removed actions/checkout for PR branch, use gh (#2567)

# Description changes the permission https://github.com/Stirling-Tools/Stirling-PDF/security/code-scanning/104 ## Checklist - [x] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [x] I have performed a self-review of my own code - [ ] I have attached images of the change if it is UI based - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] If my code has heavily changed functionality I have updated relevant docs on [Stirling-PDFs doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) - [ ] My changes generate no new warnings - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only)
2025-02-02 00:16:34 +01:00 · 2024-12-29 15:44:50 +01:00 · 2024-12-29 15:44:50 +01:00 · 702433d4c5
commit 702433d4c5
parent 0e824005c3
1 changed files with 45 additions and 42 deletions
--- a/.github/workflows/check_properties.yml
+++ b/.github/workflows/check_properties.yml
@ -6,16 +6,14 @@ on:
    paths:
      - "src/main/resources/messages_*.properties"

-permissions: read-all
+permissions:
+  contents: read # Allow read access to repository content
+  issues: write # Allow posting comments on issues/PRs

 jobs:
  check-files:
    if: github.event_name == 'pull_request_target'
    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
@ -24,72 +22,77 @@ jobs:

      - name: Checkout main branch first
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: main
-          path: main-branch
-          fetch-depth: 0
-
-      - name: Checkout PR branch
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          repository: ${{ github.event.pull_request.head.repo.full_name }}
-          ref: ${{ github.event.pull_request.head.ref }}
-          path: pr-branch
-          fetch-depth: 0

      - name: Set up Python
        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
        with:
          python-version: "3.x"

-      - name: Install GitHub CLI
-        run: sudo apt-get update && sudo apt-get install -y gh
-
      - name: Fetch PR changed files
        id: fetch-pr-changes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "Fetching PR changed files..."
-          cd pr-branch
-          gh repo set-default ${{ github.repository }}
-          # Store files in a safe way, only allowing valid properties files
+
+          gh repo set-default ${{ github.event.pull_request.head.repo.full_name }} # Set the fork repository as default
+
+          # Fetch the list of changed files in the PR
          echo "Getting list of changed files from PR..."
-          gh pr view ${{ github.event.pull_request.number }} --json files -q ".files[].path" | grep -E '^src/main/resources/messages_[a-zA-Z_]+\.properties$' > ../changed_files.txt
-          cd ..
-
-          echo "Processing changed files..."
-          mapfile -t CHANGED_FILES < changed_files.txt
-
-          CHANGED_FILES_STR="${CHANGED_FILES[*]}"
-          echo "CHANGED_FILES=${CHANGED_FILES_STR}" >> $GITHUB_ENV
-
-          echo "Changed files: ${CHANGED_FILES_STR}"
+          gh pr view ${{ github.event.pull_request.number }} --json files -q ".files[].path" | grep -E '^src/main/resources/messages_[a-zA-Z_]+\.properties$' > changed_files.txt # Filter only matching property files

      - name: Determine reference file
        id: determine-file
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "Determining reference file..."
+          REPO_OWNER=$(gh pr view ${{ github.event.pull_request.number }} --json author -q '.author.login') # Get PR author's username
+          REPO_NAME=$(gh pr view ${{ github.event.pull_request.number }} --json headRepository -q '.headRepository.name') # Get PR repository name
+          BRANCH=$(gh pr view ${{ github.event.pull_request.number }} --json headRefName -q '.headRefName') # Get PR branch name
+
+          mkdir -p pr-branch # Create a directory for PR files
+
+          # Download the content of each changed file
+          while IFS= read -r file; do
+            mkdir -p "pr-branch/$(dirname "$file")" # Create directories for files
+            gh api repos/$REPO_OWNER/$REPO_NAME/contents/$file?ref=$BRANCH --jq '.content' | base64 -d > "pr-branch/src/main/resources/$(basename "$file")" # Save decoded file content
+          done < changed_files.txt
+
+          # Generate a list of files without the "pr-branch/" prefix
+          find pr-branch/ -type f | awk -F'pr-branch/' '{print $2}' > file_list.txt
+
+          mapfile -t FILES_LIST < file_list.txt # Read the file list into an array
+          FILES_LIST_STR="${FILES_LIST[*]}" # Join array into a space-separated string
+          echo "FILES_LIST=${FILES_LIST_STR}" >> $GITHUB_ENV # Export the file list to the environment
+          echo "Changed files: ${FILES_LIST_STR}"
+
+          cat file_list.txt # Display the file list
+
+          # Determine which reference file to use
          if grep -Fxq "src/main/resources/messages_en_GB.properties" changed_files.txt; then
              echo "Using PR branch reference file"
-              echo "REFERENCE_FILE=pr-branch/src/main/resources/messages_en_GB.properties" >> $GITHUB_ENV
+              REFERENCE_FILE="pr-branch-messages_en_GB.properties"
+              gh api repos/$REPO_OWNER/$REPO_NAME/contents/src/main/resources/messages_en_GB.properties?ref=${{ github.event.pull_request.head.ref }} \
+                --jq '.content' | base64 -d > $REFERENCE_FILE # Save PR branch reference file
          else
              echo "Using main branch reference file"
-              echo "REFERENCE_FILE=main-branch/src/main/resources/messages_en_GB.properties" >> $GITHUB_ENV
+              REFERENCE_FILE="main-branch-messages_en_GB.properties"
+              gh api repos/Ludy87/test_java/contents/src/main/resources/messages_en_GB.properties?ref=main \
+                --jq '.content' | base64 -d > $REFERENCE_FILE # Save main branch reference file
          fi

-      - name: Show REFERENCE_FILE
-        run: echo "Reference file is set to ${REFERENCE_FILE}"
+          echo "REFERENCE_FILE=$REFERENCE_FILE" >> $GITHUB_ENV # Export reference file path to the environment

      - name: Run Python script to check files
        id: run-check
        run: |
          echo "Running Python script to check files..."
-          python main-branch/.github/scripts/check_language_properties.py \
+          python .github/scripts/check_language_properties.py \
            --actor ${{ github.event.pull_request.user.login }} \
            --reference-file "${REFERENCE_FILE}" \
-            --branch pr-branch \
-            --files "${CHANGED_FILES[@]}" > result.txt || true
+            --branch "pr-branch" \
+            --files "${FILES_LIST[@]}" > result.txt || true

      - name: Capture output
        id: capture-output
@ -102,7 +105,7 @@ jobs:
            echo "EOF" >> $GITHUB_ENV
            echo "${SCRIPT_OUTPUT}"

-            # Set FAIL_JOB to true if SCRIPT_OUTPUT contains ❌
+            # Determine job failure based on script output
            if [[ "$SCRIPT_OUTPUT" == *"❌"* ]]; then
              echo "FAIL_JOB=true" >> $GITHUB_ENV
            else
@ -132,7 +135,7 @@ jobs:

            const comment = comments.data.find(c => c.body.includes("## 🚀 Translation Verification Summary"));

-            // Only allow the action user to update comments
+            // Only update or create comments by the action user
            const expectedActor = "github-actions[bot]";

            if (comment && comment.user.login === expectedActor) {