More secure

Author: trask

.github/workflows/auto-spotless-part-1.yml

@@ -0,0 +1,56 @@
+name: Auto spotless, part 1
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Free disk space
+        run: .github/scripts/gha-free-disk-space.sh
+
+      - name: Set up JDK for running Gradle
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+        with:
+          distribution: temurin
+          java-version-file: .java-version
+
+      - name: Set up gradle
+        uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1
+        with:
+          cache-read-only: true
+
+      - name: Check out PR branch
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh pr checkout ${{ github.event.pull_request.number }}
+
+      - name: Spotless
+        run: ./gradlew spotlessApply
+
+      - id: create-patch-file
+        name: Create patch file
+        run: |
+          git diff > patch
+          if [ -s patch ]; then
+            echo "non-empty=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Upload patch file
+        if: steps.create-patch-file.outputs.non-empty == 'true'
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          path: patch
+          name: patch-${{ github.event.pull_request.number }}

.github/workflows/auto-spotless-part-2.yml

@@ -0,0 +1,106 @@
+name: Auto spotless, part 2
+on:
+  workflow_run:
+    workflows:
+      - "Auto spotless, part 1"
+    types:
+      - completed
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  apply:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - id: download-patch
+        name: Download patch
+        uses: actions/github-script@v7.0.1
+        with:
+          # this script copied from
+          # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#using-data-from-the-triggering-workflow
+          script: |
+            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id
+            });
+            let patchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+              return artifact.name.startsWith("patch-")
+            })[0];
+            if (!patchArtifact) {
+              core.info('No patch to apply.');
+              return;
+            }
+            let download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: patchArtifact.id,
+               archive_format: 'zip'
+            });
+            const fs = require('fs');
+            const path = require('path');
+            const temp = '${{ runner.temp }}/artifacts';
+            if (!fs.existsSync(temp)){
+              fs.mkdirSync(temp);
+            }
+            fs.writeFileSync(path.join(temp, 'patch.zip'), Buffer.from(download.data));
+            core.setOutput("exists", "true");
+            core.setOutput("pr-number", patchArtifact.name.substring("patch-".length));
+
+      - name: Unzip patch
+        if: steps.download-patch.outputs.exists == 'true'
+        working-directory: ${{ runner.temp }}/artifacts
+        run: unzip patch.zip
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        if: steps.download-patch.outputs.exists == 'true'
+
+      - name: Check out PR branch
+        if: steps.download-patch.outputs.exists == 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: gh pr checkout ${{ steps.download-patch.outputs.pr-number }}
+
+      - name: Use CLA approved github bot
+        if: steps.download-patch.outputs.exists == 'true'
+        # IMPORTANT do not call the .github/scripts/use-cla-approved-bot.sh
+        # since that script could have been compromised in the PR branch
+        run: |
+          git config user.name otelbot
+          git config user.email 197425009+otelbot@users.noreply.github.com
+
+      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        if: steps.download-patch.outputs.exists == 'true'
+        id: otelbot-token
+        with:
+          app-id: ${{ vars.OTELBOT_APP_ID }}
+          private-key: ${{ secrets.OTELBOT_PRIVATE_KEY }}
+
+      - name: Apply patch and push
+        if: steps.download-patch.outputs.exists == 'true'
+        env:
+          GH_TOKEN: ${{ steps.otelbot-token.outputs.token }}
+        run: |
+          git apply "${{ runner.temp }}/artifacts/patch"
+          git commit -a -m "./gradlew spotlessApply"
+          git push
+
+      - if: steps.download-patch.outputs.exists == 'true' && success()
+        env:
+          GH_TOKEN: ${{ steps.otelbot-token.outputs.token }}
+        run: |
+          gh pr comment ${{ steps.download-patch.outputs.pr-number }} --body "🔧 The result from \`./gradlew spotlessApply\` was committed to the PR branch."
+
+      - if: steps.download-patch.outputs.exists == 'true' && failure()
+        env:
+          GH_TOKEN: ${{ steps.otelbot-token.outputs.token }}
+        run: |
+          gh pr comment ${{ steps.download-patch.outputs.pr-number }} --body "❌ The result from \`./gradlew spotlessApply\` could not be committed to the PR branch, see logs: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID."