mirror of
https://github.com/Frooodle/Stirling-PDF.git
synced 2025-01-19 00:07:17 +01:00
702433d4c5
# Description changes the permission https://github.com/Stirling-Tools/Stirling-PDF/security/code-scanning/104 ## Checklist - [x] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [x] I have performed a self-review of my own code - [ ] I have attached images of the change if it is UI based - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] If my code has heavily changed functionality I have updated relevant docs on [Stirling-PDFs doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) - [ ] My changes generate no new warnings - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only)
168 lines
7.1 KiB
YAML
168 lines
7.1 KiB
YAML
name: Check Properties Files on PR
|
|
|
|
on:
|
|
pull_request_target:
|
|
types: [opened, synchronize, reopened]
|
|
paths:
|
|
- "src/main/resources/messages_*.properties"
|
|
|
|
permissions:
|
|
contents: read # Allow read access to repository content
|
|
issues: write # Allow posting comments on issues/PRs
|
|
|
|
jobs:
|
|
check-files:
|
|
if: github.event_name == 'pull_request_target'
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout main branch first
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
|
|
with:
|
|
python-version: "3.x"
|
|
|
|
- name: Fetch PR changed files
|
|
id: fetch-pr-changes
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
echo "Fetching PR changed files..."
|
|
|
|
gh repo set-default ${{ github.event.pull_request.head.repo.full_name }} # Set the fork repository as default
|
|
|
|
# Fetch the list of changed files in the PR
|
|
echo "Getting list of changed files from PR..."
|
|
gh pr view ${{ github.event.pull_request.number }} --json files -q ".files[].path" | grep -E '^src/main/resources/messages_[a-zA-Z_]+\.properties$' > changed_files.txt # Filter only matching property files
|
|
|
|
- name: Determine reference file
|
|
id: determine-file
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
echo "Determining reference file..."
|
|
REPO_OWNER=$(gh pr view ${{ github.event.pull_request.number }} --json author -q '.author.login') # Get PR author's username
|
|
REPO_NAME=$(gh pr view ${{ github.event.pull_request.number }} --json headRepository -q '.headRepository.name') # Get PR repository name
|
|
BRANCH=$(gh pr view ${{ github.event.pull_request.number }} --json headRefName -q '.headRefName') # Get PR branch name
|
|
|
|
mkdir -p pr-branch # Create a directory for PR files
|
|
|
|
# Download the content of each changed file
|
|
while IFS= read -r file; do
|
|
mkdir -p "pr-branch/$(dirname "$file")" # Create directories for files
|
|
gh api repos/$REPO_OWNER/$REPO_NAME/contents/$file?ref=$BRANCH --jq '.content' | base64 -d > "pr-branch/src/main/resources/$(basename "$file")" # Save decoded file content
|
|
done < changed_files.txt
|
|
|
|
# Generate a list of files without the "pr-branch/" prefix
|
|
find pr-branch/ -type f | awk -F'pr-branch/' '{print $2}' > file_list.txt
|
|
|
|
mapfile -t FILES_LIST < file_list.txt # Read the file list into an array
|
|
FILES_LIST_STR="${FILES_LIST[*]}" # Join array into a space-separated string
|
|
echo "FILES_LIST=${FILES_LIST_STR}" >> $GITHUB_ENV # Export the file list to the environment
|
|
echo "Changed files: ${FILES_LIST_STR}"
|
|
|
|
cat file_list.txt # Display the file list
|
|
|
|
# Determine which reference file to use
|
|
if grep -Fxq "src/main/resources/messages_en_GB.properties" changed_files.txt; then
|
|
echo "Using PR branch reference file"
|
|
REFERENCE_FILE="pr-branch-messages_en_GB.properties"
|
|
gh api repos/$REPO_OWNER/$REPO_NAME/contents/src/main/resources/messages_en_GB.properties?ref=${{ github.event.pull_request.head.ref }} \
|
|
--jq '.content' | base64 -d > $REFERENCE_FILE # Save PR branch reference file
|
|
else
|
|
echo "Using main branch reference file"
|
|
REFERENCE_FILE="main-branch-messages_en_GB.properties"
|
|
gh api repos/Ludy87/test_java/contents/src/main/resources/messages_en_GB.properties?ref=main \
|
|
--jq '.content' | base64 -d > $REFERENCE_FILE # Save main branch reference file
|
|
fi
|
|
|
|
echo "REFERENCE_FILE=$REFERENCE_FILE" >> $GITHUB_ENV # Export reference file path to the environment
|
|
|
|
- name: Run Python script to check files
|
|
id: run-check
|
|
run: |
|
|
echo "Running Python script to check files..."
|
|
python .github/scripts/check_language_properties.py \
|
|
--actor ${{ github.event.pull_request.user.login }} \
|
|
--reference-file "${REFERENCE_FILE}" \
|
|
--branch "pr-branch" \
|
|
--files "${FILES_LIST[@]}" > result.txt || true
|
|
|
|
- name: Capture output
|
|
id: capture-output
|
|
run: |
|
|
if [ -f result.txt ] && [ -s result.txt ]; then
|
|
echo "Test, capturing output..."
|
|
SCRIPT_OUTPUT=$(cat result.txt)
|
|
echo "SCRIPT_OUTPUT<<EOF" >> $GITHUB_ENV
|
|
echo "$SCRIPT_OUTPUT" >> $GITHUB_ENV
|
|
echo "EOF" >> $GITHUB_ENV
|
|
echo "${SCRIPT_OUTPUT}"
|
|
|
|
# Determine job failure based on script output
|
|
if [[ "$SCRIPT_OUTPUT" == *"❌"* ]]; then
|
|
echo "FAIL_JOB=true" >> $GITHUB_ENV
|
|
else
|
|
echo "FAIL_JOB=false" >> $GITHUB_ENV
|
|
fi
|
|
else
|
|
echo "No update found."
|
|
echo "SCRIPT_OUTPUT=" >> $GITHUB_ENV
|
|
echo "FAIL_JOB=false" >> $GITHUB_ENV
|
|
fi
|
|
|
|
- name: Post comment on PR
|
|
if: env.SCRIPT_OUTPUT != ''
|
|
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
|
|
with:
|
|
script: |
|
|
const { GITHUB_REPOSITORY, SCRIPT_OUTPUT } = process.env;
|
|
const [repoOwner, repoName] = GITHUB_REPOSITORY.split('/');
|
|
const prNumber = context.issue.number;
|
|
|
|
// Find existing comment
|
|
const comments = await github.rest.issues.listComments({
|
|
owner: repoOwner,
|
|
repo: repoName,
|
|
issue_number: prNumber
|
|
});
|
|
|
|
const comment = comments.data.find(c => c.body.includes("## 🚀 Translation Verification Summary"));
|
|
|
|
// Only update or create comments by the action user
|
|
const expectedActor = "github-actions[bot]";
|
|
|
|
if (comment && comment.user.login === expectedActor) {
|
|
// Update existing comment
|
|
await github.rest.issues.updateComment({
|
|
owner: repoOwner,
|
|
repo: repoName,
|
|
comment_id: comment.id,
|
|
body: `## 🚀 Translation Verification Summary\n\n\n${SCRIPT_OUTPUT}\n`
|
|
});
|
|
console.log("Updated existing comment.");
|
|
} else if (!comment) {
|
|
// Create new comment if no existing comment is found
|
|
await github.rest.issues.createComment({
|
|
owner: repoOwner,
|
|
repo: repoName,
|
|
issue_number: prNumber,
|
|
body: `## 🚀 Translation Verification Summary\n\n\n${SCRIPT_OUTPUT}\n`
|
|
});
|
|
console.log("Created new comment.");
|
|
} else {
|
|
console.log("Comment update attempt denied. Actor does not match.");
|
|
}
|
|
|
|
- name: Fail job if errors found
|
|
if: env.FAIL_JOB == 'true'
|
|
run: |
|
|
echo "Failing the job because errors were detected."
|
|
exit 1
|