From 0c5d8e34ee3bfac6ca1b945ab967f4df610b0de3 Mon Sep 17 00:00:00 2001
From: Tim te Beek
Date: Mon, 8 Jul 2024 11:27:35 +0200
Subject: [PATCH 1/4] Bump GitHub Actions for Gradle and set `build-root-directory`
---
 .github/workflows/ci.yml | 5 +++--
 .github/workflows/receive-pr.yml | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8f0f3c7d..44202e00 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -32,9 +32,10 @@ jobs:
 with:
 fetch-depth: 0
 show-progress: false
- - uses: gradle/wrapper-validation-action@v1
+ - uses: gradle/actions/wrapper-validation@v3
 - name: build
- uses: gradle/gradle-build-action@v2
+ uses: gradle/actions/setup-gradle@v3
+ build-root-directory: rewrite-csharp
 with:
 arguments: ${{ env.GRADLE_SWITCHES }} build

diff --git a/.github/workflows/receive-pr.yml b/.github/workflows/receive-pr.yml
index bd494b15..68202c59 100644
--- a/.github/workflows/receive-pr.yml
+++ b/.github/workflows/receive-pr.yml
@@ -27,7 +27,7 @@ jobs:
 with:
 ref: ${{github.event.pull_request.head.ref}}
 repository: ${{github.event.pull_request.head.repo.full_name}}
- - uses: gradle/wrapper-validation-action@v2
+ - uses: gradle/actions/wrapper-validation@v3
 - uses: actions/setup-java@v4
 with:
 java-version: '21'
From d891010ae174ec46bcc8de0438f9d847ffeda637 Mon Sep 17 00:00:00 2001
From: Tim te Beek
Date: Mon, 8 Jul 2024 11:40:27 +0200
Subject: [PATCH 2/4] Set build-root-directory argument correctly twice
---
 .github/workflows/ci.yml | 2 +-
 .github/workflows/receive-pr.yml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 44202e00..3dbfe147 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
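Review bot: The new `uses:` references in the ci.yml hunk (`gradle/actions/wrapper-validation@v3` and `gradle/actions/setup-gradle@v3`) are pinned to a mutable major tag, so anyone able to move that tag decides what code runs in this job. The job also carries a `publish-snapshots` step (visible in the context of PATCH 2/4), so it presumably handles publishing credentials, which raises the stakes. Pin each third-party action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: gradle/actions/setup-gradle@<full-commit-sha> # v3`. The same applies to the `wrapper-validation@v3` line in the receive-pr.yml hunk of this patch. The step list starts and ends outside both hunks.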
@@ -35,9 +35,9 @@ jobs:
 - uses: gradle/actions/wrapper-validation@v3
 - name: build
 uses: gradle/actions/setup-gradle@v3
- build-root-directory: rewrite-csharp
 with:
 arguments: ${{ env.GRADLE_SWITCHES }} build
+ build-root-directory: rewrite-csharp

 - name: publish-snapshots
 if: github.event_name != 'pull_request'
diff --git a/.github/workflows/receive-pr.yml b/.github/workflows/receive-pr.yml
index 68202c59..b814e1e9 100644
--- a/.github/workflows/receive-pr.yml
+++ b/.github/workflows/receive-pr.yml
@@ -49,6 +49,7 @@ jobs:
 uses: gradle/actions/setup-gradle@v3
 with:
 arguments: ${{ env.GRADLE_SWITCHES }} licenseFormat rewriteRun -Drewrite.activeRecipe=org.openrewrite.recipes.OpenRewriteBestPractices
+ build-root-directory: rewrite-csharp

 # Capture the diff
 - name: Create patch
From ac25c4bc33ebd01907535d7e1ea50d5662c0f202 Mon Sep 17 00:00:00 2001
From: Tim te Beek
Date: Mon, 8 Jul 2024 11:47:43 +0200
Subject: [PATCH 3/4] Set working directory for receive-pr instead
---
 .github/workflows/receive-pr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/receive-pr.yml b/.github/workflows/receive-pr.yml
index b814e1e9..e079a18e 100644
--- a/.github/workflows/receive-pr.yml
+++ b/.github/workflows/receive-pr.yml
@@ -47,9 +47,9 @@ jobs:
 # Execute recipes
 - name: Apply OpenRewrite best practices
 uses: gradle/actions/setup-gradle@v3
+ working-directory: rewrite-csharp
 with:
 arguments: ${{ env.GRADLE_SWITCHES }} licenseFormat rewriteRun -Drewrite.activeRecipe=org.openrewrite.recipes.OpenRewriteBestPractices
- build-root-directory: rewrite-csharp

 # Capture the diff
 - name: Create patch
From 8b8a1093af872bc41cff46b3bff8c75e5e6a9a62 Mon Sep 17 00:00:00 2001
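Review bot: The `build` step in ci.yml still drives Gradle through the `arguments` input, and the newly placed `build-root-directory` only has meaning together with it; as far as I know both inputs are deprecated in the v3 line of `gradle/actions/setup-gradle`. Running Gradle in an ordinary `run:` step is the supported form. A version that does not depend on them keeps a bare `- uses: gradle/actions/setup-gradle@v3` and then runs the build in its own step with `run: ./gradlew $GRADLE_SWITCHES build` and `working-directory: rewrite-csharp` (assuming the wrapper lives in that directory). The same applies to the receive-pr.yml hunk of this patch; the step list continues outside both hunks.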
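Review bot: `working-directory: rewrite-csharp` is added to a step that is a `uses:` step, but `working-directory` only applies to `run:` steps, so the action will most likely still be invoked from the repository root (or the workflow will be rejected as invalid). Keep `setup-gradle` for setup only and move the invocation into a following step with `run: ./gradlew $GRADLE_SWITCHES licenseFormat rewriteRun -Drewrite.activeRecipe=org.openrewrite.recipes.OpenRewriteBestPractices` and `working-directory: rewrite-csharp`. This step executes the pull request's own build, and the full file shown in PATCH 4/4 declares no `permissions:` block, so the token scope falls back to the repository default; adding `permissions:` with `contents: read` at job level would make the "no secrets" intent of the header comment explicit. The step list continues outside the hunk.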
From: Tim te Beek
Date: Mon, 8 Jul 2024 11:54:36 +0200
Subject: [PATCH 4/4] Drop broken comment/receive workflows, as subdir prevents reuse for now
---
 .github/workflows/comment-pr.yml | 59 ------------------------------
 .github/workflows/receive-pr.yml | 61 --------------------------------
 2 files changed, 120 deletions(-)
 delete mode 100644 .github/workflows/comment-pr.yml
 delete mode 100644 .github/workflows/receive-pr.yml
diff --git a/.github/workflows/comment-pr.yml b/.github/workflows/comment-pr.yml
deleted file mode 100644
index 71d28c31..00000000
--- a/.github/workflows/comment-pr.yml
+++ /dev/null
@@ -1,59 +0,0 @@
-# Description: This workflow is triggered when the `receive-pr` workflow completes to post suggestions on the PR.
-# Since this pull request has write permissions on the target repo, we should **NOT** execute any untrusted code.
-# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
----
-name: comment-pr
-
-on:
- workflow_run:
- workflows: ["receive-pr"]
- types:
- - completed
-
-jobs:
- post-suggestions:
- # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-a-workflow-based-on-the-conclusion-of-another-workflow
- if: ${{ github.event.workflow_run.conclusion == 'success' }}
- runs-on: ubuntu-latest
- permissions:
- actions: read
- pull-requests: write
- env:
- # https://docs.github.com/en/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token
- ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- timeout-minutes: 10
- steps:
- - uses: actions/checkout@v4
- with:
- ref: ${{github.event.workflow_run.head_branch}}
- repository: ${{github.event.workflow_run.head_repository.full_name}}
-
- # Download the patch
- - uses: actions/download-artifact@v4
- with:
- name: patch
- github-token: ${{ secrets.GITHUB_TOKEN }}
- run-id: ${{ github.event.workflow_run.id }}
- - name: Apply patch
- run: |
- git apply git-diff.patch --allow-empty
- rm git-diff.patch
-
- # Download the PR number
- - uses: actions/download-artifact@v4
- with:
- name: pr_number
- github-token: ${{ secrets.GITHUB_TOKEN }}
- run-id: ${{ github.event.workflow_run.id }}
- - name: Read pr_number.txt
- run: |
- PR_NUMBER=$(cat pr_number.txt)
- echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV
- rm pr_number.txt
-
- # Post suggestions as a comment on the PR
- - uses: googleapis/code-suggester@v4
- with:
- command: review
- pull_number: ${{ env.PR_NUMBER }}
- git_dir: '.'
diff --git a/.github/workflows/receive-pr.yml b/.github/workflows/receive-pr.yml
deleted file mode 100644
index e079a18e..00000000
--- a/.github/workflows/receive-pr.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-# Description: This workflow runs OpenRewrite recipes against opened pull request and upload the patch.
-# Since this pull request receives untrusted code, we should **NOT** have any secrets in the environment.
-# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
----
-name: receive-pr
-
-on:
- pull_request:
- types: [opened, synchronize]
- branches:
- - main
-
-concurrency:
- group: '${{ github.workflow }} @ ${{ github.ref }}'
- cancel-in-progress: true
-
-env:
- GRADLE_OPTS: '-Dorg.gradle.jvmargs="-Xmx2048m -XX:+HeapDumpOnOutOfMemoryError"'
- GRADLE_SWITCHES: '--console=plain --info --stacktrace'
-
-jobs:
- upload-patch:
- runs-on: ubuntu-latest
- timeout-minutes: 10
- steps:
- - uses: actions/checkout@v4
- with:
- ref: ${{github.event.pull_request.head.ref}}
- repository: ${{github.event.pull_request.head.repo.full_name}}
- - uses: gradle/actions/wrapper-validation@v3
- - uses: actions/setup-java@v4
- with:
- java-version: '21'
- distribution: 'temurin'
-
- # Capture the PR number
- # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#using-data-from-the-triggering-workflow
- - name: Create pr_number.txt
- run: echo "${{ github.event.number }}" > pr_number.txt
- - uses: actions/upload-artifact@v4
- with:
- name: pr_number
- path: pr_number.txt
- - name: Remove pr_number.txt
- run: rm -f pr_number.txt
-
- # Execute recipes
- - name: Apply OpenRewrite best practices
- uses: gradle/actions/setup-gradle@v3
- working-directory: rewrite-csharp
- with:
- arguments: ${{ env.GRADLE_SWITCHES }} licenseFormat rewriteRun -Drewrite.activeRecipe=org.openrewrite.recipes.OpenRewriteBestPractices
-
- # Capture the diff
- - name: Create patch
- run: |
- git diff | tee git-diff.patch
- - uses: actions/upload-artifact@v4
- with:
- name: patch
- path: git-diff.patch