Rework yml, only run when no merge conflict, fix possible security hole

easybuilders · Nov 2, 2024 · 02bfe0a · 02bfe0a
1 parent 229223c
commit 02bfe0a
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 37 deletions.
diff --git a/.github/workflows/tagbot.py b/.github/workflows/tagbot.py
@@ -6,7 +6,6 @@
 import git
 import requests
 import json
-import difflib
 from datetime import datetime
 from pathlib import Path
 
@@ -31,17 +30,6 @@ def similar_easyconfigs(repo, new_file):
     return sort_by_added_date(repo, possible_neighbours)
 
 
-def diff(old, new):
-    with open(old, 'r') as old_file, open(new, 'r') as new_file:
-        old_lines = list(old_file)
-        new_lines = list(new_file)
-        return ''.join(difflib.unified_diff(
-            old_lines,
-            new_lines,
-            fromfile=str(old),
-            tofile=str(new)))
-
-
 def pr_ecs(pr_diff):
     new_ecs = []
     changed_ecs = []
@@ -67,11 +55,10 @@ def pr_ecs(pr_diff):
 merge_commit_sha = data['pull_request']['merge_commit_sha']
 
 print("PR number:", pr_number)
-print("Repo:", repo)
 print("Base branch name:", base_branch_name)
 print("Merge commit ref:", merge_commit_sha)
 
-gitrepo = git.Repo(".")
+gitrepo = git.Repo("pr")
 
 target_commit = gitrepo.commit('origin/' + base_branch_name)
 pr_commit = gitrepo.commit(merge_commit_sha)
@@ -121,7 +108,7 @@ def pr_ecs(pr_diff):
             comment += f'<summary>Diff against <code>{neighbour.name}</code></summary>\n\n'
             comment += f'[{neighbour}](https://github.com/{repo}/blob/{base_branch_name}/{neighbour})\n\n'
             comment += '```diff\n'
-            comment += diff(neighbour, new_file)
+            comment += gitrepo.git.diff(f'HEAD:{neighbour}', f'HEAD:{new_file}')
             comment += '```\n</details>\n\n'
 
 print("Adjusting labels")

diff --git a/.github/workflows/tagbot.yml b/.github/workflows/tagbot.yml
@@ -3,35 +3,21 @@ on: [pull_request_target]
 
 jobs:
   tagbot:
+    if: github.event.pull_request.merge_commit_sha
     runs-on: ubuntu-24.04
     permissions:
       pull-requests: write
     steps:
-    - uses: actions/checkout@v4
+    - name: Checkout base branch for workflow scripts
+      uses: actions/checkout@v4
+
+    - name: Checkout PR for computing diff
+      uses: actions/checkout@v4
       with:
         ref: "${{ github.event.pull_request.merge_commit_sha }}"
+        path: 'pr'
         fetch-depth: 0
 
-    - name: Check if file has changed
-      run: |
-        if git diff --name-only origin/${{ github.event.pull_request.base.ref }}...HEAD | grep -q .github/workflows/tagbot.py; then
-          echo "tagbot_modified=true" >> $GITHUB_ENV
-        else
-          echo "tagbot_modified=false" >> $GITHUB_ENV
-        fi
-
-    - name: Post warning comment
-      if: env.tagbot_modified == 'true'
-      uses: actions/github-script@v7
-      with:
-        script: |
-          github.rest.issues.createComment({
-            issue_number: ${{ github.event.pull_request.number }},
-            owner: context.repo.owner,
-            repo: context.repo.repo,
-            body: "⚠️ Warning: The tagbot.py file has been modified. Please review changes carefully."
-          })
-
     - name: set up Python
       uses: actions/setup-python@v5
       with:
@@ -41,7 +27,6 @@ jobs:
       run: pip install gitpython requests
 
     - name: Tag and comment
-      if: env.tagbot_modified == 'false'
       env:
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: python .github/workflows/tagbot.py