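# Reusable workflow (workflow_call) that commits generated rulesets and refreshed
# badge JSON back to the repository, authenticating the push with a GitHub App
# token minted from the caller-supplied app_id / app_private_key secrets.
name: Commit and push changes

on:
  workflow_call:
    inputs:
      rulesets_dir:
        required: true
        type: string
        description: "Base directory containing generated rulesets"
    secrets:
      app_id:
        required: true
      app_private_key:
        required: true

jobs:
  commit:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      # The app token (not GITHUB_TOKEN) is handed to checkout, so the later
      # `git push` runs with the credentials checkout persists from it.
      - name: Generate app token
        id: token
        uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ secrets.app_id }}
          private-key: ${{ secrets.app_private_key }}

      - uses: actions/checkout@v6
        with:
          token: ${{ steps.token.outputs.token }}

      - name: Download all artifacts
        uses: actions/download-artifact@v8
        with:
          path: ${{ inputs.rulesets_dir }}
          merge-multiple: true

      - name: Refresh badges
        # rulesets_dir is caller-controlled text; it is passed through an
        # environment variable rather than interpolated into the script with
        # `${{ }}`, so it can never be parsed as shell syntax.
        env:
          RULESETS_DIR: ${{ inputs.rulesets_dir }}
        run: |
          mkdir -p .github/badges
          for dir in "$RULESETS_DIR"/*/; do
            # An unmatched glob leaves the literal pattern in $dir; skip it.
            [ -d "$dir" ] || continue
            ecosystem=$(basename "$dir")
            # `grep -c` prints "0" *and* exits 1 when nothing matches, so a
            # plain `|| echo 0` would yield "0<newline>0" and break the JSON.
            # Swallow the non-zero exit and only default when output is empty
            # (e.g. all.yaml is missing).
            count=$(grep -c '^ - id:' "$dir/all.yaml" 2>/dev/null || true)
            count=${count:-0}
            printf '{"schemaVersion":1,"label":"rules","message":"%s","color":"blue"}\n' \
              "$count" > ".github/badges/${ecosystem}.json"
          done
          printf '{"schemaVersion":1,"label":"last updated","message":"%s","color":"green"}\n' \
            "$(date -u +"%Y-%m-%d %H:%M UTC")" > .github/badges/last-updated.json

      - name: Commit and push changes
        # We intentionally commit every run, even when rulesets are unchanged.
        # The "nothing changed" commit confirms the pipeline ran and OSV had
        # nothing new for us. The last-updated badge always changes, so the
        # diff check below is just a safety net.
        env:
          RULESETS_DIR: ${{ inputs.rulesets_dir }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add "$RULESETS_DIR/" .github/badges/
          git diff --staged --quiet || git commit -m "Update OSV rules ($(date -u +"%Y-%m-%d %H:%M UTC"))"
          git push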