Skip to content

Protect Status: Combine multiple vulnerabilities for the same extension into single threat objects #81313

Protect Status: Combine multiple vulnerabilities for the same extension into single threat objects

Protect Status: Combine multiple vulnerabilities for the same extension into single threat objects #81313

name: PR is up-to-date
on:
pull_request_target:
branches: [ trunk ]
push:
branches: [ trunk ]
tags:
- pr-update-to
- pr-update-to-projects/**
jobs:
check:
name: Check
runs-on: ubuntu-latest
timeout-minutes: 5 # 2021-03-23: The run on push to the tag might take a minute or two.
steps:
# We basically have two workflows in one here, one for pushes to trunk and one for PRs and pushes to tags.
# The reason we don't separate them into two is because GitHub's UI would then always be showing a skipped job
# in the PR check list, which is kind of annoying.
# First, the "PR or tag" job.
- name: Checkout trunk for tag push or PR
uses: actions/checkout@v4
if: github.event_name != 'push' || github.ref != 'refs/heads/trunk'
with:
ref: trunk
token: ${{ secrets.API_TOKEN_GITHUB }}
# On a PR, we need to fetch (but not check out) the actual PR too.
- name: Deepen to merge base
if: github.event_name != 'push'
uses: ./.github/actions/deepen-to-merge-base
with:
checkout: false
- name: Determine tags for PR or tag and paths for tag push
id: determine
if: github.event_name != 'push' || github.ref != 'refs/heads/trunk'
env:
REF: ${{ github.event.pull_request.head.sha }}
run: |
TAGS=()
TAG=
PATHS=
if [[ "$GITHUB_EVENT_NAME" == "push" ]]; then
TAG="${GITHUB_REF#refs/tags/}"
if [[ "$TAG" == pr-update-to-* ]]; then
PATHS="${TAG#pr-update-to-}"
fi
else
TMP="$(git -c core.quotepath=off diff --name-only "origin/trunk...${REF}" projects/*/*/ | sed -nE 's!^(projects/[^/]+/[^/]+)/.*!pr-update-to-\1!p' | sort -u)"
mapfile -t TAGS <<<"$TMP"
TAGS+=( pr-update-to )
fi
echo "pr-tags=${TAGS[*]}" >> "$GITHUB_OUTPUT"
echo "push-tag=$TAG" >> "$GITHUB_OUTPUT"
echo "push-paths=$PATHS" >> "$GITHUB_OUTPUT"
- name: Check PR or tag push
if: github.event_name != 'push' || github.ref != 'refs/heads/trunk'
uses: ./projects/github-actions/pr-is-up-to-date
with:
tags: ${{ steps.determine.outputs.pr-tags }}
tag: ${{ steps.determine.outputs.push-tag }}
paths: ${{ steps.determine.outputs.push-paths }}
token: ${{ secrets.API_TOKEN_GITHUB }}
status: PR is up to date
# Second, the "push to trunk" job.
- name: Checkout push to trunk
uses: actions/checkout@v4
if: github.event_name == 'push' && github.ref == 'refs/heads/trunk'
with:
# The "Check whether the tag needs updating for trunk commit" needs the previous commit for diffing.
fetch-depth: 2
token: ${{ secrets.API_TOKEN_GITHUB }}
- name: Wait for prior instances of the workflow to finish
if: github.event_name == 'push' && github.ref == 'refs/heads/trunk'
uses: ./.github/actions/turnstile
- name: Check whether the tag needs updating for trunk commit
if: github.event_name == 'push' && github.ref == 'refs/heads/trunk'
run: .github/files/pr-update-to.sh