Releases/v2.2 (#104)

dangoslen · Apr 26, 2021 · c2a8bfa · c2a8bfa
1 parent 7ed3d6f
commit c2a8bfa
Show file tree

Hide file tree

Showing 8 changed files with 125 additions and 151 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -6,18 +6,18 @@ updates:
     labels:
       - dependabot
       - javascript
-      - Skip-Changelog
+      - verified
     open-pull-requests-limit: 3
     schedule:
       interval: "daily"
-    target-branch: "releases/v2.2"
+    target-branch: "releases/v2.3"
   - package-ecosystem: "github-actions"
     directory: "/"
     labels:
       - dependabot
       - github-actions
-      - Skip-Changelog
+      - verified
     open-pull-requests-limit: 3
     schedule:
       interval: "daily"
-    target-branch: "releases/v2.2"
+    target-branch: "releases/v2.3"
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -1,11 +1,24 @@
 name: "Pull Request Workflow"
 on:
-  pull_request:
+  pull_request_target:
     types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
 
 jobs:
+
+  # validates that the pull request is trusted
+  verify: 
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          VERIFIED_LABEL=${{ contains(github.event.pull_request.labels.*.name, 'verified') }}
+          if [[ ( $VERIFIED_LABEL == 'false' ) ]]; then
+            echo "Pull request is not from a trusted source!"
+            exit 1
+          fi
+
   # unit tests
   unit-tests:
+    needs: [ verify ]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
@@ -20,7 +33,6 @@ jobs:
 
   # test action works running from the graph
   enforce-changelog:
-    needs: unit-tests
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
@@ -30,9 +42,11 @@ jobs:
       - id: read-version
         run: |
           echo "::set-output name=version::$(jq -r ".version" package.json)"
+          echo "::set-output name=tag::v$(jq -r ".version" package.json)"
 
       - uses: dangoslen/[email protected]
         with:
+          version: ${{ steps.read-version.outputs.tag }}
           activationLabel: 'dependabot'
           newVersionLineNumber: 4
 
@@ -43,7 +57,8 @@ jobs:
       - id: changelog-enforcer
         uses: ./
         with:
-          expectedLatestVersion: "v${{ steps.read-version.outputs.version }}"
+          skipLabels: "skip-changelog"
+          expectedLatestVersion: ${{ steps.read-version.outputs.tag }}
 
       - if: failure()
         uses: unsplash/comment-on-pr@master
@@ -58,42 +73,19 @@ jobs:
             ${{ steps.changelog-enforcer.outputs.errorMessage }}
             ```
 
-  # test action works running from the graph - back compat
-  enforce-changelog-v1:
-    needs: unit-tests
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v1
-      - uses: ./
-
-  preview-release:
-    runs-on: ubuntu-latest
-    needs: [enforce-changelog]
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: read version
-        id: read_version
-        run: |
-          echo ::set-output name=version::$(jq -r ".version" package.json)
-          echo ::set-output name=tag::v$(jq -r ".version" package.json)
-
-      - name: Get Changelog Entry
-        id: changelog_reader
+      - id: changelog_reader
         uses: mindsers/changelog-reader-action@v2
         with:
           version: "${{ steps.read_version.outputs.tag }}"
           path: ./CHANGELOG.md
 
-      - name: Check for Release
-        id: check_release
+      - id: check_release
         run: |
-          TAG=$(git ls-remote --tags origin | grep ${{ steps.read_version.outputs.version }} || [[ $? == 1 ]] && echo '')
+          TAG=$(git ls-remote --tags origin | grep ${{ steps.read-version.outputs.tag }} || [[ $? == 1 ]] && echo '')
           MISSING=$([[ -z "$TAG" ]] && echo 'true' || echo 'false')
           echo ::set-output name=missing::$MISSING
 
-      - name: Preview Changelog
-        if: ${{ steps.check_release.outputs.missing }}
+      - if: ${{ steps.check_release.outputs.missing }}
         uses: unsplash/comment-on-pr@master
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -105,4 +97,14 @@ jobs:
 
               ${{ steps.changelog_reader.outputs.changes }}
 
-            </details>
+            </details>
+
+  # test action works running from the graph - back compat
+  enforce-changelog-v1:
+    needs: [ unit-tests ]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - uses: ./
+        with:
+          skipLabels: "skip-changelog"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,7 +12,7 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: read versions
-        id: read_version
+        id: read-version
         run: |
           echo ::set-output name=version::$(jq -r ".version" package.json)
           echo ::set-output name=tag::v$(jq -r ".version" package.json)
@@ -22,13 +22,13 @@ jobs:
         id: changelog_reader
         uses: mindsers/changelog-reader-action@v2
         with:
-          version: "${{ steps.read_version.outputs.tag }}"
+          version: "${{ steps.read-version.outputs.tag }}"
           path: ./CHANGELOG.md
 
       - name: check for existing release
         id: check_release
         run: |
-          TAG=$(git ls-remote --tags origin | grep ${{ steps.read_version.outputs.tag }} || [[ $? == 1 ]] && echo '')
+          TAG=$(git ls-remote --tags origin | grep ${{ steps.read-version.outputs.tag }} || [[ $? == 1 ]] && echo '')
           MISSING=$([[ -z "$TAG" ]] && echo 'true' || echo 'false')
           echo ::set-output name=missing::$MISSING
         
@@ -39,15 +39,15 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: "${{ steps.read_version.outputs.tag }}"
-          release_name: Changelog Enforcer ${{ steps.read_version.outputs.version }}
+          tag_name: "${{ steps.read-version.outputs.tag }}"
+          release_name: Changelog Enforcer ${{ steps.read-version.outputs.version }}
           body: ${{ steps.changelog_reader.outputs.changes }} 
           draft: false
           prerelease: false
 
       - name: update major version tag
         uses: richardsimko/update-tag@v1
         with:
-          tag_name: "${{ steps.read_version.outputs.major_tag }}"
+          tag_name: "${{ steps.read-version.outputs.major_tag }}"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,18 @@
 # CHANGELOG
 Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 
+## [v2.2.0]
+### Changed
+- The `pull_request` workflow now executes as a `pull_request_target` workflow to handle incoming pull requests from forked repos.
+  - This is needed because Dependabot now works as a [forked branch](https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/). The reasoning and ways to accomodate are listed in a [GitHub Security article](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
+  - The `verified` label is needed to allow the workflow to execute
+### Dependencies
+- Bumps `uglify-js` from 3.13.2 to 3.13.3
+- Bumps `y18n` from 4.0.1 to 5.0.8
+- Bumps `@vercel/ncc` from 0.27.0 to 0.28.2
+- Bumps `@actions/core` from 1.2.6 to 1.2.7
+- Bumps `eslint` from 7.23.0 to 7.25.0
+
 ## [v2.1.0]
 ### Deprecated
 - The input `versionPattern` is now deprecated. Starting in `v3.0.0` the Changelog Enforcer will only work with [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) for verifying the latest expected version.
@@ -20,7 +32,6 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 ### Dependencies
 - Bump `eslint` from 7.17.0 to 7.20.0
 - Bump `@vercel/ncc` from 0.26.1 to 0.27.0
-
 ### Changed
 - Now reads the version from `package.json` instead of from `VERSION`
 
@@ -47,6 +58,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - `eslint` from `7.14.0` to `7.15.0`
 - `uglify-js` from `2.6.0` to `3.12.1`
 - `jest` from `24.9.0` to `26.6.3`
+
 ## [v1.5.1]
 ### Added
 - Improved GitHub actions workflow for testing and packaging
@@ -56,6 +68,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - `@actions/github` from `2.1.1` to `4.0.0`
 - `eslint` from `6.3.0` to `7.14.0`
 - `changelog-reader-action` from `v1` to `v2`
+
 ## [v1.5.0]
 ### Added
 - New input parameter `expectedLatestVersion`. 

diff --git a/README.md b/README.md
@@ -69,3 +69,8 @@ Below are the properties allowed by the Changelog Enforcer. These properties are
 ### Creating Releases Automatically
 Using this Action and the [Changelog Reader](https://github.com/mindsers/changelog-reader-action), plus a few standard GitHub created Actions, we can keep the changelog of a project up to date and create a GitHub release automatically with contents from the changelog. See this project's [release.yml](./.github/workflows/release.yml) for how to set up a simple workflow to create a new release based on a `VERSION` file and a changelog.
 
+### Support
+
+If you enjoy this GitHub action, show some support by staring this repo! Other ways include:
+
+[<img src='https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png'/>](https://www.buymeacoffee.com/dangoslen)
diff --git a/dist/index.js b/dist/index.js
@@ -1,22 +1,6 @@
-module.exports =
 /******/ (() => { // webpackBootstrap
 /******/ 	var __webpack_modules__ = ({
 
-/***/ 2932:
-/***/ ((__unused_webpack_module, __unused_webpack_exports, __nccwpck_require__) => {
-
-const changelogEnforcer = __nccwpck_require__(9679)
-
-// Looks for a label with the name from 
-async function run() {
-  changelogEnforcer.enforce();
-}
-
-run()
-
-
-/***/ }),
-
 /***/ 7351:
 /***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
 
@@ -213,6 +197,7 @@ exports.getInput = getInput;
  */
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 function setOutput(name, value) {
+    process.stdout.write(os.EOL);
     command_1.issueCommand('set-output', { name }, value);
 }
 exports.setOutput = setOutput;
@@ -7315,8 +7300,9 @@ module.exports = require("zlib");;
 /******/ 	// The require function
 /******/ 	function __nccwpck_require__(moduleId) {
 /******/ 		// Check if module is in cache
-/******/ 		if(__webpack_module_cache__[moduleId]) {
-/******/ 			return __webpack_module_cache__[moduleId].exports;
+/******/ 		var cachedModule = __webpack_module_cache__[moduleId];
+/******/ 		if (cachedModule !== undefined) {
+/******/ 			return cachedModule.exports;
 /******/ 		}
 /******/ 		// Create a new module (and put it into the cache)
 /******/ 		var module = __webpack_module_cache__[moduleId] = {
@@ -7341,10 +7327,21 @@ module.exports = require("zlib");;
 /************************************************************************/
 /******/ 	/* webpack/runtime/compat */
 /******/ 	
-/******/ 	__nccwpck_require__.ab = __dirname + "/";/************************************************************************/
-/******/ 	// module exports must be returned from runtime so entry inlining is disabled
-/******/ 	// startup
-/******/ 	// Load entry module and return exports
-/******/ 	return __nccwpck_require__(2932);
+/******/ 	if (typeof __nccwpck_require__ !== 'undefined') __nccwpck_require__.ab = __dirname + "/";/************************************************************************/
+var __webpack_exports__ = {};
+// This entry need to be wrapped in an IIFE because it need to be isolated against other modules in the chunk.
+(() => {
+const changelogEnforcer = __nccwpck_require__(9679)
+
+// Looks for a label with the name from 
+async function run() {
+  changelogEnforcer.enforce();
+}
+
+run()
+
+})();
+
+module.exports = __webpack_exports__;
 /******/ })()
 ;