Skip to content

Comments

Create cleaner.yml#267

Closed
vib-adhoc wants to merge 1 commit into18.0from
18.0-update-miscellaneous
Closed

Create cleaner.yml#267
vib-adhoc wants to merge 1 commit into18.0from
18.0-update-miscellaneous

Conversation

@vib-adhoc
Copy link
Contributor

@vib-adhoc vib-adhoc commented Aug 18, 2025

Automatic update using copier template

@roboadhoc
Copy link
Contributor

roboadhoc commented Aug 18, 2025

Pull request status dashboard

github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 18, 2025
View reviewed changes
.github/workflows/cleaner.yml
Comment on lines +21 to +158
runs-on: ubuntu-latest
if: >
github.repository_owner == 'ingadhoc' &&
(
(github.event_name == 'workflow_dispatch') ||
(github.event_name == 'deployment_status' && github.event.deployment_status.state == 'success')
)
steps:
- name: Delete branch from base and fork repos
uses: actions/github-script@v6
id: pr_data_fetcher
with:
script: |
// Get PR information
core.info('Fetching PR data and validating conditions...');

// Debug info
const eventName = context.eventName;
core.info(`El nombre del evento es: ${eventName}`);
core.info(JSON.stringify(context, null, 2))
// End Debug info

let repoOwner = context.repo.owner;
let repoName = context.repo.repo;
let pullRequest;

if (context.eventName === 'workflow_dispatch' || context.eventName === 'deployment_status') {
let prNumber = 0;
if (context.eventName === 'workflow_dispatch') {
prNumber = context.payload.inputs.pull_request_number;
core.info(`Manual trigger for PR #${prNumber}`);
}

if (context.eventName === 'deployment_status') {
prNumber = context.payload.deployment_status.description.split("#")[1].split(" ")[0];
core.info(`deployment_status trigger for PR #${prNumber}`);
}

// Fetch the PR data using the number
pullRequest = (await github.rest.pulls.get({
owner: repoOwner,
repo: repoName,
pull_number: prNumber,
})).data;

core.info(JSON.stringify(pullRequest, null, 2))

if (pullRequest.merged === true) {
core.info(`PR #${prNumber} was merged. No action needed.`);
core.setOutput('validation_passed', 'false');
return;
}

// Fetch the PR timeline to find the 'closed' event
const timeline = await github.rest.issues.listEventsForTimeline({
owner: repoOwner,
repo: repoName,
issue_number: prNumber,
});

// Find the 'closed' event in the timeline
const closeEvent = timeline.data.find(event => event.event === 'closed');

// Get the user who closed the PR from the event
const closedByLogin = closeEvent && closeEvent.actor ? closeEvent.actor.login : null;

if (closedByLogin !== 'roboadhoc') {
core.info(`PR #${prNumber} was not closed by 'roboadhoc' (${closedByLogin}). No action needed.`);
core.setOutput('validation_passed', 'false');
return;
}

} else {
core.setOutput('validation_passed', 'false');
core.error(`Unsupported event type: ${context.eventName}`);
return;
}

// Set outputs for subsequent steps
core.setOutput('validation_passed', 'true');
core.setOutput('base_repo_owner', repoOwner);
core.setOutput('base_repo_name', repoName);
core.setOutput('base_branch_name', pullRequest.head.ref);
core.setOutput('head_repo_full_name', pullRequest.head.repo.full_name);
core.setOutput('head_repo_owner', pullRequest.head.repo.owner.login);
core.setOutput('head_repo_name', pullRequest.head.repo.name);
core.setOutput('is_fork', pullRequest.head.repo.full_name !== context.repo.owner + '/' + context.repo.repo);

- name: Delete branch from the base repository
uses: actions/github-script@v6
if: ${{ steps.pr_data_fetcher.outputs.validation_passed == 'true' }}
with:
github-token: ${{ github.token }}
script: |
const baseBranchName = `${{ steps.pr_data_fetcher.outputs.base_branch_name }}`;
const baseRepoOwner = `${{ steps.pr_data_fetcher.outputs.base_repo_owner }}`;
const baseRepoName = `${{ steps.pr_data_fetcher.outputs.base_repo_name }}`;
try {
core.info(`Attempting to delete branch '${baseBranchName}' from base repo '${baseRepoOwner}/${baseRepoName}'`);
await github.rest.git.deleteRef({
owner: baseRepoOwner,
repo: baseRepoName,
ref: `heads/${baseBranchName}`,
});
core.info(`Branch '${baseBranchName}' deleted from base repo successfully.`);
} catch (error) {
if (error.status === 422) {
core.info(`Branch '${baseBranchName}' in base repo already deleted. No action needed.`);
} else {
console.error(`Error deleting branch '${baseBranchName}' from base repo: ${error.message}`);
}
}

- name: Delete branch from the fork repository (adhoc-dev)
if: ${{ steps.pr_data_fetcher.outputs.validation_passed == 'true' }}
uses: actions/github-script@v6
with:
github-token: ${{ secrets.EXTERNAL_REPO_TOKEN_CLEANER_ADHOC_DEV || github.token }}
script: |
const baseBranchName = `${{ steps.pr_data_fetcher.outputs.base_branch_name }}`;
const headRepoOwner = 'adhoc-dev';
const headRepoName = `${{ steps.pr_data_fetcher.outputs.head_repo_name }}`;

try {
core.info(`PR comes from a fork. Attempting to delete branch from fork repo '${headRepoOwner}/${headRepoName}'`);
await github.rest.git.deleteRef({
owner: headRepoOwner,
repo: headRepoName,
ref: `heads/${baseBranchName}`,
});
core.info(`Branch '${baseBranchName}' deleted from fork repo successfully.`);
} catch (error) {
if (error.status === 422) {
core.info(`Branch '${baseBranchName}' in fork repo already deleted. No action needed.`);
} else {
console.error(`Error deleting branch '${baseBranchName}' from fork repo: ${error.message}`);
}
}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 6 months ago

To fix the problem, add a permissions block to the workflow to explicitly specify the minimal required permissions for the GITHUB_TOKEN. Since the workflow deletes branches (a repository content operation), it requires contents: write. Other permissions (such as pull-requests) are not needed for branch deletion, and the workflow does not appear to perform actions requiring additional scopes. The permissions block should be added at the top level of the workflow (just after the name: field and before on:), so it applies to all jobs unless overridden. No changes to the steps or logic are required.

Suggested changeset 1
.github/workflows/cleaner.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/cleaner.yml b/.github/workflows/cleaner.yml
--- a/.github/workflows/cleaner.yml
+++ b/.github/workflows/cleaner.yml
@@ -3,6 +3,8 @@
 # See: https://github.com/ingadhoc/addons-repo-template
 
 name: Delete PR branch from fork and base repo
+permissions:
+  contents: write
 
 on:
 
EOF
@@ -3,6 +3,8 @@
# See: https://github.com/ingadhoc/addons-repo-template

name: Delete PR branch from fork and base repo
permissions:
contents: write

on:

Copilot is powered by AI and may make mistakes. Always verify output.
@vib-adhoc vib-adhoc closed this Aug 18, 2025
@vib-adhoc vib-adhoc deleted the 18.0-update-miscellaneous branch August 18, 2025 23:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vib-adhoc @roboadhoc