From 9a2c8b8ea19d43bc466f0ddf30cfe138554bf600 Mon Sep 17 00:00:00 2001 From: Ludy87 Date: Wed, 3 Sep 2025 08:31:59 +0200 Subject: [PATCH] Update PR-Auto-Deploy-V2.yml --- .github/workflows/PR-Auto-Deploy-V2.yml | 168 ++++++++++++------------ 1 file changed, 81 insertions(+), 87 deletions(-) diff --git a/.github/workflows/PR-Auto-Deploy-V2.yml b/.github/workflows/PR-Auto-Deploy-V2.yml index 926612921..ae2235cc4 100644 --- a/.github/workflows/PR-Auto-Deploy-V2.yml +++ b/.github/workflows/PR-Auto-Deploy-V2.yml @@ -3,6 +3,15 @@ name: Auto PR V2 Deployment on: pull_request: types: [opened, synchronize, reopened, closed] + workflow_dispatch: + inputs: + pr: + description: "PR number to deploy" + required: true + allow_fork: + description: "Allow deploying fork PR?" + required: false + default: "false" permissions: contents: read 
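Review bot: The new `allow_fork` input's description does not say what enabling it means: with `allow_fork: true` the deploy job later in the file checks out and builds the fork's code with this workflow's secrets (the Docker Hub login and the private key handled further down), so the description should spell that out, e.g. `description: "Deploy a fork PR (runs untrusted fork code with this workflow's secrets)"`. Since the decide step only honours the exact value `true`, declaring the input as `type: boolean` (and `pr` as `type: number`) would let the dispatch UI reject anything else instead of silently treating it as false. Only the `on:` and `permissions:` blocks are in this hunk; the jobs that consume these inputs follow in the next one.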
@@ -11,112 +20,96 @@ permissions: jobs: check-pr: - if: github.event.action != 'closed' + if: (github.event_name == 'pull_request' && github.event.action != 'closed') || github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest outputs: - should_deploy: ${{ steps.check-conditions.outputs.should_deploy }} - is_fork: ${{ steps.detect-fork.outputs.is_fork }} - pr_number: ${{ github.event.number }} - pr_repository: ${{ steps.get-pr-info.outputs.repository }} - pr_ref: ${{ steps.get-pr-info.outputs.ref }} + should_deploy: ${{ steps.decide.outputs.should_deploy }} + is_fork: ${{ steps.resolve.outputs.is_fork }} + allow_fork: ${{ steps.decide.outputs.allow_fork }} + pr_number: ${{ steps.resolve.outputs.pr_number }} + pr_repository: ${{ steps.resolve.outputs.repository }} + pr_ref: ${{ steps.resolve.outputs.ref }} steps: - name: Harden Runner uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 with: egress-policy: audit - - name: Detect fork - id: detect-fork - run: | - echo "is_fork=${{ github.event.pull_request.head.repo.fork }}" >> $GITHUB_OUTPUT + - name: Resolve PR info + id: resolve + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + script: | + const { context, core, github } = require('@actions/github'); + const { owner, repo } = context.repo; + let prNumber; + if (context.eventName === 'workflow_dispatch') { + prNumber = parseInt(process.env.INPUT_PR, 10); + if (!Number.isInteger(prNumber)) { core.setFailed('Invalid PR number'); return; } + } else { + prNumber = context.payload.number; + } + const { data: pr } = await github.rest.pulls.get({ owner, repo, pull_number: prNumber }); + core.setOutput('pr_number', String(prNumber)); + core.setOutput('repository', pr.head.repo.full_name); + core.setOutput('ref', pr.head.ref); + core.setOutput('is_fork', String(pr.head.repo.fork)); + core.setOutput('base_ref', pr.base.ref); + core.setOutput('author', pr.user.login); + core.setOutput('state', 
pr.state); - - name: Check deployment conditions - id: check-conditions + - name: Decide deploy + id: decide + shell: bash env: + EVENT_NAME: ${{ github.event_name }} + STATE: ${{ steps.resolve.outputs.state }} + IS_FORK: ${{ steps.resolve.outputs.is_fork }} + # nur bei workflow_dispatch gesetzt: + ALLOW_FORK_INPUT: ${{ inputs.allow_fork }} + # für Auto-PR-Logik: PR_TITLE: ${{ github.event.pull_request.title }} - PR_AUTHOR: ${{ github.event.pull_request.user.login }} PR_BRANCH: ${{ github.event.pull_request.head.ref }} - PR_BASE_BRANCH: ${{ github.event.pull_request.base.ref }} - IS_FORK: ${{ steps.detect-fork.outputs.is_fork }} + PR_BASE: ${{ steps.resolve.outputs.base_ref }} + PR_AUTHOR: ${{ steps.resolve.outputs.author }} run: | - echo "PR Title: $PR_TITLE" - echo "PR Author: $PR_AUTHOR" - echo "PR Branch: $PR_BRANCH" - echo "PR Base Branch: $PR_BASE_BRANCH" - echo "Is Fork: $IS_FORK" + set -e + # Standard: nichts deployen + should=false + allow_fork="$(echo "${ALLOW_FORK_INPUT:-false}" | tr '[:upper:]' '[:lower:]')" - if [ "$IS_FORK" = "true" ]; then - echo "❌ Fork PR detected -> skip deployment" - echo "should_deploy=false" >> $GITHUB_OUTPUT - exit 0 - fi - - # Define authorized users - authorized_users=( - "Frooodle" - "sf298" - "Ludy87" - "LaserKaspar" - "sbplat" - "reecebrowne" - "DarioGii" - "ConnorYoh" - "EthanHealy01" - "jbrunton96" - ) - - # Check if author is in the authorized list - is_authorized=false - for user in "${authorized_users[@]}"; do - if [[ "$PR_AUTHOR" == "$user" ]]; then - is_authorized=true - break + if [ "$EVENT_NAME" = "workflow_dispatch" ]; then + if [ "$STATE" != "open" ]; then + echo "PR not open -> skip" + else + if [ "$IS_FORK" = "true" ] && [ "$allow_fork" != "true" ]; then + echo "Fork PR and allow_fork=false -> skip" + else + should=true + fi fi - done - - # If PR is targeting V2 and user is authorized, deploy unconditionally - if [[ "$PR_BASE_BRANCH" == "V2" && "$is_authorized" == "true" ]]; then - echo "✅ Deployment forced: 
PR targets V2 and author is authorized." - echo "should_deploy=true" >> $GITHUB_OUTPUT - exit 0 - fi - - # Otherwise, continue with original keyword checks - has_v2_keyword=false - [[ "$PR_TITLE" =~ [Vv]2|[Vv]ersion.?2|[Vv]ersion.?[Tt]wo ]] && has_v2_keyword=true - - has_branch_keyword=false - [[ "$PR_BRANCH" =~ [Vv]2|[Rr]eact ]] && has_branch_keyword=true - - if [[ "$is_authorized" == "true" && ( "$has_v2_keyword" == "true" || "$has_branch_keyword" == "true" ) ]]; then - echo "✅ Deployment conditions met" - echo "should_deploy=true" >> $GITHUB_OUTPUT else - echo "❌ Deployment conditions not met" - echo " - Authorized user: $is_authorized" - echo " - Has V2 keyword in title: $has_v2_keyword" - echo " - Has V2/React keyword in branch: $has_branch_keyword" - echo "should_deploy=false" >> $GITHUB_OUTPUT + auth_users=("Frooodle" "sf298" "Ludy87" "LaserKaspar" "sbplat" "reecebrowne" "DarioGii" "ConnorYoh" "EthanHealy01" "jbrunton96") + is_auth=false; for u in "${auth_users[@]}"; do [ "$u" = "$PR_AUTHOR" ] && is_auth=true && break; done + if [ "$PR_BASE" = "V2" ] && [ "$is_auth" = true ]; then + should=true + else + title_has_v2=false; echo "$PR_TITLE" | grep -qiE 'v2|version.?2|version.?two' && title_has_v2=true + branch_has_kw=false; echo "$PR_BRANCH" | grep -qiE 'v2|react' && branch_has_kw=true + if [ "$is_auth" = true ] && { [ "$title_has_v2" = true ] || [ "$branch_has_kw" = true ]; }; then + should=true + fi + fi fi - - name: Get PR repository and ref - id: get-pr-info - if: steps.check-conditions.outputs.should_deploy == 'true' - run: | - # For forks, use the full repository name, for internal PRs use the current repo - if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then - repository="${{ github.event.pull_request.head.repo.full_name }}" - else - repository="${{ github.repository }}" - fi - - echo "repository=$repository" >> $GITHUB_OUTPUT - echo "ref=${{ github.event.pull_request.head.ref }}" >> $GITHUB_OUTPUT + echo "should_deploy=$should" 
>> $GITHUB_OUTPUT + echo "allow_fork=${allow_fork:-false}" >> $GITHUB_OUTPUT deploy-v2-pr: needs: check-pr runs-on: ubuntu-latest - if: needs.check-pr.outputs.should_deploy == 'true' && needs.check-pr.outputs.is_fork == 'false' + if: needs.check-pr.outputs.should_deploy == 'true' && (needs.check-pr.outputs.is_fork == 'false' || needs.check-pr.outputs.allow_fork == 'true') + # Concurrency control - only one deployment per PR at a time concurrency: group: v2-deploy-pr-${{ needs.check-pr.outputs.pr_number }} cancel-in-progress: true @@ -201,8 +194,8 @@ jobs: - name: Get version number id: versionNumber run: | - VERSION=$(grep "^version =" build.gradle | awk -F'"' '{print $2}' || true) - echo "versionNumber=${VERSION:-unknown}" >> $GITHUB_OUTPUT + VERSION=$(grep "^version =" build.gradle | awk -F'"' '{print $2}') + echo "versionNumber=$VERSION" >> $GITHUB_OUTPUT - name: Login to Docker Hub uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 @@ -417,6 +410,7 @@ jobs: contents: read issues: write pull-requests: write + steps: - name: Harden Runner uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 @@ -506,4 +500,4 @@ jobs: if: always() run: | rm -f ../private.key - continue-on-error: true + continue-on-error: true \ No newline at end of file
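Review bot: In the "Resolve PR info" script, `const { context, core, github } = require('@actions/github');` shadows the `core` and `github` bindings that actions/github-script already injects with values that package does not export (it exposes `context` and `getOctokit`), so `core.setFailed`/`core.setOutput` throw before any output is written; drop that line and use the injected bindings. The dispatch branch reads `process.env.INPUT_PR`, which as far as I can tell is not populated from `workflow_dispatch` inputs (only an action's `with:` keys become `INPUT_*`), so every manual run would stop with "Invalid PR number"; `prNumber = parseInt(context.payload.inputs.pr, 10);` reads the value the event actually carries. Separately, the step exports `pr.head.ref` but not `pr.head.sha`, so a fork PR deployed with `allow_fork=true` is built from whatever the branch points to at checkout time rather than the commit that was looked at; adding `core.setOutput('sha', pr.head.sha);` and checking out by that SHA in the deploy job would pin it. The deploy-v2-pr job continues outside the hunk.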
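Review bot: Dropping `|| true` and the `${VERSION:-unknown}` fallback means a `build.gradle` without a matching `version =` line now yields an empty `versionNumber` output instead of `unknown`, and nothing in the hunk notices it (the grep/awk pipeline's status is awk's unless pipefail is enabled, which depends on this step's shell, not shown here). Either keep the fallback or fail loudly before the echo: `[ -n "$VERSION" ] || { echo "version not found in build.gradle" >&2; exit 1; }`. The "Get version number" step is complete in the hunk; the surrounding job is not.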