}/${total} workflows are still in progress. Waiting..." | |
sleep 20 | |
else | |
echo "✅ ${total}/${total} workflows passed." | |
break | |
fi | |
done | |
env: | |
GH_TOKEN: ${{ github.token }} | |
PLUGIN_PR_NUMBER: ${{ fromJson( steps.plugin-pr-data.outputs.pr_data ).pull-request-number }} | |
PLUGIN_HEAD_SHA: ${{ fromJson( steps.plugin-pr-data.outputs.pr_data ).pull-request-head-sha }} | |
PLUGIN: ${{ matrix.plugin }} |