From da916316cda5b9b91f6625a3b6c6a1c1147eae29 Mon Sep 17 00:00:00 2001
From: Chris Werner Rau
Date: Wed, 18 Dec 2024 11:02:24 +0100
Subject: [PATCH] feat(ci): adjust scripts to run safely for external PRs

---
 .github/scripts/create-values-diff.sh  | 37 ++++++++++++++++++--------
 .github/workflows/check-licenses.yaml  |  4 ++-
 .github/workflows/pr-comment-diff.yaml | 32 ++++++++++++++++++----
 3 files changed, 56 insertions(+), 17 deletions(-)

diff --git a/.github/scripts/create-values-diff.sh b/.github/scripts/create-values-diff.sh
index 1190d8f3b..d74b9f0e7 100755
--- a/.github/scripts/create-values-diff.sh
+++ b/.github/scripts/create-values-diff.sh
@@ -6,21 +6,34 @@
 set -eu
 set -o pipefail
 
-issue=${1?You need to provide the issue ID}
-chart=${2?You need to provide the chart name}
-if [[ -v 3 ]]; then
-  case "$3" in
+parsed="$(getopt --options '' --longoptions "body:,dry-run" --name "$0" -- "$@")"
+
+eval set -- "$parsed"
+unset parsed
+
+dryRun=false
+
+while [[ "$#" -gt 0 ]]; do
+  case "$1" in
     --dry-run)
       dryRun=true
       ;;
-    *)
-      echo "Option '$3' not supported" >&2
-      exit 1
+    --body)
+      shift
+      body="${1}"
+      if [[ ! -f "$body" ]]; then
+        echo "input file '$body' does not exist" >&2
+        exit 3
+      fi
+      ;;
+    --) # positional arguments
+      shift
+      issue=${1?You need to provide the issue ID}
+      chart=${2?You need to provide the chart name}
       ;;
   esac
-else
-  dryRun=false
-fi
+  shift
+done
 
 if yq -e '.type == "library"' "$chart/Chart.yaml" >/dev/null; then
   echo "Skipping library chart '$chart'" >&2
@@ -131,7 +144,9 @@ function updateComment() {
     -d @-
 }
 
-body=$(generateComment "$chart")
+if [[ ! -v body ]]; then
+  body=$(generateComment "$chart")
+fi
 
 if [[ "$dryRun" == false ]]; then
   # cannot use `gh pr/issue view --json comments` as the returned id is incorrect
diff --git a/.github/workflows/check-licenses.yaml b/.github/workflows/check-licenses.yaml
index 785b451ac..bc0a65f94 100644
--- a/.github/workflows/check-licenses.yaml
+++ b/.github/workflows/check-licenses.yaml
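Review bot: In the `--body` branch, `body="${1}"` stores the file path, and the second hunk of this file only skips `generateComment` when `body` is already set, so unless code below that hunk reads the file, the comment posted in `--body` mode will be the literal path rather than the file's contents. Validate the path first and then read it: `if [[ ! -f "$1" ]]; then`, `echo "input file '$1' does not exist" >&2`, and after the `fi` `body="$(<"$1")"`. Dropping the `*)` default that used to reject unknown options should be fine here, since `getopt` fails on an unrecognised option and `set -e` aborts on the failed assignment to `parsed`, but a header comment stating the new interface, `# Usage: create-values-diff.sh [--dry-run] [--body FILE] ISSUE CHART`, would help the workflows that call it. What consumes `body` after the second hunk is outside the visible lines.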
@@ -1,7 +1,7 @@
 name: Check used licenses
 
 on:
-  pull_request:
+  pull_request_target:
     types:
       - opened
       - edited
@@ -35,6 +35,8 @@ jobs:
     needs: getChangedChart
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
       - run: pip install yq
       - env:
           chart: ${{ needs.getChangedChart.outputs.chart }}
diff --git a/.github/workflows/pr-comment-diff.yaml b/.github/workflows/pr-comment-diff.yaml
index 7075c3551..ef5967618 100644
--- a/.github/workflows/pr-comment-diff.yaml
+++ b/.github/workflows/pr-comment-diff.yaml
@@ -4,7 +4,7 @@ concurrency:
   cancel-in-progress: true
 
 on:
-  pull_request:
+  pull_request_target:
    paths:
      - charts/**
    branches-ignore:
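Review bot: The job now checks out the PR head (`ref: ${{ github.event.pull_request.head.sha }}`) under the `pull_request_target` trigger introduced in the previous hunk, but unlike `generateDiffCommentBody` in pr-comment-diff.yaml it declares no job-level `permissions:`, so the workflow-default token scope (write, unless the repository default has been lowered) stays available to the steps that follow while any script executed from that checkout is under the PR author's control. Add `permissions:` / `  contents: read` to the job (its header is above the hunk) and, since nothing visible needs git credentials after checkout, `persist-credentials: false` under the new `with:`. Which scripts the later `env: chart:` step runs is outside the hunk, so I cannot tell whether they come from the checkout.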
@@ -15,16 +15,38 @@ jobs:
     uses: ./.github/workflows/get-changed-chart.yaml
     with:
       pr_number: ${{ github.event.pull_request.number }}
-  postDiffComment:
+  generateDiffCommentBody:
     runs-on: ubuntu-latest
     needs: getChangedChart
+    permissions:
+      contents: read
+      pull-requests: read
     env:
       CT_TARGET_BRANCH: ${{ github.event.pull_request.base.ref || github.event.repository.default_branch }}
-      GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
       - run: pip install yq
       - name: Install sponge
         run: sudo apt-get -yq install moreutils
-      - run: ./.github/scripts/prepare-values.sh "charts/${{ needs.getChangedChart.outputs.chart }}"
-      - run: ./.github/scripts/create-values-diff.sh ${{ github.event.number }} "charts/${{ needs.getChangedChart.outputs.chart }}"
+      - run: ./.github/scripts/prepare-values.sh "pr/charts/${{ needs.getChangedChart.outputs.chart }}"
+      - run: ./.github/scripts/create-values-diff.sh ${{ github.event.number }} "pr/charts/${{ needs.getChangedChart.outputs.chart }}" --dry-run > comment_body.md
+      - uses: actions/upload-artifact@v4
+        with:
+          name: comment_body
+          path: comment_body.md
+          if-no-files-found: error
+          retention-days: 1
+  postDiffComment:
+    runs-on: ubuntu-latest
+    needs:
+      - getChangedChart
+      - generateDiffCommentBody
+    env:
+      GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT_TOKEN }}
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: comment_body
+      - run: ./.github/scripts/create-values-diff.sh ${{ github.event.number }} "charts/${{ needs.getChangedChart.outputs.chart }}" --body comment_body.md
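Review bot: `postDiffComment` runs `./.github/scripts/create-values-diff.sh` but its steps never check out the repository, so after `actions/download-artifact@v4` the workspace holds only `comment_body.md` and the `run` step will not find the script (nor the `$chart/Chart.yaml` the script reads). Add `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4` as the job's first step without a `ref:`, which under `pull_request_target` checks out the base branch, so the job holding `ACTIONS_BOT_TOKEN` only ever executes trusted scripts while the PR-head checkout stays in the read-only `generateDiffCommentBody` job. The artifact is still PR-authored content that gets posted verbatim, so the script's `--body` path must treat it strictly as data, and for a chart that is new in the PR `charts/<name>/Chart.yaml` will not exist on the base branch either — worth confirming how the script should behave then. `actions/upload-artifact@v4` and `actions/download-artifact@v4` are tag-pinned while `actions/checkout` is SHA-pinned with a version comment; pinning them the same way keeps the file consistent.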