Alert Changed Branch Protections #36
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Alert Changed Branch Protections | |
| on: | |
| branch_protection_rule: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: '20 16 * * 3' # Run every Wednesday at 16:20 UTC / 8:20 PST | |
| pull_request: | |
| paths: | |
| - .github/workflows/alert-changed-branch-protections.yml | |
| - .github/branch_protection_settings/*.json | |
| permissions: | |
| contents: write | |
| jobs: | |
| check-branch-protections: | |
| runs-on: ubuntu-latest | |
| if: github.repository == 'github/docs-internal' | |
| strategy: | |
| matrix: | |
| # List of branches we want to monitor for protection changes | |
| branch: [main] | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Fetch branch protections | |
| id: fetch | |
| env: | |
| GH_TOKEN: ${{ secrets.DOCS_BOT_PAT_WORKFLOW }} | |
| run: | | |
| # Fetch branch protections and store them in a file | |
| gh api /repos/GitHub/docs-internal/branches/${{ matrix.branch }}/protection \ | |
| > .github/branch_protection_settings/${{ matrix.branch }}.json | |
| - name: Format fetched settings with prettier for comparison | |
| id: format | |
| run: | | |
| npx prettier --write .github/branch_protection_settings/${{ matrix.branch }}.json | |
| - name: Compare branch protections | |
| id: compare | |
| run: | | |
| git diff --quiet .github/branch_protection_settings/${{ matrix.branch }}.json \ | |
| || echo "diff_failed=true" >> $GITHUB_ENV | |
| - name: Create a pull request to update branch protection settings | |
| if: ${{ env.diff_failed == 'true' }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }} | |
| run: | | |
| echo "Set git config" | |
| git config --global user.name "docs-bot" | |
| git config --global user.email "[email protected]" | |
| echo "Check out a new branch" | |
| xbranch=update-branch-protection-settings-$(date +%s) | |
| git checkout -b $xbranch | |
| echo "Commit changes" | |
| git commit -am "Update branch protection settings" | |
| echo "Push changes" | |
| git push origin $xbranch | |
| echo "Create pull request" | |
| gh pr create \ | |
| --title "Update branch protection settings" \ | |
| --body "Branch protections have changed." \ | |
| --head $xbranch \ | |
| --base main | |
| echo "Define pr_url" | |
| echo "pr_url=$(gh pr view --json url --jq .url)" >> $GITHUB_ENV | |
| - uses: ./.github/actions/slack-alert | |
| if: ${{ env.diff_failed == 'true' }} | |
| with: | |
| slack_channel_id: ${{ secrets.DOCS_ALERTS_SLACK_CHANNEL_ID }} | |
| slack_token: ${{ secrets.SLACK_DOCS_BOT_TOKEN }} | |
| message: "Branch protections have changed. I've created a pull request to update them. Please review and merge, or revert the change in the GitHub UI. ${{ env.pr_url }}" | |
| color: purple |