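---
# https://github.com/kekxv/pr-check
#
# PR gate for a Gitea-hosted repository (the REST calls below use Gitea's
# /api/v1 paths and the labeler config lives under .gitea/). It scans the
# PR tree for leaked secrets, lints Markdown / YAML / Ansible, labels the
# PR, and maintains one status comment. On failure the PR is labeled
# `ci-failed` and closed; on success it is labeled `ci-pass` and reopened
# if it had been closed.
#
# Security notes for maintainers:
#   * leak_test and lint_test check out the PR's own tree and run tooling
#     over it (untrusted content). They reference no repository secrets
#     and are limited to `contents: read`; keep it that way.
#   * `.gitleaks.toml` is read from the PR checkout, so a PR can relax
#     the allowlist that is supposed to gate it - review changes to that
#     file as carefully as code.
#   * The jobs that hold GITEA_TOKEN (labeler, handle_failures,
#     handle_success) never check out PR code and only touch this PR's
#     comments, labels and state.
#   * Third-party actions are pinned to a major tag only. Pin them to a
#     full commit SHA if tag re-pointing is in your threat model.
name: PR check

on:
  pull_request:
    types: [opened, synchronize]

jobs:
  leak_test:
    name: Gitleaks
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          github-server-url: ${{ vars.GIT_SERVER_URL }}

      - name: Install Gitleaks
        # The version is pinned but the archive is not verified against the
        # release's published checksum; add a sha256sum check here if the
        # runner's egress path is not trusted. `curl -f` makes an HTTP error
        # fail the step instead of piping an error page into tar.
        run: |
          set -euo pipefail
          curl -fsSL https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz \
            | tar -xz
          sudo mv gitleaks /usr/local/bin/
          gitleaks version

      - name: Run Gitleaks
        # `gitleaks dir` scans the checked-out tree only, not commit history:
        # a secret committed and then removed again within the PR's commits
        # is not reported. Switch to `gitleaks git` with a full-depth
        # checkout if intermediate commits must be covered.
        run: |
          gitleaks dir . \
            --config .gitleaks.toml \
            --redact=50 \
            --verbose \
            --exit-code 1
          # --exclude-files "README.md"

  lint_test:
    name: lint tests
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          github-server-url: ${{ vars.GIT_SERVER_URL }}

      - name: Install Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Run markdownlint
        # npx resolves the newest markdownlint-cli2 from npm on every run;
        # pin a version (markdownlint-cli2@X.Y.Z) for reproducible results.
        run: npx markdownlint-cli2 "**/*.md" "#node_modules"

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.14"

      - name: Install ansible-lint and yamllint
        # Unpinned installs from PyPI; a requirements file with hashes would
        # make this step reproducible and tamper-evident.
        run: |
          python -m pip install --upgrade pip
          pip install ansible ansible-lint yamllint

      - name: Run yamllint
        run: |
          yamllint .

      - name: Run ansible-lint
        run: |
          ansible-lint

  labeler:
    permissions:
      contents: read
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v6
        with:
          repo-token: ${{ secrets.GITEA_TOKEN }}
          configuration-path: .gitea/labeler.yml

  handle_failures:
    runs-on: ubuntu-latest
    needs: [leak_test, lint_test]
    # always() makes this run when an upstream job was cancelled or skipped
    # too; any result other than 'success' is treated as a failure.
    if: "${{ always() && ( needs.leak_test.result != 'success' || needs.lint_test.result != 'success' ) }}"
    steps:
      - name: Comment, label, and close PR
        # Expression values are passed through env instead of being spliced
        # into the script text, so none of them can change the shell syntax
        # and the token is never written into the generated script file.
        env:
          API: ${{ vars.GIT_SERVER_URL }}/api/v1/repos/${{ github.repository }}
          PR: ${{ github.event.pull_request.number }}
          TOKEN: ${{ secrets.GITEA_TOKEN }}
          LEAK_RESULT: ${{ needs.leak_test.result }}
          LINT_RESULT: ${{ needs.lint_test.result }}
        run: |
          set -euo pipefail

          # api METHOD PATH [extra curl args...]
          # -f turns any HTTP error into a step failure instead of a silent
          # no-op; -sS still prints the error reason.
          api() {
            local method="$1" path="$2"
            shift 2
            curl -fsS -X "$method" \
              -H "Authorization: token $TOKEN" \
              -H "Content-Type: application/json" \
              "$@" "$API$path"
          }

          # Marker that identifies the status comment owned by this workflow,
          # so it is updated in place rather than matched against every
          # comment on the PR (an empty regex matched all of them before).
          MARKER="<!-- pr-check-status -->"
          COMMENT_BODY=$(printf '%s\n❌ CI checks failed.\n\nLeak: %s\nLint: %s\n' \
            "$MARKER" "$LEAK_RESULT" "$LINT_RESULT")
          # Build the JSON with jq so newlines and quotes are escaped
          # correctly instead of relying on hand-written string splicing.
          PAYLOAD=$(jq -n --arg body "$COMMENT_BODY" '{body: $body}')

          # Update the existing status comment (first match only) or create one.
          EXISTING_COMMENT_ID=$(api GET "/issues/$PR/comments" \
            | jq -r --arg m "$MARKER" \
              '[.[] | select((.body // "") | startswith($m)) | .id] | first // empty')
          if [ -n "$EXISTING_COMMENT_ID" ]; then
            api PATCH "/issues/$PR/comments/$EXISTING_COMMENT_ID" -d "$PAYLOAD" >/dev/null
          else
            api POST "/issues/$PR/comments" -d "$PAYLOAD" >/dev/null
          fi

          # Swap ci-pass for ci-failed. Labels are removed by numeric id,
          # which is what Gitea's DELETE .../labels/{id} expects; adding by
          # name relies on the server accepting names in `labels` (older
          # Gitea versions only accept ids).
          LABELS_JSON=$(api GET "/issues/$PR/labels")
          PASS_ID=$(echo "$LABELS_JSON" | jq -r '.[] | select(.name == "ci-pass") | .id')
          if [ -n "$PASS_ID" ]; then
            api DELETE "/issues/$PR/labels/$PASS_ID" >/dev/null
          fi
          if ! echo "$LABELS_JSON" | jq -e 'any(.[]; .name == "ci-failed")' >/dev/null; then
            api POST "/issues/$PR/labels" -d '{"labels":["ci-failed"]}' >/dev/null
          fi

          # Close the PR. Note this is aggressive for contributors: reopening
          # depends on handle_success running after a later push, so confirm
          # your Gitea version still delivers `synchronize` for closed PRs.
          api PATCH "/pulls/$PR" -d '{"state":"closed"}' >/dev/null

  handle_success:
    runs-on: ubuntu-latest
    needs: [leak_test, lint_test]
    if: needs.leak_test.result == 'success' && needs.lint_test.result == 'success'
    steps:
      - name: Update comment, remove label, reopen PR
        # Same env-passing discipline as handle_failures: no expression is
        # interpolated into the shell text and the token stays in env.
        env:
          API: ${{ vars.GIT_SERVER_URL }}/api/v1/repos/${{ github.repository }}
          PR: ${{ github.event.pull_request.number }}
          TOKEN: ${{ secrets.GITEA_TOKEN }}
          LEAK_RESULT: ${{ needs.leak_test.result }}
          LINT_RESULT: ${{ needs.lint_test.result }}
        run: |
          set -euo pipefail

          # api METHOD PATH [extra curl args...] - fails the step on HTTP errors.
          api() {
            local method="$1" path="$2"
            shift 2
            curl -fsS -X "$method" \
              -H "Authorization: token $TOKEN" \
              -H "Content-Type: application/json" \
              "$@" "$API$path"
          }

          # Must match the marker used by handle_failures so the two jobs
          # share one status comment.
          MARKER="<!-- pr-check-status -->"
          COMMENT_BODY=$(printf '%s\n✅ CI checks pass.\n\nLeaks: %s\nLint: %s\n' \
            "$MARKER" "$LEAK_RESULT" "$LINT_RESULT")
          # One payload for both the update and the create path (the create
          # path previously posted an undefined variable, i.e. an empty body).
          PAYLOAD=$(jq -n --arg body "$COMMENT_BODY" '{body: $body}')

          EXISTING_COMMENT_ID=$(api GET "/issues/$PR/comments" \
            | jq -r --arg m "$MARKER" \
              '[.[] | select((.body // "") | startswith($m)) | .id] | first // empty')
          if [ -n "$EXISTING_COMMENT_ID" ]; then
            api PATCH "/issues/$PR/comments/$EXISTING_COMMENT_ID" -d "$PAYLOAD" >/dev/null
          else
            api POST "/issues/$PR/comments" -d "$PAYLOAD" >/dev/null
          fi

          # Swap ci-failed for ci-pass; remove by id, add by name (see the
          # note in handle_failures about label ids vs names).
          LABELS_JSON=$(api GET "/issues/$PR/labels")
          FAILED_ID=$(echo "$LABELS_JSON" | jq -r '.[] | select(.name == "ci-failed") | .id')
          if [ -n "$FAILED_ID" ]; then
            api DELETE "/issues/$PR/labels/$FAILED_ID" >/dev/null
          fi
          if ! echo "$LABELS_JSON" | jq -e 'any(.[]; .name == "ci-pass")' >/dev/null; then
            echo "Adding ci-pass label"
            api POST "/issues/$PR/labels" -d '{"labels":["ci-pass"]}' >/dev/null
          fi

          # Reopen the PR if a previous failing run closed it.
          PR_STATE=$(api GET "/pulls/$PR" | jq -r '.state')
          if [ "$PR_STATE" = "closed" ]; then
            api PATCH "/pulls/$PR" -d '{"state":"open"}' >/dev/null
          fi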