derberg · pull · Apr 4, 2023 · Apr 13, 2023 · Apr 13, 2023 · Jun 26, 2023
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Add label
-        uses: actions/github-script@v5
+        uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GH_TOKEN }}
           script: |

@@ -26,7 +26,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Add ready-to-merge label
-        uses: actions/github-script@v5
+        uses: actions/github-script@v7
+        env:
+          GITHUB_ACTOR: ${{ github.actor }}
         with:
           github-token: ${{ secrets.GH_TOKEN }}
           script: |
@@ -56,10 +58,12 @@ jobs:
                 issue_number: context.issue.number,
                 owner: context.repo.owner,
                 repo: context.repo.repo,
-                body: `Hello, @${{ github.actor }}! 👋🏼
+                body: `Hello, @${process.env.GITHUB_ACTOR}! 👋🏼
                        This PR is not up to date with the base branch and can't be merged.
                        Please update your branch manually with the latest version of the base branch.
-                       PRO-TIP: Add a comment to your PR with the text: \`/au\` or \`/autoupdate\` and our bot will take care of updating the branch in the future. The only requirement for this to work is to enable [Allow edits from maintainers](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork) option in your PR.
+                       PRO-TIP: To request an update from the upstream branch, simply comment \`/u\` or \`/update\` and our bot will handle the update operation promptly.
+
+                       The only requirement for this to work is to enable [Allow edits from maintainers](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/allowing-changes-to-a-pull-request-branch-created-from-a-fork) option in your PR. Also the update will not work if your fork is located in an organization, not under your personal profile.
                        Thanks 😄`
               })
             }
@@ -76,7 +80,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Add do-not-merge label
-        uses: actions/github-script@v5
+        uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GH_TOKEN }}
           script: |
@@ -98,7 +102,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Add autoupdate label
-        uses: actions/github-script@v5
+        uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GH_TOKEN }}
           script: |

@@ -18,38 +18,83 @@ on:
 
 jobs:
   automerge-for-humans:
-    if: github.event.pull_request.draft == false && (github.event.pull_request.user.login != 'asyncapi-bot' || github.event.pull_request.user.login != 'dependabot[bot]' || github.event.pull_request.user.login != 'dependabot-preview[bot]') #it runs only if PR actor is not a bot, at least not a bot that we know
+    # it runs only if PR actor is not a bot, at least not a bot that we know
+    if: |
+      github.event.pull_request.draft == false && 
+      (github.event.pull_request.user.login != 'asyncapi-bot' || 
+      github.event.pull_request.user.login != 'dependabot[bot]' || 
+      github.event.pull_request.user.login != 'dependabot-preview[bot]') 
     runs-on: ubuntu-latest
     steps:
-      - name: Get list of authors
-        uses: sergeysova/jq-action@v2
+      - name: Get PR authors
         id: authors
+        uses: actions/github-script@v7
         with:
-          # This cmd does following (line by line):
-          # 1. CURL querying the list of commits of the current PR via GH API. Why? Because the current event payload does not carry info about the commits.
-          # 2. Iterates over the previous returned payload, and creates an array with the filtered results (see below) so we can work wit it later. An example of payload can be found in https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#webhook-payload-example-34.
-          # 3. Grabs the data we need for adding the `Co-authored-by: ...` lines later and puts it into objects to be used later on.
-          # 4. Filters the results by excluding the current PR sender. We don't need to add it as co-author since is the PR creator and it will become by default the main author.
-          # 5. Removes repeated authors (authors can have more than one commit in the PR).
-          # 6. Builds the `Co-authored-by: ...` lines with actual info.
-          # 7. Transforms the array into plain text. Thanks to this, the actual stdout of this step can be used by the next Workflow step (wich is basically the automerge).
-          cmd: | 
-            curl -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GH_TOKEN }}" "${{github.event.pull_request._links.commits.href}}?per_page=100" | 
-              jq -r '[.[] 
-                | {name: .commit.author.name, email: .commit.author.email, login: .author.login}] 
-                | map(select(.login != "${{github.event.pull_request.user.login}}")) 
-                | unique 
-                | map("Co-authored-by: " + .name + " <" + .email + ">") 
-                | join("\n")'
-          multiline: true
+          script: |
+            // Get paginated list of all commits in the PR
+            try {
+              const commitOpts = github.rest.pulls.listCommits.endpoint.merge({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: context.issue.number
+              });
+
+              const commits = await github.paginate(commitOpts);
+
+              if (commits.length === 0) {
+                core.setFailed('No commits found in the PR');
+                return '';
+              }
+
+              // Get unique authors from the commits list
+              const authors = commits.reduce((acc, commit) => {
+                const username = commit.author?.login || commit.commit.author?.name;
+                if (username && !acc[username]) {
+                  acc[username] = {
+                    name: commit.commit.author?.name,
+                    email: commit.commit.author?.email,
+                  }
+                }
+
+                return acc;
+              }, {});
+
+              return authors;
+            } catch (error) {
+              core.setFailed(error.message);
+              return [];
+            }
+
+      - name: Create commit message
+        id: create-commit-message
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const authors = ${{ steps.authors.outputs.result }};
+
+            if (Object.keys(authors).length === 0) {
+              core.setFailed('No authors found in the PR');
+              return '';
+            }
+
+            // Create a string of the form "Co-authored-by: Name <email>"
+            // ref: https://docs.github.com/en/pull-requests/committing-changes-to-your-project/creating-and-editing-commits/creating-a-commit-with-multiple-authors
+            const coAuthors = Object.values(authors).map(author => {
+              return `Co-authored-by: ${author.name} <${author.email}>`;
+            }).join('\n');
+
+            core.debug(coAuthors);;
+
+            return coAuthors;
+
       - name: Automerge PR
-        uses: pascalgn/automerge-action@v0.14.3
+        uses: pascalgn/automerge-action@22948e0bc22f0aa673800da838595a3e7347e584 #v0.15.6 https://github.com/pascalgn/automerge-action/releases/tag/v0.15.6
         env:
           GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}"
           MERGE_LABELS: "!do-not-merge,ready-to-merge"
           MERGE_METHOD: "squash"
           # Using the output of the previous step (`Co-authored-by: ...` lines) as commit description.
           # Important to keep 2 empty lines as https://docs.github.com/en/pull-requests/committing-changes-to-your-project/creating-and-editing-commits/creating-a-commit-with-multiple-authors#creating-co-authored-commits-on-the-command-line mentions
-          MERGE_COMMIT_MESSAGE: "{pullRequest.title} (#{pullRequest.number})\n\n\n${{ steps.authors.outputs.value }}" 
+          MERGE_COMMIT_MESSAGE: "{pullRequest.title} (#{pullRequest.number})\n\n\n${{ fromJSON(steps.create-commit-message.outputs.result) }}"
           MERGE_RETRIES: "20"
           MERGE_RETRY_SLEEP: "30000"
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Remove label
-        uses: actions/github-script@v5
+        uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GH_TOKEN }}
           script: |

@@ -13,8 +13,10 @@ jobs:
     name: Find orphans and notify
     runs-on: ubuntu-latest
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
       - name: Get list of orphans
-        uses: actions/github-script@v3
+        uses: actions/github-script@v7
         id: orphans
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -50,13 +52,14 @@ jobs:
             }
       - if: steps.orphans.outputs.found == 'true'
         name: Convert markdown to slack markdown
-        uses: LoveToKnow/slackify-markdown-action@v1.0.0
+        # This workflow is from our own org repo and safe to reference by 'master'.
+        uses: asyncapi/.github/.github/actions/slackify-markdown@master # //NOSONAR
         id: issuemarkdown
         with:
-          text: "-> [${{steps.orphans.outputs.title}}](${{steps.orphans.outputs.url}})"
+          markdown: "-> [${{steps.orphans.outputs.title}}](${{steps.orphans.outputs.url}})"
       - if: steps.orphans.outputs.found == 'true'
         name: Send info about orphan to slack
-        uses: rtCamp/action-slack-notify@v2
+        uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 # Using v2.3.2
         env:
           SLACK_WEBHOOK: ${{secrets.SLACK_CI_FAIL_NOTIFY}}
           SLACK_TITLE: 🚨 Not merged PR that should be automerged 🚨

@@ -1,7 +1,7 @@
 # This action is centrally managed in https://github.com/asyncapi/.github/
 # Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in above mentioned repo.
 
-name: Automerge release bump PR
+name: Automerge PRs from bots
 
 on:
   pull_request_target:
@@ -19,12 +19,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Autoapproving
-        uses: hmarr/auto-approve-action@v2
+        uses: hmarr/auto-approve-action@44888193675f29a83e04faf4002fa8c0b537b1e4   # v3.2.1 is used https://github.com/hmarr/auto-approve-action/releases/tag/v3.2.1
         with:
           github-token: "${{ secrets.GH_TOKEN_BOT_EVE }}"
 
       - name: Label autoapproved
-        uses: actions/github-script@v5
+        uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GH_TOKEN }}
           script: |
@@ -41,11 +41,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Automerging
-        uses: pascalgn/automerge-action@v0.13.0
+        uses: pascalgn/automerge-action@22948e0bc22f0aa673800da838595a3e7347e584 #v0.15.6 https://github.com/pascalgn/automerge-action/releases/tag/v0.15.6
         env:
           GITHUB_TOKEN: "${{ secrets.GH_TOKEN }}"
           GITHUB_LOGIN: asyncapi-bot
-          MERGE_LABELS: ""
+          MERGE_LABELS: "!do-not-merge"
           MERGE_METHOD: "squash"
           MERGE_COMMIT_MESSAGE: "{pullRequest.title} (#{pullRequest.number})"
           MERGE_RETRIES: "20"

@@ -1,34 +1,34 @@
-# This action is centrally managed in https://github.com/asyncapi/.github/
-# Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in above mentioned repo
-
-# This workflow is designed to work with:
-# - autoapprove and automerge workflows for dependabot and asyncapibot.
-# - special release branches that we from time to time create in upstream repos. If we open up PRs for them from the very beginning of the release, the release branch will constantly update with new things from the destination branch they are opened against
-
-# It uses GitHub Action that auto-updates pull requests branches, whenever changes are pushed to their destination branch.
-# Autoupdating to latest destination branch works only in the context of upstream repo and not forks
-
-name: autoupdate
-
-on:
-  push:
-    branches-ignore:  
-      - 'version-bump/**'
-      - 'dependabot/**'
-      - 'bot/**'
-      - 'all-contributors/**'
-
-jobs:
-  autoupdate-for-bot:
-    if: startsWith(github.repository, 'asyncapi/')
-    name: Autoupdate autoapproved PR created in the upstream
-    runs-on: ubuntu-latest
-    steps:
-      - name: Autoupdating
-        uses: docker://chinthakagodawita/autoupdate-action:v1
-        env:
-          GITHUB_TOKEN: '${{ secrets.GH_TOKEN_BOT_EVE }}'
-          PR_FILTER: "labelled"
-          PR_LABELS: "autoupdate"
-          PR_READY_STATE: "ready_for_review"
-          MERGE_CONFLICT_ACTION: "ignore"
+# This action is centrally managed in https://github.com/asyncapi/.github/
+# Don't make changes to this file in this repo as they will be overwritten with changes made to the same file in above mentioned repo
+
+# This workflow is designed to work with:
+# - autoapprove and automerge workflows for dependabot and asyncapibot.
+# - special release branches that we from time to time create in upstream repos. If we open up PRs for them from the very beginning of the release, the release branch will constantly update with new things from the destination branch they are opened against
+
+# It uses GitHub Action that auto-updates pull requests branches, whenever changes are pushed to their destination branch.
+# Autoupdating to latest destination branch works only in the context of upstream repo and not forks
+
+name: autoupdate
+
+on:
+  push:
+    branches-ignore:  
+      - 'version-bump/**'
+      - 'dependabot/**'
+      - 'bot/**'
+      - 'all-contributors/**'
+
+jobs:
+  autoupdate-for-bot:
+    if: startsWith(github.repository, 'asyncapi/')
+    name: Autoupdate autoapproved PR created in the upstream
+    runs-on: ubuntu-latest
+    steps:
+      - name: Autoupdating
+        uses: docker://chinthakagodawita/autoupdate-action:v1
+        env:
+          GITHUB_TOKEN: '${{ secrets.GH_TOKEN_BOT_EVE }}'
+          PR_FILTER: "labelled"
+          PR_LABELS: "autoupdate"
+          PR_READY_STATE: "ready_for_review"
+          MERGE_CONFLICT_ACTION: "ignore"