New security helmet and coat #737
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Merge Upstream Master | |
| on: | |
| issue_comment: | |
| types: created | |
| jobs: | |
| merge-upstream: | |
| if: | | |
| github.event.issue.pull_request && | |
| (github.event.comment.body == '!merge_upstream') && | |
| ((github.event.sender.id == github.event.issue.user.id) || | |
| (github.event.comment.author_association == 'COLLABORATOR') || | |
| (github.event.comment.author_association == 'MEMBER') || | |
| (github.event.comment.author_association == 'OWNER')) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - id: create_token | |
| uses: actions/create-github-app-token@v1 | |
| with: | |
| app-id: ${{ secrets.APP_ID }} | |
| private-key: ${{ secrets.PRIVATE_KEY }} | |
| - run: echo "GH_TOKEN=${{ steps.create_token.outputs.token }}" >> "$GITHUB_ENV" | |
| - run: echo "FAIL_NOTIFIED=false" >> "$GITHUB_ENV" | |
| - name: Like the comment | |
| env: | |
| BASE_REPOSITORY: ${{ github.repository }} | |
| run: | | |
| gh api \ | |
| --method POST \ | |
| -H "Accept: application/vnd.github+json" \ | |
| -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| /repos/$BASE_REPOSITORY/issues/comments/${{ github.event.comment.id }}/reactions \ | |
| -f content='+1' | |
| - name: PR Data | |
| run: | | |
| pr_json=$(curl -L -s --fail-with-body -H "Authorization: token ${{ github.token }}" ${{ github.event.issue.pull_request.url }}) | |
| if [ `jq -r '.maintainer_can_modify' <<<$pr_json` == "false" ] ; then | |
| gh pr comment ${{ github.event.issue.html_url }} --body 'GitHub Actions can not push to the repository without "Allow edits and access to secrets by maintainers" checked.' | |
| echo "FAIL_NOTIFIED=true" >> "$GITHUB_ENV" | |
| exit 1 | |
| fi | |
| echo "PR_REPO=`jq -r '.head.repo.full_name' <<<$pr_json`" >> $GITHUB_ENV | |
| echo "PR_BRANCH=`jq -r '.head.ref' <<<$pr_json`" >> $GITHUB_ENV | |
| echo "PR_HEAD_LABEL=`jq -r '.head.label' <<<$pr_json`" >> $GITHUB_ENV | |
| - uses: actions/checkout@v4 | |
| with: | |
| repository: ${{ env.PR_REPO }} | |
| ref: ${{ env.PR_BRANCH }} | |
| token: ${{ env.GH_TOKEN }} | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| cache: 'yarn' | |
| cache-dependency-path: ./tgui/yarn.lock | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| cache: 'pip' | |
| - name: Perform Merge | |
| env: | |
| BASE_BRANCH: ${{ github.event.repository.default_branch }} | |
| BASE_REPOSITORY: ${{ github.repository }} | |
| run: | | |
| # Compare head branch and base branch | |
| compare_result=$(curl -L -s --fail-with-body \ | |
| -H "Accept: application/vnd.github+json" \ | |
| -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| "https://api.github.com/repos/$BASE_REPOSITORY/compare/$BASE_BRANCH...$PR_HEAD_LABEL") | |
| # Assign multiple variables with one jq execution | |
| if IFS=$'\n' read -d '' -r behind_by ahead_by <<<$(jq '.behind_by, .ahead_by' <<<$compare_result) ; [ -z "$behind_by" ] || [ -z "$ahead_by" ] ; then | |
| echo '- Unable to determine the distance between the head branch and the base branch.' | tee -a "$GITHUB_STEP_SUMMARY" | |
| exit 1 | |
| fi | |
| if [ "$behind_by" -le 0 ] ; then | |
| echo '- Skipping merge. Up-to-date with base branch.' | tee -a "$GITHUB_STEP_SUMMARY" | |
| exit 0 | |
| else | |
| echo '- Merging base branch. Head branch is behind by '"$behind_by"' commits and ahead by '"$ahead_by"' commits.' | tee -a "$GITHUB_STEP_SUMMARY" | |
| fi | |
| # Install Tools | |
| chmod +x tools/bootstrap/python | |
| bash tools/hooks/install.sh | |
| bash tgui/bin/tgui --install-git-hooks | |
| chmod +x tools/hooks/*.merge tgui/bin/tgui | |
| # Actual Merge | |
| git config user.name paradisess13[bot] | |
| git config user.email "165046124+paradisess13[bot]@users.noreply.github.com" | |
| git remote add upstream "https://github.com/$BASE_REPOSITORY.git" | |
| git fetch origin "$PR_BRANCH" --depth=$((ahead_by + 1)) | |
| git fetch upstream "$BASE_BRANCH" --depth=$((behind_by + 1)) | |
| # Check if a workflow file would be modified by the merge (permissions prevent pushes if so) | |
| latest_workflow_commit=$(git log -n 1 --pretty=format:"%H" upstream/$BASE_BRANCH -- .github/workflows) | |
| if ! git branch --contains $latest_workflow_commit | grep -q "$(git rev-parse --abbrev-ref HEAD)"; then | |
| gh pr comment ${{ github.event.issue.html_url }} --body "GitHub Actions can not push to this branch as workflow files have been changed since your branch was last updated. Please update your branch past https://github.com/ParadiseSS13/Paradise/commit/$latest_workflow_commit before using this command again." | |
| echo "FAIL_NOTIFIED=true" >> "$GITHUB_ENV" | |
| exit 1 | |
| fi | |
| git merge FETCH_HEAD | |
| git push origin | |
| - name: Rebuild TGUI | |
| run: | | |
| if git diff-tree --name-only -r $(git rev-parse HEAD~2) | grep "tgui/public/" ; then | |
| bash tgui/bin/tgui | |
| git commit -m "Rebuild TGUI" | |
| git push origin | |
| else | |
| echo "No changes to rebuild TGUI" | |
| fi | |
| - name: Notify Failure | |
| if: failure() && env.FAIL_NOTIFIED != 'true' | |
| run: | | |
| gh pr comment ${{ github.event.issue.html_url }} -b 'Merging upstream failed, see the action run log for details: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}' |