github/codeql-action
0
0
Fork 0
mirror of https://github.com/github/codeql-action.git synced 2026-04-17 04:23:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use "Rebuild" workflow instead of "Update dependencies"

Browse Source
This commit is contained in:
Henry Mercer
2025-08-20 16:42:13 +01:00
parent 88d8b86edd
commit 6d34e4e857
7 changed files with 9 additions and 112 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
.github/workflows/post-release-mergeback.yml vendored
View File

@@ -3,7 +3,7 @@
# tag
# 2. Updates the `vN` tag to refer to this merge commit.
# 3. Iff vN == vLatest, merges any changes from the release back into the main branch.
# Typically, this is two commits one to update the version number and one to update dependencies.
# Typically, this is two commits one to update the version number and one to rebuild.
name: Tag release and merge back
on:
@@ -138,8 +138,8 @@ jobs:
Please do the following:
- [ ] Remove and re-add the "Update dependencies" label to the PR to trigger just this workflow.
- [ ] Wait for the "Update dependencies" workflow to push a commit updating the dependencies.
- [ ] Remove and re-add the "Rebuild" label to the PR to trigger just this workflow.
- [ ] Wait for the "Rebuild" workflow to push a commit updating the distribution files.
- [ ] Mark the PR as ready for review to trigger the full set of PR checks.
- [ ] Approve and merge the PR. When merging the PR, make sure "Create a merge commit" is
selected rather than "Squash and merge" or "Rebase and merge".
@@ -162,7 +162,7 @@ jobs:
--head "${NEW_BRANCH}" \
--base "${BASE_BRANCH}" \
--title "${pr_title}" \
--label "Update dependencies" \
--label "Rebuild" \
--body "${pr_body}" \
--assignee "${GITHUB_ACTOR}" \
--draft

17
.github/workflows/pr-checks.yml vendored
View File

@@ -17,9 +17,6 @@ jobs:
contents: read
security-events: write # needed to upload ESLint results
strategy:
fail-fast: false
steps:
- name: Checkout
uses: actions/checkout@v5
@@ -37,19 +34,6 @@ jobs:
- name: Check generated JS
run: .github/workflows/script/check-js.sh
check-node-modules:
if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
name: Check modules up to date
permissions:
contents: read
runs-on: macos-latest
timeout-minutes: 45
steps:
- uses: actions/checkout@v5
- name: Check node modules up to date
run: .github/workflows/script/check-node-modules.sh
check-file-contents:
if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
name: Check file contents
@@ -74,7 +58,6 @@ jobs:
npm-test:
if: github.event_name != 'push' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/releases/v')
name: Unit Test
needs: [check-js, check-node-modules]
strategy:
fail-fast: false
matrix:

20
.github/workflows/script/check-node-modules.sh vendored
View File

@@ -1,20 +0,0 @@
#!/bin/bash
set -eu
# Sanity check that repo is clean to start with
if [ ! -z "$(git status --porcelain)" ]; then
# If we get a fail here then this workflow needs attention...
>&2 echo "Failed: Repo should be clean before testing!"
exit 1
fi
"$(dirname "$0")/update-node-modules.sh" check-only
# Check that repo is still clean
if [ ! -z "$(git status --porcelain)" ]; then
# If we get a fail here then the PR needs attention
>&2 echo "Failed: node_modules are not up to date. Add the 'Update dependencies' label to your PR to update them. Note it is important that node modules are updated on macOS and not any other operating system as there is one dependency (fsevents) that is needed for macOS and may not be installed if dependencies are updated on a Windows or Linux machine."
git status
exit 1
fi
echo "Success: node_modules are up to date"

21
.github/workflows/script/update-node-modules.sh vendored
View File

@@ -1,21 +0,0 @@
#!/bin/bash
set -eu
if [ "$1" != "update" ] && [ "$1" != "check-only" ]; then
>&2 echo "Failed: Invalid argument. Must be 'update' or 'check-only'"
exit 1
fi
npm install --force -g npm@9.2.0
# clean the npm cache to ensure we don't have any files owned by root
sudo npm cache clean --force
if [ "$1" = "update" ]; then
npm install
fi
# Reinstall modules and then clean to remove absolute paths
# Use 'npm ci' instead of 'npm install' as this is intended to be reproducible
npm ci
npm run removeNPMAbsolutePaths

45
.github/workflows/update-dependencies.yml vendored
View File

@@ -1,45 +0,0 @@
name: Update dependencies
on:
pull_request_target:
types: [opened, synchronize, reopened, ready_for_review, labeled]
jobs:
update:
name: Update dependencies
timeout-minutes: 45
runs-on: macos-latest
if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
permissions:
contents: write # needed to push the updated dependencies
pull-requests: write # needed to comment on the PR
steps:
- name: Checkout repository
uses: actions/checkout@v5
- name: Remove PR label
env:
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
REPOSITORY: '${{ github.repository }}'
PR_NUMBER: '${{ github.event.pull_request.number }}'
run: |
gh api "repos/$REPOSITORY/issues/$PR_NUMBER/labels/Update%20dependencies" -X DELETE
- name: Push updated dependencies
env:
BRANCH: '${{ github.head_ref }}'
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
run: |
git fetch origin "$BRANCH" --depth=1
git checkout "origin/$BRANCH"
.github/workflows/script/update-node-modules.sh update
if [ ! -z "$(git status --porcelain)" ]; then
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"
git add node_modules
git commit -am "Update checked-in dependencies"
git push origin "HEAD:$BRANCH"
echo "Pushed a commit to update the checked-in dependencies." \
"Please mark the PR as ready for review to trigger PR checks." |
gh pr comment --body-file - --repo github/codeql-action "${{ github.event.pull_request.number }}"
gh pr ready --undo --repo github/codeql-action "${{ github.event.pull_request.number }}"
fi