mirror of
https://github.com/shaka-project/shaka-player.git
synced 2026-06-24 17:35:10 +03:00
Joey Parrish
7da1698e9b
See https://github.com/actions/checkout/issues/485 and https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/ In short, it is a terrible idea to persist even our default credentials after checkout. There's no call for that, so we will now set `persist-credentials: false` on all checkout actions. The only exceptions are for the release job, which wants to push a tag and create a branch, each of which explicitly persist credentials now and explain why in a comment.
63 lines
2.2 KiB
YAML
63 lines
2.2 KiB
YAML
name: Report Incremental Coverage
|
|
|
|
# Runs when the build and test workflow completes. This will run with full
|
|
# privileges, even if the other workflow doesn't. That allows us to leave PR
|
|
# comments, when we would not be able to do so otherwise.
|
|
on:
|
|
workflow_run:
|
|
workflows: [Build and Test]
|
|
types: [completed]
|
|
|
|
jobs:
|
|
report:
|
|
if: ${{ github.event.workflow_run.event == 'pull_request' }}
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Compute incremental code coverage
|
|
id: compute
|
|
shell: bash
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.SHAKA_BOT_TOKEN }}
|
|
# Fetches the coverage data from the run that triggered the report,
|
|
# parses it, compares it to the changed lines in the PR, and computes
|
|
# the incremental code coverage.
|
|
run: |
|
|
python .github/workflows/compute-incremental-coverage.py \
|
|
--repo ${{ github.repository }} \
|
|
--run-id ${{ github.event.workflow_run.id }}
|
|
|
|
- name: Report incremental code coverage
|
|
shell: bash
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.SHAKA_BOT_TOKEN }}
|
|
PR_NUMBER: ${{ steps.compute.outputs.pr_number }}
|
|
MESSAGE: "Incremental code coverage: ${{ steps.compute.outputs.coverage }}"
|
|
COMMENT_INCLUDES: "Incremental code coverage: "
|
|
COMMENT_USER: "shaka-bot"
|
|
run: |
|
|
# Look for an old comment
|
|
jq_filter=".[] | select((.user.login == \"$COMMENT_USER\") and (.body | startswith(\"$COMMENT_INCLUDES\"))) | .id"
|
|
gh api \
|
|
/repos/${{ github.repository }}/issues/$PR_NUMBER/comments \
|
|
| jq "$jq_filter" > old-comment-id
|
|
|
|
if [[ -z "$(cat old-comment-id)" ]]; then
|
|
# Create a new comment
|
|
gh api \
|
|
--method POST \
|
|
/repos/${{ github.repository }}/issues/$PR_NUMBER/comments \
|
|
-F "body=$MESSAGE"
|
|
else
|
|
# Update an old comment
|
|
gh api \
|
|
--method PATCH \
|
|
/repos/${{ github.repository }}/issues/comments/$(cat old-comment-id) \
|
|
-F "body=$MESSAGE"
|
|
fi
|