diff --git a/.github/workflows/next-container-build.yaml b/.github/workflows/next-container-build.yaml
index c3f9c40d..e744c83c 100644
--- a/.github/workflows/next-container-build.yaml
+++ b/.github/workflows/next-container-build.yaml
@@ -41,6 +41,8 @@ jobs:
 - name: check-changes
 # check changes in this commit for regex include and exclude matches; pipe to an env var
 run: |
+ # don't fail if nothing returned by grep
+ set +e
 CHANGES="$(git diff --name-only HEAD~1 | \
 grep -E "docker/|\.dockerignore|workflows/.+-container-build.yaml|Makefile|bundle/|config/|go.mod|go.sum|.+\.go" | \
 grep -v -E ".+_test.go|/.rhdh/")";
diff --git a/.github/workflows/pr-container-build.yaml b/.github/workflows/pr-container-build.yaml
index 66c924ab..919dbe45 100644
--- a/.github/workflows/pr-container-build.yaml
+++ b/.github/workflows/pr-container-build.yaml
@@ -62,6 +62,8 @@ jobs:
 - name: check-changes
 # check changes in this commit for regex include and exclude matches; pipe to an env var
 run: |
+ # don't fail if nothing returned by grep
+ set +e
 CHANGES="$(git diff --name-only HEAD~1 | \
 grep -E "docker/|\.dockerignore|workflows/.+-container-build.yaml|Makefile|bundle/|config/|go.mod|go.sum|.+\.go" | \
 grep -v -E ".+_test.go|/.rhdh/")";
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 7611e18b..8ffdaa23 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
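Review bot: `set +e` switches errexit off for everything that follows in the step, not only the grep pipeline, so a failing `git diff` (for instance `HEAD~1` not being present in a shallow checkout) is now swallowed too and `CHANGES` silently ends up empty, which a later step would presumably read as "nothing container-related changed" and skip the rebuild. The same change appears in the pr-container-build.yaml hunk. Assuming the default bash shell (`-eo pipefail`), a narrower form keeps errexit on and rescues only the grep pipeline, `grep -v -E ".+_test.go|/.rhdh/" || true)";`, since the `|| true` covers a no-match exit from either grep; failing that, restore `set -e` on the line right after the assignment. The rest of the step, where `CHANGES` is written out, lies outside the hunk.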
@@ -22,27 +22,61 @@ on:
 - 1.[0-9]+.x
 jobs:
+ check-changes:
+ # check if the change for this PR necessitates a rebuild of containers
+ runs-on: ubuntu-latest
+ needs: authorize
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - name: check-changes
+ # check changes in this commit for regex include and exclude matches; pipe to an env var
+ # note regexes are different for the PR check than for *-container-build.yaml
+ run: |
+ # don't fail if nothing returned by grep
+ set +e
+ CHANGES="$(git diff --name-only | \
+ grep -E "workflows/pr.yaml|Makefile|bundle/|config/|go.mod|go.sum|.+\.go" | \
+ grep -v -E "/.rhdh/")";
+ echo "Changed files for this commit:"
+ echo "=============================="
+ echo "$CHANGES"
+ echo "=============================="
+ echo "CHANGES=$CHANGES" >> $GITHUB_ENV
+
 pr-validate:
 name: PR Validate
 runs-on: ubuntu-latest
-
+ needs: check-changes
 steps:
- - uses: actions/checkout@v3
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Setup Go
+ uses: actions/setup-go@v4
+ with:
+ go-version-file: 'go.mod'
- - name: Setup Go
- uses: actions/setup-go@v4
- with:
- go-version-file: 'go.mod'
+ # gosec needs a "build" stage so connect it to the lint step which we always do
+ - name: build
+ run: make lint
- - name: build
- run: |
- make lint test
+ - name: test
+ # run this stage only if there are changes that match the includes and not the excludes
+ if: ${{ env.CHANGES != '' }}
+ run: make test
- - name: Run Gosec Security Scanner
- run: make gosec
+ - name: Run Gosec Security Scanner
+ run: make gosec
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
- with:
- # Path to SARIF file relative to the root of the repository
- sarif_file: gosec.sarif
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: gosec.sarif
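Review bot: `if: ${{ env.CHANGES != '' }}` on the new test step can never be true, because `GITHUB_ENV` is scoped to the job that wrote it and pr-validate is a different job from check-changes, so `make test` is silently skipped on every PR; the value has to be published as a job output (`outputs:` on check-changes, read as `needs.check-changes.outputs.changes`). Two further problems sit in the check-changes `run:` block: `git diff --name-only` with no revision compares the working tree to the index, which is empty on a fresh checkout (the sibling workflows use `HEAD~1`), and when more than one file matches, `echo "CHANGES=$CHANGES"` writes a multi-line value that, as far as I know, the `NAME=VALUE` env-file format rejects unless the `NAME<<DELIM` form is used. The `authorize` job this depends on is outside the hunk, so I can't tell how the checkout of the PR head from `github.event.pull_request.head.repo.full_name` is gated; since this job only runs git and grep on that tree, the exposure is limited to what the diff prints. The rewrite below keeps the sibling workflows' `HEAD~1` range; whether the whole PR should be diffed against `github.event.pull_request.base.sha` instead is a separate decision.
```yaml
  check-changes:
    # … unchanged: comment, runs-on, needs …
    outputs:
      changes: ${{ steps.diff.outputs.changes }}
    steps:
      # … unchanged: Checkout step …
      - name: check-changes
        id: diff
        run: |
          # compare against the previous commit as the *-container-build workflows do;
          # a bare `git diff` only lists uncommitted edits, which a fresh checkout does not have
          CHANGES="$(git diff --name-only HEAD~1 | \
            grep -E "workflows/pr.yaml|Makefile|bundle/|config/|go.mod|go.sum|.+\.go" | \
            grep -v -E "/.rhdh/" || true)"
          # … unchanged: echo banner …
          # a dependent job can read job outputs, not GITHUB_ENV;
          # the delimiter form is needed because the value may span several lines
          {
            echo "changes<<CHANGES_EOF"
            echo "$CHANGES"
            echo "CHANGES_EOF"
          } >> "$GITHUB_OUTPUT"

  pr-validate:
    # … unchanged: name, runs-on, needs, Checkout / Setup Go / build steps …
      - name: test
        if: ${{ needs.check-changes.outputs.changes != '' }}
        run: make test
```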