mirror of
https://github.com/coder/coder.git
synced 2026-06-02 20:48:20 +00:00
dependabot[bot]
334a2e59d8
Bumps the github-actions group with 14 updates in the / directory: | Package | From | To | | --- | --- | --- | | [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.17.0` | `2.19.4` | | [chromaui/action](https://github.com/chromaui/action) | `16.3.0` | `17.0.1` | | [docker/login-action](https://github.com/docker/login-action) | `4.1.0` | `4.2.0` | | [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `3.1.1` | `3.2.0` | | [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) | `3.0.0` | `3.1.0` | | [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) | `6.1.0` | `6.1.2` | | [fluxcd/flux2](https://github.com/fluxcd/flux2) | `2.8.5` | `2.8.8` | | [depot/build-push-action](https://github.com/depot/build-push-action) | `1.17.0` | `1.18.0` | | [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `4.0.0` | `4.1.0` | | [linear/linear-release-action](https://github.com/linear/linear-release-action) | `0.7.0` | `0.14.0` | | [toshimaru/auto-author-assign](https://github.com/toshimaru/auto-author-assign) | `3.0.1` | `3.0.2` | | [benc-uk/workflow-dispatch](https://github.com/benc-uk/workflow-dispatch) | `1.3.1` | `1.3.2` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.35.1` | `4.36.0` | | [actions/stale](https://github.com/actions/stale) | `10.2.0` | `10.3.0` | Updates `step-security/harden-runner` from 2.17.0 to 2.19.4 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/f808768d1510423e83855289c910610ca9b43176...9af89fc71515a100421586dfdb3dc9c984fbf411) Updates `chromaui/action` from 16.3.0 to 17.0.1 - [Release notes](https://github.com/chromaui/action/releases) - [Changelog](https://github.com/chromaui/action/blob/main/CHANGELOG.md) - [Commits](https://github.com/chromaui/action/compare/5c6ec06f45a2117a25f07b1bf2b2f3009233fac8...0b8c883861c1663076150cf1f4592b19d1ff6a54) Updates `docker/login-action` from 4.1.0 to 4.2.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/4907a6ddec9925e35a0a9e82d7399ccc52663121...650006c6eb7dba73a995cc03b0b2d7f5ca915bee) Updates `actions/create-github-app-token` from 3.1.1 to 3.2.0 - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Changelog](https://github.com/actions/create-github-app-token/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/create-github-app-token/compare/1b10c78c7865c340bc4f6099eb2f838309f1e8c3...bcd2ba49218906704ab6c1aa796996da409d3eb1) Updates `dependabot/fetch-metadata` from 3.0.0 to 3.1.0 - [Release notes](https://github.com/dependabot/fetch-metadata/releases) - [Commits](https://github.com/dependabot/fetch-metadata/compare/ffa630c65fa7e0ecfa0625b5ceda64399aea1b36...25dd0e34f4fe68f24cc83900b1fe3fe149efef98) Updates `aws-actions/configure-aws-credentials` from 6.1.0 to 6.1.2 - [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases) - [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/ec61189d14ec14c8efccab744f656cffd0e33f37...acca2b1b2070338fb9fd1ca27ecee81d687e58e5) Updates `fluxcd/flux2` from 2.8.5 to 2.8.8 - [Release notes](https://github.com/fluxcd/flux2/releases) - [Commits](https://github.com/fluxcd/flux2/compare/5adad89dcce7b79f20274ae8e112bcec7bd46764...1fd61a06264d71cf445ed55c4f14d401d26a1c64) Updates `depot/build-push-action` from 1.17.0 to 1.18.0 - [Release notes](https://github.com/depot/build-push-action/releases) - [Commits](https://github.com/depot/build-push-action/compare/5f3b3c2e5a00f0093de47f657aeaefcedff27d18...98e78adca7817480b8185f474a400b451d74e287) Updates `docker/setup-buildx-action` from 4.0.0 to 4.1.0 - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd...d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5) Updates `linear/linear-release-action` from 0.7.0 to 0.14.0 - [Release notes](https://github.com/linear/linear-release-action/releases) - [Commits](https://github.com/linear/linear-release-action/compare/0353b5fa8c00326913966f00557d68f8f30b8b6b...ad7da502eec3a93dd17e2e249e6c1cd84e3ee588) Updates `toshimaru/auto-author-assign` from 3.0.1 to 3.0.2 - [Release notes](https://github.com/toshimaru/auto-author-assign/releases) - [Changelog](https://github.com/toshimaru/auto-author-assign/blob/main/CHANGELOG.md) - [Commits](https://github.com/toshimaru/auto-author-assign/compare/4d585cc37690897bd9015942ed6e766aa7cdb97f...bdd7688cbf9e6d5683f02f8c7d8ae4062a254b6d) Updates `benc-uk/workflow-dispatch` from 1.3.1 to 1.3.2 - [Release notes](https://github.com/benc-uk/workflow-dispatch/releases) - [Commits](https://github.com/benc-uk/workflow-dispatch/compare/7a027648b88c2413826b6ddd6c76114894dc5ec4...31e2b3319479a63f0ab15bf800eff9e913504e26) Updates `github/codeql-action` from 4.35.1 to 4.36.0 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/c10b8064de6f491fea524254123dbe5e09572f13...7211b7c8077ea37d8641b6271f6a365a22a5fbfa) Updates `actions/stale` from 10.2.0 to 10.3.0 - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/b5d41d4e1d5dceea10e7104786b73624c18a190f...eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: 3.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/stale dependency-version: 10.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: aws-actions/configure-aws-credentials dependency-version: 6.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: benc-uk/workflow-dispatch dependency-version: 1.3.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: chromaui/action dependency-version: 17.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: dependabot/fetch-metadata dependency-version: 3.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: depot/build-push-action dependency-version: 1.18.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: docker/login-action dependency-version: 4.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: docker/setup-buildx-action dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: fluxcd/flux2 dependency-version: 2.8.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: github/codeql-action dependency-version: 4.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: linear/linear-release-action dependency-version: 0.13.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: step-security/harden-runner dependency-version: 2.19.4 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: toshimaru/auto-author-assign dependency-version: 3.0.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
334 lines
12 KiB
YAML
334 lines
12 KiB
YAML
name: contrib
|
|
|
|
on:
|
|
issue_comment:
|
|
types: [created, edited]
|
|
# zizmor: ignore[dangerous-triggers] We explicitly want to run on pull_request_target.
|
|
pull_request_target:
|
|
types:
|
|
- opened
|
|
- closed
|
|
- synchronize
|
|
- labeled
|
|
- unlabeled
|
|
- reopened
|
|
- edited
|
|
# For jobs that don't run on draft PRs.
|
|
- ready_for_review
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
# Only run one instance per PR to ensure in-order execution.
|
|
concurrency: pr-${{ github.ref }}
|
|
|
|
jobs:
|
|
community-label:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
pull-requests: write
|
|
if: >-
|
|
${{
|
|
github.event_name == 'pull_request_target' &&
|
|
github.event.action == 'opened'
|
|
}}
|
|
steps:
|
|
- name: Generate app token
|
|
id: app-token
|
|
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
|
|
with:
|
|
app-id: ${{ vars.ORG_MEMBERSHIP_APP_ID }}
|
|
private-key: ${{ secrets.ORG_MEMBERSHIP_APP_PRIVATE_KEY }}
|
|
- name: Add community label
|
|
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
|
|
env:
|
|
APP_TOKEN: ${{ steps.app-token.outputs.token }}
|
|
with:
|
|
# Default GITHUB_TOKEN handles label writes via the
|
|
# `github` object (needs pull-requests: write). The App
|
|
# token is scoped to members: read only and used via a
|
|
# separate Octokit client for the membership check.
|
|
script: |
|
|
const orgClient = getOctokit(process.env.APP_TOKEN)
|
|
|
|
const params = {
|
|
issue_number: context.issue.number,
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
}
|
|
|
|
const labels = context.payload.pull_request.labels.map((label) => label.name)
|
|
if (labels.includes("community")) {
|
|
console.log('PR already has "community" label.')
|
|
return
|
|
}
|
|
|
|
// author_association can be unreliable: it returns
|
|
// CONTRIBUTOR instead of MEMBER when both apply, and
|
|
// returns NONE for members with private org visibility.
|
|
// Use the org membership API as the source of truth.
|
|
// See: https://github.com/actions/github-script/issues/643
|
|
const author = context.payload.pull_request.user.login
|
|
|
|
// Dependabot is not a community contributor.
|
|
if (author === 'dependabot[bot]') {
|
|
console.log('Author "%s" is a bot, skipping.', author)
|
|
return
|
|
}
|
|
|
|
try {
|
|
await orgClient.rest.orgs.checkMembershipForUser({
|
|
org: context.repo.owner,
|
|
username: author,
|
|
})
|
|
console.log('Author "%s" is an org member, skipping.', author)
|
|
return
|
|
} catch (error) {
|
|
if (error.status !== 404 && error.status !== 302) {
|
|
throw error
|
|
}
|
|
}
|
|
|
|
console.log('Adding "community" label for author "%s".', author)
|
|
// Uses the default GITHUB_TOKEN via the `github` object.
|
|
await github.rest.issues.addLabels({
|
|
...params,
|
|
labels: ["community"],
|
|
})
|
|
|
|
cla:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
pull-requests: write
|
|
steps:
|
|
- name: cla
|
|
if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
|
|
uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
# the below token should have repo scope and must be manually added by you in the repository's secret
|
|
PERSONAL_ACCESS_TOKEN: ${{ secrets.CDRCI2_GITHUB_TOKEN }}
|
|
with:
|
|
remote-organization-name: "coder"
|
|
remote-repository-name: "cla"
|
|
path-to-signatures: "v2022-09-04/signatures.json"
|
|
path-to-document: "https://github.com/coder/cla/blob/main/README.md"
|
|
# branch should not be protected
|
|
branch: "main"
|
|
# Some users have signed a corporate CLA with Coder so are exempt from signing our community one.
|
|
allowlist: "coryb,aaronlehmann,dependabot*,blink-so*,blinkagent*"
|
|
|
|
title:
|
|
runs-on: ubuntu-latest
|
|
if: ${{ github.event_name == 'pull_request_target' }}
|
|
steps:
|
|
- name: Validate PR title
|
|
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
|
|
with:
|
|
script: |
|
|
const { pull_request } = context.payload;
|
|
const title = pull_request.title;
|
|
const repo = { owner: context.repo.owner, repo: context.repo.repo };
|
|
|
|
const allowedTypes = [
|
|
"feat", "fix", "docs", "style", "refactor",
|
|
"perf", "test", "build", "ci", "chore", "revert",
|
|
];
|
|
const expectedFormat = `"type(scope): description" or "type: description"`;
|
|
const guidelinesLink = `See: https://github.com/coder/coder/blob/main/docs/about/contributing/CONTRIBUTING.md#commit-messages`;
|
|
const scopeHint = (type) =>
|
|
`Use a broader scope or no scope (e.g., "${type}: ...") for cross-cutting changes.\n` +
|
|
guidelinesLink;
|
|
|
|
console.log("Title: %s", title);
|
|
|
|
// Parse conventional commit format: type(scope)!: description
|
|
const match = title.match(/^(\w+)(\(([^)]*)\))?(!)?\s*:\s*.+/);
|
|
if (!match) {
|
|
core.setFailed(
|
|
`PR title does not match conventional commit format.\n` +
|
|
`Expected: ${expectedFormat}\n` +
|
|
`Allowed types: ${allowedTypes.join(", ")}\n` +
|
|
guidelinesLink
|
|
);
|
|
return;
|
|
}
|
|
|
|
const type = match[1];
|
|
const scope = match[3]; // undefined if no parentheses
|
|
|
|
// Validate type.
|
|
if (!allowedTypes.includes(type)) {
|
|
core.setFailed(
|
|
`PR title has invalid type "${type}".\n` +
|
|
`Expected: ${expectedFormat}\n` +
|
|
`Allowed types: ${allowedTypes.join(", ")}\n` +
|
|
guidelinesLink
|
|
);
|
|
return;
|
|
}
|
|
|
|
// If no scope, we're done.
|
|
if (!scope) {
|
|
console.log("No scope provided, title is valid.");
|
|
return;
|
|
}
|
|
|
|
console.log("Scope: %s", scope);
|
|
|
|
// Fetch changed files.
|
|
const files = await github.paginate(github.rest.pulls.listFiles, {
|
|
...repo,
|
|
pull_number: pull_request.number,
|
|
per_page: 100,
|
|
});
|
|
const changedPaths = files.map(f => f.filename);
|
|
console.log("Changed files: %d", changedPaths.length);
|
|
|
|
// Derive scope type from the changed files. The diff is the
|
|
// source of truth: if files exist under the scope, the path
|
|
// exists on the PR branch. No need for Contents API calls.
|
|
const isDir = changedPaths.some(f => f.startsWith(scope + "/"));
|
|
const isFile = changedPaths.some(f => f === scope);
|
|
const isStem = changedPaths.some(f => f.startsWith(scope + "."));
|
|
|
|
if (!isDir && !isFile && !isStem) {
|
|
core.setFailed(
|
|
`PR title scope "${scope}" does not match any files changed in this PR.\n` +
|
|
`Scopes must reference a path (directory or file stem) that contains changed files.\n` +
|
|
scopeHint(type)
|
|
);
|
|
return;
|
|
}
|
|
|
|
// Verify all changed files fall under the scope.
|
|
const outsideFiles = changedPaths.filter(f => {
|
|
if (isDir && f.startsWith(scope + "/")) return false;
|
|
if (f === scope) return false;
|
|
if (isStem && f.startsWith(scope + ".")) return false;
|
|
return true;
|
|
});
|
|
|
|
if (outsideFiles.length > 0) {
|
|
const listed = outsideFiles.map(f => " - " + f).join("\n");
|
|
core.setFailed(
|
|
`PR title scope "${scope}" does not contain all changed files.\n` +
|
|
`Files outside scope:\n${listed}\n\n` +
|
|
scopeHint(type)
|
|
);
|
|
return;
|
|
}
|
|
|
|
console.log("PR title is valid.");
|
|
|
|
release-labels:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
pull-requests: write
|
|
# Skip tagging for draft PRs.
|
|
if: ${{ github.event_name == 'pull_request_target' && !github.event.pull_request.draft }}
|
|
steps:
|
|
- name: release-labels
|
|
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
|
|
with:
|
|
# This script ensures PR title and labels are in sync:
|
|
#
|
|
# When release/breaking label is:
|
|
# - Added, rename PR title to include ! (e.g. feat!:)
|
|
# - Removed, rename PR title to strip ! (e.g. feat:)
|
|
#
|
|
# When title is:
|
|
# - Renamed (+!), add the release/breaking label
|
|
# - Renamed (-!), remove the release/breaking label
|
|
script: |
|
|
const releaseLabels = {
|
|
breaking: "release/breaking",
|
|
}
|
|
|
|
const { action, changes, label, pull_request } = context.payload
|
|
const { title } = pull_request
|
|
const labels = pull_request.labels.map((label) => label.name)
|
|
const isBreakingTitle = isBreaking(title)
|
|
|
|
// Debug information.
|
|
console.log("Action: %s", action)
|
|
console.log("Title: %s", title)
|
|
console.log("Labels: %s", labels.join(", "))
|
|
|
|
const params = {
|
|
issue_number: context.issue.number,
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
}
|
|
|
|
if (action === "opened" || action === "reopened" || action === "ready_for_review") {
|
|
if (isBreakingTitle && !labels.includes(releaseLabels.breaking)) {
|
|
console.log('Add "%s" label', releaseLabels.breaking)
|
|
await github.rest.issues.addLabels({
|
|
...params,
|
|
labels: [releaseLabels.breaking],
|
|
})
|
|
}
|
|
}
|
|
|
|
if (action === "edited" && changes.title) {
|
|
if (isBreakingTitle && !labels.includes(releaseLabels.breaking)) {
|
|
console.log('Add "%s" label', releaseLabels.breaking)
|
|
await github.rest.issues.addLabels({
|
|
...params,
|
|
labels: [releaseLabels.breaking],
|
|
})
|
|
}
|
|
|
|
if (!isBreakingTitle && labels.includes(releaseLabels.breaking)) {
|
|
const wasBreakingTitle = isBreaking(changes.title.from)
|
|
if (wasBreakingTitle) {
|
|
console.log('Remove "%s" label', releaseLabels.breaking)
|
|
await github.rest.issues.removeLabel({
|
|
...params,
|
|
name: releaseLabels.breaking,
|
|
})
|
|
} else {
|
|
console.log('Rename title from "%s" to "%s"', title, toBreaking(title))
|
|
await github.rest.issues.update({
|
|
...params,
|
|
title: toBreaking(title),
|
|
})
|
|
}
|
|
}
|
|
}
|
|
|
|
if (action === "labeled") {
|
|
if (label.name === releaseLabels.breaking && !isBreakingTitle) {
|
|
console.log('Rename title from "%s" to "%s"', title, toBreaking(title))
|
|
await github.rest.issues.update({
|
|
...params,
|
|
title: toBreaking(title),
|
|
})
|
|
}
|
|
}
|
|
|
|
if (action === "unlabeled") {
|
|
if (label.name === releaseLabels.breaking && isBreakingTitle) {
|
|
console.log('Rename title from "%s" to "%s"', title, fromBreaking(title))
|
|
await github.rest.issues.update({
|
|
...params,
|
|
title: fromBreaking(title),
|
|
})
|
|
}
|
|
}
|
|
|
|
function isBreaking(t) {
|
|
return t.split(" ")[0].endsWith("!:")
|
|
}
|
|
|
|
function toBreaking(t) {
|
|
const parts = t.split(" ")
|
|
return [parts[0].replace(/:$/, "!:"), ...parts.slice(1)].join(" ")
|
|
}
|
|
|
|
function fromBreaking(t) {
|
|
const parts = t.split(" ")
|
|
return [parts[0].replace(/!:$/, ":"), ...parts.slice(1)].join(" ")
|
|
}
|