# Copyright 2024 The Janus IDP Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: PR Bundle Manifests Validator
on:
# pull_request_target needed to be able to commit and push bundle diffs to external fork PRs.
# But we included a manual authorization safeguard to prevent PWN requests. See the 'authorize' job below.
pull_request_target:
branches:
- main
- rhdh-1.[0-9]+
- 1.[0-9]+.x
concurrency:
group: ${{ github.workflow }}-${{ github.event.number }}
cancel-in-progress: true
jobs:
authorize:
# The 'external' environment is configured with the maintainers team as required reviewers.
# All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks.
# see list of approvers in OWNERS file
environment:
${{ (github.event.pull_request.head.repo.full_name == github.repository ||
contains(fromJSON('["gazarenkov","jianrongzhang89","kadel","nickboldt","rm3l","kim-tsao","openshift-cherrypick-robot"]'), github.actor)) && 'internal' || 'external' }}
runs-on: ubuntu-latest
steps:
- name: approved
run: echo "✓"
pr-bundle-diff-checks:
name: PR Bundle Diff
runs-on: ubuntu-latest
needs: authorize
permissions:
contents: write
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
fetch-depth: 0
repository: ${{github.event.pull_request.head.repo.full_name}}
ref: ${{ github.event.pull_request.head.ref }}
- name: Setup Go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
with:
go-version-file: 'go.mod'
- name: Check for outdated bundle
id: bundle-diff-checker
run: |
make bundle
git status --porcelain
# Since operator-sdk 1.26.0, `make bundle` changes the `createdAt` field from the bundle every time we run it.
# The `git diff` below checks if only the createdAt field has changed. If is the only change, it is ignored.
# Inspired from https://github.com/operator-framework/operator-sdk/issues/6285#issuecomment-1415350333
echo "MANIFESTS_CHANGED=$(if git diff --quiet -I'^ createdAt: ' bundle; then echo "false"; else echo "true"; fi)" >> $GITHUB_OUTPUT
- name: Commit any manifest changes
if: ${{ steps.bundle-diff-checker.outputs.MANIFESTS_CHANGED == 'true' }}
run: |
git config user.name 'github-actions[bot]'
git config user.email 'github-actions[bot]@users.noreply.github.com'
git fetch --prune
git pull --rebase --autostash
git add -A .
git commit \
-m "Regenerate bundle manifests" \
-m "Co-authored-by: $GITHUB_ACTOR <$GITHUB_ACTOR@users.noreply.github.com>"
git push
- name: Comment on PR if bundle manifests were updated
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
if: ${{ !cancelled() && steps.bundle-diff-checker.outputs.MANIFESTS_CHANGED == 'true' }}
continue-on-error: true
env:
GH_BLOB_VIEWER_BASE_URL: ${{github.event.pull_request.head.repo.html_url}}/blob/${{github.event.pull_request.head.ref}}
with:
script: |
await github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: '⚠️ Files changed in bundle generation!
Those changes to the operator bundle manifests should have been pushed automatically to your PR branch.
You might also need to manually update the [`.rhdh/bundle/manifests/rhdh-operator.csv.yaml`](${{ env.GH_BLOB_VIEWER_BASE_URL }}/.rhdh/bundle/manifests/rhdh-operator.csv.yaml) CSV file accordingly.'
})