From 32466bab32dfcfb7bb8477ab417232da1f2c325e Mon Sep 17 00:00:00 2001 From: Joyce Brum Date: Tue, 7 Mar 2023 17:35:06 +0000 Subject: [PATCH 1/9] chore: create workflow to add comment Signed-off-by: Joyce Brum --- .github/workflows/check_amalgamation.yml | 54 ++++--------- .../workflows/comment_check_amalgamation.yml | 75 +++++++++++++++++++ 2 files changed, 91 insertions(+), 38 deletions(-) create mode 100644 .github/workflows/comment_check_amalgamation.yml diff --git a/.github/workflows/check_amalgamation.yml b/.github/workflows/check_amalgamation.yml index 1f363abcdb..0fadb52065 100644 --- a/.github/workflows/check_amalgamation.yml +++ b/.github/workflows/check_amalgamation.yml @@ -1,9 +1,24 @@ name: "Check amalgamation" on: - pull_request_target: + pull_request: + +permissions: read-all jobs: + save: + runs-on: ubuntu-latest + steps: + - name: Save PR number + run: | + mkdir -p ./pr + echo ${{ github.event.number }} > ./pr/number + echo ${{ github.event.pull_request.user.login }} > ./pr/author + - uses: actions/upload-artifact@v2 + with: + name: pr + path: pr/ + check: runs-on: ubuntu-latest env: 
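Review bot: The workflow-level `permissions: read-all` in this hunk is broader than the workflow needs — the `save` job uses no token scope at all and `check` only needs to check out the repository — and it is inconsistent with the later patches in this series, which settle on `contents: read`; I would replace it with `permissions:` / `  contents: read`. The `save` job also pulls `actions/upload-artifact@v2` by floating tag while the companion comment workflow pins `actions/github-script` to a commit SHA, so pin this one the same way. Because the file now runs on `pull_request`, whatever the PR's own copy of this workflow writes into `pr/number` and `pr/author` is attacker-controlled, so that artifact has to be treated as untrusted input wherever it is consumed. Interpolating `${{ github.event.number }}` and `${{ github.event.pull_request.user.login }}` straight into `run:` is the pattern to avoid in general (route them through `env:`), even though these two fields are constrained by GitHub to digits and `[A-Za-z0-9-]` respectively.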
@@ -53,40 +68,3 @@ jobs: astyle $ASTYLE_FLAGS $(find docs/examples include tests -type f \( -name '*.hpp' -o -name '*.cpp' -o -name '*.cu' \) -not -path 'tests/thirdparty/*' -not -path 'tests/abi/include/nlohmann/*' | sort) echo Check find $MAIN_DIR -name '*.orig' -exec false {} \+ - - - name: Comment on pull request - if: failure() - uses: actions/github-script@v6 - with: - github-token: ${{secrets.GITHUB_TOKEN}} - script: | - const author = context.payload.pull_request.user.login - const opts = github.rest.issues.listForRepo.endpoint.merge({ - owner: context.repo.owner, - repo: context.repo.repo, - creator: author, - state: 'all' - }) - - let first = true - const issues = await github.paginate(opts) - for (const issue of issues) { - if (issue.number === context.issue.number) { - continue - } - - if (issue.pull_request) { - first = false - break - } - } - - await github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: '## 🔴 Amalgamation check failed! 🔴\nThe source code has not been amalgamated.' - + (first ? ' @' + author + ' Please read and follow the [Contribution Guidelines]' - + '(https://github.com/nlohmann/json/blob/develop/.github/CONTRIBUTING.md#files-to-change).' - : '') - }) diff --git a/.github/workflows/comment_check_amalgamation.yml b/.github/workflows/comment_check_amalgamation.yml new file mode 100644 index 0000000000..58d68c8c93 --- /dev/null +++ b/.github/workflows/comment_check_amalgamation.yml 
@@ -0,0 +1,75 @@ +name: Comment Check Amalgamation +on: + workflow_run: + workflows: ["Check amalgamation"] + types: + - completed + +permissions: {} + +jobs: + comment: + if: ${{ github.event.workflow_run.conclusion == 'failure' }} + runs-on: ubuntu-latest + permissions: + contents: read + actions: read + issues: read + pull-requests: write + steps: + - name: 'Download artifact' + uses: actions/github-script@v3.1.0 + with: + script: | + var artifacts = await github.actions.listWorkflowRunArtifacts({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: ${{github.event.workflow_run.id }}, + }); + var matchArtifact = artifacts.data.artifacts.filter((artifact) => { + return artifact.name == "pr" + })[0]; + var download = await github.actions.downloadArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: matchArtifact.id, + archive_format: 'zip', + }); + var fs = require('fs'); + fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data)); + - run: unzip pr.zip + + - name: 'Comment on PR' + uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975 # v6.4.0 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + var fs = require('fs'); + const author = fs.readFileSync('./author') + const issue_number = Number(fs.readFileSync('./number')); + const opts = github.rest.issues.listForRepo.endpoint.merge({ + owner: context.repo.owner, + repo: context.repo.repo, + creator: author, + state: 'all' + }) + let first = true + const issues = await github.paginate(opts) + for (const issue of issues) { + if (issue.number === issue_number) { + continue + } + if (issue.pull_request) { + first = false + break + } + } + await github.rest.issues.createComment({ + issue_number: issue_number, + owner: context.repo.owner, + repo: context.repo.repo, + body: '## 🔴 Amalgamation check failed! 🔴\nThe source code has not been amalgamated.' + + (first ? 
' @' + author + ' Please read and follow the [Contribution Guidelines]' + + '(https://github.com/nlohmann/json/blob/develop/.github/CONTRIBUTING.md#files-to-change).' + : '') + }) From 9380ab096ed8a9161749bc5b277bc8b9e92953ae Mon Sep 17 00:00:00 2001 From: Joyce Brum Date: Tue, 7 Mar 2023 17:45:00 +0000 Subject: [PATCH 2/9] chore: use more recent github script Signed-off-by: Joyce Brum --- .github/workflows/comment_check_amalgamation.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/comment_check_amalgamation.yml b/.github/workflows/comment_check_amalgamation.yml index 58d68c8c93..2ab5ebb978 100644 --- a/.github/workflows/comment_check_amalgamation.yml +++ b/.github/workflows/comment_check_amalgamation.yml @@ -18,10 +18,10 @@ jobs: pull-requests: write steps: - name: 'Download artifact' - uses: actions/github-script@v3.1.0 + uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975 # v6.4.0 with: script: | - var artifacts = await github.actions.listWorkflowRunArtifacts({ + var artifacts = await github.rest.actions.listWorkflowRunArtifacts({ owner: context.repo.owner, repo: context.repo.repo, run_id: ${{github.event.workflow_run.id }}, @@ -29,7 +29,7 @@ jobs: var matchArtifact = artifacts.data.artifacts.filter((artifact) => { return artifact.name == "pr" })[0]; - var download = await github.actions.downloadArtifact({ + var download = await github.rest.actions.downloadArtifact({ owner: context.repo.owner, repo: context.repo.repo, artifact_id: matchArtifact.id, From 9d3b6c024aaaeb4fa086a9221e1b8ef165294cd1 Mon Sep 17 00:00:00 2001 From: Joyce Date: Thu, 9 Mar 2023 14:51:01 -0300 Subject: [PATCH 3/9] chore: set ci fuzz permissions Signed-off-by: Joyce --- .github/workflows/cifuzz.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml index f111ccdc92..0fd355bce5 100644 --- a/.github/workflows/cifuzz.yml +++ b/.github/workflows/cifuzz.yml 
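Review bot: The `Comment on PR` step trusts `./number` and `./author` even though that artifact was produced by the untrusted `pull_request` run of the PR's own workflow definition, so with `pull-requests: write` here a fork can point `issue_number` at any issue or PR in the repository and inject arbitrary text, including `@`-mentions, into the comment via `author`. Validate `number` as a positive integer, fetch the PR with `pulls.get` and confirm its `head.sha` equals `context.payload.workflow_run.head_sha`, and take the login from that response instead of the artifact. Separately, `echo` leaves a trailing newline in both files and `readFileSync` returns a Buffer, so today `creator:` and the mention carry a `\n`; reading with `'utf8'` and `.trim()` fixes that. The download step should also fail explicitly when no `pr` artifact exists (`matchArtifact` is `undefined` if the `save` job never ran) instead of throwing on `matchArtifact.id`.

```yaml
        script: |
          const fs = require('fs');
          const rawNumber = fs.readFileSync('./number', 'utf8').trim();
          if (!/^[1-9][0-9]*$/.test(rawNumber)) {
            core.setFailed(`invalid PR number in artifact: ${JSON.stringify(rawNumber)}`);
            return;
          }
          const issue_number = Number(rawNumber);
          // The artifact was written by the untrusted PR run: do not take the author
          // from it, and make sure the number really is the PR this run belongs to.
          const { data: pr } = await github.rest.pulls.get({
            owner: context.repo.owner,
            repo: context.repo.repo,
            pull_number: issue_number,
          });
          if (pr.head.sha !== context.payload.workflow_run.head_sha) {
            core.setFailed('PR number in artifact does not match the workflow_run head SHA');
            return;
          }
          const author = pr.user.login;
          // … unchanged: listForRepo pagination, first-PR check, createComment …
```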
@@ -1,5 +1,9 @@ name: CIFuzz on: [pull_request] + +permissions: + contents: read + jobs: Fuzzing: runs-on: ubuntu-latest From 9d090b57d7554bcc9ab3f8d68180ed3d46f3e568 Mon Sep 17 00:00:00 2001 From: Joyce Date: Thu, 9 Mar 2023 14:54:54 -0300 Subject: [PATCH 4/9] chore: set codeql permissions Signed-off-by: Joyce --- .github/workflows/codeql-analysis.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 7ba83ac1c7..9a87e828d1 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -10,6 +10,9 @@ on: schedule: - cron: '0 19 * * 1' workflow_dispatch: + +permissions: + contents: read concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} @@ -19,6 +22,8 @@ jobs: CodeQL-Build: runs-on: ubuntu-latest + permissions: + security-events: write steps: - name: Checkout repository From d4ceded9323dc9738c4faa2c40c2157b5a13d6f6 Mon Sep 17 00:00:00 2001 From: Joyce Date: Thu, 9 Mar 2023 14:56:26 -0300 Subject: [PATCH 5/9] chore: set permission to labeler Signed-off-by: Joyce --- .github/workflows/labeler.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 66cb7eb348..11925e1af0 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -4,6 +4,8 @@ on: pull_request_target: types: [opened, synchronize] +permissions: {} + jobs: label: permissions: From 46acafe648335c16a66330f67569ef073d48e75a Mon Sep 17 00:00:00 2001 From: Joyce Date: Thu, 9 Mar 2023 14:57:15 -0300 Subject: [PATCH 6/9] chore: set permissions to macos.yml Signed-off-by: Joyce --- .github/workflows/macos.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index ed867f45fe..b2cb429abd 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml 
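Review bot: In the codeql-analysis.yml job hunk, the job-level `permissions:` block added to `CodeQL-Build` replaces the workflow-level set rather than extending it, so the job ends up with `security-events: write` and every other scope (including `contents`) set to none, and the `Checkout repository` step that follows, plus the CodeQL upload, have to work without `contents: read`. The same series already handles this correctly in ubuntu.yml, where the job-level block repeats `contents: read`; do the same here: `permissions:` / `  contents: read` / `  security-events: write` (for a private repository the CodeQL action additionally documents `actions: read`). The remainder of the `CodeQL-Build` job lies outside this hunk.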
@@ -9,6 +9,9 @@ on: pull_request: workflow_dispatch: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} cancel-in-progress: true From 473450a4b0c84782e10d3c4df9921f6e60a9d592 Mon Sep 17 00:00:00 2001 From: Joyce Date: Thu, 9 Mar 2023 14:58:00 -0300 Subject: [PATCH 7/9] chore: update publish_documentation yml Signed-off-by: Joyce --- .github/workflows/publish_documentation.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/publish_documentation.yml b/.github/workflows/publish_documentation.yml index 65c42a74e0..f5e5c2c754 100644 --- a/.github/workflows/publish_documentation.yml +++ b/.github/workflows/publish_documentation.yml @@ -10,6 +10,9 @@ on: - docs/examples/** workflow_dispatch: +permissions: + contents: read + # we don't want to have concurrent jobs, and we don't want to cancel running jobs to avoid broken publications concurrency: group: documentation From e897965547433be124c2e7d8d1c613f37e971ab9 Mon Sep 17 00:00:00 2001 From: Joyce Date: Thu, 9 Mar 2023 15:01:25 -0300 Subject: [PATCH 8/9] chore: update ubuntu.yml permissions Signed-off-by: Joyce --- .github/workflows/ubuntu.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml index 52e7534366..7a80c3ee61 100644 --- a/.github/workflows/ubuntu.yml +++ b/.github/workflows/ubuntu.yml @@ -8,6 +8,9 @@ on: - release/* pull_request: workflow_dispatch: + +permissions: + contents: read concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} @@ -102,6 +105,9 @@ jobs: ci_test_coverage: runs-on: ubuntu-latest container: ghcr.io/nlohmann/json-ci:v2.4.0 + permissions: + contents: read + checks: write steps: - uses: actions/checkout@v3 - name: Run CMake From bb3c7cbd0a5373db8d06ae215aa3b828258a2b6d Mon Sep 17 00:00:00 2001 From: Joyce Date: Thu, 9 Mar 2023 15:01:59 -0300 Subject: [PATCH 9/9] chore: update windows.yml permissions 
Signed-off-by: Joyce --- .github/workflows/windows.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 00bd337da9..f4d4152272 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -9,6 +9,9 @@ on: pull_request: workflow_dispatch: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} cancel-in-progress: true