From f978012f255a6aafaab2367a7d19099d74c62960 Mon Sep 17 00:00:00 2001 From: Zac Clifton <43915749+Cliftonz@users.noreply.github.com> Date: Tue, 4 Jun 2024 10:01:55 -0400 Subject: [PATCH 1/8] Rename test workflow and clean up code The test workflow file has been renamed to 'on-pr.yml' to better reflect its usage. Extra space within the workflow file has also been removed for neatness and readability. --- .github/workflows/{test.yml => on-pr.yml} | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) rename .github/workflows/{test.yml => on-pr.yml} (99%) diff --git a/.github/workflows/test.yml b/.github/workflows/on-pr.yml similarity index 99% rename from .github/workflows/test.yml rename to .github/workflows/on-pr.yml index 288f1e200e3..ab554cb466d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/on-pr.yml @@ -8,6 +8,7 @@ on: workflow_dispatch: jobs: + dependency-review: name: Dependency review runs-on: ubuntu-latest @@ -174,7 +175,7 @@ jobs: - uses: actions/checkout@v3 - uses: ./.github/actions/setup-project - + - name: Run Lint, Build, Test uses: mansagroup/nrwl-nx-action@v3 with: From 2349867090090f53cb9b92d8ee71c1ffbcaf3870 Mon Sep 17 00:00:00 2001 From: Zac Clifton <43915749+Cliftonz@users.noreply.github.com> Date: Tue, 4 Jun 2024 10:18:44 -0400 Subject: [PATCH 2/8] Add Github action to validate PR source branch This commit introduces a new Github Action workflow that checks the source branch of pull requests. The action ensures that only changes from the "next" branch can enter the "prod" branch. --- .github/workflows/on-pr-change.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .github/workflows/on-pr-change.yml diff --git a/.github/workflows/on-pr-change.yml b/.github/workflows/on-pr-change.yml new file mode 100644 index 00000000000..1c789ad05b1 --- /dev/null +++ b/.github/workflows/on-pr-change.yml 
@@ -0,0 +1,18 @@ +name: Check pull request source branch +on: + pull_request_target: + types: + - opened + - reopened + - synchronize + - edited +jobs: + check-branches: + runs-on: ubuntu-latest + steps: + - name: Check branches + run: | + if [ ${{ github.head_ref }} != "next" ] && [ ${{ github.base_ref }} == "prod" ]; then + echo "Merge requests to prod branch are only allowed from next branch." + exit 1 + fi From f83dbaf56ee71cf29edba8989bf4fb146380b5f1 Mon Sep 17 00:00:00 2001 From: Zac Clifton <43915749+Cliftonz@users.noreply.github.com> Date: Tue, 4 Jun 2024 10:46:06 -0400 Subject: [PATCH 3/8] Add validation for branch names in Github action In the "on-pr-change" Github action, additional validation checks have been added to ensure the HEAD_REF and BASE_REF branch names do not contain invalid characters. Now, the script checks for invalid characters in branch names and restricts merge requests to the prod branch only from the next branch. --- .github/workflows/on-pr-change.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/on-pr-change.yml b/.github/workflows/on-pr-change.yml index 1c789ad05b1..66629c3543d 100644 --- a/.github/workflows/on-pr-change.yml +++ b/.github/workflows/on-pr-change.yml @@ -11,8 +11,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Check branches + env: + HEAD_REF: ${{ github.head_ref }} + BASE_REF: ${{ github.base_ref }} run: | - if [ ${{ github.head_ref }} != "next" ] && [ ${{ github.base_ref }} == "prod" ]; then + if [[ "${{ env.HEAD_REF }}" =~ [^a-zA-Z0-9-_] ]]; then + echo "head_ref has invalid characters." + exit 1 + fi + if [[ "${{ env.BASE_REF }}" =~ [^a-zA-Z0-9-_] ]]; then + echo "base_ref has invalid characters." + exit 1 + fi + if [ ${{ env.HEAD_REF }} != "next" ] && [ ${{ env.BASE_REF }} == "prod" ]; then echo "Merge requests to prod branch are only allowed from next branch." exit 1 fi From 5a52c000668a7396959ee1e9f4bc97ebac373c00 Mon Sep 17 00:00:00 2001 
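Review bot: The `run:` script of the `Check branches` step pastes `${{ github.head_ref }}` and `${{ github.base_ref }}` directly into shell text, and the head branch name is chosen by whoever opens the pull request. Expressions are substituted before the shell starts, and the trigger is `pull_request_target`, which runs in the base repository's context; this new file has no `permissions:` block to narrow the token. A crafted branch name is therefore treated as script content rather than data. Map both values in the step's `env:` and compare the shell variables instead, `if [ "$HEAD_REF" != "next" ] && [ "$BASE_REF" = "prod" ]; then`. The same applies to the `${{ env.HEAD_REF }}` / `${{ env.BASE_REF }}` forms in patches 3, 5 and 6 and to the line restored in patch 4, because `${{ env.* }}` is still expanded before the shell runs; only patch 7 reads `$HEAD_REF` from the environment.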
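Review bot: The two `=~ [^a-zA-Z0-9-_]` checks added in patch 3 run for every pull request, not only those targeting `prod`, and the character class leaves out `/` and `.`, so branches such as `feature/x` or `release-1.2` would fail this job. If the validation is kept, either widen the class or move it inside the `prod` case. It should also test the shell variable rather than the expanded expression, for example `if [[ "$HEAD_REF" =~ [^a-zA-Z0-9._/-] ]]; then`.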
From: Zac Clifton <43915749+Cliftonz@users.noreply.github.com> Date: Tue, 4 Jun 2024 11:07:14 -0400 Subject: [PATCH 4/8] Refactor branch character check in workflow file Removed the previously defined environmental variables for checking branch names in the .github/workflows/on-pr-change.yml file. The branch character validation has been removed as this is already done by Github. The same check was simplified using Github context variables directly. --- .github/workflows/on-pr-change.yml | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/.github/workflows/on-pr-change.yml b/.github/workflows/on-pr-change.yml index 66629c3543d..1c789ad05b1 100644 --- a/.github/workflows/on-pr-change.yml +++ b/.github/workflows/on-pr-change.yml @@ -11,19 +11,8 @@ jobs: runs-on: ubuntu-latest steps: - name: Check branches - env: - HEAD_REF: ${{ github.head_ref }} - BASE_REF: ${{ github.base_ref }} run: | - if [[ "${{ env.HEAD_REF }}" =~ [^a-zA-Z0-9-_] ]]; then - echo "head_ref has invalid characters." - exit 1 - fi - if [[ "${{ env.BASE_REF }}" =~ [^a-zA-Z0-9-_] ]]; then - echo "base_ref has invalid characters." - exit 1 - fi - if [ ${{ env.HEAD_REF }} != "next" ] && [ ${{ env.BASE_REF }} == "prod" ]; then + if [ ${{ github.head_ref }} != "next" ] && [ ${{ github.base_ref }} == "prod" ]; then echo "Merge requests to prod branch are only allowed from next branch." exit 1 fi From 62008366270015f971d894d5b31d4df1eaa2771b Mon Sep 17 00:00:00 2001 
From: Zac Clifton <43915749+Cliftonz@users.noreply.github.com> Date: Tue, 4 Jun 2024 11:18:45 -0400 Subject: [PATCH 5/8] Update branch check logic in Github Actions workflow The commit adds environment variables to store HEAD_REF and BASE_REF in the Github Actions workflow for checking branches in .github/workflows/on-pr-change.yml file. Using these variables should improve the readability and maintainability of the branch comparison logic. --- .github/workflows/on-pr-change.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/on-pr-change.yml b/.github/workflows/on-pr-change.yml index 1c789ad05b1..09b4caae8f7 100644 --- a/.github/workflows/on-pr-change.yml +++ b/.github/workflows/on-pr-change.yml @@ -11,8 +11,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Check branches + env: + HEAD_REF: ${{ github.head_ref }} + BASE_REF: ${{ github.base_ref }} run: | - if [ ${{ github.head_ref }} != "next" ] && [ ${{ github.base_ref }} == "prod" ]; then + if [ "${{ env.HEAD_REF }}" != "next" ] && [ "${{ env.BASE_REF }}" == "prod" ]; then echo "Merge requests to prod branch are only allowed from next branch." exit 1 fi From a9793708685f2547a12ad0553ae4fb4a43e83d9f Mon Sep 17 00:00:00 2001 From: Zac Clifton <43915749+Cliftonz@users.noreply.github.com> Date: Tue, 4 Jun 2024 11:32:56 -0400 Subject: [PATCH 6/8] Refactored GitHub Actions workflow conditions The commit refactors the conditional check in the on-pr-change.yml GitHub Actions workflow. It introduces new variables: HEAD and BASE to replace the direct usage of env.HEAD_REF and env.BASE_REF in the condition check, enhancing readability and maintainability. --- .github/workflows/on-pr-change.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/on-pr-change.yml b/.github/workflows/on-pr-change.yml index 09b4caae8f7..729d7c9e790 100644 --- a/.github/workflows/on-pr-change.yml +++ b/.github/workflows/on-pr-change.yml 
@@ -15,7 +15,9 @@ jobs: HEAD_REF: ${{ github.head_ref }} BASE_REF: ${{ github.base_ref }} run: | - if [ "${{ env.HEAD_REF }}" != "next" ] && [ "${{ env.BASE_REF }}" == "prod" ]; then + HEAD="${{ env.HEAD_REF }}" + BASE="${{ env.BASE_REF }}" + if [ $HEAD != "next" ] && [ $BASE == "prod" ]; then echo "Merge requests to prod branch are only allowed from next branch." exit 1 fi From 22fe95c4ffdde615747bbd35aff3705c2384495b Mon Sep 17 00:00:00 2001 From: Zac Clifton <43915749+Cliftonz@users.noreply.github.com> Date: Tue, 4 Jun 2024 11:43:14 -0400 Subject: [PATCH 7/8] Simplify conditional statement in GitHub Action This commit streamlines the conditional statement in the on-pr-change.yml GitHub Action script. The previous version unnecessarily assigned HEAD_REF and BASE_REF environment variables to local variables, which were subsequently used in the branch comparison checks. The updated version directly uses these environment variables. --- .github/workflows/on-pr-change.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/on-pr-change.yml b/.github/workflows/on-pr-change.yml index 729d7c9e790..eddcb8fd727 100644 --- a/.github/workflows/on-pr-change.yml +++ b/.github/workflows/on-pr-change.yml @@ -15,9 +15,7 @@ jobs: HEAD_REF: ${{ github.head_ref }} BASE_REF: ${{ github.base_ref }} run: | - HEAD="${{ env.HEAD_REF }}" - BASE="${{ env.BASE_REF }}" - if [ $HEAD != "next" ] && [ $BASE == "prod" ]; then + if [ $HEAD_REF != "next" ] && [ $BASE_REF == "prod" ]; then echo "Merge requests to prod branch are only allowed from next branch." exit 1 fi From 7d88718803ace328a508116ea9cc9bd16c478ded Mon Sep 17 00:00:00 2001 From: Richard Fontein <32132657+rifont@users.noreply.github.com> Date: Tue, 4 Jun 2024 20:24:22 +0100 Subject: [PATCH 8/8] Update .github/workflows/on-pr.yml --- .github/workflows/on-pr.yml | 1 - 1 file changed, 1 deletion(-) 
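Review bot: In patch 7, `[ $HEAD_REF != "next" ]` compares only the branch name, so a pull request from a fork whose branch is also called `next` passes the check; nothing in the step compares the source repository. If the intent is that only this repository's `next` may reach `prod`, pass `${{ github.event.pull_request.head.repo.full_name }}` and `${{ github.repository }}` through `env:` as well and require them to be equal. Separately, quote the expansions so an unusual value cannot change how the test is parsed: `if [ "$HEAD_REF" != "next" ] && [ "$BASE_REF" = "prod" ]; then`. The step and its `env:` key begin above the hunk.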
diff --git a/.github/workflows/on-pr.yml b/.github/workflows/on-pr.yml index ab554cb466d..d1d0caeff43 100644 --- a/.github/workflows/on-pr.yml +++ b/.github/workflows/on-pr.yml @@ -8,7 +8,6 @@ on: workflow_dispatch: jobs: - dependency-review: name: Dependency review runs-on: ubuntu-latest