From f4e3c8897a37e25ed762829076e5c21bf8056d37 Mon Sep 17 00:00:00 2001
From: Sandeep
Date: Mon, 15 Dec 2025 19:21:46 +0530
Subject: [PATCH 1/3] Raising a PR
---
docs/README.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/docs/README.md b/docs/README.md
index ec74c24..11fa3cc 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -1,3 +1,4 @@
 # Test Begins
-1. Added branch protection and trying to push to main
\ No newline at end of file
+1. Added branch protection and trying to push to main
+1. Raising a PR.
\ No newline at end of file
From aeed67ddc2637e7b030fe6f506cb49c97ba741fb Mon Sep 17 00:00:00 2001
From: Sandeep
Date: Tue, 16 Dec 2025 10:05:52 +0530
Subject: [PATCH 2/3] Changed workflow
---
.github/workflows/auto-merge.yml | 123 ++++++++++++++++---------------
1 file changed, 64 insertions(+), 59 deletions(-)
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
index 927a77a..213f4c5 100644
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -1,59 +1,64 @@ -name: Auto Merge Specific Folders - -on: - pull_request: - types: [opened, synchronize, reopened] - branches: - - main - -permissions: - contents: write - pull-requests: write - -jobs: - auto-merge: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Check for changes in allowed paths - id: check_changes - uses: dorny/paths-filter@v3 - with: - filters: | - safe_changes: - - 'docs/**' - - 'assets/**' - # Add your specific folders here - - - name: Verify if ONLY safe paths were changed - id: verify_exclusive - # We need to ensure that the user didn't change 'docs/' AND 'src/core/security.js' - # The paths-filter action returns 'true' if matches are found, but we need to ensure - # NO files outside those paths were changed. - run: | - # Get list of all changed files - CHANGED_FILES=$(gh pr diff ${{ github.event.pull_request.number }} --name-only) - - # Logic to check if any file falls OUTSIDE the allowed folders - # This is a critical security step. - # (Simplified for brevity; in production, use a script to compare the lists) - - if [[ "${{ steps.check_changes.outputs.safe_changes }}" == "true" ]]; then - echo "Safe changes detected." - else - echo "Unsafe changes or mixed content. Skipping auto-merge." 
- exit 1 - fi - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Auto Merge - if: steps.check_changes.outputs.safe_changes == 'true' - run: | - gh pr merge ${{ github.event.pull_request.number }} --merge --auto --subject "Auto-merge based on folder rules" - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + name: Auto Merge Specific Folders + + on: + pull_request: + types: [opened, synchronize, reopened] + branches: + - main + + permissions: + contents: read + + jobs: + auto-merge: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Get changed files + id: changed_files + run: | + FILES=$(gh pr diff ${{ github.event.pull_request.number }} --name-only) + echo "files<> $GITHUB_OUTPUT + echo "$FILES" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Check if only safe paths changed + id: check_safe + run: | + SAFE=true + while IFS= read -r file; do + if [[ ! "$file" =~ ^docs/ && ! "$file" =~ ^assets/ ]]; then + echo "Unsafe file: $file" + SAFE=false + break + fi + done <<< "${{ steps.changed_files.outputs.files }}" + echo "safe=$SAFE" >> $GITHUB_OUTPUT + + - name: Generate GitHub App token + if: steps.check_safe.outputs.safe == 'true' + id: app_token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ secrets.APP_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} + + - name: Approve PR + if: steps.check_safe.outputs.safe == 'true' + run: | + gh pr review ${{ github.event.pull_request.number }} --approve --body "Auto-approved: changes only in docs/ or assets/" + env: + GH_TOKEN: ${{ steps.app_token.outputs.token }} + + - name: Enable auto-merge + if: steps.check_safe.outputs.safe == 'true' + run: | + gh pr merge ${{ github.event.pull_request.number }} --merge --auto + env: + GH_TOKEN: ${{ steps.app_token.outputs.token }} \ No newline at end of file 
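Review bot: The `done <<< "${{ steps.changed_files.outputs.files }}"` line in the new check_safe step substitutes PR-controlled file names into the shell script before bash parses it, so a path containing a quote or `$(` changes what the step executes; hand the list over through `env:` (`FILES: ${{ steps.changed_files.outputs.files }}`) and read it with `done <<< "$FILES"` so bash only ever sees it as data. The unsafe branch merely writes `safe=false`: a PR that was approved and had auto-merge enabled while it touched only docs/ or assets/ keeps both when a later push (a `synchronize` run) adds files elsewhere, so the non-safe outcome should run `gh pr merge --disable-auto`, which requires the app-token step to run before the check instead of only when `safe == 'true'`. The line `echo "files<> $GITHUB_OUTPUT` looks garbled in this rendering; if the file really lacks the `<<EOF` delimiter the multiline output is malformed, and even a correct fixed `EOF` delimiter can be terminated early by a changed path with that exact name, so a per-run random delimiter is safer. With `permissions: contents: read` only, `gh pr diff` under `GITHUB_TOKEN` may lack `pull-requests: read` on a private repository, which is worth confirming. The same lines reappear, re-indented but otherwise unchanged, in the third patch's hunk.
```yaml
      # … unchanged: checkout step …

      - name: Get changed files
        id: changed_files
        run: |
          FILES=$(gh pr diff ${{ github.event.pull_request.number }} --name-only)
          delimiter="$(openssl rand -hex 16)"   # cannot be guessed from a PR path name
          echo "files<<${delimiter}" >> "$GITHUB_OUTPUT"
          echo "$FILES" >> "$GITHUB_OUTPUT"
          echo "${delimiter}" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Check if only safe paths changed
        id: check_safe
        env:
          FILES: ${{ steps.changed_files.outputs.files }}   # env, not inline: bash never parses PR-chosen text
        run: |
          SAFE=true
          while IFS= read -r file; do
            # … unchanged: prefix test on docs/ and assets/ …
          done <<< "$FILES"
          echo "safe=$SAFE" >> "$GITHUB_OUTPUT"

      - name: Generate GitHub App token
        id: app_token
        # no `if:` — the token is also needed to revoke auto-merge on the unsafe path;
        # on fork PRs the secrets are not provided, so this step errors and nothing is approved
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: Disable auto-merge when the PR is no longer docs/assets-only
        if: steps.check_safe.outputs.safe != 'true'
        run: gh pr merge ${{ github.event.pull_request.number }} --disable-auto
        env:
          GH_TOKEN: ${{ steps.app_token.outputs.token }}

      # … unchanged: Approve PR and Enable auto-merge steps …
```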
From 375211579a2b903f45ee6bca643aa3a5d71bff0c Mon Sep 17 00:00:00 2001
From: Sandeep
Date: Tue, 16 Dec 2025 10:07:34 +0530
Subject: [PATCH 3/3] Fixed indentation issues
---
.github/workflows/auto-merge.yml | 112 +++++++++++++++----------------
1 file changed, 56 insertions(+), 56 deletions(-)
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
index 213f4c5..73c01fb 100644
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -1,64 +1,64 @@ - name: Auto Merge Specific Folders +name: Auto Merge Specific Folders - on: - pull_request: - types: [opened, synchronize, reopened] - branches: - - main +on: + pull_request: + types: [opened, synchronize, reopened] + branches: + - main - permissions: - contents: read +permissions: + contents: read - jobs: - auto-merge: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 +jobs: + auto-merge: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 - - name: Get changed files - id: changed_files - run: | - FILES=$(gh pr diff ${{ github.event.pull_request.number }} --name-only) - echo "files<> $GITHUB_OUTPUT - echo "$FILES" >> $GITHUB_OUTPUT - echo "EOF" >> $GITHUB_OUTPUT - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Get changed files + id: changed_files + run: | + FILES=$(gh pr diff ${{ github.event.pull_request.number }} --name-only) + echo "files<> $GITHUB_OUTPUT + echo "$FILES" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Check if only safe paths changed - id: check_safe - run: | - SAFE=true - while IFS= read -r file; do - if [[ ! "$file" =~ ^docs/ && ! "$file" =~ ^assets/ ]]; then - echo "Unsafe file: $file" - SAFE=false - break - fi - done <<< "${{ steps.changed_files.outputs.files }}" - echo "safe=$SAFE" >> $GITHUB_OUTPUT + - name: Check if only safe paths changed + id: check_safe + run: | + SAFE=true + while IFS= read -r file; do + if [[ ! "$file" =~ ^docs/ && ! 
"$file" =~ ^assets/ ]]; then + echo "Unsafe file: $file" + SAFE=false + break + fi + done <<< "${{ steps.changed_files.outputs.files }}" + echo "safe=$SAFE" >> $GITHUB_OUTPUT - - name: Generate GitHub App token - if: steps.check_safe.outputs.safe == 'true' - id: app_token - uses: actions/create-github-app-token@v1 - with: - app-id: ${{ secrets.APP_ID }} - private-key: ${{ secrets.APP_PRIVATE_KEY }} + - name: Generate GitHub App token + if: steps.check_safe.outputs.safe == 'true' + id: app_token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ secrets.APP_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} - - name: Approve PR - if: steps.check_safe.outputs.safe == 'true' - run: | - gh pr review ${{ github.event.pull_request.number }} --approve --body "Auto-approved: changes only in docs/ or assets/" - env: - GH_TOKEN: ${{ steps.app_token.outputs.token }} + - name: Approve PR + if: steps.check_safe.outputs.safe == 'true' + run: | + gh pr review ${{ github.event.pull_request.number }} --approve --body "Auto-approved: changes only in docs/ or assets/" + env: + GH_TOKEN: ${{ steps.app_token.outputs.token }} - - name: Enable auto-merge - if: steps.check_safe.outputs.safe == 'true' - run: | - gh pr merge ${{ github.event.pull_request.number }} --merge --auto - env: - GH_TOKEN: ${{ steps.app_token.outputs.token }} \ No newline at end of file + - name: Enable auto-merge + if: steps.check_safe.outputs.safe == 'true' + run: | + gh pr merge ${{ github.event.pull_request.number }} --merge --auto + env: + GH_TOKEN: ${{ steps.app_token.outputs.token }}