Create cleaner.yml #52

Closed
vib-adhoc wants to merge 1 commit into 18.0 from 18.0-update-hr

@vib-adhoc
Contributor

Automatic update using copier template

@roboadhoc

Pull request status dashboard

Comment on lines +21 to +158
runs-on: ubuntu-latest
if: >
github.repository_owner == 'ingadhoc' &&
(
(github.event_name == 'workflow_dispatch') ||
(github.event_name == 'deployment_status' && github.event.deployment_status.state == 'success')
)
steps:
- name: Delete branch from base and fork repos
uses: actions/github-script@v6
id: pr_data_fetcher
with:
script: |
// Get PR information
core.info('Fetching PR data and validating conditions...');

// Debug info
const eventName = context.eventName;
core.info(`El nombre del evento es: ${eventName}`);
core.info(JSON.stringify(context, null, 2))
// End Debug info

let repoOwner = context.repo.owner;
let repoName = context.repo.repo;
let pullRequest;

if (context.eventName === 'workflow_dispatch' || context.eventName === 'deployment_status') {
let prNumber = 0;
if (context.eventName === 'workflow_dispatch') {
prNumber = context.payload.inputs.pull_request_number;
core.info(`Manual trigger for PR #${prNumber}`);
}

if (context.eventName === 'deployment_status') {
prNumber = context.payload.deployment_status.description.split("#")[1].split(" ")[0];
core.info(`deployment_status trigger for PR #${prNumber}`);
}

// Fetch the PR data using the number
pullRequest = (await github.rest.pulls.get({
owner: repoOwner,
repo: repoName,
pull_number: prNumber,
})).data;

core.info(JSON.stringify(pullRequest, null, 2))

if (pullRequest.merged === true) {
core.info(`PR #${prNumber} was merged. No action needed.`);
core.setOutput('validation_passed', 'false');
return;
}

// Fetch the PR timeline to find the 'closed' event
const timeline = await github.rest.issues.listEventsForTimeline({
owner: repoOwner,
repo: repoName,
issue_number: prNumber,
});

// Find the 'closed' event in the timeline
const closeEvent = timeline.data.find(event => event.event === 'closed');

// Get the user who closed the PR from the event
const closedByLogin = closeEvent && closeEvent.actor ? closeEvent.actor.login : null;

if (closedByLogin !== 'roboadhoc') {
core.info(`PR #${prNumber} was not closed by 'roboadhoc' (${closedByLogin}). No action needed.`);
core.setOutput('validation_passed', 'false');
return;
}

} else {
core.setOutput('validation_passed', 'false');
core.error(`Unsupported event type: ${context.eventName}`);
return;
}

// Set outputs for subsequent steps
core.setOutput('validation_passed', 'true');
core.setOutput('base_repo_owner', repoOwner);
core.setOutput('base_repo_name', repoName);
core.setOutput('base_branch_name', pullRequest.head.ref);
core.setOutput('head_repo_full_name', pullRequest.head.repo.full_name);
core.setOutput('head_repo_owner', pullRequest.head.repo.owner.login);
core.setOutput('head_repo_name', pullRequest.head.repo.name);
core.setOutput('is_fork', pullRequest.head.repo.full_name !== context.repo.owner + '/' + context.repo.repo);

- name: Delete branch from the base repository
uses: actions/github-script@v6
if: ${{ steps.pr_data_fetcher.outputs.validation_passed == 'true' }}
with:
github-token: ${{ github.token }}
script: |
const baseBranchName = `${{ steps.pr_data_fetcher.outputs.base_branch_name }}`;
const baseRepoOwner = `${{ steps.pr_data_fetcher.outputs.base_repo_owner }}`;
const baseRepoName = `${{ steps.pr_data_fetcher.outputs.base_repo_name }}`;
try {
core.info(`Attempting to delete branch '${baseBranchName}' from base repo '${baseRepoOwner}/${baseRepoName}'`);
await github.rest.git.deleteRef({
owner: baseRepoOwner,
repo: baseRepoName,
ref: `heads/${baseBranchName}`,
});
core.info(`Branch '${baseBranchName}' deleted from base repo successfully.`);
} catch (error) {
if (error.status === 422) {
core.info(`Branch '${baseBranchName}' in base repo already deleted. No action needed.`);
} else {
console.error(`Error deleting branch '${baseBranchName}' from base repo: ${error.message}`);
}
}

- name: Delete branch from the fork repository (adhoc-dev)
if: ${{ steps.pr_data_fetcher.outputs.validation_passed == 'true' }}
uses: actions/github-script@v6
with:
github-token: ${{ secrets.EXTERNAL_REPO_TOKEN_CLEANER_ADHOC_DEV || github.token }}
script: |
const baseBranchName = `${{ steps.pr_data_fetcher.outputs.base_branch_name }}`;
const headRepoOwner = 'adhoc-dev';
const headRepoName = `${{ steps.pr_data_fetcher.outputs.head_repo_name }}`;

try {
core.info(`PR comes from a fork. Attempting to delete branch from fork repo '${headRepoOwner}/${headRepoName}'`);
await github.rest.git.deleteRef({
owner: headRepoOwner,
repo: headRepoName,
ref: `heads/${baseBranchName}`,
});
core.info(`Branch '${baseBranchName}' deleted from fork repo successfully.`);
} catch (error) {
if (error.status === 422) {
core.info(`Branch '${baseBranchName}' in fork repo already deleted. No action needed.`);
} else {
console.error(`Error deleting branch '${baseBranchName}' from fork repo: ${error.message}`);
}
}
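
Review bot: Do not interpolate step outputs into the script body in the two delete steps. Both build their JavaScript from ${{ steps.pr_data_fetcher.outputs.base_branch_name }} (the fork step also from head_repo_name), and that output is pullRequest.head.ref, a branch name chosen by whoever opened the PR. The expression is substituted into the script text before the JavaScript is parsed, so the value is treated as source code in a step that holds a token able to delete refs. Pass the outputs through an env: block on each step and read them with process.env inside the script. In the first step, also drop the two core.info(JSON.stringify(...)) dumps of context and pullRequest, check that description.split("#")[1] exists before using it as a PR number, and either gate the fork step on the is_fork output or stop setting it, since nothing reads it.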

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 9 months ago

To fix the problem, add a permissions block to the workflow to explicitly specify the minimum required permissions for the GITHUB_TOKEN. This can be done at the workflow level (applies to all jobs) or at the job level (applies to a specific job). Since the workflow deletes branches (which requires contents: write) and reads pull request data (which requires pull-requests: read), the minimal permissions required are likely contents: write and pull-requests: read. If the workflow only needs to delete branches and read PRs, these two scopes are sufficient. The permissions block should be added near the top of the file, after the name and before the on block.

Suggested changeset 1
.github/workflows/cleaner.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/cleaner.yml b/.github/workflows/cleaner.yml
--- a/.github/workflows/cleaner.yml
+++ b/.github/workflows/cleaner.yml
@@ -4,6 +4,10 @@
 
 name: Delete PR branch from fork and base repo
 
+permissions:
+  contents: write
+  pull-requests: read
+
 on:
 
   deployment_status:
EOF
@@ -4,6 +4,10 @@

name: Delete PR branch from fork and base repo

permissions:
contents: write
pull-requests: read

on:

deployment_status:
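
Review bot: Scope contents: write to the job that deletes the branch rather than to the workflow; placed above on:, the block is inherited by every job later added to this file. A workflow-level permissions: {} with the two scopes declared under the job keeps the default closed. Once any scope is listed, every unlisted scope becomes none, so also confirm that the github.rest.issues.listEventsForTimeline call in the first step still succeeds with only pull-requests: read before merging.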
Copilot is powered by AI and may make mistakes. Always verify output.
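
A simplified version of the check behind this CodeQL finding, as an added example (not code from the PR, CodeQL or Copilot): it reports jobs that neither inherit a workflow-level `permissions` key nor declare their own. The sample workflows and the job name `delete-branch` are constructed, and the scan assumes block-style YAML indented with spaces.

```python
import re

# Matches "key:" at any indentation; list items ("- uses: ...") do not match.
KEY = re.compile(r"^( *)([A-Za-z0-9_-]+):")

# Constructed sample shaped like the workflow in this PR (no permissions block).
UNSCOPED = """\
name: Delete PR branch from fork and base repo
on:
  deployment_status:
jobs:
  delete-branch:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v6
"""
# Constructed sample: same workflow with the block from the Autofix patch.
SCOPED = UNSCOPED.replace(
    "\non:\n", "\npermissions:\n  contents: write\n  pull-requests: read\n\non:\n", 1)
# Constructed sample: the permissions are declared on the job instead.
JOB_SCOPED = UNSCOPED.replace(
    "    runs-on:", "    permissions:\n      contents: write\n    runs-on:", 1)


def unscoped_jobs(text):
    """Return names of jobs that run with the default GITHUB_TOKEN permissions."""
    top_level = in_jobs = False
    job_indent = child_indent = current = None
    scoped = {}  # job name -> True when the job has its own permissions key
    for line in text.splitlines():
        m = KEY.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:  # top-level key: name, on, permissions, jobs, ...
            in_jobs, current = key == "jobs", None
            top_level = top_level or key == "permissions"
        elif in_jobs:
            if job_indent is None:
                job_indent = indent  # indentation of the first job name
            if indent == job_indent:
                current, child_indent = key, None
                scoped[key] = False
            elif current is not None:
                if child_indent is None:
                    child_indent = indent  # indentation of the job's own keys
                if indent == child_indent and key == "permissions":
                    scoped[current] = True
    return [] if top_level else [job for job, ok in scoped.items() if not ok]
```
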
@vib-adhoc vib-adhoc closed this Aug 18, 2025
@vib-adhoc vib-adhoc deleted the 18.0-update-hr branch August 18, 2025 23:32