chore(deps): update dependency semver to v7.8.2 #345
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build & Test | |
| on: | |
| pull_request: | |
| branches: [main] | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| # Documentation- and workflow-only changes do not affect the runtime | |
| # behaviour of the composite/JS actions in this repo. For those PRs the | |
| # paired skip workflow (build-and-test-skip.yml) reports the required | |
| # `all-tests-passed` status without burning ~5 minutes of e2e runtime. | |
| paths-ignore: | |
| - '**/*.md' | |
| - 'LICENSE' | |
| - 'LICENSES/**' | |
| - 'REUSE.toml' | |
| - 'renovate.json' | |
| - '.gitignore' | |
| - '.github/workflows/codeql.yml' | |
| - '.github/codeql/**' | |
| - '.github/dependabot.yml' | |
| - '.github/CODEOWNERS' | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| # No workflow-level permissions — each job declares exactly what it needs. | |
| permissions: {} | |
| jobs: | |
| # Runs fork/PR code with read-only token. No write access here. | |
| # For fork PRs: also validates that dist is in sync (fails if not). | |
| # For same-repo PRs: uploads the compiled dist as a short-lived artifact | |
| # for commit-dist to consume. | |
| build-test-core: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| outputs: | |
| artifact-id: ${{ steps.upload-dist.outputs.artifact-id }} | |
| dist-dirty: ${{ steps.check-dirty.outputs.dirty }} | |
| steps: | |
| - name: Resolve checkout ref | |
| env: | |
| HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }} | |
| HEAD_REF: ${{ github.event.pull_request.head.ref }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| run: | | |
| if [[ "$HEAD_REPO" == "${{ github.repository }}" ]]; then | |
| # Same-repo PR: use branch ref so git status compares against the branch tip | |
| echo "CHECKOUT_REF=$HEAD_REF" >> "$GITHUB_ENV" | |
| else | |
| # Fork PR: use refs/pull/N/head — maintained by GitHub in the base repo, | |
| # so no cross-repo clone is needed and the CodeQL unsafe-checkout rule is satisfied | |
| echo "CHECKOUT_REF=refs/pull/$PR_NUMBER/head" >> "$GITHUB_ENV" | |
| fi | |
| - name: Checkout PR head | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ env.CHECKOUT_REF }} | |
| # persist-credentials: false so the read-only token is not stored in | |
| # the git credential helper and is unavailable to npm scripts. | |
| persist-credentials: false | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: 24 # use stable LTS; previous 24 caused manifest warning | |
| check-latest: true | |
| - name: Install dependencies | |
| working-directory: .github/actions/core | |
| run: npm ci | |
| - name: Run tests | |
| working-directory: .github/actions/core | |
| run: npm run test | |
| - name: Build action | |
| working-directory: .github/actions/core | |
| run: npm run build | |
| - name: Fail if dist is dirty (fork PRs only) | |
| id: check-dirty | |
| if: github.event.pull_request.head.repo.full_name != github.repository | |
| working-directory: .github/actions/core | |
| run: | | |
| if [[ -n $(git status --porcelain dist) ]]; then | |
| echo "dirty=true" >> "$GITHUB_OUTPUT" | |
| echo "::error::The 'dist' folder is out of sync with the source code." | |
| echo "::error::Because this is a forked PR, we cannot automatically commit the changes." | |
| echo "::error::Please run 'npm run build' in '.github/actions/core' locally and commit the changes." | |
| exit 1 | |
| fi | |
| - name: Upload dist artifact (same-repo PRs only) | |
| id: upload-dist | |
| if: github.event.pull_request.head.repo.full_name == github.repository | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: dist-artifact | |
| path: .github/actions/core/dist/ | |
| retention-days: 1 # commit-dist deletes it immediately; this is a safety net | |
| # Posts a PR comment when the dist check fails on fork PRs. | |
| # Isolated into its own job so pull-requests:write is never held by the job | |
| # that executes untrusted fork code. | |
| comment-dist-dirty: | |
| needs: build-test-core | |
| if: >- | |
| always() && | |
| needs.build-test-core.result == 'failure' && | |
| needs.build-test-core.outputs.dist-dirty == 'true' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| pull-requests: write | |
| steps: | |
| - name: Post dist-out-of-sync comment | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| cat > /tmp/comment.md << 'EOF' | |
| > [!WARNING] | |
| > The `dist` folder is out of sync with the source code. | |
| > | |
| > Because this is a forked PR, the workflow cannot automatically commit the updated build artifacts. | |
| > Please run the following commands locally and push the result: | |
| > | |
| > ```bash | |
| > cd .github/actions/core | |
| > npm run build | |
| > git add dist/ | |
| > git commit -m "chore: build core action dist" | |
| > git push | |
| > ``` | |
| EOF | |
| gh pr comment "${{ github.event.pull_request.number }}" \ | |
| --repo "${{ github.repository }}" \ | |
| --body-file /tmp/comment.md \ | |
| --edit-last || \ | |
| gh pr comment "${{ github.event.pull_request.number }}" \ | |
| --repo "${{ github.repository }}" \ | |
| --body-file /tmp/comment.md | |
| # Commits the pre-built dist artifact back to the PR branch. | |
| # Only runs for same-repo PRs — fork PR validation is handled entirely in | |
| # build-test-core, so this job never touches fork data. | |
| # The checkout is of a branch that lives in THIS repository (not a fork), | |
| # so it does not trigger the CodeQL "unsafe checkout in privileged context" rule. | |
| commit-dist: | |
| needs: build-test-core | |
| if: github.event.pull_request.head.repo.full_name == github.repository | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| actions: write # needed to delete the dist artifact after use | |
| outputs: | |
| committed_sha: ${{ steps.commit_dist.outputs.sha }} | |
| steps: | |
| - name: Checkout PR branch | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| with: | |
| fetch-depth: 0 | |
| # Default checkout (no ref:) avoids the CodeQL CWE-829 "unsafe checkout" | |
| # rule. We switch to the PR branch in the run: step below via an env var | |
| # so the branch name is never interpolated into an actions/checkout input. | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Download dist artifact | |
| uses: actions/download-artifact@v8 | |
| with: | |
| name: dist-artifact | |
| path: /tmp/dist-artifact/ | |
| - name: Commit and push dist to PR branch | |
| id: commit_dist | |
| run: | | |
| git config user.name "github-actions[bot]" | |
| git config user.email "github-actions[bot]@users.noreply.github.com" | |
| # Derive the PR head branch purely from git history so no GitHub | |
| # event/context data flows into the git checkout command (CodeQL taint-free). | |
| # For a pull_request checkout, HEAD is the merge commit; HEAD^2 is the PR head. | |
| PR_HEAD=$(git rev-parse HEAD^2) | |
| BRANCH=$(git branch -r --contains "$PR_HEAD" --format='%(refname:short)' \ | |
| | grep '^origin/' | grep -v 'origin/HEAD' | head -1 | sed 's|^origin/||') | |
| if [[ -z "$BRANCH" ]]; then | |
| echo "::error::Could not determine PR branch from git history." | |
| exit 1 | |
| fi | |
| git checkout -B "$BRANCH" "origin/$BRANCH" | |
| cp -r /tmp/dist-artifact/. .github/actions/core/dist/ | |
| git add .github/actions/core/dist/ | |
| if git diff --staged --quiet; then | |
| echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT" | |
| exit 0 | |
| fi | |
| git commit -m "chore: build core action dist (auto)" | |
| git push origin "$BRANCH" | |
| echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT" | |
| - name: Delete dist artifact | |
| if: always() | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| gh api --method DELETE \ | |
| "/repos/${{ github.repository }}/actions/artifacts/${{ needs.build-test-core.outputs.artifact-id }}" | |
| test-python: | |
| needs: [build-test-core, commit-dist] | |
| # commit-dist is skipped for fork PRs; treat 'skipped' as OK so fork PR tests still run. | |
| if: >- | |
| always() && | |
| needs.build-test-core.result == 'success' && | |
| (needs.commit-dist.result == 'success' || needs.commit-dist.result == 'skipped') | |
| runs-on: [ubuntu-latest] | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| with: | |
| persist-credentials: false | |
| - name: Patch composite actions for E2E | |
| run: | | |
| sed -i -E 's|sap/pull-request-semver-bumper/.github/actions/core@[^[:space:]"]+|./.github/actions/core|g' .github/actions/version-bumping/*/action.yml | |
| sed -i -E 's|sap/pull-request-semver-bumper/.github/actions/version-bumping/python@[^[:space:]"]+|./.github/actions/version-bumping/python|g' action.yml | |
| - name: Test Python Action (Dry Run) | |
| id: version_bump | |
| uses: ./ | |
| with: | |
| type: python | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| pyproject-file: "test-resources/pyproject.toml" | |
| dry-run: "true" | |
| - name: Verify Outputs | |
| run: | | |
| echo "Bumped: ${{ steps.version_bump.outputs.bumped }}" | |
| echo "New Version: ${{ steps.version_bump.outputs.new-version }}" | |
| echo "Bump Level: ${{ steps.version_bump.outputs.bumpLevel }}" | |
| echo "### Python Test New Version: ${{ steps.version_bump.outputs.new-version }}" >> $GITHUB_STEP_SUMMARY | |
| if [ -z "${{ steps.version_bump.outputs.bumped }}" ]; then | |
| echo "Error: 'bumped' output is empty" | |
| exit 1 | |
| fi | |
| test-npm: | |
| needs: [build-test-core, commit-dist] | |
| if: >- | |
| always() && | |
| needs.build-test-core.result == 'success' && | |
| (needs.commit-dist.result == 'success' || needs.commit-dist.result == 'skipped') | |
| runs-on: [ubuntu-latest] | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| with: | |
| persist-credentials: false | |
| - name: Patch composite actions for E2E | |
| run: | | |
| sed -i -E 's|sap/pull-request-semver-bumper/.github/actions/core@[^[:space:]"]+|./.github/actions/core|g' .github/actions/version-bumping/*/action.yml | |
| sed -i -E 's|sap/pull-request-semver-bumper/.github/actions/version-bumping/npm@[^[:space:]"]+|./.github/actions/version-bumping/npm|g' action.yml | |
| - name: Test NPM Action (Dry Run) | |
| id: version_bump | |
| uses: ./ | |
| with: | |
| type: npm | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| package-json-file: "test-resources/package.json" | |
| dry-run: "true" | |
| - name: Verify Outputs | |
| run: | | |
| echo "Bumped: ${{ steps.version_bump.outputs.bumped }}" | |
| echo "New Version: ${{ steps.version_bump.outputs.new-version }}" | |
| echo "Bump Level: ${{ steps.version_bump.outputs.bumpLevel }}" | |
| echo "### NPM Test New Version: ${{ steps.version_bump.outputs.new-version }}" >> $GITHUB_STEP_SUMMARY | |
| if [ -z "${{ steps.version_bump.outputs.bumped }}" ]; then | |
| echo "Error: 'bumped' output is empty" | |
| exit 1 | |
| fi | |
| test-maven: | |
| needs: [build-test-core, commit-dist] | |
| if: >- | |
| always() && | |
| needs.build-test-core.result == 'success' && | |
| (needs.commit-dist.result == 'success' || needs.commit-dist.result == 'skipped') | |
| runs-on: [ubuntu-latest] | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| with: | |
| persist-credentials: false | |
| - name: Patch composite actions for E2E | |
| run: | | |
| sed -i -E 's|sap/pull-request-semver-bumper/.github/actions/core@[^[:space:]"]+|./.github/actions/core|g' .github/actions/version-bumping/*/action.yml | |
| sed -i -E 's|sap/pull-request-semver-bumper/.github/actions/version-bumping/maven@[^[:space:]"]+|./.github/actions/version-bumping/maven|g' action.yml | |
| - name: Test Maven Action (Dry Run) | |
| id: version_bump | |
| uses: ./ | |
| with: | |
| type: maven | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| dry-run: "true" | |
| pom-file: "test-resources/pom.xml" | |
| # removed actual settings.xml to avoid fetch setting in this simple test | |
| bump-command: "mvn org.codehaus.mojo:versions-maven-plugin:set -DnewVersion=@NEW_VERSION@" | |
| - name: Verify Outputs | |
| run: | | |
| echo "Bumped: ${{ steps.version_bump.outputs.bumped }}" | |
| echo "New Version: ${{ steps.version_bump.outputs.new-version }}" | |
| echo "Bump Level: ${{ steps.version_bump.outputs.bumpLevel }}" | |
| echo "### Maven Test New Version: ${{ steps.version_bump.outputs.new-version }}" >> $GITHUB_STEP_SUMMARY | |
| if [ -z "${{ steps.version_bump.outputs.bumped }}" ]; then | |
| echo "Error: 'bumped' output is empty" | |
| exit 1 | |
| fi | |
| test-version-file: | |
| needs: [build-test-core, commit-dist] | |
| if: >- | |
| always() && | |
| needs.build-test-core.result == 'success' && | |
| (needs.commit-dist.result == 'success' || needs.commit-dist.result == 'skipped') | |
| runs-on: [ubuntu-latest] | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| with: | |
| persist-credentials: false | |
| - name: Patch composite actions for E2E | |
| run: | | |
| sed -i -E 's|sap/pull-request-semver-bumper/.github/actions/core@[^[:space:]"]+|./.github/actions/core|g' .github/actions/version-bumping/*/action.yml | |
| sed -i -E 's|sap/pull-request-semver-bumper/.github/actions/version-bumping/version-file@[^[:space:]"]+|./.github/actions/version-bumping/version-file|g' action.yml | |
| - name: Test Version File Action (Dry Run) | |
| id: version_bump | |
| uses: ./ | |
| with: | |
| type: version-file | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| version-file: "test-resources/VERSION" | |
| dry-run: "true" | |
| - name: Verify Outputs | |
| run: | | |
| echo "Bumped: ${{ steps.version_bump.outputs.bumped }}" | |
| echo "New Version: ${{ steps.version_bump.outputs.new-version }}" | |
| echo "Bump Level: ${{ steps.version_bump.outputs.bumpLevel }}" | |
| echo "### Version File Test New Version: ${{ steps.version_bump.outputs.new-version }}" >> $GITHUB_STEP_SUMMARY | |
| if [ -z "${{ steps.version_bump.outputs.bumped }}" ]; then | |
| echo "Error: 'bumped' output is empty" | |
| exit 1 | |
| fi | |
| reuse-lint: | |
| needs: [build-test-core, commit-dist, test-python, test-npm, test-maven, test-version-file] | |
| if: always() | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | |
| with: | |
| persist-credentials: false | |
| - name: REUSE Compliance Check | |
| uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6 | |
| all-tests-passed: | |
| if: always() | |
| needs: [build-test-core, commit-dist, test-python, test-npm, test-maven, test-version-file, reuse-lint] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| statuses: write | |
| steps: | |
| - name: Determine Status | |
| id: status | |
| run: | | |
| if [[ ${{ contains(needs.*.result, 'failure') }} == 'true' || ${{ contains(needs.*.result, 'cancelled') }} == 'true' ]]; then | |
| echo "status=failure" >> $GITHUB_OUTPUT | |
| else | |
| echo "status=success" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Set Commit Status | |
| uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| status: ${{ steps.status.outputs.status }} | |
| sha: ${{ needs.commit-dist.outputs.committed_sha || github.event.pull_request.head.sha }} | |
| context: "all-tests-passed" | |
| description: "Aggregation of all tests" | |
| - name: Fail if needed | |
| if: steps.status.outputs.status == 'failure' | |
| run: exit 1 |