
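name: PR Risk Report
# pull_request_target runs in the base repo context so the token has
# pull-requests: write even for cross-fork PRs. We never execute code
# from the fork — changed files are fetched via the GitHub API only.
#
# Consequence: everything derived from the PR (the changed-file names and
# the report built from them) is untrusted input. It must never be
# interpolated into a `run:` script via ${{ }} — that is a shell-injection
# vector under pull_request_target. It is handed to shell through `env:`
# and quoted variables only.
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  pull-requests: write

jobs:
  risk-check:
    name: Classify changed files and assess risk
    runs-on: blacksmith-4vcpu-ubuntu-2404
    steps:
      # Checkout the BASE branch — our trusted script and map, not fork code.
      - name: Checkout base
        uses: actions/checkout@v6
        with:
          ref: ${{ github.base_ref }}
          # Nothing below pushes or fetches via git; do not leave the token
          # in .git/config for later steps to pick up.
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '26.1'

      # Use the GitHub API to get changed files — no fork code is executed.
      # The PR number is an integer and GITHUB_REPOSITORY is set by the
      # runner, so they are safe in the command line; the file *names* are
      # PR-controlled and from here on are treated purely as data.
      - name: Get changed files
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          gh api \
            "repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}/files" \
            --paginate \
            --jq '.[].filename' > /tmp/changed-files.txt
          echo "Changed files:"
          cat /tmp/changed-files.txt

      # Both invocations read the untrusted file list from stdin only.
      # Outputs: `report` (markdown for the summary/comment) and `level`
      # (the `risk` field of the --json output, defaulting to "low").
      - name: Run risk check
        id: risk
        run: |
          REPORT=$(node scripts/pr-risk-check.mjs --github < /tmp/changed-files.txt || true)
          # A fixed "EOF" delimiter can be closed early by a report line that
          # equals it (the report contains PR-controlled filenames), letting
          # the remainder be written to GITHUB_OUTPUT as extra key=value
          # pairs. Use a random delimiter as GitHub's docs recommend.
          DELIM="report_$(head -c 15 /dev/urandom | base64 | tr -d '/+=')"
          {
            echo "report<<${DELIM}"
            printf '%s\n' "$REPORT"
            echo "${DELIM}"
          } >> "$GITHUB_OUTPUT"
          RISK_LEVEL=$(node scripts/pr-risk-check.mjs --json < /tmp/changed-files.txt 2>/dev/null \
            | node -e "let d=''; process.stdin.on('data',c=>d+=c); process.stdin.on('end',()=>{ try { console.log(JSON.parse(d).risk) } catch { console.log('low') } })" \
            || echo "low")
          echo "level=$RISK_LEVEL" >> "$GITHUB_OUTPUT"

      # The report is passed through `env:`, not expanded with ${{ }} inside
      # the script: an expression is substituted before bash runs, so a
      # filename containing `"` or `$(...)` would otherwise execute in the
      # base-repo context with a pull-requests: write token.
      - name: Write step summary
        env:
          REPORT: ${{ steps.risk.outputs.report }}
        run: printf '%s\n' "$REPORT" >> "$GITHUB_STEP_SUMMARY"

      # NOTE(review): third-party actions below are referenced by mutable
      # tag; under pull_request_target with a write token, pin them to a
      # full commit SHA (e.g. `peter-evans/find-comment@<40-hex-sha> # v3`).
      - name: Find existing risk comment
        id: find-comment
        uses: peter-evans/find-comment@v3
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: github-actions[bot]
          body-includes: PR Risk Report

      # `with:` inputs are passed as data, not evaluated by a shell, so the
      # expression here is not an injection path.
      - name: Post or update risk comment
        uses: peter-evans/create-or-update-comment@v4
        with:
          comment-id: ${{ steps.find-comment.outputs.comment-id }}
          issue-number: ${{ github.event.pull_request.number }}
          body: ${{ steps.risk.outputs.report }}
          edit-mode: replace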