
Commit 0cea7f5

authored
Merge pull request from GHSA-rc7c-v5qg-g3vw
Port fix from extension-template
2 parents 4111b5d + 260ee8e commit 0cea7f5


1 file changed

+38
-2
lines changed


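--- a/{{cookiecutter.python_name}}/.github/workflows/update-integration-tests.yml
+++ b/{{cookiecutter.python_name}}/.github/workflows/update-integration-tests.yml
@@ -10,7 +10,13 @@ permissions:
 
 jobs:{# Escape double curly brace #}{% raw %}
 update-snapshots:
-if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, 'please update playwright snapshots') }}
+if: >
+(
+github.event.issue.author_association == 'OWNER' ||
+github.event.issue.author_association == 'COLLABORATOR' ||
+github.event.issue.author_association == 'MEMBER'
+) && github.event.issue.pull_request && contains(github.event.comment.body, 'please update snapshots')
+
 runs-on: ubuntu-latest
 
 steps:
@@ -22,10 +28,40 @@ jobs:{# Escape double curly brace #}{% raw %}
 - name: Configure git to use https
 run: git config --global hub.protocol https
 
+- name: Get PR Info
+id: pr
+env:
+PR_NUMBER: ${{ github.event.issue.number }}
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+GH_REPO: ${{ github.repository }}
+COMMENT_AT: ${{ github.event.comment.created_at }}
+run: |
+pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})"
+head_sha="$(echo "$pr" | jq -r .head.sha)"
+pushed_at="$(echo "$pr" | jq -r .pushed_at)"
+
+if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then
+echo "Updating is not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)"
+exit 1
+fi
+
+echo "head_sha=$head_sha" >> $GITHUB_OUTPUT
+
 - name: Checkout the branch from the PR that triggered the job
-run: hub pr checkout ${{ github.event.issue.number }}
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: gh pr checkout ${{ github.event.issue.number }}
+
+- name: Validate the fetched branch HEAD revision
+env:
+EXPECTED_SHA: ${{ steps.pr.outputs.head_sha }}
+run: |
+actual_sha="$(git rev-parse HEAD)"
+
+if [[ "$actual_sha" != "$EXPECTED_SHA" ]]; then
+echo "The HEAD of the checked out branch ($actual_sha) differs from the HEAD commit available at the time when trigger comment was submitted ($EXPECTED_SHA)"
+exit 1
+fi
 
 - name: Base Setup
 uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1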
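Review bot: The freshness guard in the "Get PR Info" step (second hunk) fails open: nothing checks that `pushed_at` was parsed, so if `jq -r .pushed_at` yields `null`, `date -d` errors, the substitution is empty, and `[[ "" -gt … ]]` is false, letting the job continue. As far as I know the pulls API response has no top-level `pushed_at` (it sits under `.head.repo`), which would make this the normal path; worth confirming against a real response. Because `head_sha` is read when the job runs rather than when the comment was posted, the later SHA comparison only covers the gap between this step and the checkout, so this timestamp test is what ties the run to the commit the commenter saw. I would reject empty or `null` values and convert each timestamp in its own assignment so a `date` failure stops the step, as sketched below. Separately, the `if:` in the first hunk tests `github.event.issue.author_association`, which describes the PR author; if the goal is to limit who can trigger the run, the commenter's `github.event.comment.author_association` is the field to check.

```yaml
run: |
  # … unchanged: gh api call, head_sha and pushed_at extraction with jq …

  for value in "$head_sha" "$pushed_at" "$COMMENT_AT"; do
    if [[ -z "$value" || "$value" == "null" ]]; then
      echo "Could not read the PR head SHA or timestamps; refusing to update"
      exit 1
    fi
  done

  # Separate assignments so an unparsable date stops the step instead of
  # leaving an empty operand in the comparison.
  pushed_ts="$(date -d "$pushed_at" +%s)" || exit 1
  comment_ts="$(date -d "$COMMENT_AT" +%s)" || exit 1

  if [[ "$pushed_ts" -gt "$comment_ts" ]]; then
    # … unchanged: refusal message and exit 1 …
  fi
```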
