Merge pull request #38 from carstenartur/copilot/fix-authentication-issues

carstenartur · web-flow · commit 08eb8020347b · 2025-12-20T09:35:38.000+01:00
diff --git a/.github/workflows/publishVersionCheckResults.yml b/.github/workflows/publishVersionCheckResults.yml
@@ -0,0 +1,150 @@
+name: Publish Version Check Results
+on:
+  workflow_call:
+    inputs:
+      botGithubId:
+        description: The id of the bot's github account that adds the information comment
+        type: string
+        required: true
+
+    secrets:
+      githubBotPAT:
+        description: The personal access token (with scope 'public_repo') of the bot to push a required change to a PR branch in a fork.
+        required: true
+
+permissions: {} # all none
+
+env:
+  COMMENT_FIRST_LINE: 'This pull request changes some projects for the first time in this development cycle'
+
+jobs:
+  versions-check-result:
+    name: Publish Version Check Results
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+
+    - name: Search version increment git patch
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      id: search-patch
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        script: |
+          let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+             run_id: context.payload.workflow_run.id,
+             ...context.repo
+          })
+          let artifact = allArtifacts.data.artifacts.find(artifact => artifact.name == 'versions-git-patch')
+          return artifact?.id
+
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      if: steps.search-patch.outputs.result
+      with:
+        ref: '${{ github.event.workflow_run.head_sha }}'
+        persist-credentials: false #Opt out from persisting the default Github-token authentication in order to enable use of the bot's PAT when pushing below
+
+    - name: Download version increment git patch
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      id: fetch-patch
+      if: steps.search-patch.outputs.result
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        script: |
+          let download = await github.rest.actions.downloadArtifact({
+             artifact_id: ${{ steps.search-patch.outputs.result }},
+             archive_format: 'zip',
+             ...context.repo
+          })
+          let fs = require('fs')
+          fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/patch.zip`, Buffer.from(download.data))
+          await exec.exec('unzip', ['patch.zip'])
+          let pr_number = Number(fs.readFileSync('github_pull_request_number.txt'))
+          core.setOutput('pull_request_number', pr_number)
+          await io.rmRF('patch.zip')
+          await io.rmRF('github_pull_request_number.txt')
+
+    - name: Apply and push version increment
+      id: git-commit
+      if: steps.search-patch.outputs.result
+      env:
+        REPOSITORY_NAME: ${{ github.event.workflow_run.head_repository.full_name }}
+        BRANCH_NAME: ${{ github.event.workflow_run.head_branch }}
+        BOT_PA_TOKEN: ${{ secrets.githubBotPAT }}
+      run: |
+          set -x
+          # Set initial placeholder name/mail and read it from the patch later
+          git config --global user.email 'foo@bar'
+          git config --global user.name 'Foo Bar'
+          
+          git am version_increments.patch
+          
+          # Read the author's name+mail from the just applied patch and recommit it with both set as committer
+          botMail=$(git log -1 --pretty=format:'%ae')
+          botName=$(git log -1 --pretty=format:'%an')
+          git config --global user.email "${botMail}"
+          git config --global user.name "${botName}"
+          git commit --amend --no-edit
+          
+          fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)
+          echo "file-list<<EOF" >> $GITHUB_OUTPUT
+          echo "$fileList" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+          
+          git push \
+            "https://oauth2:${BOT_PA_TOKEN}@github.com/${REPOSITORY_NAME}.git" \
+            "HEAD:refs/heads/${BRANCH_NAME}"
+
+    - name: Find existing information comment
+      uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
+      id: search-comment
+      if: always() && steps.fetch-patch.outputs.pull_request_number
+      with:
+        github-token: ${{ secrets.githubBotPAT }}
+        body-regex: '^${{ env.COMMENT_FIRST_LINE }}'
+        issue-number: ${{ steps.fetch-patch.outputs.pull_request_number }}
+        comment-author: ${{ inputs.botGithubId }}
+        direction: last
+
+    - name: Add or update information comment
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      if: always() && steps.search-patch.outputs.result
+      env:
+        FILELIST: ${{ steps.git-commit.outputs.file-list }}
+      with:
+        github-token: ${{ secrets.githubBotPAT }}
+        script: |
+          const fs = require('fs')
+          const fileList = process.env.FILELIST
+          if (fileList) { // if list is empty, no versions were changed
+            const prNumber = '${{ steps.fetch-patch.outputs.pull_request_number }}'
+            const pr = await github.rest.pulls.get({
+               pull_number: prNumber,
+               ...context.repo
+            })
+            const applyChangeMessagePart = pr.data.maintainer_can_modify || pr.data.base.repo.full_name == pr.data.head.repo.full_name
+              ? "An additional commit containing all the necessary changes was pushed to the top of this PR's branch. To obtain these changes (for example if you want to push more changes) either fetch from your fork or apply the _git patch_."
+              : "> [!WARNING]\n> :construction: **This PR cannot be modified by maintainers** because edits are disabled or it is created from an organization repository. To obtain the required changes apply the _git patch_ manually as an additional commit."
+            const commentBody = `
+          ${{ env.COMMENT_FIRST_LINE }}.
+          Therefore the following files need a version increment:
+          \`\`\`
+          ${fileList}
+          \`\`\`
+          ${applyChangeMessagePart}
+          <details>
+          <summary>Git patch</summary>
+          
+          \`\`\`
+          ${ fs.readFileSync( process.env.GITHUB_WORKSPACE + '/version_increments.patch', {encoding: 'utf8'}).trim() }
+          \`\`\`
+          </details>
+          
+          Further information are available in [Common Build Issues - Missing version increments](https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/wiki/Common-Build-Issues#missing-version-increments).
+          `.trim()
+            const existingCommentId = '${{ steps.search-comment.outputs.comment-id  }}'
+            if (existingCommentId) {
+              github.rest.issues.updateComment({...context.repo, comment_id: existingCommentId, body: commentBody })
+            } else {
+              github.rest.issues.createComment({...context.repo, issue_number: prNumber, body: commentBody })
+            }
+          }
diff --git a/.github/workflows/version-increments.yml b/.github/workflows/version-increments.yml
@@ -5,9 +5,12 @@ on:
     workflows: [ 'Pull-Request Checks' ]
     types: [ completed ]
 
+permissions: {}
+
 jobs:
   publish-version-check-results:
-    uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/publishVersionCheckResults.yml@master
+    if: github.event.workflow_run.conclusion == 'success'
+    uses: ./.github/workflows/publishVersionCheckResults.yml
     with:
       botGithubId: eclipse-jdt-bot
     secrets:
