Git action test [AllBridgeFacet v3.0.1] [@coderabbit ignore] #3
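# Audit Verifier
# - checks if an audit is required for a given PR
# - an audit is required if any .sol file in path 'src/' has been modified or added
# - if audit is required, the action will assign the label "AuditRequired", otherwise it will assign label "AuditNotRequired"
# - it will also make sure that at the end, exactly one of these two labels is indeed assigned

name: Audit Verifier

# - checks if an audit is required and assigns a (protected) label based on the result ('AuditRequired' or 'AuditNotRequired')
# - if an audit is required, it will verify that the audit was actually done and assign label "AuditCompleted"
# - verification includes:
#   - ensuring the audit log contains an entry for all added/modified contracts in their latest version
#   - ensuring that an audit report has been added
#   - ensuring that the PR is approved by the auditor (uses auditor git handle from audit log)
#   - ensuring that the commit hash that was audited is actually part of this PR
# KNOWN LIMITATIONS
# - will only check the last 100 commits for any matches with audit commit hashes
#
# NOTE(review): the steps below only decide and assign 'AuditRequired' /
# 'AuditNotRequired'. The "AuditCompleted" verification described above is not
# among them - confirm where it is implemented.

on:
  pull_request:
    # 'ready_for_review' is included because the job is skipped while the PR is
    # a draft: without it, a PR opened as a draft and later marked ready would
    # get no audit label until its next push.
    types: [opened, synchronize, reopened, ready_for_review]

jobs:
  check-if-audit-required:
    # will only run once the PR is in "Ready for Review" state
    if: ${{ github.event.pull_request.draft == false }}
    runs-on: ubuntu-latest
    # This block restricts the automatic GITHUB_TOKEN only. The gh calls below
    # authenticate with the GIT_ACTIONS_BOT_PAT_CLASSIC secret, whose scopes
    # are defined on the token itself.
    # NOTE(review): a classic PAT is not limited to this repository; a
    # fine-grained token or a GitHub App installation token restricted to
    # pull-request label writes would narrow the impact of a leak.
    # NOTE(review): 'contents' is not granted here; actions/checkout needs
    # 'contents: read' if the repository is private - confirm.
    permissions:
      pull-requests: write
    steps:
      # NOTE(review): both actions in this job are referenced by a mutable tag
      # (@v4, @v7). Pinning them to a full commit SHA keeps a re-tagged release
      # from running in a job that has access to the bot PAT.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 ##### Fetch all history for all branches

      - name: Fetch currently assigned labels
        id: fetch_current_labels
        env:
          GITHUB_TOKEN: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }}
          # Passed through the environment so that no workflow expression is
          # expanded inside the script text.
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          echo "Fetching currently assigned labels..."

          ##### Label names are joined with single spaces: a plain NAME=value line
          ##### in GITHUB_ENV cannot carry newlines, so consumers have to split on
          ##### whitespace
          ASSIGNED_LABELS=$(gh pr view "$PR_NUMBER" --json labels --jq '.labels[].name' | tr '\n' ' ')

          echo "Assigned labels: $ASSIGNED_LABELS"
          echo "ASSIGNED_LABELS=${ASSIGNED_LABELS}" >> "$GITHUB_ENV"

      - name: Check PR for changes for protected folders ('src/*')
        id: check_if_audit_is_required
        run: |
          ##### Get all files modified by this PR
          ##### NOTE(review): the comparison base is hard-coded to origin/main; for a PR
          ##### that targets another branch this is not the PR's own diff - confirm
          FILES=$(git diff --name-only origin/main HEAD)

          ##### Make sure that there are modified files
          if [[ -z $FILES ]]; then
            echo -e "\033[31mNo files found. This should not happen. Please check the code of the Github action. Aborting now.\033[0m"
            echo "CONTINUE=false" >> "$GITHUB_ENV"
            ##### Fail closed: without this exit the script would fall through, find no
            ##### protected contracts and end up labelling the PR "AuditNotRequired"
            exit 1
          fi

          ##### Initialize empty variables
          PROTECTED_CONTRACTS=""
          PROTECTED_PATTERN='^src/.*\.sol$'

          ##### Go through all modified file names/paths and identify contracts with path 'src/*'
          while IFS= read -r FILE; do
            if [[ "$FILE" =~ $PROTECTED_PATTERN ]]; then
              ##### Contract found
              PROTECTED_CONTRACTS="${PROTECTED_CONTRACTS}${FILE}"$'\n'
            fi
          done <<< "$FILES"

          ##### Determine if audit is required
          if [[ -z "$PROTECTED_CONTRACTS" ]]; then
            echo -e "\033[32mNo protected contracts found in this PR.\033[0m"
            echo "AUDIT_REQUIRED=false" >> "$GITHUB_ENV"
          else
            echo -e "\033[31mProtected contracts found in this PR.\033[0m"
            echo "AUDIT_REQUIRED=true" >> "$GITHUB_ENV"
          fi

          echo "PROTECTED_CONTRACTS: $PROTECTED_CONTRACTS"

          ##### printf instead of 'echo -e': file names come from the PR and must not
          ##### have backslash sequences interpreted when they are written out
          printf '%s\n' "$PROTECTED_CONTRACTS" > protected_contracts.txt

      - name: Assign or update labels based on check outcome
        uses: actions/github-script@v7
        env:
          ASSIGNED_LABELS: ${{ env.ASSIGNED_LABELS }}
          AUDIT_REQUIRED: ${{ env.AUDIT_REQUIRED }}
          GH_TOKEN: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        with:
          script: |
            const { execFileSync } = require('child_process');

            // ASSIGNED_LABELS is written space-separated by the
            // "Fetch currently assigned labels" step, so split on any whitespace.
            // Splitting on '\n' alone yields one element holding every label, which
            // never equals a label name, so the opposite label was never removed.
            const assignedLabels = (process.env.ASSIGNED_LABELS || '').split(/\s+/).filter(Boolean);

            // Fail closed: a missing or malformed AUDIT_REQUIRED must not be read
            // as "no audit required".
            const auditRequiredRaw = process.env.AUDIT_REQUIRED;
            if (auditRequiredRaw !== 'true' && auditRequiredRaw !== 'false') {
              throw new Error(`AUDIT_REQUIRED must be 'true' or 'false' but is: ${auditRequiredRaw}`);
            }
            const auditRequired = auditRequiredRaw === 'true';

            const labelToAssign = auditRequired ? 'AuditRequired' : 'AuditNotRequired';
            const oppositeLabel = auditRequired ? 'AuditNotRequired' : 'AuditRequired';
            const prNumber = process.env.PR_NUMBER;

            console.log(`Currently assigned labels: ${assignedLabels}`);
            console.log(`Determined label to assign: ${labelToAssign}`);
            console.log(`Opposite label to remove if present: ${oppositeLabel}`);

            // gh is invoked with an argument array (no shell), so no argument is
            // re-parsed as shell syntax. It authenticates through GH_TOKEN.
            if (!assignedLabels.includes(labelToAssign)) {
              console.log(`Assigning label: ${labelToAssign}`);
              execFileSync('gh', ['pr', 'edit', prNumber, '--add-label', labelToAssign], { stdio: 'inherit' });
            } else {
              console.log(`Label "${labelToAssign}" is already assigned. No action needed.`);
            }

            if (assignedLabels.includes(oppositeLabel)) {
              console.log(`Removing opposite label: ${oppositeLabel}`);
              execFileSync('gh', ['pr', 'edit', prNumber, '--remove-label', oppositeLabel], { stdio: 'inherit' });
            } else {
              console.log(`Opposite label "${oppositeLabel}" is not assigned. No action needed.`);
            }

      - name: Verify label assignments (make sure exactly one of the two labels is assigned)
        env:
          GITHUB_TOKEN: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          echo "Fetching currently assigned labels..."
          assigned_labels=$(gh pr view "$PR_NUMBER" --json labels --jq '.labels | map(.name) | .[]')
          echo "Assigned labels: $assigned_labels"

          audit_required_assigned=0
          audit_not_required_assigned=0

          ##### Go through all assigned labels and count how many protected labels are found
          ##### (read line by line: one label per line, so a label name containing spaces
          ##### or glob characters is compared as a whole and never word-split or expanded)
          while IFS= read -r label; do
            if [ "$label" = "AuditRequired" ]; then
              audit_required_assigned=$((audit_required_assigned + 1))
            elif [ "$label" = "AuditNotRequired" ]; then
              audit_not_required_assigned=$((audit_not_required_assigned + 1))
            fi
          done <<< "$assigned_labels"

          total_labels_assigned=$((audit_required_assigned + audit_not_required_assigned))
          echo "Total labels assigned: $total_labels_assigned"

          ##### Make sure that exactly (only) one protected label is assigned
          if [ "$total_labels_assigned" -ne 1 ]; then
            echo -e "\033[31mError: Exactly one of the two labels should be assigned but found $total_labels_assigned assigned labels.\033[0m"
            exit 1
          else
            echo -e "\033[32mVerified that exactly one label is assigned.\033[0m"
            echo -e "\033[32mAll good :)\033[0m"
          fi

          ##### Success message is printed in green (it was red, the colour used for errors above)
          echo -e "\033[32mGit Action completed successfully\033[0m"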