-
Notifications
You must be signed in to change notification settings - Fork 186
226 lines (194 loc) · 7.66 KB
/
pull-request.yml
File metadata and controls
226 lines (194 loc) · 7.66 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
##############################################################################
##############################################################################
#
# NOTE!
#
# Please read the README.md file in this directory that defines what should
# be placed in this file
#
##############################################################################
##############################################################################
name: Checking workflow files
on:
pull_request:
branches:
- '**'
permissions:
contents: read
issues: write
pull-requests: write
jobs:
Code-Quality-Checks:
name: Performs linting, formatting, type-checking, checking for different source and target branch
runs-on: ubuntu-latest
strategy:
matrix:
node-version: ['24.x']
steps:
- name: Checkout the Repository
uses: actions/checkout@v4
with:
fetch-depth: 0 # Fetch all history for all branches and tags
- uses: pnpm/action-setup@v4
name: Install pnpm
with:
run_install: false
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: 'pnpm'
- name: Install dependencies
run: pnpm install
- name: Check formatting
if: steps.changed-files.outputs.only_changed != 'true'
run: pnpm run format:check
- name: Run formatting if check fails
if: failure()
run: pnpm run format:fix
- name: Type-checking
run: pnpm run typecheck
- name: checking linting
run: pnpm run lint:check
- name: check for unused files,exports and dependencies
run: pnpm run knip:check
- name: Check if the source and target branches are different
if: ${{ github.event.pull_request.base.ref == github.event.pull_request.head.ref }}
run: |
echo "Source Branch ${{ github.event.pull_request.head.ref }}"
echo "Target Branch ${{ github.event.pull_request.base.ref }}"
echo "Error: Source and Target Branches are the same. Please ensure they are different."
echo "Error: Close this PR and try again."
exit 1
Check-Sensitive-Files:
if: ${{ github.actor != 'dependabot[bot]' }}
name: Checks if sensitive files have been changed without authorization
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Fetch all history for all branches and tags
- name: Checkout centralized CI/CD scripts
uses: actions/checkout@v4
with:
repository: PalisadoesFoundation/.github
ref: main
path: .github-central
- name: Get PR labels
id: check-labels
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
if [ -z "${{ github.event.pull_request.number }}" ]; then
echo "skip=false" >> $GITHUB_OUTPUT
exit 0
fi
LABELS="$(gh api repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels --jq '.[].name' | tr '\n' ' ')"
if echo "$LABELS" | grep -qw "ignore-sensitive-files-pr"; then
echo "::notice::Skipping sensitive files check due to 'ignore-sensitive-files-pr' label."
echo "skip=true" >> $GITHUB_OUTPUT
else
echo "skip=false" >> $GITHUB_OUTPUT
fi
- name: Set up Python
if: steps.check-labels.outputs.skip != 'true'
uses: actions/setup-python@v5
with:
python-version: 3.11
- name: Check for sensitive file changes
if: steps.check-labels.outputs.skip != 'true'
run: |
# Skip if not in PR context
if [ -z "${{ github.event.pull_request.base.sha }}" ]; then
echo "any_changed=false" >> $GITHUB_OUTPUT
exit 0
fi
# Determine base and head commits for comparison
HEAD_SHA="${{ github.event.pull_request.head.sha || github.sha }}"
BASE_SHA=$(git merge-base "${{ github.event.pull_request.base.sha }}" "$HEAD_SHA")
# Get all changed files between base and head
DIFF_OUTPUT=$(git diff --name-only -z --diff-filter=ACMR "$BASE_SHA" "$HEAD_SHA") || exit 1
if [ -z "$DIFF_OUTPUT" ]; then
echo "No changed files detected."
exit 0
fi
mapfile -d '' ALL_CHANGED_FILES < <(printf '%s' "$DIFF_OUTPUT")
# Check for sensitive files using the python script
if [ ${#ALL_CHANGED_FILES[@]} -gt 0 ]; then
python3 .github-central/.github/workflows/scripts/sensitive_file_check.py --config .github/workflows/config/sensitive_files.txt --files "${ALL_CHANGED_FILES[@]}"
fi
Count-Changed-Files:
if: ${{ github.actor != 'dependabot[bot]' }}
name: Checks if number of files changed is acceptable
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get changed files
id: changed-files
run: |
FILES_COUNT=$(git diff --name-only --diff-filter=ACMRT ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }} | wc -l)
echo "all_changed_files_count=$FILES_COUNT" >> $GITHUB_OUTPUT
- name: Echo number of changed files
env:
CHANGED_FILES_COUNT: ${{ steps.changed-files.outputs.all_changed_files_count }}
run: |
echo "Number of files changed: $CHANGED_FILES_COUNT"
- name: Check if the number of changed files is less than 100
if: ${{ steps.changed-files.outputs.all_changed_files_count > 100 }}
env:
CHANGED_FILES_COUNT: ${{ steps.changed-files.outputs.all_changed_files_count }}
run: |
echo "Error: Too many files (greater than 100) changed in the pull request."
echo "Possible issues:"
echo "- Contributor may be merging into an incorrect branch."
echo "- Source branch may be incorrect please use develop as source branch."
exit 1
Test-Docusaurus-Deployment:
name: Test Deployment to https://docs.talawa.io
runs-on: ubuntu-latest
needs: [Code-Quality-Checks]
strategy:
matrix:
node-version: ['24.x']
# Run only if the develop branch and not dependabot
# if: ${{ github.actor != 'dependabot[bot]' && github.event.pull_request.base.ref == 'develop' }}
if: ${{ github.event.pull_request.base.ref == 'develop' }}
steps:
- name: Checkout the Repository
uses: actions/checkout@v4
with:
fetch-depth: 0 # Fetch all history for all branches and tags
- uses: pnpm/action-setup@v4
name: Install pnpm
with:
run_install: false
cache: pnpm
cache-dependency-path: |
pnpm-lock.yaml
package.json
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: 'pnpm'
# Run Docusaurus in the ./docs directory
- name: Install dependencies
working-directory: ./
run: pnpm install --frozen-lockfile
- name: Test building the website
working-directory: ./
run: pnpm build
Check-Target-Branch:
if: ${{ github.actor != 'dependabot[bot]' }}
name: Check Target Branch
runs-on: ubuntu-latest
steps:
- name: Check if the target branch is develop
if: github.event.pull_request.base.ref != 'develop'
run: |
echo "Error: Pull request target branch must be 'develop'. Please refer PR_GUIDELINES.md"
exit 1