FLAM-27: Fixing Deploy to Azure App Service permissions, faster Delete Latest Tag step #1751
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Validate GitHub Actions Refs | |
on: | |
push: | |
branches: | |
- dev | |
pull_request: | |
pull_request_review: | |
types: [submitted] | |
merge_group: | |
jobs: | |
validate-gha-refs: | |
runs-on: ubuntu-24.04 | |
steps: | |
- name: Checkout Repository (Pull & Approve/Merge PR) | |
if: | | |
github.event_name == 'pull_request' || | |
(github.event_name == 'pull_request_review' && github.event.review.state == 'approved') || | |
github.event_name == 'merge_group' | |
uses: Lombiq/GitHub-Actions/.github/actions/checkout@dev | |
with: | |
fetch-depth: 0 | |
- name: Checkout Repository (Push) | |
if: github.event_name == 'push' | |
uses: Lombiq/GitHub-Actions/.github/actions/checkout@dev | |
- name: Check Merge Queue Adds | |
id: check-merge-queue-adds | |
if: github.event_name == 'pull_request' || (github.event_name == 'pull_request_review' && github.event.review.state == 'approved') | |
uses: Lombiq/GitHub-Actions/.github/actions/check-merge-queue-adds@dev | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Determine Diff-Filter for Git File Changes | |
id: git-diff-filter | |
if: | | |
github.event_name == 'pull_request' || | |
(github.event_name == 'pull_request_review' && github.event.review.state == 'approved') || | |
github.event_name == 'merge_group' | |
shell: pwsh | |
run: | | |
$eventName = "${{ github.event_name }}" | |
$mergeQueueApproved = "${{ steps.check-merge-queue-adds.outputs.added-to-merge-queue }}" | |
$filter = ($eventName -eq 'pull_request_review' -or $eventName -eq 'merge_group' -or ($eventName -eq 'pull_request' -and $mergeQueueApproved -eq 'True')) ? 'CMRT' : 'ACMRT' | |
$output = "git-diff-filter=$filter" | |
Write-Output "output=$output" | |
$output >> $env:GITHUB_OUTPUT | |
- name: Get Applicable Git File Changes | |
id: git-diff | |
if: | | |
github.event_name == 'pull_request' || | |
(github.event_name == 'pull_request_review' && github.event.review.state == 'approved') || | |
github.event_name == 'merge_group' | |
uses: Lombiq/GitHub-Actions/.github/actions/get-changed-files-from-git-diff@dev | |
with: | |
left-commit: ${{ github.event_name == 'merge_group' && github.event.merge_group.base_sha || github.event.pull_request.base.sha }} | |
right-commit: ${{ github.sha }} | |
diff-filter: ${{ steps.git-diff-filter.outputs.git-diff-filter }} | |
- name: Get GitHub Actions Item Changes from File Changes | |
id: changed-items | |
if: | | |
github.event_name == 'pull_request' || | |
(github.event_name == 'pull_request_review' && github.event.review.state == 'approved') || | |
github.event_name == 'merge_group' | |
uses: Lombiq/GitHub-Actions/.github/actions/get-changed-gha-items@dev | |
with: | |
file-include-list: ${{ steps.git-diff.outputs.changed-files }} | |
- name: Prefix File Names with Owner/Repo Name | |
id: add-prefix | |
if: | | |
github.event_name == 'pull_request' || | |
(github.event_name == 'pull_request_review' && github.event.review.state == 'approved') || | |
github.event_name == 'merge_group' | |
shell: pwsh | |
run: | | |
$prefix = "${{ github.repository }}" | |
$files = ${{ steps.changed-items.outputs.changed-items }} | |
$files = $files.ForEach({ Join-Path -Path $prefix -ChildPath $PSItem }) | |
$output = "prefixed-files=@(" + $($files | Join-String -DoubleQuote -Separator ',') + ")" | |
Write-Output "output=$output" | |
$output >> $env:GITHUB_OUTPUT | |
- name: Check PR Reviews | |
id: check-pr-reviews | |
if: github.event_name == 'pull_request' || (github.event_name == 'pull_request_review' && github.event.review.state == 'approved') | |
uses: Lombiq/GitHub-Actions/.github/actions/check-pull-request-reviews@dev | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Determine Expected Ref for GitHub Actions Files | |
id: determine-ref | |
if: | | |
github.event_name == 'pull_request' || | |
(github.event_name == 'pull_request_review' && github.event.review.state == 'approved') || | |
github.event_name == 'merge_group' | |
shell: pwsh | |
run: | | |
$eventName = "${{ github.event_name }}" | |
if ($eventName -eq 'merge_group') { | |
$headRef = "${{ github.event.merge_group.head_ref }}" | |
$baseRef = "${{ github.event.merge_group.base_ref }}" | |
# For merge group context, the refs are the full path rather than just the branch name, so adjust. | |
$headRef = $headRef.replace('refs/heads/', '') | |
$baseRef = $baseRef.replace('refs/heads/', '') | |
} | |
elseif ($eventName -eq 'pull_request_review') { | |
$headRef = "${{ github.event.pull_request.head.ref }}" | |
$baseRef = "${{ github.event.pull_request.base.ref }}" | |
} | |
else { | |
$headRef = "${{ github.head_ref }}" | |
$baseRef = "${{ github.base_ref }}" | |
} | |
$lastReviewApproved = "${{ steps.check-pr-reviews.outputs.last-review-approved }}" | |
$mergeQueueApproved = "${{ steps.check-merge-queue-adds.outputs.added-to-merge-queue }}" | |
# Ternary operator syntax available starting in PowerShell 7.0. | |
$expectedRef = ( | |
$lastReviewApproved -eq 'True' -or | |
$eventName -eq 'merge_group' -or | |
($eventName -eq 'pull_request' -and $mergeQueueApproved -eq 'True') | |
) ? $baseRef : $headRef | |
$output = "expected-ref=$expectedRef" | |
$output >> $env:GITHUB_OUTPUT | |
- name: Verify GitHub Actions Items Match Expected Ref (Pull & Approve/Merge PR) | |
if: | | |
(github.event_name == 'pull_request' || | |
(github.event_name == 'pull_request_review' && github.event.review.state == 'approved') || | |
github.event_name == 'merge_group') && | |
steps.add-prefix.outputs.prefixed-files != '@()' | |
uses: Lombiq/GitHub-Actions/.github/actions/verify-gha-refs@dev | |
with: | |
called-repo-base-include-list: ${{ steps.add-prefix.outputs.prefixed-files }} | |
expected-ref: ${{ steps.determine-ref.outputs.expected-ref }} | |
- name: Verify GitHub Actions Items Match Expected Ref (Push) | |
if: github.event_name == 'push' | |
uses: Lombiq/GitHub-Actions/.github/actions/verify-gha-refs@dev |