11name : check-generated-files
22on :
3- # pull_request_target needed to be able to commit and push bundle diffs to external fork PRs.
4- # But we included a manual authorization safeguard to prevent PWN requests. See the 'authorize' job below.
5- pull_request_target :
6- branches :
3+ pull_request :
4+ branches :
75 - main
86
97concurrency :
108 group : ${{ github.workflow }}-${{ github.event.number }}
119 cancel-in-progress : true
1210
13- jobs :
14- authorize :
15- # The 'external' environment is configured with the odo-maintainers team as required reviewers.
16- # All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks.
17- # TODO(rm3l): list of authorized users that do not require manual review comes from the maintainers team and various robot accounts that handle automation in the repo => find a better way not to hardcode this list!
18- environment :
19- ${{ (github.event.pull_request.head.repo.full_name == github.repository ||
20- contains(fromJSON('["odo-robot[bot]", "dependabot[bot]", "openshift-ci[bot]", "openshift-merge-robot", "openshift-ci-robot", "kadel", "rm3l"]'), github.event.pull_request.user.login)) &&
21- ' internal' || 'external' }}
22- runs-on : ubuntu-latest
23- steps :
24- - run : echo ✓
11+ # SECURITY: Enforce least privilege.
12+ # This workflow only needs to checkout code; it does not need write access.
13+ permissions :
14+ contents : read
2515
16+ jobs :
2617 check-ui-static-files :
27- needs : authorize
2818 runs-on : ubuntu-22.04
29- permissions :
30- contents : write
31- pull-requests : write
3219 steps :
3320 - name : Checkout
3421 uses : actions/checkout@v4
35- with :
36- repository : ${{github.event.pull_request.head.repo.full_name}}
37- ref : ${{ github.event.pull_request.head.sha }}
3822
3923 - name : Generate static files for UI
4024 run : make ui-static
@@ -45,30 +29,20 @@ jobs:
4529 - name : Verify Changed files
4630 uses : tj-actions/verify-changed-files@eb6d385c0e52fb28e2f6b70e15c835cb3cbfff17
4731 id : verify-changed-files
48-
49- - name : Some files have changed
50- if : ${{ !cancelled() && steps.verify-changed-files.outputs.files_changed == 'true' }}
51- run : |
52- echo "::warning Changed files: ${{ steps.verify-changed-files.outputs.changed_files }} -- Regenerating with make ui-static / make prebuild"
53- git config user.name 'github-actions[bot]'
54- git config user.email 'github-actions[bot]@users.noreply.github.com'
55- git fetch --prune
56- git pull --rebase --autostash
57- git add -A .
58- git commit \
59- -m "Regenerate static UI files" \
60- -m "Co-authored-by: $GITHUB_ACTOR <$GITHUB_ACTOR@users.noreply.github.com>"
61- git push
6232
63- - name : Comment on PR if bundle manifests were updated
64- uses : actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
65- if : ${{ !cancelled() && steps.verify-changed-files.outputs.files_changed == 'true' }}
66- continue-on-error : true
67- with :
68- script : |
69- await github.rest.issues.createComment({
70- issue_number: context.issue.number,
71- owner: context.repo.owner,
72- repo: context.repo.repo,
73- body: '⚠️ <b>Static UI files regenerated!</b><br/><br/>Those changes should have been pushed automatically to your PR branch.'
74- })
33+ - name : Fail if generated files are out of sync
34+ if : steps.verify-changed-files.outputs.files_changed == 'true'
35+ # SECURITY: Map untrusted input to an environment variable.
36+ # This prevents the shell from interpreting special characters in filenames as commands.
37+ env :
38+ CHANGED_FILES : ${{ steps.verify-changed-files.outputs.changed_files }}
39+ run : |
40+ echo "::error::Generated files are out of sync!"
41+ echo ""
42+ echo "The following files need to be regenerated:"
43+ echo "$CHANGED_FILES"
44+ echo ""
45+ echo "Please run the following commands locally and commit the changes:"
46+ echo " make ui-static"
47+ echo " make prebuild"
48+ exit 1
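Review bot: The new "Fail if generated files are out of sync" step lists stale paths but never shows the drift itself, so a contributor reading the log cannot tell whether the regeneration is a real change or a tooling-version difference; adding `git --no-pager diff` after the `echo "$CHANGED_FILES"` line and before `exit 1` would surface it with no extra permissions, since the job already has the tree checked out. The `make prebuild` hint appears to be carried over from the removed auto-commit message, while only `make ui-static` is visible in this job, so confirm the hint matches what this job actually runs. Minor style: the new `if:` drops the `${{ }}` wrapper the file uses for every other expression, and the SHA-pinned verify-changed-files action above still carries no version comment like the removed github-script pin had.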