Cookiecutter update #157
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Workflow Changes Warnings | |
| on: | |
| # Note: potential security risk from this action using pull_request_target. | |
| # Do not add actions in here which need a checkout of the repo, and do not use any caching in here. | |
| # See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target | |
| pull_request_target: | |
| types: | |
| - opened | |
| - reopened | |
| - synchronize | |
| paths: | |
| - .github/workflows/*.yml | |
| permissions: | |
| contents: read | |
| jobs: | |
| comment-concerning-workflow-changes: | |
| name: Comment Concerning Workflow Changes | |
| runs-on: ubuntu-latest | |
| if: | | |
| (github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name) | |
| permissions: | |
| pull-requests: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| - name: Manage Warning / Note Comments | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| APPROVED: ${{ contains(github.event.pull_request.labels.*.name, 'approved') }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| REPO: ${{ github.repository }} | |
| run: | | |
| WARNING_TEXT="This Pull Request modifies GitHub workflows and is coming from a fork." | |
| NOTE_TEXT="Workflow changes in this Pull Request have been approved!" | |
| # Fetch existing comments | |
| COMMENTS=$(gh api repos/$REPO/issues/$PR_NUMBER/comments) | |
| # Find warning comment ID | |
| WARNING_COMMENT_ID=$(echo "$COMMENTS" | jq -r \ | |
| '.[] | select(.user.login=="github-actions[bot]") | select(.body | contains("'"$WARNING_TEXT"'")) | .id' | head -n 1) | |
| # Find note comment ID | |
| NOTE_COMMENT_ID=$(echo "$COMMENTS" | jq -r \ | |
| '.[] | select(.user.login=="github-actions[bot]") | select(.body | contains("'"$NOTE_TEXT"'")) | .id' | head -n 1) | |
| if [ "$APPROVED" = "true" ]; then | |
| BODY="> [!NOTE] | |
| > Workflow changes in this Pull Request have been approved!" | |
| if [ -n "$NOTE_COMMENT_ID" ] && [ "$NOTE_COMMENT_ID" != "null" ]; then | |
| # Append to existing note comment | |
| EXISTING=$(gh api repos/$REPO/issues/comments/$NOTE_COMMENT_ID --jq .body) | |
| gh api \ | |
| --method PATCH \ | |
| repos/$REPO/issues/comments/$NOTE_COMMENT_ID \ | |
| -f body="$EXISTING | |
| $BODY" | |
| else | |
| # Create new note comment | |
| gh pr comment "$PR_NUMBER" --body "$BODY" | |
| fi | |
| # Add reaction (hooray) | |
| if [ -n "$NOTE_COMMENT_ID" ] && [ "$NOTE_COMMENT_ID" != "null" ]; then | |
| gh api \ | |
| --method POST \ | |
| repos/$REPO/issues/comments/$NOTE_COMMENT_ID/reactions \ | |
| -f content='hooray' \ | |
| -H "Accept: application/vnd.github+json" | |
| fi | |
| else | |
| BODY="> [!WARNING] | |
| > This Pull Request modifies GitHub Workflows and is coming from a fork. | |
| **It is very important for the reviewer to ensure that the workflow changes are appropriate.**" | |
| if [ -z "$WARNING_COMMENT_ID" ] || [ "$WARNING_COMMENT_ID" = "null" ]; then | |
| gh pr comment "$PR_NUMBER" --body "$BODY" | |
| fi | |
| fi |