[Question] How does check-dist handle dependabot PRs? #96
Comments
|
Hmmm...I think you're correct. This comment doesn't make sense in the context of the script being run. There's nothing to indicate the PR author. That does raise the question of how Dependabot PRs should be handled in general. Currently, the I'm sure there's a cleaner way to handle this. My initial thought is to update this workflow to check if the PR did originate from Dependabot and, if so, rebuild the action code. I'll dig into this a bit and let you know how it goes! |
|
I was able to hack together an update that would make this work, however it does require additional configuration that I feel may be out of scope for this repo. I'll add it in here though so it can be found by anyone who might need it :) First, I would highly recommend not triggering this workflow on name: Check Transpiled JavaScript
on:
pull_request:
permissions:
contents: writeSecond, it is also important to check if the PR is originating from a fork. Otherwise, there are a bunch of potential security risks in letting a workflow run with write access to your repository contents. Though Dependabot doesn't work through fork PRs, it's a good idea to add as a safety check either way :) For example, you can set this as an environment variable using the following conditional statement. env:
# github.repository - This repository
# github.event.pull_request.head.repo.full_name - The fork repository
IS_FORK: ${{ github.repository != github.event.pull_request.head.repo.full_name }}Combining these and a couple extra steps in the shell script, you can optionally commit the rebuilt - name: Compare Directories
id: diff
env:
# Check if this is a PR event (in case this workflow is being triggered on other events)
IS_PR: ${{ github.event_name == 'pull_request' }}
# Check if this is a fork PR
IS_FORK: ${{ github.repository != github.event.pull_request.head.repo.full_name }}
run: |
echo "${{ github.event.pull_request.head.repo.full_name }}"
echo "${{ github.repository }}"
if [ "$(git diff --ignore-space-at-eol --text dist/ | wc -l)" -gt "0" ]; then
echo "Detected uncommitted changes! See status below:"
git diff --ignore-space-at-eol --text dist/
# Fail the workflow on fork PRs where dist/ does not match
if [ "$IS_FORK" == true]; then
echo "Fork PR...Failing workflow due to uncommitted changes."
exit 1
fi
# Fail the workflow run on non-PR events
if [ "$IS_PR" == false ]; then
echo "Non-PR Event...Failing workflow due to uncommitted changes."
exit 1
fi
# Fail the workflow run on non-Dependabot PRs
if [ "${{ github.actor }}" != "dependabot[bot]" ]; then
echo "Non-Dependabot PR...Failing workflow due to uncommitted changes."
exit 1
fi
# Commit and push dist/ on Dependabot PRs and pass the workflow run
if [ "${{ github.actor }}" == "dependabot[bot]" ]; then
echo "Dependabot Update...Committing changes to PR branch."
git config --global user.email "<>"
git config --global user.name "${{ github.actor }}"
git add dist/
git commit -m "Rebuild dist/ directory"
git push origin $GITHUB_HEAD_REF
exit 0
fi
# Catch-all
exit 1
fiThe above should work, however there is one big issue that will occur. Using the built-in If you did want to re-trigger CI, you would need to use a personal access token or GitHub App token so that the event does not originate from the workflow token. I hope this info helps! I know it was probably a long-winded non-answer to your question, but I hope the extra context helps. To answer directly, those comments are incorrect and I will remove them shortly ;) |
|
Heyo! I'm going to go ahead and close this issue out for now. If you have any questions please feel free to reopen! |
Hi there,
I'm struggling to understand how the check-dist workflow handles dependabot pull requests in a different way as the comment is mentioning =>
hello-world-javascript-action/.github/workflows/check-dist.yml
Line 46 in e3f181d
Could you explain where the dependabot magic is happening?
The text was updated successfully, but these errors were encountered: