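---
name: Sync CodeQL CLI

# **What it does**: This workflow is run manually approximately every two weeks.
# When run, this workflow syncs the CodeQL CLI automated pipeline with the semmle-code
# repository, and creates a pull request if there are updates.
# **Why we have it**: So we can automate CodeQL CLI documentation.
# **Who does it impact**: Anyone making CodeQL CLI changes in `github/semmle-code`, and wanting to get them published on the docs site.

on:
  workflow_dispatch:
    inputs:
      SOURCE_BRANCH:
        description: 'Branch to pull the source files from in the semmle-code repo.'
        type: string
        required: true
        default: 'main'

# Scopes granted to the job's GITHUB_TOKEN. `contents: write` is what lets the
# first checkout's persisted credentials push the update branch below.
# NOTE(review): `gh pr create` runs with the App token (GITHUB_TOKEN is
# overridden in that step's env), so `pull-requests: write` may be unused
# here — confirm before narrowing.
permissions:
  contents: write
  pull-requests: write

# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
  group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
  cancel-in-progress: true

jobs:
  generate-codeql-files:
    if: github.repository == 'github/docs-internal'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      # Short-lived installation token scoped to the two repositories this
      # workflow reads from / writes to.
      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        with:
          app-id: ${{ secrets.DOCS_BOT_APP_ID }}
          private-key: ${{ secrets.DOCS_BOT_APP_PRIVATE_KEY }}
          owner: github
          repositories: semmle-code,docs-internal

      # Check out a nested repository inside of previous checkout
      - name: Checkout semmle-code repo
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # By default, only the most recent commit of the `main` branch
          # will be checked out
          token: ${{ steps.app-token.outputs.token }}
          repository: github/semmle-code
          path: semmle-code
          ref: ${{ inputs.SOURCE_BRANCH }}

      - uses: ./.github/actions/node-npm-setup

      # Records the exact semmle-code commit so the branch name and PR body
      # below can reference it.
      - name: Get the semmle-code SHA being synced
        id: semmle-code
        run: |
          cd semmle-code
          OPENAPI_COMMIT_SHA=$(git rev-parse HEAD)
          echo "OPENAPI_COMMIT_SHA=$OPENAPI_COMMIT_SHA" >> "$GITHUB_OUTPUT"
          echo "Copied files from github/semmle-code repo. Commit SHA: $OPENAPI_COMMIT_SHA"

      - name: Install pandoc
        run: |
          # Remove all previous pandoc versions.
          # -y: CI has no tty to answer apt's confirmation prompt.
          sudo apt-get purge --auto-remove -y pandoc
          # Download pandoc
          # NOTE(review): the .deb is version-pinned but its integrity is not
          # verified before installation; consider checking its SHA-256
          # against the value published with the release before `dpkg -i`.
          wget https://github.com/jgm/pandoc/releases/download/3.0.1/pandoc-3.0.1-1-amd64.deb
          # Install pandoc
          sudo dpkg -i pandoc-3.0.1-1-amd64.deb
          # Output the pandoc version installed
          pandoc -v
          rm pandoc-3.0.1-1-amd64.deb

      - name: Sync the CodeQL CLI data
        run: |
          npm run sync-codeql-cli
          git status
          # The nested checkout is untracked in docs-internal; remove it so
          # the `git add .` in the next step cannot sweep it into the commit.
          echo "Deleting the cloned github/semmle-code repo..."
          rm -rf semmle-code

      - name: Create pull request
        env:
          # Needed for gh
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
          # Passed through the environment instead of being interpolated
          # into the script text, per GitHub's hardening guidance for `run:`
          # steps (the value is a git SHA from `git rev-parse`, so the risk
          # is low, but the env form is the safe idiom regardless).
          SEMMLE_COMMIT_SHA: ${{ steps.semmle-code.outputs.OPENAPI_COMMIT_SHA }}
        run: |
          # If nothing to commit, exit now. It's fine. No orphans.
          changes=$(git diff --name-only | wc -l)
          untracked=$(git status --untracked-files --short | wc -l)
          if [[ $changes -eq 0 ]] && [[ $untracked -eq 0 ]]; then
            echo "There are no changes to commit after running 'npm run sync-codeql-cli'. Exiting..."
            exit 0
          fi
          git config --global user.name "docs-bot"
          git config --global user.email "77750099+docs-bot@users.noreply.github.com"
          branchname="codeql-cli-update-${SEMMLE_COMMIT_SHA}"
          git checkout -b "$branchname"
          git add .
          git commit -m "Update CodeQL CLI data"
          # Force-push to handle reruns where the branch already exists on the
          # remote from a prior failed attempt. Plain --force is safe here
          # because these branches are exclusively managed by this workflow.
          git push --force -u origin "$branchname"
          # If a PR already exists for this branch (e.g. a previous run
          # succeeded but the workflow still reported failure), skip creation.
          existing_pr=$(gh pr list --repo github/docs-internal --head "$branchname" --json number --jq '.[0].number')
          if [[ -n "$existing_pr" ]]; then
            echo "Pull request #$existing_pr already exists for branch $branchname. Skipping PR creation."
            exit 0
          fi
          echo "Creating pull request..."
          # Double-quoted so the SHA is expanded by the shell; the body text
          # contains no other shell-special characters.
          gh pr create \
            --title "Update CodeQL CLI manual" \
            --body "👋 humans. This PR updates the CodeQL CLI manual Markdown pages with the latest changes in preparation for the next **CodeQL CLI** release.
          This will be reviewed and merged by the Code scanning and GHAS focus team as part of the release of CodeQL CLI. (Synced from semmle-code@${SEMMLE_COMMIT_SHA})
          If CI does not pass or other problems arise, contact #docs-engineering on slack." \
            --repo github/docs-internal \
            --label "codeql-cli-pipeline,skip FR board,ready-for-doc-review,workflow-generated"

      - uses: ./.github/actions/slack-alert
        # NOTE(review): workflow_dispatch is this workflow's only trigger, so
        # this condition is never true and the alert never fires — confirm
        # whether that is intended before relying on it as a failure signal.
        if: ${{ failure() && github.event_name != 'workflow_dispatch' }}
        with:
          slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }}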