c56bef871b
Sync docs with Docusaurus / sync (push) Waiting to run
Tests / Check if changed (push) Waiting to run
Tests / format (push) Blocked by required conditions
Tests / check-imports (push) Blocked by required conditions
Tests / Unit / macos-latest (push) Blocked by required conditions
Tests / Unit / ubuntu-latest (push) Blocked by required conditions
Tests / Unit / windows-latest (push) Blocked by required conditions
Tests / mypy (push) Blocked by required conditions
Tests / Integration / ubuntu-latest (push) Blocked by required conditions
Tests / Integration / macos-latest (push) Blocked by required conditions
Tests / Integration / windows-latest (push) Blocked by required conditions
Tests / notify-slack-on-failure (push) Blocked by required conditions
Tests / Mark tests as completed (push) Blocked by required conditions
Docker image release / Build base image (push) Waiting to run
CodeQL / Analyze (python) (push) Has been cancelled
Update Platform Components Table / update (push) Has been cancelled
71 lines
2.4 KiB
YAML
71 lines
2.4 KiB
YAML
name: Detect docstrings edit
|
|
|
|
# This workflow runs in the *untrusted* pull_request context: it has a read-only
|
|
# token and no access to secrets, so checking out the PR head here is safe.
|
|
# It only computes whether docstrings changed and hands the result to the
|
|
# "Apply docstrings label" workflow (workflow_run), which holds the write token
|
|
# but never checks out untrusted code. See:
|
|
# https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
|
|
on:
|
|
pull_request:
|
|
paths:
|
|
- "haystack/**/*.py"
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
PYTHON_VERSION: "3.11"
|
|
|
|
jobs:
|
|
detect:
|
|
runs-on: ubuntu-slim
|
|
|
|
steps:
|
|
- name: Checkout base commit
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
with:
|
|
persist-credentials: false
|
|
ref: ${{ github.base_ref }}
|
|
|
|
- name: Setup Python
|
|
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
|
|
with:
|
|
python-version: "${{ env.PYTHON_VERSION }}"
|
|
|
|
- name: Get base docstrings
|
|
id: base-docstrings
|
|
run: |
|
|
CHECKSUM=$(python .github/utils/docstrings_checksum.py --root "${{ github.workspace }}")
|
|
echo "checksum=$CHECKSUM" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Checkout HEAD commit
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
with:
|
|
persist-credentials: false
|
|
ref: ${{ github.event.pull_request.head.sha }}
|
|
|
|
- name: Get HEAD docstrings
|
|
id: head-docstrings
|
|
run: |
|
|
CHECKSUM=$(python .github/utils/docstrings_checksum.py --root "${{ github.workspace }}")
|
|
echo "checksum=$CHECKSUM" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Write result
|
|
# The follow-up workflow reads these values; it never checks out the PR code.
|
|
run: |
|
|
mkdir -p result
|
|
echo "${{ github.event.pull_request.number }}" > result/pr_number
|
|
if [ "${{ steps.base-docstrings.outputs.checksum }}" != "${{ steps.head-docstrings.outputs.checksum }}" ]; then
|
|
echo "true" > result/should_label
|
|
else
|
|
echo "false" > result/should_label
|
|
fi
|
|
|
|
- name: Upload result
|
|
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
|
|
with:
|
|
name: docstring-label-result
|
|
path: result/
|
|
retention-days: 1
|