add workflows for suggestions on PRs #1347
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| # Description: This workflow is triggered when the `receive-pr` workflow completes to post suggestions on the PR. | ||
| # Since this pull request has write permissions on the target repo, we should **NOT** execute any untrusted code. | ||
| # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | ||
| --- | ||
| name: comment-pr | ||
|
|
||
| on: | ||
| workflow_run: | ||
| workflows: ["receive-pr"] | ||
| types: | ||
| - completed | ||
|
|
||
| jobs: | ||
| post-suggestions: | ||
| # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-a-workflow-based-on-the-conclusion-of-another-workflow | ||
| if: ${{ github.event.workflow_run.conclusion == 'success' }} | ||
| runs-on: ubuntu-latest | ||
| env: | ||
| # https://docs.github.com/en/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token | ||
| ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| timeout-minutes: 10 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{github.event.workflow_run.head_branch}} | ||
| repository: ${{github.event.workflow_run.head_repository.full_name}} | ||
|
|
||
| # Download the patch | ||
| - uses: actions/download-artifact@v4 | ||
| with: | ||
| name: patch | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| run-id: ${{ github.event.workflow_run.id }} | ||
| - name: Apply patch | ||
| run: | | ||
| git apply git-diff.patch --allow-empty | ||
| rm git-diff.patch | ||
|
|
||
| # Download the PR number | ||
| - uses: actions/download-artifact@v4 | ||
| with: | ||
| name: pr_number | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| run-id: ${{ github.event.workflow_run.id }} | ||
| - name: Read pr_number.txt | ||
| run: | | ||
| PR_NUMBER=$(cat pr_number.txt) | ||
| echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV | ||
| rm pr_number.txt | ||
|
|
||
| # Post suggestions as a comment on the PR | ||
| - uses: googleapis/code-suggester@v4 | ||
| with: | ||
| command: review | ||
| pull_number: ${{ env.PR_NUMBER }} | ||
| git_dir: '.' |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| # Description: This workflow runs OpenRewrite recipes against opened pull request and upload the patch. | ||
| # Since this pull request receives untrusted code, we should **NOT** have any secrets in the environment. | ||
| # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | ||
| --- | ||
| name: receive-pr | ||
|
|
||
| on: | ||
| pull_request: | ||
| types: [opened, synchronize] | ||
| branches: | ||
| - master | ||
| - 2.[0-9]+ | ||
| - 3.[0-9]+ | ||
| concurrency: | ||
| group: '${{ github.workflow }} @ ${{ github.ref }}' | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| upload-patch: | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 10 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{github.event.pull_request.head.ref}} | ||
| repository: ${{github.event.pull_request.head.repo.full_name}} | ||
| - uses: actions/setup-java@v4 | ||
| with: | ||
| java-version: '21' | ||
| distribution: 'temurin' | ||
| cache: 'maven' | ||
|
|
||
| # Capture the PR number | ||
| # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#using-data-from-the-triggering-workflow | ||
| - name: Create pr_number.txt | ||
| run: echo "${{ github.event.number }}" > pr_number.txt | ||
| - uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: pr_number | ||
| path: pr_number.txt | ||
| - name: Remove pr_number.txt | ||
| run: rm -f pr_number.txt | ||
|
|
||
| # Execute recipes | ||
| - name: Apply OpenRewrite recipes | ||
| run: mvn --activate-profiles openrewrite org.openrewrite.maven:rewrite-maven-plugin:run | ||
|
|
||
| # Capture the diff | ||
| - name: Create patch | ||
| run: | | ||
| git diff | tee git-diff.patch | ||
| - uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: patch | ||
| path: git-diff.patch | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -298,4 +298,37 @@ tools.jackson.core.*;version=${project.version} | |
| <scope>test</scope> | ||
| </dependency> | ||
| </dependencies> | ||
|
|
||
| <profiles> | ||
| <profile> | ||
| <id>openrewrite</id> | ||
| <!-- `mvn -P openrewrite org.openrewrite.maven:rewrite-maven-plugin:run` --> | ||
| <build> | ||
| <plugins> | ||
| <plugin> | ||
| <groupId>org.openrewrite.maven</groupId> | ||
| <artifactId>rewrite-maven-plugin</artifactId> | ||
| <version>5.41.0</version> | ||
|
There was a problem hiding this comment. This can't be used on the 2.x branches because it would cause a huge diff There was a problem hiding this comment. I can try to put the info from the profile directly into the command in the workflow, I'll just have to figure out how to specify the version number there. There was a problem hiding this comment. We have the imports ordered on master so we can afford to support this and have full reordering - it is just not a good idea to have this on the 2.x branches. I still have my objections to using any build tooling that doesn't have multitudes of users and oodles of history to establish trust. My preference is not to merge any of this. Low cost to benefit ratio to me. If we insist on merging something like this - I would prefer to look at established tools to do this. I code mainly in Scala and use Scalafmt a lot. But if someone came to me with a custom project and asked me to replace Scalafmt, I would need a load of convincing. There was a problem hiding this comment. I see your point. Openrewrite is still new. It is the best tool I know for automatic refactoring and by extension it can also reformat code to a custom style. There was a problem hiding this comment. Again trying not to cast stones - but your PR includes call to a lib that is under your control. |
||
| <configuration> | ||
| <activeRecipes> | ||
| <recipe>org.openrewrite.java.OrderImports</recipe> | ||
| </activeRecipes> | ||
| <activeStyles> | ||
| <style>io.github.timoa.misc.JacksonImportStyle</style> | ||
| </activeStyles> | ||
| <failOnDryRunResults>true</failOnDryRunResults> | ||
| </configuration> | ||
| <dependencies> | ||
| <dependency> | ||
| <groupId>io.github.timo-a</groupId> | ||
| <artifactId>rewrite-recipe-starter</artifactId> | ||
| <version>0.4.0</version> | ||
| </dependency> | ||
| </dependencies> | ||
| </plugin> | ||
| </plugins> | ||
| </build> | ||
| </profile> | ||
| </profiles> | ||
|
|
||
| </project> | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is not a good way to get the PR number - try first answer in https://stackoverflow.com/questions/59077079/how-to-get-pull-request-number-within-github-actions-workflow
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't understand, both my workflow and the first stackoverflow answer use
github.event.numberto get the PR number. In order for the other workflow to get the PR number, this workflow then uploads the number as an artifact which the other workflow can download. I don't think this can be done with environment variables as used in the stackoverflow answer.