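# Maintainer-triggered workflow: a "/update-api" comment on a pull request
# re-runs the API diff validation with suppression updates enabled and pushes
# the resulting api/ changes back to the PR branch.
#
# Trust model: the job runs with a write-capable GITHUB_TOKEN against code
# taken from the PR head, so every gate below (author_association filter,
# explicit permission lookup, fork refusal) is load-bearing. Do not loosen
# one without re-checking the others.
name: Update API Suppressions

on:
  issue_comment:
    types: [created]

# No token permissions by default; the job grants exactly what it needs.
permissions: {}

# One run per PR at a time; a newer /update-api supersedes an older one.
concurrency:
  group: update-api-${{ github.event.issue.number }}
  cancel-in-progress: true

jobs:
  update-api:
    name: Update API Suppressions
    # Cheap pre-filter only. author_association is NOT a permission check
    # (MEMBER and COLLABORATOR can be read-only), so the first step below
    # re-verifies the commenter's actual repository permission.
    if: >-
      github.event.issue.pull_request &&
      contains(github.event.comment.body, '/update-api') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      # NOTE(review): actions are pinned to major tags (@v7, @v4). Pinning to a
      # full commit SHA is the stronger supply-chain posture for a job that
      # holds a write token.
      - name: Check maintainer permission
        uses: actions/github-script@v7
        with:
          script: |
            // Fail-closed: core.setFailed() fails this step, so no later step
            // (checkout, build, push) runs for an under-privileged commenter.
            const { data: permLevel } = await github.rest.repos.getCollaboratorPermissionLevel({
              owner: context.repo.owner,
              repo: context.repo.repo,
              username: context.payload.comment.user.login,
            });
            const allowed = ['admin', 'maintain', 'write'];
            if (!allowed.includes(permLevel.permission)) {
              core.setFailed(`User @${context.payload.comment.user.login} does not have write access.`);
            }

      - name: Add reaction to acknowledge command
        uses: actions/github-script@v7
        with:
          script: |
            await github.rest.reactions.createForIssueComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              comment_id: context.payload.comment.id,
              content: 'eyes',
            });

      - name: Get PR branch info
        id: pr
        uses: actions/github-script@v7
        with:
          script: |
            const { data: pr } = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.issue.number,
            });
            // Refuse fork PRs: the build step executes code from the PR head
            // while holding contents:write. pr.head.repo can be null when the
            // fork was deleted, so treat "unknown" the same as "foreign".
            const headRepo = pr.head.repo ? pr.head.repo.full_name : null;
            if (headRepo !== `${context.repo.owner}/${context.repo.repo}`) {
              core.setFailed('Cannot run /update-api on fork PRs — would execute untrusted code with write permissions.');
              return;
            }
            // Pin the checkout to the SHA seen here; the ref is only used as
            // the push destination.
            core.setOutput('ref', pr.head.ref);
            core.setOutput('sha', pr.head.sha);

      - name: Checkout PR branch
        uses: actions/checkout@v4
        with:
          ref: ${{ steps.pr.outputs.sha }}
          token: ${{ secrets.GITHUB_TOKEN }}
          submodules: recursive

      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          global-json-file: global.json

      - name: Run ValidateApiDiff
        run: dotnet run --project ./nukebuild/_build.csproj -- ValidateApiDiff --update-api-suppression true

      - name: Commit and push changes
        # The branch name is data chosen by whoever pushed the branch, and git
        # permits `;`, `$`, backticks, `|` and quotes in ref names. Pass it to
        # the shell through the environment instead of interpolating the
        # ${{ }} expression into the script text, so it can never be parsed
        # as shell syntax.
        env:
          PR_REF: ${{ steps.pr.outputs.ref }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add api/
          if git diff --cached --quiet; then
            echo "No API suppression changes to commit."
          else
            git commit -m "Update API suppressions"
            # refs/heads/ makes the destination explicit so a same-named tag is
            # never a candidate; a non-fast-forward (branch moved since the SHA
            # was captured) fails the push rather than overwriting anything.
            git push origin "HEAD:refs/heads/$PR_REF"
          fi

      - name: Add success reaction
        if: success()
        uses: actions/github-script@v7
        with:
          script: |
            await github.rest.reactions.createForIssueComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              comment_id: context.payload.comment.id,
              content: 'rocket',
            });

      - name: Report failure
        if: failure()
        uses: actions/github-script@v7
        with:
          script: |
            await github.rest.reactions.createForIssueComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              comment_id: context.payload.comment.id,
              content: '-1',
            });
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: `❌ \`/update-api\` failed. [See logs](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}).`,
            });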