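# 🐸 Bumpy CI check
# checks for missing bump files and posts/updates a PR comment with the release plan
# ⚠️ NOTE - DO NOT COPY THIS FILE
# instead look at the recommended workflow in the docs
# ➡️ https://bumpy.varlock.dev/blob/main/docs/github-actions.md ⬅️
#
# This repo splits the check into two mutually-exclusive jobs so it can dogfood its
# OWN unreleased CLI on internal PRs while staying safe for fork PRs. A normal project
# only needs the single `bunx @varlock/bumpy@latest ci check` job (the fork-safe one).
#
# Supply-chain note: every third-party action here (`actions/checkout`, `oven-sh/setup-bun`)
# and the CLI itself (`@latest`) are referenced by MUTABLE tags. Because this workflow runs
# on `pull_request_target` with a token that can write PR comments, a compromised tag
# would run with that token. Prefer pinning actions to a full commit SHA
# (`uses: owner/repo@<full-sha> # vN`) and the CLI to an exact version.
name: Bumpy Check
on: pull_request_target # < necessary so it can post comments on fork PRs
permissions:
  pull-requests: write
  contents: read
jobs:
  # Fork PRs (untrusted): run the PUBLISHED bumpy and never execute the PR's code.
  # pull_request_target carries a write token + secrets, so building/running fork
  # code here would be a privilege-escalation hole. `ci check` reads json/yaml only.
  check-published:
    if: github.event.pull_request.head.repo.full_name != github.repository
    runs-on: ubuntu-latest
    steps:
      # Install bun BEFORE the untrusted checkout so the PR cannot influence which
      # bun is installed (setup-bun may read a version from files in the workspace).
      - uses: oven-sh/setup-bun@v2
      # Check out the PR head so bumpy can read the PR's bump files, config, and package.json.
      # We never execute this code!
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          # Defense in depth: do not leave the workflow token in .git/config of a
          # checkout whose contents are attacker-controlled.
          persist-credentials: false
      # Bun reads configuration from the working directory (bunfig.toml, and .npmrc).
      # A fork PR could use those to redirect the @varlock scope to another registry,
      # or to `preload` a script into the bun runtime that executes the CLI — turning
      # a "read-only" check into code execution with the privileged token. Drop them
      # before any bun command runs in this tree. (Blocklist; confirm against bun's
      # current config lookup if bun adds new config files.)
      - run: rm -f bunfig.toml .npmrc
      - run: bunx @varlock/bumpy@latest ci check
        env:
          GH_TOKEN: ${{ github.token }}
  # Internal (non-fork) PRs: build and run THIS repo's local bumpy so we dogfood the
  # unreleased CLI (e.g. channel-aware comments before they're published to @latest).
  # ⚠️ DO NOT COPY — only safe because the PR head lives in this same repo, so no
  # untrusted code runs with the privileged token. Forks fall through to check-published.
  check-local:
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0 # need history to diff bump files against the PR base branch
      - uses: oven-sh/setup-bun@v2
      - run: bun install
      # Build first since we run the local built version of bumpy instead of the published one
      - run: bun run --filter @varlock/bumpy build
      # run bun install again to make the now-built CLI available
      - run: bun install
      - run: bunx @varlock/bumpy ci check
        env:
          GH_TOKEN: ${{ github.token }}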