[Snyk] Fix for 19 vulnerabilities #407
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Check for unallowed internal changes | |
| # **What it does**: If someone changes app.json or search indexes, we fail the check. | |
| # **Why we have it**: app.json should rarely be edited, so we'll require an admin merge if the file really needs to be changed. The search indexes are synced every 4 hours, so changes should not need to be made. | |
| # **Who does it impact**: Docs engineering and content writers. | |
| on: | |
| pull_request: | |
| types: | |
| - labeled | |
| - unlabeled | |
| - opened | |
| - reopened | |
| - synchronize | |
| jobs: | |
| check-internal-changes: | |
| if: github.repository == 'github/docs-internal' && github.event.pull_request.user.login != 'Octomerger' | |
| runs-on: ubuntu-latest | |
| outputs: | |
| notAllowed: ${{ steps.filter.outputs.notAllowed }} | |
| notAllowedSearchSyncLabel: ${{ steps.filter.outputs.notAllowedSearchSyncLabel }} | |
| count: 0 | |
| steps: | |
| - name: Get files changed | |
| uses: dorny/paths-filter@eb75a1edc117d3756a18ef89958ee59f9500ba58 | |
| id: filter | |
| with: | |
| # Base branch used to get changed files | |
| base: ${{ github.event.pull_request.base.ref }} | |
| # Enables setting an output in the format in `${FILTER_NAME}_files | |
| # with the names of the matching files formatted as JSON array | |
| list-files: json | |
| # Returns list of changed files matching each filter | |
| filters: | | |
| notAllowed: | |
| - 'app.json' | |
| notAllowedSearchSyncLabel: | |
| - 'lib/search/indexes/**' | |
| notAllowed: | |
| needs: check-internal-changes | |
| if: ${{ needs.check-internal-changes.outputs.notAllowed == 'true' }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Fail if unallowed changes were made | |
| run: | | |
| echo "Please admin merge if you really need to update app.json!" | |
| exit 1 | |
| notAllowedSearchSyncLabel: | |
| needs: check-internal-changes | |
| if: ${{ needs.check-internal-changes.outputs.notAllowedSearchSyncLabel == 'true' }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 | |
| with: | |
| ref: ${{ github.head_ref }} | |
| token: ${{ secrets.DOCUBOT_REPO_PAT }} | |
| - name: Setup Node | |
| uses: actions/setup-node@04c56d2f954f1e4c69436aa54cfef261a018f458 | |
| with: | |
| node-version: 16.13.x | |
| cache: npm | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Check to see if the search label exists - will return version if it does | |
| id: labelExists | |
| run: $GITHUB_WORKSPACE/.github/actions-scripts/enterprise-search-label.js | |
| - name: Fail if unallowed changes were made outside of the Search Sync label added | |
| if: false == steps.labelExists.outputs.versionToSync && false == contains(github.event.pull_request.labels.*.name, 'deprecate-lunr-index') | |
| run: | | |
| echo "Search indices are updated automatically every 4 hours. Please revert any changes you have made to the search indexes before you merge this PR. If you need to update the search indices directly after you merge your PR, you can manually run the search sync workflow: Sync search indexes. See the docs/contributing/search.md for more details. If you have any other questions, please ping us in #docs-engineering." | |
| exit 1 |