Skip to content
Commit Built File Changes (PRs)

Commit Built File Changes (PRs) #4585

Sign in to view logs

Commit Built File Changes (PRs)

Commit Built File Changes (PRs) #4585

Workflow file for this run

.github/workflows/commit-built-file-changes.yml at 2a5a37e
# Commits all missed changes to built files back to pull request branches.
name: Commit Built File Changes (PRs)
on:
workflow_run:
workflows:
- 'Check Built Files (PRs)'
- 'Test Default Themes & Create ZIPs'
types:
- completed
# Cancels all previous workflow runs for pull requests that have not completed.
concurrency:
# The concurrency group contains the workflow name and the branch name for pull requests
# or the commit hash for any other events.
group: ${{ github.workflow }}-${{ github.event_name == 'workflow_run' && format( '{0}-{1}', github.event.workflow_run.head_branch, github.event.workflow_run.head_repository.name ) || github.sha }}
# Disable permissions for all available scopes by default.
# Any needed permissions should be configured at the job level.
permissions: {}
jobs:
# Checks a PR for uncommitted changes to built files.
#
# Performs the following steps:
# - Attempts to download the artifact containing the PR diff.
# - Checks for the existence of an artifact.
# - Unzips the artifact.
# - Generates a token for authenticating with the GitHub App.
# - Checks out the repository.
# - Applies the patch file.
# - Displays the result of git diff.
# - Configures the Git author.
# - Stages changes.
# - Commits changes.
# - Pushes changes.
update-built-files:
name: Check and update built files
runs-on: ubuntu-24.04
if: ${{ github.repository == 'wordpress/wordpress-develop' }}
timeout-minutes: 10
permissions:
# The actual `git push` is authenticated via a dedicated GitHub App installation token
# generated below, so `GITHUB_TOKEN` only needs read access to the triggering workflow's artifacts.
actions: read # Required to list and download the artifact uploaded by the triggering workflow run.
steps:
- name: Download artifact
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
const artifacts = await github.rest.actions.listWorkflowRunArtifacts( {
owner: context.repo.owner,
repo: context.repo.repo,
run_id: process.env.RUN_ID,
} );
const matchArtifact = artifacts.data.artifacts.filter( ( artifact ) => {
return artifact.name === 'pr-built-file-changes'
} )[0];
if ( ! matchArtifact ) {
core.info( 'No artifact found!' );
return;
}
const download = await github.rest.actions.downloadArtifact( {
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
} );
const fs = require( 'fs' );
fs.writeFileSync( '${{ github.workspace }}/pr-built-file-changes.zip', Buffer.from( download.data ) )
env:
RUN_ID: ${{ github.event.workflow_run.id }}
- name: Check for artifact
id: artifact-check
run: |
if [ -f "pr-built-file-changes.zip" ]; then
echo "exists=true" >> "$GITHUB_OUTPUT"
else
echo "exists=false" >> "$GITHUB_OUTPUT"
fi
- name: Unzip the artifact containing the PR data
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
run: unzip pr-built-file-changes.zip
- name: Generate Installation Token
id: generate_token
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
env:
GH_APP_ID: ${{ vars.GH_PR_BUILT_FILES_APP_ID }}
GH_APP_PRIVATE_KEY: ${{ secrets.GH_PR_BUILT_FILES_PRIVATE_KEY }}
run: |
# Generate JWT
JWT=$(python3 - <<EOF
import jwt, time, os
payload = {
"iat": int(time.time()),
"exp": int(time.time()) + 600, # 10-minute expiration
"iss": int(os.environ["GH_APP_ID"]),
}
print(jwt.encode(payload, os.environ["GH_APP_PRIVATE_KEY"], algorithm="RS256"))
EOF
)
# Get Installation ID
INSTALLATION_ID=$(curl -s -X GET -H "Authorization: Bearer $JWT" \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/app/installations | jq -r '.[0].id')
# Request Installation Access Token
ACCESS_TOKEN=$(curl -s -X POST -H "Authorization: Bearer $JWT" \
-H "Accept: application/vnd.github.v3+json" \
"https://api.github.com/app/installations/$INSTALLATION_ID/access_tokens" | jq -r '.token')
echo "access-token=$ACCESS_TOKEN" >> "$GITHUB_OUTPUT"
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
with:
repository: ${{ github.event.workflow_run.head_repository.full_name }}
ref: ${{ github.event.workflow_run.head_branch }}
path: 'pr-repo'
show-progress: ${{ runner.debug == '1' && 'true' || 'false' }}
token: ${{ steps.generate_token.outputs.access-token }}
persist-credentials: true
- name: Apply patch
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
working-directory: 'pr-repo'
run: git apply "$GITHUB_WORKSPACE/changes.diff"
- name: Display changes to versioned files
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
working-directory: 'pr-repo'
run: git diff
- name: Configure git user name and email
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
working-directory: 'pr-repo'
env:
GH_APP_ID: ${{ vars.GH_PR_BUILT_FILES_APP_ID }}
run: |
git config user.name "wordpress-develop-pr-bot[bot]"
git config user.email "${GH_APP_ID}+wordpress-develop-pr-bot[bot]@users.noreply.github.com"
- name: Stage changes
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
working-directory: 'pr-repo'
run: git add .
- name: Commit changes
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
working-directory: 'pr-repo'
run: |
git commit -m "Automation: Updating built files with changes."
- name: Push changes
if: ${{ steps.artifact-check.outputs.exists == 'true' }}
working-directory: 'pr-repo'
run: git push