[Snyk] Security upgrade next from 14.2.3 to 14.2.7 #99
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Validate github/github docs URLs | |
# **What it does**: Checks the URLs in docs-urls.json in github/github | |
# **Why we have it**: To ensure the values in docs-urls.json are perfect. | |
# **Who does it impact**: Docs content. | |
on: | |
workflow_dispatch: | |
schedule: | |
- cron: '20 16 * * *' # Run every day at 16:20 UTC / 8:20 PST | |
pull_request: | |
paths: | |
- 'content/**' | |
# In case a relevant dependency changes | |
- 'package*.json' | |
# The scripts | |
- 'src/links/scripts/validate-github-github-docs-urls/**' | |
# The workflow | |
- .github/workflows/validate-github-github-docs-urls.yml | |
permissions: | |
contents: read | |
issues: write | |
pull-requests: write | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
validate_github_github_docs_urls: | |
name: Validate github/github docs URLs | |
if: github.repository == 'github/docs-internal' | |
runs-on: ubuntu-20.04-xl | |
steps: | |
- name: Check out repo's default branch | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
# Picking this number is a "best guess". If we make it too large, | |
# the checkout will take potentially unnecessariily long. | |
# This reduces the chance that tj-actions/changed-files has to | |
# fetch deeper history. But if it needs to, it will. | |
fetch-depth: 10 | |
- uses: ./.github/actions/node-npm-setup | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} | |
repository: github/github | |
ref: master | |
path: github | |
- name: Run validation | |
run: | | |
# This will generate a .json file which we can use to | |
# do other things in other steps. | |
npm run validate-github-github-docs-urls -- validate \ | |
--output checks.json \ | |
github/config/docs-urls.json | |
- name: Update config/docs-urls.json in github/github (possibly) | |
if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }} | |
env: | |
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} | |
run: | | |
npm run validate-github-github-docs-urls -- generate-new-json checks.json github/config/docs-urls.json | |
cd github | |
git status | |
git diff | |
changes=$(git diff --name-only | wc -l) | |
if [[ $changes -eq 0 ]]; then | |
echo "There are no changes to commit after running generate-new-json. Exiting this step" | |
exit 0 | |
fi | |
current_timestamp=$(date '+%Y-%m-%d-%H%M%S') | |
branch_name="update-docs-urls-$current_timestamp" | |
git checkout -b "$branch_name" | |
current_daystamp=$(date '+%Y-%m-%d') | |
git commit -a -m "Update Docs URLs from automation ($current_daystamp)" | |
git push origin "$branch_name" | |
# XXX TODO | |
# Perhaps post an issue somewhere, about that the fact that this | |
# branch has been created and now needs to be turned into a PR | |
# that some human can take responsibility for. | |
- name: Clean up old branches in github/github | |
if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }} | |
env: | |
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} | |
run: | | |
npm run validate-github-github-docs-urls -- clean-up-old-branches --prefix update-docs-urls | |
echo "To see them all, go to:" | |
echo "https://github.com/github/github/branches/all?query=update-docs-urls-" | |
# If a PR comes along to github/docs-internal that causes some | |
# URLs in docs-urls.json (in github/github) to now fail, then | |
# we'll want to make the PR author+reviewer aware of this. | |
# For example, you moved a page without setting up a redirect. | |
# Or you edited a heading that now breaks a URL with fragment. | |
# In the latter case, you might want to update the URL in docs-urls.json | |
# after this PR has landed, or consider using `<a name="..."></a>` as a | |
# workaround for the time being. | |
# First, gather the URLs that were relevant | |
- name: Get changed content/data files | |
if: ${{ github.event_name == 'pull_request' }} | |
id: changed-files | |
uses: tj-actions/changed-files@1754cd4b9e661d1f0eced3b33545a8d8b3bc46d8 # v44.5.0 | |
with: | |
# No need to escape the file names because we make the output of | |
# tj-actions/changed-files be set as an environment variable. Not | |
# as a direct input to the line of bash that uses it. | |
safe_output: false | |
files: | | |
content/** | |
- name: Generate PR comment | |
if: ${{ github.event_name == 'pull_request' && steps.changed-files.outputs.any_changed == 'true' }} | |
env: | |
# Make it an environment variable so that its value doesn't need to be escaped. | |
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable | |
CHANGED_FILES: |- | |
${{ steps.changed-files.outputs.all_changed_files }} | |
GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_WRITEORG_PROJECT }} | |
ISSUE_NUMBER: ${{ github.event.pull_request.number }} | |
REPOSITORY: ${{ github.repository }} | |
run: npm run validate-github-github-docs-urls -- post-pr-comment checks.json --changed-files $CHANGED_FILES | |
- uses: ./.github/actions/slack-alert | |
if: ${{ failure() && github.event_name == 'schedule' }} | |
with: | |
slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} | |
slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }} |