Workflow security issue #110
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Preview Theme Changes | |
on: | |
pull_request: | |
types: [opened, synchronize] | |
permissions: | |
pull-requests: write | |
jobs: | |
check-for-changes-to-themes: | |
runs-on: ubuntu-latest | |
outputs: | |
HAS_THEME_CHANGES: ${{ steps.check-for-changes.outputs.HAS_THEME_CHANGES }} | |
CHANGED_THEMES: ${{ steps.check-for-changes.outputs.CHANGED_THEMES }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v2 | |
with: | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: Retrieved Theme Changes | |
id: check-for-changes | |
run: | | |
# Retrieve list of all changed files | |
git fetch origin | |
changed_files=$(git diff --name-only HEAD origin/trunk) | |
# Loop through changed files and identify parent directories | |
declare -A unique_dirs | |
for file in $changed_files; do | |
dir_name=$(dirname "$file") | |
while [[ "$dir_name" != "." ]]; do | |
if [[ -f "$dir_name/style.css" ]]; then # Check if the parent directory contains a theme | |
# Save only the basename | |
unique_dirs[$dir_name]=$(basename $dir_name) | |
break | |
fi | |
dir_name=$(dirname "$dir_name") | |
done | |
done | |
# Check if themes have changed | |
if [[ ${#unique_dirs[@]} -eq 0 ]]; then | |
echo "No theme changes detected" | |
echo "HAS_THEME_CHANGES=false" >> $GITHUB_OUTPUT | |
exit 0 | |
fi | |
# Output list of theme slugs with changes | |
echo "HAS_THEME_CHANGES=true" >> $GITHUB_OUTPUT | |
echo "CHANGED_THEMES=$(echo ${unique_dirs[@]})" >> $GITHUB_OUTPUT | |
echo "Theme directories with changes: $CHANGED_THEMES" | |
handle-pr-comment: | |
runs-on: ubuntu-latest | |
needs: check-for-changes-to-themes | |
steps: | |
- name: Checkout create-preview-links script from trunk | |
uses: actions/checkout@v3 | |
with: | |
repository: Automattic/themes | |
sparse-checkout: .github/scripts/create-preview-links ${{ needs.check-for-changes-to-themes.outputs.CHANGED_THEMES }} | |
ref: trunk | |
- name: Add Preview Links comment | |
id: comment-on-pr | |
if: ${{ needs.check-for-changes-to-themes.outputs.HAS_THEME_CHANGES == 'true' }} | |
uses: actions/github-script@v7 | |
env: | |
CHANGED_THEMES: ${{ needs.check-for-changes-to-themes.outputs.CHANGED_THEMES }} | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
const createPreviewLinks = require('.github/scripts/create-preview-links'); | |
createPreviewLinks(github, context, process.env.CHANGED_THEMES); | |
- name: Remove comment if no changes are detected | |
if: ${{ needs.check-for-changes-to-themes.outputs.HAS_THEME_CHANGES == 'false' }} | |
uses: actions/github-script@v7 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
const { data: comments } = await github.rest.issues.listComments({ | |
issue_number: context.payload.pull_request.number, | |
owner: context.repo.owner, | |
repo: context.repo.repo | |
}); | |
const existingComment = comments.find(comment => comment.user.login === 'github-actions[bot]' && comment.body.startsWith('### Preview changes')); | |
if (existingComment) { | |
await github.rest.issues.deleteComment({ | |
comment_id: existingComment.id, | |
owner: context.repo.owner, | |
repo: context.repo.repo | |
}); | |
} | |