mirror of
https://github.com/actualbudget/actual.git
synced 2026-07-11 11:59:55 -05:00
* [AI] Migrate remaining workflows to depot action runners Switch all remaining GitHub-hosted runners over to their depot equivalents: - ubuntu-latest -> depot-ubuntu-latest in the VRT-related jobs (e2e-test vrt/merge-vrt, e2e-vrt-comment, vrt-update-generate, vrt-update-apply) - windows-2022/windows-latest -> depot-windows-2022 in the electron build matrices (electron-pr, electron-master, publish-nightly-electron) and publish-microsoft-store Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013dQEH47R5kTkPCvhC2cpoB * [AI] Add release note for depot runner migration Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013dQEH47R5kTkPCvhC2cpoB --------- Co-authored-by: Claude <noreply@anthropic.com>
157 lines
6.0 KiB
YAML
157 lines
6.0 KiB
YAML
name: VRT Update - Apply
|
|
# SECURITY: This workflow runs in trusted base repo context.
|
|
# It treats the patch artifact as untrusted data, validates it contains only PNGs,
|
|
# and safely applies it to the contributor's fork branch.
|
|
on:
|
|
# Gated on the 'pr-automation' environment (manual approval) and
|
|
# validates the patch is PNG-only before applying. See SECURITY note above.
|
|
workflow_run: # zizmor: ignore[dangerous-triggers]
|
|
workflows: ['VRT Update - Generate']
|
|
types:
|
|
- completed
|
|
|
|
permissions:
|
|
contents: write
|
|
pull-requests: write
|
|
|
|
jobs:
|
|
apply-vrt-updates:
|
|
name: Apply VRT Updates
|
|
runs-on: depot-ubuntu-latest
|
|
environment: pr-automation
|
|
if: ${{ github.event.workflow_run.conclusion == 'success' }}
|
|
steps:
|
|
- name: Download patch artifact
|
|
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
|
|
with:
|
|
github-token: ${{ secrets.GITHUB_TOKEN }}
|
|
run-id: ${{ github.event.workflow_run.id }}
|
|
pattern: vrt-patch-*
|
|
path: /tmp/artifacts
|
|
|
|
- name: Download metadata artifact
|
|
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
|
|
with:
|
|
github-token: ${{ secrets.GITHUB_TOKEN }}
|
|
run-id: ${{ github.event.workflow_run.id }}
|
|
pattern: vrt-metadata-*
|
|
path: /tmp/metadata
|
|
|
|
- name: Extract metadata
|
|
id: metadata
|
|
run: |
|
|
if [ ! -f "/tmp/metadata/pr-number.txt" ]; then
|
|
echo "No metadata found, skipping..."
|
|
exit 0
|
|
fi
|
|
|
|
PR_NUMBER=$(cat "/tmp/metadata/pr-number.txt")
|
|
HEAD_REF=$(cat "/tmp/metadata/head-ref.txt")
|
|
HEAD_REPO=$(cat "/tmp/metadata/head-repo.txt")
|
|
|
|
echo "pr_number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
|
|
echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"
|
|
echo "head_repo=$HEAD_REPO" >> "$GITHUB_OUTPUT"
|
|
|
|
echo "Found PR #$PR_NUMBER: $HEAD_REPO @ $HEAD_REF"
|
|
|
|
- name: Checkout fork branch
|
|
if: steps.metadata.outputs.pr_number != ''
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
repository: ${{ steps.metadata.outputs.head_repo }}
|
|
ref: ${{ steps.metadata.outputs.head_ref }}
|
|
token: ${{ secrets.ACTIONS_UPDATE_TOKEN }}
|
|
persist-credentials: false
|
|
fetch-depth: 0
|
|
|
|
- name: Validate and apply patch
|
|
if: steps.metadata.outputs.pr_number != ''
|
|
id: apply
|
|
run: |
|
|
PATCH_FILE="/tmp/artifacts/vrt-update.patch"
|
|
|
|
if [ ! -f "$PATCH_FILE" ]; then
|
|
echo "No patch file found"
|
|
exit 0
|
|
fi
|
|
|
|
echo "Found patch file: $PATCH_FILE"
|
|
|
|
# Validate patch only contains PNG files. `git format-patch` emits a
|
|
# `GIT binary patch` block for PNGs (no +++/--- lines), so check
|
|
# `diff --git` headers — those are present for both text and binary.
|
|
echo "Validating patch contains only PNG files..."
|
|
if grep -E '^diff --git ' "$PATCH_FILE" \
|
|
| grep -vE '^diff --git a/[^[:space:]]+\.png b/[^[:space:]]+\.png$'; then
|
|
echo "ERROR: Patch contains non-PNG files! Rejecting for security."
|
|
echo "applied=false" >> "$GITHUB_OUTPUT"
|
|
echo "error=Patch validation failed: contains non-PNG files" >> "$GITHUB_OUTPUT"
|
|
exit 1
|
|
fi
|
|
|
|
# Extract file list for verification
|
|
FILES_CHANGED=$(grep -cE '^diff --git ' "$PATCH_FILE")
|
|
echo "Patch modifies $FILES_CHANGED PNG file(s)"
|
|
|
|
# Configure git
|
|
git config --global user.name "github-actions[bot]"
|
|
git config --global user.email "github-actions[bot]@users.noreply.github.com"
|
|
|
|
# Apply patch
|
|
echo "Applying patch..."
|
|
if git apply --check "$PATCH_FILE" 2>&1; then
|
|
git apply "$PATCH_FILE"
|
|
|
|
# Stage only PNG files (extra safety)
|
|
git add "**/*.png"
|
|
|
|
if git diff --staged --quiet; then
|
|
echo "No changes after applying patch"
|
|
echo "applied=false" >> "$GITHUB_OUTPUT"
|
|
exit 0
|
|
fi
|
|
|
|
# Commit
|
|
git commit -m "Update VRT screenshots" -m "Auto-generated by VRT workflow" -m "PR: #${STEPS_METADATA_OUTPUTS_PR_NUMBER}"
|
|
|
|
echo "applied=true" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "Patch could not be applied cleanly"
|
|
echo "applied=false" >> "$GITHUB_OUTPUT"
|
|
echo "error=Patch conflicts with current branch state" >> "$GITHUB_OUTPUT"
|
|
exit 1
|
|
fi
|
|
env:
|
|
STEPS_METADATA_OUTPUTS_PR_NUMBER: ${{ steps.metadata.outputs.pr_number }}
|
|
|
|
- name: Push changes
|
|
if: steps.apply.outputs.applied == 'true'
|
|
env:
|
|
HEAD_REF: ${{ steps.metadata.outputs.head_ref }}
|
|
HEAD_REPO: ${{ steps.metadata.outputs.head_repo }}
|
|
GITHUB_TOKEN: ${{ secrets.ACTIONS_UPDATE_TOKEN }}
|
|
run: |
|
|
# Use PAT in URL to ensure push triggers CI workflows
|
|
# Note: GitHub Actions automatically masks secrets in logs
|
|
git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${HEAD_REPO}.git"
|
|
|
|
git push origin "HEAD:refs/heads/$HEAD_REF"
|
|
echo "Successfully pushed VRT updates to $HEAD_REPO@$HEAD_REF"
|
|
|
|
- name: Comment on PR - Failure
|
|
if: failure() && steps.metadata.outputs.pr_number != ''
|
|
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
|
|
env:
|
|
APPLY_ERROR: ${{ steps.apply.outputs.error }}
|
|
PR_NUMBER: ${{ steps.metadata.outputs.pr_number }}
|
|
with:
|
|
script: |
|
|
const error = process.env.APPLY_ERROR || 'Unknown error occurred';
|
|
await github.rest.issues.createComment({
|
|
issue_number: parseInt(process.env.PR_NUMBER, 10),
|
|
owner: context.repo.owner,
|
|
repo: context.repo.repo,
|
|
body: `❌ Failed to apply VRT updates: ${error}\n\nPlease check the workflow logs for details.`
|
|
});
|