# Source: github.com/anchore/syft@v1.38.2/.github/workflows/detect-schema-changes.yaml
#
# Runs the repository's labeler script against a pull request, then adds or
# hides a sticky PR comment depending on whether the script wrote a comment
# file. The trigger is `pull_request_target`, so the job runs in the context
# of the base repository and can receive its secrets even for forked PRs.
name: "Detect schema changes"

on:
  # IMPORTANT! This workflow is triggered by the `pull_request_target` event,
  # which means that forked PRs will run with access to secrets from the repo
  # they are forked from (the "target" repo).
  #
  # For this reason we NEVER check out the code from the pull request
  # (e.g. "ref: ${{ github.event.pull_request.head.sha }}") to prevent
  # accidentally running potentially untrusted code.
  #
  # By default the checkout will be:
  # - GITHUB_SHA: Last commit on the PR base branch
  # - GITHUB_REF: PR base branch
  #
  # ...unlike a typical PR where:
  # - GITHUB_SHA: Last merge commit on the GITHUB_REF branch
  # - GITHUB_REF: PR merge branch refs/pull/:prNumber/merge
  pull_request_target:

env:
  # note: this is used within hashFiles() so must be within the
  # GITHUB_WORKSPACE path (or will silently fail)
  CI_COMMENT_FILE: .tmp/labeler-comment.txt
  # needs to be any string to uniquely identify the comment on a PR across
  # multiple runs
  COMMENT_HEADER: "label-commentary"

jobs:
  label:
    name: "Label changes"
    runs-on: ubuntu-22.04
    # Explicit job-level scopes: repository contents are read-only, and write
    # access is limited to pull requests and issues. Scopes not listed here
    # are not granted to GITHUB_TOKEN for this job.
    permissions:
      contents: read
      pull-requests: write
      issues: write
    steps:

      # No `ref:` is given, so this checks out the base branch (see the note
      # under `on:`), not the PR head. `persist-credentials: false` keeps the
      # token out of the checked-out repo's git config, so later steps cannot
      # pick it up from the working tree. The action is pinned to a full
      # commit SHA; the trailing comment records the matching release tag.
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
        with:
          persist-credentials: false

      # The script executed here is the base-branch copy, not the PR's.
      # NOTE(review): the script itself is not shown on this page; anything it
      # reads about the PR (title, file names, diff) is attacker-controlled
      # data and must only be treated as data. Confirm it never fetches or
      # executes PR head content.
      - run: python .github/scripts/labeler.py
        env:
          # note: per the job permissions above, this token can write to pull
          # requests and issues; repository contents are read-only
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed through the environment rather than interpolated into the
          # `run:` command line.
          GITHUB_PR_NUMBER: ${{ github.event.number }}

      # Runs when the comment file is absent (hashFiles() evaluates to '').
      # NOTE(review): despite the step name, `hide: true` minimizes the
      # existing sticky comment (classified as OUTDATED) rather than deleting
      # it.
      - name: Delete existing comment
        if: ${{ hashFiles( env.CI_COMMENT_FILE ) == '' }}
        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405  # v2.9.4
        with:
          header: ${{ env.COMMENT_HEADER }}
          hide: true
          hide_classify: "OUTDATED"

      # Runs when the comment file exists; its contents become the body of the
      # sticky comment identified by COMMENT_HEADER.
      # NOTE(review): if the file embeds PR-derived text, that text is
      # published under the workflow's identity - verify how the script builds
      # the file.
      - name: Add comment
        if: ${{ hashFiles( env.CI_COMMENT_FILE ) != '' }}
        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405  # v2.9.4
        with:
          header: ${{ env.COMMENT_HEADER }}
          path: ${{ env.CI_COMMENT_FILE }}