fix(git-id-switcher): replace broken Snyk badge with static shield #153
# nullvariant-mimi[bot] - The keen listener
# "バリデーターを通してくださいね" ("Please run it through the validator")
#
# Two entry points:
#   * pull_request_target -> validation-review: reads the PR's check runs over the
#     REST API and posts/updates one sticky status comment. This event runs with
#     base-repository secrets even for fork PRs, so that job never checks out
#     PR code.
#   * workflow_dispatch   -> mimi-commit: writes docs/MIMI.md from the dispatch
#     input and opens a PR with a signed commit using the GitHub App token.
name: 🐰 Mimi Bot

# Default GITHUB_TOKEN gets no scopes at the workflow level; each job grants
# only what it needs.
permissions: {}

on:
  pull_request_target:
    types:
      - opened
      - synchronize
  workflow_dispatch:
    inputs:
      message:
        description: "What did Mimi hear? (optional)"
        required: false
        default: "I heard something..."
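jobs:
  # ---------------------------------------------------------------------------
  # pull_request_target: runs in the BASE repo context with access to secrets,
  # including for PRs from forks. Everything PR-derived (number, head SHA) is
  # passed via `env:` and only ever used as an API path segment; no checkout.
  # ---------------------------------------------------------------------------
  validation-review:
    name: 🐰 Validation Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request_target'
    env:
      GH_REPO: ${{ github.repository }}
    # Scopes of the default GITHUB_TOKEN only. The App token minted below is
    # NOT limited by this block; its scope is whatever the App installation
    # grants, so keep that installation minimal.
    permissions:
      contents: read
      pull-requests: write
      checks: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
        with:
          # NOTE(review): `audit` only logs egress. This job holds the App
          # private key while handling fork PRs; consider `egress-policy: block`
          # with `allowed-endpoints: api.github.com:443` once the audit log
          # confirms that is the only destination.
          egress-policy: audit

      - name: 🔑 Get App Token
        id: app-token
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
        with:
          app_id: ${{ secrets.MIMI_BOT_APP_ID }}
          private_key: ${{ secrets.MIMI_BOT_PRIVATE_KEY }}

      # SECURITY: No code checkout. All reads via GitHub API.
      # Writes to $GITHUB_OUTPUT: should_comment (always true), has_issues.
      - name: 🐰 Check CI status
        id: analyze
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          set -euo pipefail
          : > /tmp/mimi-findings.md
          FOUND_ISSUES=false

          # === Check CI check runs for the HEAD commit ===
          # --paginate: the endpoint returns 30 check runs per page by default;
          # without it a failure on a later page would be reported as a pass.
          # An API error (bad token, rate limit) is surfaced as a warning
          # instead of being silently read as "no checks yet".
          if ! CHECK_RUNS=$(gh api --paginate "repos/${GITHUB_REPOSITORY}/commits/${HEAD_SHA}/check-runs" \
              --jq '.check_runs[] | {name: .name, status: .status, conclusion: .conclusion}'); then
            echo "::warning::Could not list check runs for ${HEAD_SHA}; reporting as not started."
            CHECK_RUNS=""
          fi
          if [ -z "$CHECK_RUNS" ]; then
            printf '⏳ CI checks have not started yet. I will wait patiently!\n' >> /tmp/mimi-findings.md
            echo "should_comment=true" >> "$GITHUB_OUTPUT"
            echo "has_issues=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          # Find failed checks. A check that timed out or never started is
          # "completed" with a conclusion other than "failure"; count those as
          # failures too, otherwise a timed-out job reads as a pass.
          FAILED=$(echo "$CHECK_RUNS" | jq -s '[.[] | select(.conclusion == "failure" or .conclusion == "timed_out" or .conclusion == "startup_failure")] | length' 2>/dev/null || echo "0")
          # Check names are job names, which may be defined in PR-side workflow
          # files (author-controlled); strip backticks and newlines so a name
          # cannot break out of the inline code span in the comment.
          FAILED_NAMES=$(echo "$CHECK_RUNS" | jq -rs '[.[] | select(.conclusion == "failure" or .conclusion == "timed_out" or .conclusion == "startup_failure") | .name | gsub("[`\n]"; " ")] | join("`, `")' 2>/dev/null || true)
          if [ "$FAILED" -gt 0 ]; then
            {
              printf '🔴 **VALIDATION FAILED**: %s check(s) did not pass.\n\n' "$FAILED"
              printf 'Failed: `%s`\n\n' "$FAILED_NAMES"
              printf 'Please fix the issues and push again. I believe in you!\n\n'
            } >> /tmp/mimi-findings.md
            FOUND_ISSUES=true
          fi

          # Check for pending/in-progress.
          # NOTE(review): this workflow's own check run is probably in the list
          # while it executes, so PENDING may never reach 0 here; if that is
          # observed, exclude it by name before counting.
          PENDING=$(echo "$CHECK_RUNS" | jq -s '[.[] | select(.status != "completed")] | length' 2>/dev/null || echo "0")
          if [ "$PENDING" -gt 0 ] && [ "$FOUND_ISSUES" = false ]; then
            printf '⏳ Some checks are still running. I will keep watching!\n' >> /tmp/mimi-findings.md
          fi

          echo "should_comment=true" >> "$GITHUB_OUTPUT"
          if [ "$FOUND_ISSUES" = true ]; then
            echo "has_issues=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_issues=false" >> "$GITHUB_OUTPUT"
          fi

      # Posts one sticky comment per PR: an existing comment authored by the
      # bot that contains the report heading is edited in place, otherwise a
      # new one is created. Matching on the bot login means a user-authored
      # comment with the same text is never overwritten.
      - name: 📬 Post review comment
        if: steps.analyze.outputs.should_comment == 'true'
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          HAS_ISSUES: ${{ steps.analyze.outputs.has_issues }}
        run: |
          set -euo pipefail
          {
            if [ "$HAS_ISSUES" = "true" ]; then
              printf '## 🐰 Mimi'"'"'s Validation Report 🚨\n\n'
              printf '*...ears twitching... something failed validation!*\n\n'
              cat /tmp/mimi-findings.md
            else
              printf '## 🐰 Mimi'"'"'s Validation Report ✅\n\n'
              printf 'All checks are looking good! Great job! 🎉\n'
              if [ -s /tmp/mimi-findings.md ]; then
                printf '\n'
                cat /tmp/mimi-findings.md
              fi
            fi
            printf '\n---\n\n'
            printf '> バリデーターを通してくださいね\n\n'
            printf '*This report was carefully prepared by nullvariant-mimi[bot]*\n'
          } > /tmp/mimi-comment.md

          # head -1 may close the pipe early; `|| true` keeps pipefail from
          # turning that into a step failure.
          EXISTING_ID=$(gh api --paginate "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" \
            --jq '.[] | select(.user.login == "nullvariant-mimi[bot]") | select(.body | contains("Mimi\u0027s Validation Report")) | .id' 2>/dev/null | head -1 || true)
          if [ -n "$EXISTING_ID" ]; then
            gh api "repos/${GITHUB_REPOSITORY}/issues/comments/${EXISTING_ID}" \
              -X PATCH -F body=@/tmp/mimi-comment.md
          else
            gh pr comment "$PR_NUMBER" --body-file /tmp/mimi-comment.md
          fi

      - name: 🐰 Done checking
        run: echo "Validation complete! Stay thorough! 🐰"

  # ---------------------------------------------------------------------------
  # workflow_dispatch: only users who can dispatch workflows reach this job, so
  # `message` is trusted-ish input. It is still never interpolated into a
  # shell script; it reaches the filesystem via an env var and printf only.
  # ---------------------------------------------------------------------------
  mimi-commit:
    name: 🐰 Listen carefully
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch'
    # Applies to GITHUB_TOKEN only; the checkout/push/PR below use the App
    # token, whose write access comes from the App installation.
    permissions:
      contents: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
        with:
          egress-policy: audit

      - name: 🐰 Perk up ears
        run: |
          echo "🐰 *ears twitching*"
          echo "Shh... I'm listening..."
          echo "Did someone forget to validate their input?"

      - name: 🔑 Get App Token
        id: app-token
        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
        with:
          app_id: ${{ secrets.MIMI_BOT_APP_ID }}
          private_key: ${{ secrets.MIMI_BOT_PRIVATE_KEY }}

      # NOTE(review): checkout persists this token in .git/config by default.
      # create-pull-request below receives the token explicitly; if it does
      # not rely on the persisted credential, `persist-credentials: false`
      # would keep the App token out of the workspace.
      - name: 📥 Checkout (quietly)
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ steps.app-token.outputs.token }}

      # SECURITY: the dispatch input goes through an environment variable and
      # printf '%s', never through `${{ }}` inside the script, so it cannot
      # inject shell. The heredocs are quoted ('EOF'), so nothing expands.
      - name: 📝 Leave a whispered note
        env:
          USER_MESSAGE: ${{ github.event.inputs.message }}
        run: |
          mkdir -p docs
          cat > docs/MIMI.md << 'EOF'
          # 🐰 Mimi's Listening Post
          > "These ears don't miss a thing."
          ## Today's Whisper
          EOF
          printf '%s\n' "${USER_MESSAGE}" >> docs/MIMI.md
          cat >> docs/MIMI.md << 'EOF'
          ### Reminder
          Always validate your inputs!
          Mimi's ears can hear unvalidated data from miles away...
          ---
          EOF
          echo "*Last heard: $(date -u +"%Y-%m-%d %H:%M:%S UTC")*" >> docs/MIMI.md
          cat >> docs/MIMI.md << 'EOF'
          > バリデーターを通してくださいね
          EOF

      # `${{ env.USER_MESSAGE }}` here is expanded into action INPUTS, not a
      # shell script, so the script-injection concern above does not apply;
      # the message lands verbatim in the commit message and PR body.
      - name: 📬 Create PR with verified commit
        env:
          USER_MESSAGE: ${{ github.event.inputs.message }}
        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          token: ${{ steps.app-token.outputs.token }}
          sign-commits: true
          author: nullvariant-mimi[bot] <2610795+nullvariant-mimi[bot]@users.noreply.github.com>
          committer: nullvariant-mimi[bot] <2610795+nullvariant-mimi[bot]@users.noreply.github.com>
          commit-message: |
            🐰 Heard something important
            ${{ env.USER_MESSAGE }}
            *ears still listening*
          branch: mimi/whisper-${{ github.run_number }}
          delete-branch: true
          title: "🐰 Mimi's listening post update"
          body: |
            ## 🐰 *whispers*
            ${{ env.USER_MESSAGE }}
            ---
            > バリデーターを通してくださいね
            *This PR was quietly delivered by nullvariant-mimi[bot]*

      - name: 👂 Keep listening
        run: |
          echo "*ears still perked*"
          echo "Always listening for unvalidated inputs..."
          echo "🐰 Stay safe out there!"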