From 065da2500ac3d01321f85132aadf5517a6594e74 Mon Sep 17 00:00:00 2001 From: timo <1398557+timo-a@users.noreply.github.com> Date: Fri, 4 Oct 2024 19:21:25 +0200 Subject: [PATCH] add workflows --- .github/workflows/comment-pr.yml | 56 ++++++++++++++++++++++++++++++++ .github/workflows/receive-pr.yml | 55 +++++++++++++++++++++++++++++++ pom.xml | 33 +++++++++++++++++++ 3 files changed, 144 insertions(+) create mode 100644 .github/workflows/comment-pr.yml create mode 100644 .github/workflows/receive-pr.yml diff --git a/.github/workflows/comment-pr.yml b/.github/workflows/comment-pr.yml new file mode 100644 index 0000000000..4aac84804a --- /dev/null +++ b/.github/workflows/comment-pr.yml @@ -0,0 +1,56 @@ +# Description: This workflow is triggered when the `receive-pr` workflow completes to post suggestions on the PR. +# Since this pull request has write permissions on the target repo, we should **NOT** execute any untrusted code. +# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ +--- +name: comment-pr + +on: + workflow_run: + workflows: ["receive-pr"] + types: + - completed + +jobs: + post-suggestions: + # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-a-workflow-based-on-the-conclusion-of-another-workflow + if: ${{ github.event.workflow_run.conclusion == 'success' }} + runs-on: ubuntu-latest + env: + # https://docs.github.com/en/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token + ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} + timeout-minutes: 10 + steps: + - uses: actions/checkout@v4 + with: + ref: ${{github.event.workflow_run.head_branch}} + repository: ${{github.event.workflow_run.head_repository.full_name}} + + # Download the patch + - uses: actions/download-artifact@v4 + with: + name: patch + github-token: ${{ secrets.GITHUB_TOKEN }} + run-id: ${{ github.event.workflow_run.id }} + - name: Apply patch + run: | + git apply git-diff.patch --allow-empty + rm git-diff.patch + + # Download the PR number + - uses: actions/download-artifact@v4 + with: + name: pr_number + github-token: ${{ secrets.GITHUB_TOKEN }} + run-id: ${{ github.event.workflow_run.id }} + - name: Read pr_number.txt + run: | + PR_NUMBER=$(cat pr_number.txt) + echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV + rm pr_number.txt + + # Post suggestions as a comment on the PR + - uses: googleapis/code-suggester@v4 + with: + command: review + pull_number: ${{ env.PR_NUMBER }} + git_dir: '.' diff --git a/.github/workflows/receive-pr.yml b/.github/workflows/receive-pr.yml new file mode 100644 index 0000000000..3821d89332 --- /dev/null +++ b/.github/workflows/receive-pr.yml @@ -0,0 +1,55 @@ +# Description: This workflow runs OpenRewrite recipes against opened pull request and upload the patch. +# Since this pull request receives untrusted code, we should **NOT** have any secrets in the environment. +# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ +--- +name: receive-pr + +on: + pull_request: + types: [opened, synchronize] + branches: + - master + - 2.[0-9]+ + - 3.[0-9]+ +concurrency: + group: '${{ github.workflow }} @ ${{ github.ref }}' + cancel-in-progress: true + +jobs: + upload-patch: + runs-on: ubuntu-latest + timeout-minutes: 10 + steps: + - uses: actions/checkout@v4 + with: + ref: ${{github.event.pull_request.head.ref}} + repository: ${{github.event.pull_request.head.repo.full_name}} + - uses: actions/setup-java@v4 + with: + java-version: '21' + distribution: 'temurin' + cache: 'maven' + + # Capture the PR number + # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#using-data-from-the-triggering-workflow + - name: Create pr_number.txt + run: echo "${{ github.event.number }}" > pr_number.txt + - uses: actions/upload-artifact@v4 + with: + name: pr_number + path: pr_number.txt + - name: Remove pr_number.txt + run: rm -f pr_number.txt + + # Execute recipes + - name: Apply OpenRewrite recipes + run: mvn --activate-profiles openrewrite org.openrewrite.maven:rewrite-maven-plugin:run + + # Capture the diff + - name: Create patch + run: | + git diff | tee git-diff.patch + - uses: actions/upload-artifact@v4 + with: + name: patch + path: git-diff.patch diff --git a/pom.xml b/pom.xml index 5bc6ac8f2a..7451c482dd 100644 --- a/pom.xml +++ b/pom.xml @@ -298,4 +298,37 @@ tools.jackson.core.*;version=${project.version} test + + + + openrewrite + + + + + org.openrewrite.maven + rewrite-maven-plugin + 5.41.0 + + + org.openrewrite.java.OrderImports + + + + + true + + + + io.github.timo-a + rewrite-recipe-starter + 0.4.0 + + + + + + + +