ci(build): add threshold to build product workflow (#6564)

* ci(build): add threshold to build product workflow - Intorduce threshold for build product checking to warn the administrator * Add permissions for workflow from fork repo * Update the permission for workflow
2024-11-30 02:08:12 +08:00 · 2022-03-12 19:03:28 +08:00 · 2022-03-12 19:03:28 +08:00 · 58897ece76
commit 58897ece76
parent e98d1298c0
3 changed files with 30 additions and 2 deletions
--- a/.github/workflows/build-product.yml
+++ b/.github/workflows/build-product.yml
@ -6,10 +6,12 @@ jobs:
  check:
    name: Build Product Check
    runs-on: ubuntu-latest
+
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
+          persist-credentials: false

      - name: Add dev branch
        run: git branch dev origin/dev
@ -47,6 +49,8 @@ jobs:

      - name: Diff gen
        run: pnpm diff:table
+        env:
+          THRESHOLD: 50

      - name: Read diff file
        id: diff
@ -54,9 +58,23 @@ jobs:
        with:
          path: ./tmp/diff.md

+      - uses: actions-cool/check-user-permission@v2
+        id: isTeamMember
+        with:
+          require: 'write'
+          username: ${{ github.event.pull_request.user.login }}
+
      - name: Set comment
        uses: actions-cool/maintain-one-comment@v2.0.2
+        if: steps.isTeamMember.outputs.require-result == 'true'
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          body: ${{ steps.diff.outputs.content }}
          body-include: '<sub>Generated with'
+
+      - name: Echo comment
+        if: steps.isTeamMember.outputs.require-result == 'false'
+        run: |
+          echo 'Error: compressed-size-action was unable to comment on your PR.'
+          echo 'This can happen for PR's originating from a fork without write permissions.'
+          echo ${{ steps.diff.outputs.content }}
--- a/.github/workflows/welcome.yml
+++ b/.github/workflows/welcome.yml
@ -1,7 +1,8 @@
 name: PR Open Greeting
-
+# Note that this `pull_request_target` is vulnerable, it grants write access to a fork repo
+# DO NOT ADD ANY CHECKOUT/CACHING in this workflow
 on:
-  pull_request:
+  pull_request_target:
    types: [opened]

 jobs:
@ -12,6 +13,8 @@ jobs:
        id: isTeamMember
        with:
          require: 'write'
+          username: ${{ github.event.pull_request.user.login }}
+
      - uses: actions-awesome/pr-helper@1.0.15
        if: steps.isTeamMember.outputs.require-result == 'false'
        with:
--- a/scripts/build-table.ts
+++ b/scripts/build-table.ts
@ -4,6 +4,7 @@ import path from 'path'
 main()

 async function main() {
+  const threshold = process.env.THRESHOLD || 40
  let output: string
  const diffOutput = await fs.readFile(
    path.resolve(__dirname, '..', 'tmp/diff.txt'),
@ -36,6 +37,12 @@ async function main() {

    output = `**Total changed files:** ${fileDiffs.length}

+${
+  fileDiffs.length >= threshold
+    ? `#### 🚔 Attention: the changed file has exceeded the threshold`
+    : ''
+}
+
 <details><summary>:information_source: Files have been changed</summary>

 ${table}