Protect: Add WAF StatCards #72231
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: PR is up-to-date | |
on: | |
pull_request_target: | |
branches: [ trunk ] | |
push: | |
branches: [ trunk ] | |
tags: | |
- pr-update-to | |
- pr-update-to-projects/** | |
jobs: | |
check: | |
name: Check | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 # 2021-03-23: The run on push to the tag might take a minute or two. | |
steps: | |
# We basically have two workflows in one here, one for pushes to trunk and one for PRs and pushes to tags. | |
# The reason we don't separate them into two is because GitHub's UI would then always be showing a skipped job | |
# in the PR check list, which is kind of annoying. | |
# First, the "PR or tag" job. | |
- name: Checkout trunk for tag push or PR | |
uses: actions/checkout@v4 | |
if: github.event_name != 'push' || github.ref != 'refs/heads/trunk' | |
with: | |
ref: trunk | |
token: ${{ secrets.API_TOKEN_GITHUB }} | |
# On a PR, we need to fetch (but not check out) the actual PR too. | |
- name: Deepen to merge base | |
if: github.event_name != 'push' | |
uses: ./.github/actions/deepen-to-merge-base | |
with: | |
checkout: false | |
- name: Determine tags for PR or tag and paths for tag push | |
id: determine | |
if: github.event_name != 'push' || github.ref != 'refs/heads/trunk' | |
env: | |
REF: ${{ github.event.pull_request.head.sha }} | |
run: | | |
TAGS=() | |
TAG= | |
PATHS= | |
if [[ "$GITHUB_EVENT_NAME" == "push" ]]; then | |
TAG="${GITHUB_REF#refs/tags/}" | |
if [[ "$TAG" == pr-update-to-* ]]; then | |
PATHS="${TAG#pr-update-to-}" | |
fi | |
else | |
TMP="$(git -c core.quotepath=off diff --name-only "origin/trunk...${REF}" projects/*/*/ | sed -nE 's!^(projects/[^/]+/[^/]+)/.*!pr-update-to-\1!p' | sort -u)" | |
mapfile -t TAGS <<<"$TMP" | |
TAGS+=( pr-update-to ) | |
fi | |
echo "pr-tags=${TAGS[*]}" >> "$GITHUB_OUTPUT" | |
echo "push-tag=$TAG" >> "$GITHUB_OUTPUT" | |
echo "push-paths=$PATHS" >> "$GITHUB_OUTPUT" | |
- name: Check PR or tag push | |
if: github.event_name != 'push' || github.ref != 'refs/heads/trunk' | |
uses: ./projects/github-actions/pr-is-up-to-date | |
with: | |
tags: ${{ steps.determine.outputs.pr-tags }} | |
tag: ${{ steps.determine.outputs.push-tag }} | |
paths: ${{ steps.determine.outputs.push-paths }} | |
token: ${{ secrets.API_TOKEN_GITHUB }} | |
status: PR is up to date | |
# Second, the "push to trunk" job. | |
- name: Checkout push to trunk | |
uses: actions/checkout@v4 | |
if: github.event_name == 'push' && github.ref == 'refs/heads/trunk' | |
with: | |
# The "Check whether the tag needs updating for trunk commit" needs the previous commit for diffing. | |
fetch-depth: 2 | |
token: ${{ secrets.API_TOKEN_GITHUB }} | |
- name: Wait for prior instances of the workflow to finish | |
if: github.event_name == 'push' && github.ref == 'refs/heads/trunk' | |
uses: ./.github/actions/turnstile | |
- name: Check whether the tag needs updating for trunk commit | |
if: github.event_name == 'push' && github.ref == 'refs/heads/trunk' | |
run: .github/files/pr-update-to.sh |