ci: fix offline-bundle workflow overwriting its own tooling + harden CodeArtifact creds #532
Workflow file for this run
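# Guard for PRs labelled 'auto-hotfix' that target main or release-candidate/*.
# The job fails when the PR touches .github/hotfix-manual/* (tracking
# placeholders) or when its added lines still contain merge-conflict markers.
# NOTE(review): a failing job only blocks a merge if it is a required status
# check on the protected branches; that configuration is not visible here.
name: Hotfix Tracking Guard

on:
  pull_request:
    types:
      - opened
      - reopened
      - synchronize
      - labeled
      - unlabeled
      - ready_for_review
    branches:
      - main
      - 'release-candidate/*'

jobs:
  block_placeholder_merge:
    runs-on: ubuntu-latest
    # Least privilege: the script only lists the PR's changed files.
    permissions:
      pull-requests: read
    steps:
      # Both steps key off the 'auto-hotfix' label, so a PR without the label
      # passes without inspection. NOTE(review): anyone able to edit labels can
      # therefore take a PR out of scope of this guard; confirm that is intended.
      - name: Skip non-auto-hotfix PRs
        if: ${{ !contains(github.event.pull_request.labels.*.name, 'auto-hotfix') }}
        run: echo "PR does not have auto-hotfix label. Passing."

      - name: Fail on placeholder files and unresolved conflict markers
        if: contains(github.event.pull_request.labels.*.name, 'auto-hotfix')
        # NOTE(review): 'v7' is a mutable tag. Consider pinning to a full commit
        # SHA, e.g. actions/github-script@<full-commit-sha>  # v7
        uses: actions/github-script@v7
        with:
          script: |
            // Every file changed by the PR, fetched page by page.
            const files = await github.paginate(github.rest.pulls.listFiles, {
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.payload.pull_request.number,
              per_page: 100,
            });

            // Check 1: tracking placeholders must never be merged.
            const placeholderFiles = files
              .map((file) => file.filename)
              .filter((filename) => filename.startsWith(".github/hotfix-manual/"));
            if (placeholderFiles.length > 0) {
              core.error(`Found hotfix tracking placeholder file(s): ${placeholderFiles.join(", ")}`);
              core.setFailed(
                "Manual hotfix tracking PR detected (.github/hotfix-manual/*). Close this PR after manually cherry-picking the changes. Do NOT merge."
              );
              return;
            }

            // Check 2: unresolved conflict markers in added lines.
            const conflictStartPattern = /^<{7,}(?:$| )/;
            const conflictMiddlePattern = /^={7,}$/;
            const conflictEndPattern = /^>{7,}(?:$| )/;

            // Files whose entry carries no textual patch cannot be inspected
            // (the API typically omits it for binary files and very large
            // diffs). The guard only warns for them, so it fails open there;
            // those files need a manual look.
            const filesWithoutPatch = files
              .filter((file) => typeof file.patch !== "string")
              .map((file) => file.filename);
            if (filesWithoutPatch.length > 0) {
              core.warning(`Could not inspect diff patch for: ${filesWithoutPatch.join(", ")}`);
            }

            const conflictedFiles = files
              .filter((file) => typeof file.patch === "string")
              .filter((file) => {
                // Split on CRLF as well as LF: with a bare "\n" split, a CRLF
                // file leaves a trailing "\r" on every line, so "=======\r"
                // never matches the middle pattern and the conflict is missed.
                const addedLines = file.patch
                  .split(/\r?\n/)
                  .filter((line) => line.startsWith("+") && !line.startsWith("+++"))
                  .map((line) => line.slice(1));
                // A file is flagged only when all three marker kinds appear.
                return (
                  addedLines.some((line) => conflictStartPattern.test(line)) &&
                  addedLines.some((line) => conflictMiddlePattern.test(line)) &&
                  addedLines.some((line) => conflictEndPattern.test(line))
                );
              })
              .map((file) => file.filename);

            if (conflictedFiles.length === 0) {
              core.info("No unresolved conflict markers found in added lines for auto-hotfix PR files.");
              return;
            }
            core.error(`Found unresolved conflict markers in: ${conflictedFiles.join(", ")}`);
            core.setFailed(
              "Auto-hotfix PR still contains unresolved conflict markers in added lines. Resolve them in this branch and push a follow-up commit before merging."
            );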