Merge branch 'main' into cat/version-bump-comment-fix

chore: address copilot comments
feat: enhance version bump script and workflow for forked PRs
2026-06-03 04:58:15 +00:00 · 2026-01-08 14:12:28 -06:00 · 2026-01-08 14:10:43 -06:00 · 2026-01-07 15:49:44 -06:00
2 changed files with 43 additions and 11 deletions
@@ -1,26 +1,29 @@
 #!/bin/bash

 # Version Bump Script
-# Usage: ./version-bump.sh [--ci] <bump_type> [base_ref]
+# Usage: ./version-bump.sh [--ci] <bump_type> [base_ref] [head_ref]
 #   --ci: CI mode - run bump, check for changes, exit 1 if changes needed
 #   bump_type: patch, minor, or major
 #   base_ref: base reference for diff (default: origin/main)
+#   head_ref: head reference for diff (default: HEAD)

 set -euo pipefail

 CI_MODE=false

 usage() {
-  echo "Usage: $0 [--ci] <bump_type> [base_ref]"
+  echo "Usage: $0 [--ci] <bump_type> [base_ref] [head_ref]"
  echo "  --ci: CI mode - validates versions are already bumped (exits 1 if not)"
  echo "  bump_type: patch, minor, or major"
  echo "  base_ref: base reference for diff (default: origin/main)"
+  echo "  head_ref: head reference for diff (default: HEAD, used for fork PRs)"
  echo ""
  echo "Examples:"
  echo "  $0 patch                    # Update versions with patch bump"
  echo "  $0 minor                    # Update versions with minor bump"
  echo "  $0 major                    # Update versions with major bump"
  echo "  $0 --ci patch               # CI check: verify patch bump has been applied"
+  echo "  $0 --ci patch base_sha head_sha  # CI check with explicit refs (for fork PRs)"
  exit 1
 }

@@ -125,12 +128,13 @@ main() {
    shift
  fi

-  if [ $# -lt 1 ] || [ $# -gt 2 ]; then
+  if [ $# -lt 1 ] || [ $# -gt 3 ]; then
    usage
  fi

  local bump_type="$1"
  local base_ref="${2:-origin/main}"
+  local head_ref="${3:-HEAD}"

  case "$bump_type" in
    "patch" | "minor" | "major") ;;
@@ -144,7 +148,7 @@ main() {
  echo "🔍 Detecting modified modules..."

  local changed_files
-  changed_files=$(git diff --name-only "${base_ref}"...HEAD)
+  changed_files=$(git diff --name-only "${base_ref}".."${head_ref}")
  local modules
  modules=$(echo "$changed_files" | grep -E '^registry/[^/]+/modules/[^/]+/' | cut -d'/' -f1-4 | sort -u)

@@ -1,13 +1,14 @@
 name: Version Bump

+# Using pull_request_target to allow commenting on PRs from forks.
+# SECURITY: Executable code (scripts, package.json) comes from the BASE branch only.
+# Only the registry/ directory (data files) is checked out from the PR for version checking.
 on:
-  pull_request:
+  pull_request_target:
    types: [labeled]
-    paths:
-      - "registry/**/modules/**"

 concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

 jobs:
@@ -19,24 +20,50 @@ jobs:
      pull-requests: write
      issues: write
    steps:
-      - name: Checkout code
+      - name: Checkout base branch
        uses: actions/checkout@v6
        with:
+          ref: ${{ github.event.pull_request.base.sha }}
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

+      - name: Fetch PR head
+        run: |
+          git fetch origin refs/pull/${{ github.event.pull_request.number }}/head:pr-head
+          echo "PR_HEAD_SHA=$(git rev-parse pr-head)" >> $GITHUB_ENV
+
+      - name: Check for module changes
+        id: check-modules
+        run: |
+          CHANGED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }}..pr-head)
+          if echo "$CHANGED_FILES" | grep -qE '^registry/[^/]+/modules/'; then
+            echo "has_module_changes=true" >> $GITHUB_OUTPUT
+            echo "✅ PR contains module changes"
+          else
+            echo "has_module_changes=false" >> $GITHUB_OUTPUT
+            echo "ℹ️ PR does not contain module changes, skipping version bump check"
+          fi
+
+      - name: Checkout PR module files
+        if: steps.check-modules.outputs.has_module_changes == 'true'
+        run: git checkout pr-head -- registry/
+
      - name: Set up Bun
+        if: steps.check-modules.outputs.has_module_changes == 'true'
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest

      - name: Set up Terraform
+        if: steps.check-modules.outputs.has_module_changes == 'true'
        uses: coder/coder/.github/actions/setup-tf@main

      - name: Install dependencies
+        if: steps.check-modules.outputs.has_module_changes == 'true'
        run: bun install

      - name: Extract bump type from label
+        if: steps.check-modules.outputs.has_module_changes == 'true'
        id: bump-type
        run: |
          case "${{ github.event.label.name }}" in
@@ -56,10 +83,11 @@ jobs:
          esac

      - name: Check version bump
-        run: ./.github/scripts/version-bump.sh --ci "${{ steps.bump-type.outputs.type }}" origin/main
+        if: steps.check-modules.outputs.has_module_changes == 'true'
+        run: ./.github/scripts/version-bump.sh --ci "${{ steps.bump-type.outputs.type }}" ${{ github.event.pull_request.base.sha }} ${{ env.PR_HEAD_SHA }}

      - name: Comment on PR - Version bump required
-        if: failure()
+        if: failure() && steps.check-modules.outputs.has_module_changes == 'true'
        uses: actions/github-script@v8
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
Author	SHA1	Message	Date
DevCats	fac76efbfe	Merge branch 'main' into cat/version-bump-comment-fix	2026-01-08 14:12:28 -06:00
DevelopmentCats	a5ebd5e14b	chore: address copilot comments	2026-01-08 14:10:43 -06:00
DevelopmentCats	21fc9618a7	feat: enhance version bump script and workflow for forked PRs	2026-01-07 15:49:44 -06:00