Comments (3)
Heyo! I'm going to go ahead and close this issue out for now. If you have any questions please feel free to reopen!
from hello-world-javascript-action.
Hmmm...I think you're correct. This comment doesn't make sense in the context of the script being run. There's nothing to indicate the PR author.
That does raise the question of how Dependabot PRs should be handled in general. Currently, the `check-dist` workflow will fail if a Dependabot update results in the transpiled JavaScript needing to be rebuilt. Doing some digging around other repos in this org, it seems that many of them either have the same workflow or call a reusable workflow that does the same thing. In either case, it looks like Dependabot PRs are still not really being handled, so developers would need to check out the Dependabot PR branch, run `npm run all` or `npm run bundle`, commit and push the rebuilt `dist/` directory.
I'm sure there's a cleaner way to handle this. My initial thought is to update this workflow to check if the PR did originate from Dependabot and, if so, rebuild the action code. I'll dig into this a bit and let you know how it goes!
I was able to hack together an update that would make this work, however it does require additional configuration that I feel may be out of scope for this repo. I'll add it in here though so it can be found by anyone who might need it :)
First, I would highly recommend not triggering this workflow on `push` events to `main`, as that could result in writing directly to your default branch. Similarly, the `check-dist` workflow will need additional permissions to be able to write to the repository.
```yaml
name: Check Transpiled JavaScript

on:
  pull_request:

permissions:
  contents: write
```
Second, it is also important to check if the PR is originating from a fork. Otherwise, there are a bunch of potential security risks in letting a workflow run with write access to your repository contents. Though Dependabot doesn't work through fork PRs, it's a good idea to add as a safety check either way :) For example, you can set this as an environment variable using the following conditional statement.
```yaml
env:
  # github.repository - This repository
  # github.event.pull_request.head.repo.full_name - The fork repository
  IS_FORK: ${{ github.repository != github.event.pull_request.head.repo.full_name }}
```
Combining these and a couple extra steps in the shell script, you can optionally commit the rebuilt `dist/` directory on Dependabot PRs:
```yaml
- name: Compare Directories
  id: diff
  env:
    # Check if this is a PR event (in case this workflow is being triggered on other events)
    IS_PR: ${{ github.event_name == 'pull_request' }}
    # Check if this is a fork PR
    IS_FORK: ${{ github.repository != github.event.pull_request.head.repo.full_name }}
  run: |
    echo "${{ github.event.pull_request.head.repo.full_name }}"
    echo "${{ github.repository }}"
    if [ "$(git diff --ignore-space-at-eol --text dist/ | wc -l)" -gt "0" ]; then
      echo "Detected uncommitted changes! See status below:"
      git diff --ignore-space-at-eol --text dist/
      # Fail the workflow on fork PRs where dist/ does not match
      if [ "$IS_FORK" == true ]; then
        echo "Fork PR...Failing workflow due to uncommitted changes."
        exit 1
      fi
      # Fail the workflow run on non-PR events
      if [ "$IS_PR" == false ]; then
        echo "Non-PR Event...Failing workflow due to uncommitted changes."
        exit 1
      fi
      # Fail the workflow run on non-Dependabot PRs
      if [ "${{ github.actor }}" != "dependabot[bot]" ]; then
        echo "Non-Dependabot PR...Failing workflow due to uncommitted changes."
        exit 1
      fi
      # Commit and push dist/ on Dependabot PRs and pass the workflow run
      if [ "${{ github.actor }}" == "dependabot[bot]" ]; then
        echo "Dependabot Update...Committing changes to PR branch."
        git config --global user.email "<>"
        git config --global user.name "${{ github.actor }}"
        git add dist/
        git commit -m "Rebuild dist/ directory"
        git push origin "$GITHUB_HEAD_REF"
        exit 0
      fi
      # Catch-all
      exit 1
    fi
```
The above should work, however there is one big issue that will occur. Using the built-in `GITHUB_TOKEN` created for this workflow run will not trigger any additional events. For example, this repo's CI workflow runs on any updates to a PR branch. However, when this step runs and updates Dependabot's branch, the CI workflow will not be triggered. This is by design to prevent recursive workflow calls.

If you did want to re-trigger CI, you would need to use a personal access token or GitHub App token so that the event does not originate from the workflow token.

I hope this info helps! I know it was probably a long-winded non-answer to your question, but I hope the extra context helps. To answer directly, those comments are incorrect and I will remove them shortly ;)
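The decision logic in the comment above is buried inside an inline `run:` script, which makes it hard to exercise outside a runner. The function below is an added example (not code from the issue thread or from the hello-world-javascript-action project) that factors that same logic out into a POSIX sh function taking the five context values the step relies on, so the fork / event / actor gating can be checked locally before the workflow is trusted with `contents: write`. The function name `decide_dist_action`, the argument order and the result words are assumptions made here; the repository names in the demo are constructed.

```shell
#!/bin/sh
# Added example: the "Compare Directories" gating logic as a testable function.
# Arguments mirror the values the workflow reads from the event context:
#   $1  repository        (github.repository)
#   $2  head repository   (github.event.pull_request.head.repo.full_name)
#   $3  event name        (github.event_name)
#   $4  actor             (github.actor)
#   $5  dist_changed      "true" if `git diff dist/` is non-empty, else "false"
#
# Prints exactly one of:
#   pass                 dist/ already matches the sources, nothing to do
#   commit               safe to rebuild, commit and push dist/ on this PR branch
#   fail-fork            head branch lives in another repository: never push
#   fail-non-pr          not a pull_request event: never push to a branch
#   fail-non-dependabot  a human-authored PR with a stale dist/: fail and let them rebuild
decide_dist_action() {
  repo="$1"; head_repo="$2"; event="$3"; actor="$4"; dist_changed="$5"

  if [ "$dist_changed" != "true" ]; then
    echo "pass"
    return 0
  fi

  # Same checks in the same order as the inline script. The fork check runs
  # first so that a PR from another repository never reaches the push branch.
  # On non-PR events the head repository context is empty, so this check also
  # fires there before the event-name check is reached.
  if [ "$repo" != "$head_repo" ]; then
    echo "fail-fork"
    return 0
  fi
  if [ "$event" != "pull_request" ]; then
    echo "fail-non-pr"
    return 0
  fi
  if [ "$actor" != "dependabot[bot]" ]; then
    echo "fail-non-dependabot"
    return 0
  fi
  echo "commit"
  return 0
}

# Maps a decision word to the exit status the workflow step should use:
# 0 for pass/commit, 1 for any fail-* outcome.
dist_action_exit_status() {
  case "$1" in
    pass|commit) return 0 ;;
    *) return 1 ;;
  esac
}

# Local demo with constructed values: run as
#   sh check-dist-decision.sh octo/action octo/action pull_request 'dependabot[bot]' true
if [ "$#" -eq 5 ]; then
  decision="$(decide_dist_action "$@")"
  echo "$decision"
  dist_action_exit_status "$decision"
  exit $?
fi
```

Pulling the gating into a function also makes the ordering visible: a stale `dist/` on a fork PR is reported as `fail-fork` even when the actor is `dependabot[bot]`, which is the behaviour the inline script has and the one you want before granting the job write access.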