-
Notifications
You must be signed in to change notification settings - Fork 452
48 lines (43 loc) · 1.85 KB
/
submodule-pin-check.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
name: Merge Checks
on:
pull_request_target:
branches: [ master ]
types: [synchronize, opened, reopened]
permissions:
statuses: write
jobs:
submodule-pin-check:
name: Check Submodule Pin
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
submodules: true
- name: Check all submodules are ancestors of origin/HEAD or configured branch
run: |
status_state="pending"
if ${{ github.workspace }}/.github/workflows/submodule-pin-check.sh; then
status_state="success"
else
resp="$(curl -sSL --fail-with-body \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"https://api.github.com/repos/$GITHUB_REPOSITORY/commits/${{ github.event.pull_request.head.sha }}/statuses")"
if ! jq -e '.[] | select(.context == "Submodule Pin Check")' > /dev/null <<< "$resp"; then
# Submodule pin check is failling and no status exists
# Keep it without a status to keep the green checkmark appearing
# Otherwise, the commit and PR's CI will appear to be indefinitely pending
# Merging will still be blocked until the required status appears
exit 0
fi
fi
curl -sSL --fail-with-body \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"https://api.github.com/repos/$GITHUB_REPOSITORY/statuses/${{ github.event.pull_request.head.sha }}" \
-d '{"context":"Submodule Pin Check","state":"'"$status_state"'"}'