jprdonnelly/airbyte
1
0
Fork 0
mirror of synced 2025-12-26 14:02:10 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
f3f548b92f42fc2ec15570d2ffe42e8db5d4eade
airbyte/.github/workflows/format-fix-command.yml
Tobias Wennergren 05f1ed756b chore: pin GitHub Actions to SHA1 for supply chain security (#67019) 
## What
- Pin all GitHub Actions to their specific SHA1 hashes to reduce supply
chain attack risk
- Replaces version tags with specific commit SHAs
- Includes version comments for easier reference
- Changes generated with the pinact tool

See internal wiki page on supply chain security for further info

## How
Used the tool pinact to pin the sha for github actions. 

## Review guide
<!--
1. `x.py`
2. `y.py`
-->

## User Impact
No impact

## Can this PR be safely reverted and rolled back?

- [x] YES 💚
- [ ] NO
2025-10-07 13:14:36 -07:00

148 lines
5.8 KiB
YAML
Raw Blame History

name: Fix formatting on a PR
on:
workflow_dispatch:
inputs:
pr:
description: "Pull request number. Used to pull the proper branch ref, including on forks."
type: number
required: false
comment-id:
description: "Optional. The comment-id of the slash command. Used to update the comment with the status."
required: false
# These must be declared, but they are unused and ignored.
# TODO: Infer 'repo' and 'gitref' from PR number on other workflows, so we can remove these.
repo:
description: "Repo (Ignored)"
required: false
default: "airbytehq/airbyte"
gitref:
description: "Ref (Ignored)"
required: false
run-name: "Fix formatting on PR #${{ github.event.inputs.pr }}"
concurrency:
group: ${{ github.workflow }}-${{ github.event.inputs.pr }}
# Cancel any previous runs on the same branch if they are still in progress
cancel-in-progress: true
jobs:
format-fix:
name: "Run pre-commit fix"
runs-on: ubuntu-24.04
steps:
- name: Get job variables
id: job-vars
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
shell: bash
run: |
PR_JSON=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.inputs.pr }})
echo "repo=$(echo "$PR_JSON" | jq -r .head.repo.full_name)" >> $GITHUB_OUTPUT
echo "branch=$(echo "$PR_JSON" | jq -r .head.ref)" >> $GITHUB_OUTPUT
echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> $GITHUB_OUTPUT
# NOTE: We still use a PAT here (rather than a GitHub App) because the workflow needs
# permissions to add commits to our main repo as well as forks. This will only work on
# forks if the user installs the app into their fork. Until we document this as a clear
# path, we will have to keep using the PAT.
- name: Checkout Airbyte
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
repository: ${{ steps.job-vars.outputs.repo }}
ref: ${{ steps.job-vars.outputs.branch }}
fetch-depth: 1
# Important that token is a PAT so that CI checks are triggered again.
# Without this we would be forever waiting on required checks to pass.
token: ${{ secrets.GH_PAT_APPROVINGTON_OCTAVIA }}
- name: Append comment with job run link
# If comment-id is not provided, this will create a new
# comment with the job run link.
id: first-comment-action
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with:
comment-id: ${{ github.event.inputs.comment-id }}
issue-number: ${{ github.event.inputs.pr }}
body: |
> Format-fix job started... [Check job output.][1]
[1]: ${{ steps.job-vars.outputs.run-url }}
# Compare the below to the `format_check.yml` workflow
- name: Setup Java
uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3.14.1
with:
distribution: "zulu"
java-version: "21"
- name: Setup Python
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: "3.11"
cache: "pip"
check-latest: true
update-environment: true
- name: Run pre-commit
uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
continue-on-error: true
id: format-fix
# This is helpful in the case that we change a previously committed generated file to be ignored by git.
- name: Remove any files that have been gitignored
run: git ls-files -i -c --exclude-from=.gitignore | xargs -r git rm --cached
# Check for changes in git
- name: Check for changes
id: git-diff
run: |
git diff --quiet && echo "No changes to commit" || echo "changes=true" >> $GITHUB_OUTPUT
shell: bash
# Commit changes (if any)
- name: Commit changes
id: commit-step
if: steps.git-diff.outputs.changes == 'true'
run: |
git config --global user.name "Octavia Squidington III"
git config --global user.email "octavia-squidington-iii@users.noreply.github.com"
git add .
git commit -m "chore: auto-fix lint and format issues"
echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
- name: Push changes to '(${{ steps.job-vars.outputs.repo }})'
if: steps.git-diff.outputs.changes == 'true'
run: |
git remote add contributor https://github.com/${{ steps.job-vars.outputs.repo }}.git
git push contributor HEAD:'${{ steps.job-vars.outputs.branch }}'
- name: Append success comment
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
if: steps.git-diff.outputs.changes == 'true'
with:
comment-id: ${{ steps.first-comment-action.outputs.comment-id }}
reactions: hooray
body: |
> ✅ Changes applied successfully. (${{ steps.commit-step.outputs.sha }})
- name: Append success comment (no-op)
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
if: steps.git-diff.outputs.changes != 'true'
with:
comment-id: ${{ steps.first-comment-action.outputs.comment-id }}
reactions: "+1"
body: |
> 🟦 Job completed successfully (no changes).
- name: Append failure comment
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
if: failure()
with:
comment-id: ${{ steps.first-comment-action.outputs.comment-id }}
reactions: confused
body: |
> ❌ Job failed.
Reference in New Issue View Git Blame Copy Permalink