Skip to content

chore(deps): update dependency semver to v7.8.2 #345

chore(deps): update dependency semver to v7.8.2

chore(deps): update dependency semver to v7.8.2 #345

Workflow file for this run

name: Build & Test
on:
pull_request:
branches: [main]
types:
- opened
- synchronize
- reopened
# Documentation- and workflow-only changes do not affect the runtime
# behaviour of the composite/JS actions in this repo. For those PRs the
# paired skip workflow (build-and-test-skip.yml) reports the required
# `all-tests-passed` status without burning ~5 minutes of e2e runtime.
paths-ignore:
- '**/*.md'
- 'LICENSE'
- 'LICENSES/**'
- 'REUSE.toml'
- 'renovate.json'
- '.gitignore'
- '.github/workflows/codeql.yml'
- '.github/codeql/**'
- '.github/dependabot.yml'
- '.github/CODEOWNERS'
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
# No workflow-level permissions — each job declares exactly what it needs.
permissions: {}
jobs:
# Runs fork/PR code with read-only token. No write access here.
# For fork PRs: also validates that dist is in sync (fails if not).
# For same-repo PRs: uploads the compiled dist as a short-lived artifact
# for commit-dist to consume.
build-test-core:
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
artifact-id: ${{ steps.upload-dist.outputs.artifact-id }}
dist-dirty: ${{ steps.check-dirty.outputs.dirty }}
steps:
- name: Resolve checkout ref
env:
HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
HEAD_REF: ${{ github.event.pull_request.head.ref }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
if [[ "$HEAD_REPO" == "${{ github.repository }}" ]]; then
# Same-repo PR: use branch ref so git status compares against the branch tip
echo "CHECKOUT_REF=$HEAD_REF" >> "$GITHUB_ENV"
else
# Fork PR: use refs/pull/N/head — maintained by GitHub in the base repo,
# so no cross-repo clone is needed and the CodeQL unsafe-checkout rule is satisfied
echo "CHECKOUT_REF=refs/pull/$PR_NUMBER/head" >> "$GITHUB_ENV"
fi
- name: Checkout PR head
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
fetch-depth: 0
ref: ${{ env.CHECKOUT_REF }}
# persist-credentials: false so the read-only token is not stored in
# the git credential helper and is unavailable to npm scripts.
persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: 24 # use stable LTS; previous 24 caused manifest warning
check-latest: true
- name: Install dependencies
working-directory: .github/actions/core
run: npm ci
- name: Run tests
working-directory: .github/actions/core
run: npm run test
- name: Build action
working-directory: .github/actions/core
run: npm run build
- name: Fail if dist is dirty (fork PRs only)
id: check-dirty
if: github.event.pull_request.head.repo.full_name != github.repository
working-directory: .github/actions/core
run: |
if [[ -n $(git status --porcelain dist) ]]; then
echo "dirty=true" >> "$GITHUB_OUTPUT"
echo "::error::The 'dist' folder is out of sync with the source code."
echo "::error::Because this is a forked PR, we cannot automatically commit the changes."
echo "::error::Please run 'npm run build' in '.github/actions/core' locally and commit the changes."
exit 1
fi
- name: Upload dist artifact (same-repo PRs only)
id: upload-dist
if: github.event.pull_request.head.repo.full_name == github.repository
uses: actions/upload-artifact@v7
with:
name: dist-artifact
path: .github/actions/core/dist/
retention-days: 1 # commit-dist deletes it immediately; this is a safety net
# Posts a PR comment when the dist check fails on fork PRs.
# Isolated into its own job so pull-requests:write is never held by the job
# that executes untrusted fork code.
comment-dist-dirty:
needs: build-test-core
if: >-
always() &&
needs.build-test-core.result == 'failure' &&
needs.build-test-core.outputs.dist-dirty == 'true'
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- name: Post dist-out-of-sync comment
env:
GH_TOKEN: ${{ github.token }}
run: |
cat > /tmp/comment.md << 'EOF'
> [!WARNING]
> The `dist` folder is out of sync with the source code.
>
> Because this is a forked PR, the workflow cannot automatically commit the updated build artifacts.
> Please run the following commands locally and push the result:
>
> ```bash
> cd .github/actions/core
> npm run build
> git add dist/
> git commit -m "chore: build core action dist"
> git push
> ```
EOF
gh pr comment "${{ github.event.pull_request.number }}" \
--repo "${{ github.repository }}" \
--body-file /tmp/comment.md \
--edit-last || \
gh pr comment "${{ github.event.pull_request.number }}" \
--repo "${{ github.repository }}" \
--body-file /tmp/comment.md
# Commits the pre-built dist artifact back to the PR branch.
# Only runs for same-repo PRs — fork PR validation is handled entirely in
# build-test-core, so this job never touches fork data.
# The checkout is of a branch that lives in THIS repository (not a fork),
# so it does not trigger the CodeQL "unsafe checkout in privileged context" rule.
commit-dist:
needs: build-test-core
if: github.event.pull_request.head.repo.full_name == github.repository
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
actions: write # needed to delete the dist artifact after use
outputs:
committed_sha: ${{ steps.commit_dist.outputs.sha }}
steps:
- name: Checkout PR branch
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
fetch-depth: 0
# Default checkout (no ref:) avoids the CodeQL CWE-829 "unsafe checkout"
# rule. We switch to the PR branch in the run: step below via an env var
# so the branch name is never interpolated into an actions/checkout input.
token: ${{ secrets.GITHUB_TOKEN }}
- name: Download dist artifact
uses: actions/download-artifact@v8
with:
name: dist-artifact
path: /tmp/dist-artifact/
- name: Commit and push dist to PR branch
id: commit_dist
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
# Derive the PR head branch purely from git history so no GitHub
# event/context data flows into the git checkout command (CodeQL taint-free).
# For a pull_request checkout, HEAD is the merge commit; HEAD^2 is the PR head.
PR_HEAD=$(git rev-parse HEAD^2)
BRANCH=$(git branch -r --contains "$PR_HEAD" --format='%(refname:short)' \
| grep '^origin/' | grep -v 'origin/HEAD' | head -1 | sed 's|^origin/||')
if [[ -z "$BRANCH" ]]; then
echo "::error::Could not determine PR branch from git history."
exit 1
fi
git checkout -B "$BRANCH" "origin/$BRANCH"
cp -r /tmp/dist-artifact/. .github/actions/core/dist/
git add .github/actions/core/dist/
if git diff --staged --quiet; then
echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
exit 0
fi
git commit -m "chore: build core action dist (auto)"
git push origin "$BRANCH"
echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
- name: Delete dist artifact
if: always()
env:
GH_TOKEN: ${{ github.token }}
run: |
gh api --method DELETE \
"/repos/${{ github.repository }}/actions/artifacts/${{ needs.build-test-core.outputs.artifact-id }}"
test-python:
needs: [build-test-core, commit-dist]
# commit-dist is skipped for fork PRs; treat 'skipped' as OK so fork PR tests still run.
if: >-
always() &&
needs.build-test-core.result == 'success' &&
(needs.commit-dist.result == 'success' || needs.commit-dist.result == 'skipped')
runs-on: [ubuntu-latest]
permissions:
contents: read
pull-requests: read
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
persist-credentials: false
- name: Patch composite actions for E2E
run: |
sed -i -E 's|sap/pull-request-semver-bumper/.github/actions/core@[^[:space:]"]+|./.github/actions/core|g' .github/actions/version-bumping/*/action.yml
sed -i -E 's|sap/pull-request-semver-bumper/.github/actions/version-bumping/python@[^[:space:]"]+|./.github/actions/version-bumping/python|g' action.yml
- name: Test Python Action (Dry Run)
id: version_bump
uses: ./
with:
type: python
token: ${{ secrets.GITHUB_TOKEN }}
pyproject-file: "test-resources/pyproject.toml"
dry-run: "true"
- name: Verify Outputs
run: |
echo "Bumped: ${{ steps.version_bump.outputs.bumped }}"
echo "New Version: ${{ steps.version_bump.outputs.new-version }}"
echo "Bump Level: ${{ steps.version_bump.outputs.bumpLevel }}"
echo "### Python Test New Version: ${{ steps.version_bump.outputs.new-version }}" >> $GITHUB_STEP_SUMMARY
if [ -z "${{ steps.version_bump.outputs.bumped }}" ]; then
echo "Error: 'bumped' output is empty"
exit 1
fi
test-npm:
needs: [build-test-core, commit-dist]
if: >-
always() &&
needs.build-test-core.result == 'success' &&
(needs.commit-dist.result == 'success' || needs.commit-dist.result == 'skipped')
runs-on: [ubuntu-latest]
permissions:
contents: read
pull-requests: read
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
persist-credentials: false
- name: Patch composite actions for E2E
run: |
sed -i -E 's|sap/pull-request-semver-bumper/.github/actions/core@[^[:space:]"]+|./.github/actions/core|g' .github/actions/version-bumping/*/action.yml
sed -i -E 's|sap/pull-request-semver-bumper/.github/actions/version-bumping/npm@[^[:space:]"]+|./.github/actions/version-bumping/npm|g' action.yml
- name: Test NPM Action (Dry Run)
id: version_bump
uses: ./
with:
type: npm
token: ${{ secrets.GITHUB_TOKEN }}
package-json-file: "test-resources/package.json"
dry-run: "true"
- name: Verify Outputs
run: |
echo "Bumped: ${{ steps.version_bump.outputs.bumped }}"
echo "New Version: ${{ steps.version_bump.outputs.new-version }}"
echo "Bump Level: ${{ steps.version_bump.outputs.bumpLevel }}"
echo "### NPM Test New Version: ${{ steps.version_bump.outputs.new-version }}" >> $GITHUB_STEP_SUMMARY
if [ -z "${{ steps.version_bump.outputs.bumped }}" ]; then
echo "Error: 'bumped' output is empty"
exit 1
fi
test-maven:
needs: [build-test-core, commit-dist]
if: >-
always() &&
needs.build-test-core.result == 'success' &&
(needs.commit-dist.result == 'success' || needs.commit-dist.result == 'skipped')
runs-on: [ubuntu-latest]
permissions:
contents: read
pull-requests: read
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
persist-credentials: false
- name: Patch composite actions for E2E
run: |
sed -i -E 's|sap/pull-request-semver-bumper/.github/actions/core@[^[:space:]"]+|./.github/actions/core|g' .github/actions/version-bumping/*/action.yml
sed -i -E 's|sap/pull-request-semver-bumper/.github/actions/version-bumping/maven@[^[:space:]"]+|./.github/actions/version-bumping/maven|g' action.yml
- name: Test Maven Action (Dry Run)
id: version_bump
uses: ./
with:
type: maven
token: ${{ secrets.GITHUB_TOKEN }}
dry-run: "true"
pom-file: "test-resources/pom.xml"
# removed actual settings.xml to avoid fetch setting in this simple test
bump-command: "mvn org.codehaus.mojo:versions-maven-plugin:set -DnewVersion=@NEW_VERSION@"
- name: Verify Outputs
run: |
echo "Bumped: ${{ steps.version_bump.outputs.bumped }}"
echo "New Version: ${{ steps.version_bump.outputs.new-version }}"
echo "Bump Level: ${{ steps.version_bump.outputs.bumpLevel }}"
echo "### Maven Test New Version: ${{ steps.version_bump.outputs.new-version }}" >> $GITHUB_STEP_SUMMARY
if [ -z "${{ steps.version_bump.outputs.bumped }}" ]; then
echo "Error: 'bumped' output is empty"
exit 1
fi
test-version-file:
needs: [build-test-core, commit-dist]
if: >-
always() &&
needs.build-test-core.result == 'success' &&
(needs.commit-dist.result == 'success' || needs.commit-dist.result == 'skipped')
runs-on: [ubuntu-latest]
permissions:
contents: read
pull-requests: read
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
persist-credentials: false
- name: Patch composite actions for E2E
run: |
sed -i -E 's|sap/pull-request-semver-bumper/.github/actions/core@[^[:space:]"]+|./.github/actions/core|g' .github/actions/version-bumping/*/action.yml
sed -i -E 's|sap/pull-request-semver-bumper/.github/actions/version-bumping/version-file@[^[:space:]"]+|./.github/actions/version-bumping/version-file|g' action.yml
- name: Test Version File Action (Dry Run)
id: version_bump
uses: ./
with:
type: version-file
token: ${{ secrets.GITHUB_TOKEN }}
version-file: "test-resources/VERSION"
dry-run: "true"
- name: Verify Outputs
run: |
echo "Bumped: ${{ steps.version_bump.outputs.bumped }}"
echo "New Version: ${{ steps.version_bump.outputs.new-version }}"
echo "Bump Level: ${{ steps.version_bump.outputs.bumpLevel }}"
echo "### Version File Test New Version: ${{ steps.version_bump.outputs.new-version }}" >> $GITHUB_STEP_SUMMARY
if [ -z "${{ steps.version_bump.outputs.bumped }}" ]; then
echo "Error: 'bumped' output is empty"
exit 1
fi
reuse-lint:
needs: [build-test-core, commit-dist, test-python, test-npm, test-maven, test-version-file]
if: always()
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
persist-credentials: false
- name: REUSE Compliance Check
uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6
all-tests-passed:
if: always()
needs: [build-test-core, commit-dist, test-python, test-npm, test-maven, test-version-file, reuse-lint]
runs-on: ubuntu-latest
permissions:
statuses: write
steps:
- name: Determine Status
id: status
run: |
if [[ ${{ contains(needs.*.result, 'failure') }} == 'true' || ${{ contains(needs.*.result, 'cancelled') }} == 'true' ]]; then
echo "status=failure" >> $GITHUB_OUTPUT
else
echo "status=success" >> $GITHUB_OUTPUT
fi
- name: Set Commit Status
uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # v2.0.1
with:
token: ${{ secrets.GITHUB_TOKEN }}
status: ${{ steps.status.outputs.status }}
sha: ${{ needs.commit-dist.outputs.committed_sha || github.event.pull_request.head.sha }}
context: "all-tests-passed"
description: "Aggregation of all tests"
- name: Fail if needed
if: steps.status.outputs.status == 'failure'
run: exit 1