Skip to content

Create cleaner.yml #90

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Create cleaner.yml #90

wants to merge 1 commit into from

Conversation

@vib-adhoc
Copy link
Contributor

@vib-adhoc vib-adhoc commented Aug 18, 2025

Automatic update using copier template

@roboadhoc
Copy link

roboadhoc commented Aug 18, 2025

Pull request status dashboard

github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 18, 2025
View reviewed changes
.github/workflows/cleaner.yml
Comment on lines +21 to +158
runs-on: ubuntu-latest
if: >
github.repository_owner == 'ingadhoc' &&
(
(github.event_name == 'workflow_dispatch') ||
(github.event_name == 'deployment_status' && github.event.deployment_status.state == 'success')
)
steps:
- name: Delete branch from base and fork repos
uses: actions/github-script@v6
id: pr_data_fetcher
with:
script: |
// Get PR information
core.info('Fetching PR data and validating conditions...');

// Debug info
const eventName = context.eventName;
core.info(`El nombre del evento es: ${eventName}`);
core.info(JSON.stringify(context, null, 2))
// End Debug info

let repoOwner = context.repo.owner;
let repoName = context.repo.repo;
let pullRequest;

if (context.eventName === 'workflow_dispatch' || context.eventName === 'deployment_status') {
let prNumber = 0;
if (context.eventName === 'workflow_dispatch') {
prNumber = context.payload.inputs.pull_request_number;
core.info(`Manual trigger for PR #${prNumber}`);
}

if (context.eventName === 'deployment_status') {
prNumber = context.payload.deployment_status.description.split("#")[1].split(" ")[0];
core.info(`deployment_status trigger for PR #${prNumber}`);
}

// Fetch the PR data using the number
pullRequest = (await github.rest.pulls.get({
owner: repoOwner,
repo: repoName,
pull_number: prNumber,
})).data;

core.info(JSON.stringify(pullRequest, null, 2))

if (pullRequest.merged === true) {
core.info(`PR #${prNumber} was merged. No action needed.`);
core.setOutput('validation_passed', 'false');
return;
}

// Fetch the PR timeline to find the 'closed' event
const timeline = await github.rest.issues.listEventsForTimeline({
owner: repoOwner,
repo: repoName,
issue_number: prNumber,
});

// Find the 'closed' event in the timeline
const closeEvent = timeline.data.find(event => event.event === 'closed');

// Get the user who closed the PR from the event
const closedByLogin = closeEvent && closeEvent.actor ? closeEvent.actor.login : null;

if (closedByLogin !== 'roboadhoc') {
core.info(`PR #${prNumber} was not closed by 'roboadhoc' (${closedByLogin}). No action needed.`);
core.setOutput('validation_passed', 'false');
return;
}

} else {
core.setOutput('validation_passed', 'false');
core.error(`Unsupported event type: ${context.eventName}`);
return;
}

// Set outputs for subsequent steps
core.setOutput('validation_passed', 'true');
core.setOutput('base_repo_owner', repoOwner);
core.setOutput('base_repo_name', repoName);
core.setOutput('base_branch_name', pullRequest.head.ref);
core.setOutput('head_repo_full_name', pullRequest.head.repo.full_name);
core.setOutput('head_repo_owner', pullRequest.head.repo.owner.login);
core.setOutput('head_repo_name', pullRequest.head.repo.name);
core.setOutput('is_fork', pullRequest.head.repo.full_name !== context.repo.owner + '/' + context.repo.repo);

- name: Delete branch from the base repository
uses: actions/github-script@v6
if: ${{ steps.pr_data_fetcher.outputs.validation_passed == 'true' }}
with:
github-token: ${{ github.token }}
script: |
const baseBranchName = `${{ steps.pr_data_fetcher.outputs.base_branch_name }}`;
const baseRepoOwner = `${{ steps.pr_data_fetcher.outputs.base_repo_owner }}`;
const baseRepoName = `${{ steps.pr_data_fetcher.outputs.base_repo_name }}`;
try {
core.info(`Attempting to delete branch '${baseBranchName}' from base repo '${baseRepoOwner}/${baseRepoName}'`);
await github.rest.git.deleteRef({
owner: baseRepoOwner,
repo: baseRepoName,
ref: `heads/${baseBranchName}`,
});
core.info(`Branch '${baseBranchName}' deleted from base repo successfully.`);
} catch (error) {
if (error.status === 422) {
core.info(`Branch '${baseBranchName}' in base repo already deleted. No action needed.`);
} else {
console.error(`Error deleting branch '${baseBranchName}' from base repo: ${error.message}`);
}
}

- name: Delete branch from the fork repository (adhoc-dev)
if: ${{ steps.pr_data_fetcher.outputs.validation_passed == 'true' }}
uses: actions/github-script@v6
with:
github-token: ${{ secrets.EXTERNAL_REPO_TOKEN_CLEANER_ADHOC_DEV || github.token }}
script: |
const baseBranchName = `${{ steps.pr_data_fetcher.outputs.base_branch_name }}`;
const headRepoOwner = 'adhoc-dev';
const headRepoName = `${{ steps.pr_data_fetcher.outputs.head_repo_name }}`;

try {
core.info(`PR comes from a fork. Attempting to delete branch from fork repo '${headRepoOwner}/${headRepoName}'`);
await github.rest.git.deleteRef({
owner: headRepoOwner,
repo: headRepoName,
ref: `heads/${baseBranchName}`,
});
core.info(`Branch '${baseBranchName}' deleted from fork repo successfully.`);
} catch (error) {
if (error.status === 422) {
core.info(`Branch '${baseBranchName}' in fork repo already deleted. No action needed.`);
} else {
console.error(`Error deleting branch '${baseBranchName}' from fork repo: ${error.message}`);
}
}

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 months ago

To fix the problem, add a permissions block to the workflow file. This block should be placed at the top level (applies to all jobs) or at the job level (applies only to the specific job). Since the workflow deletes branches (a write operation on git references), it requires contents: write permission. To follow the principle of least privilege, set contents: write and no other permissions unless required. The best place to add this is at the top level, just after the name: field and before on:.

Steps:

  • Edit .github/workflows/cleaner.yml.
  • Insert a permissions: block after the name: field (line 5), before the on: block.
  • Set contents: write as the only permission.
Suggested changeset 1
.github/workflows/cleaner.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/cleaner.yml b/.github/workflows/cleaner.yml
--- a/.github/workflows/cleaner.yml
+++ b/.github/workflows/cleaner.yml
@@ -3,6 +3,8 @@
 # See: https://github.com/ingadhoc/addons-repo-template
 
 name: Delete PR branch from fork and base repo
+permissions:
+  contents: write
 
 on:
 
EOF
@@ -3,6 +3,8 @@
# See: https://github.com/ingadhoc/addons-repo-template

name: Delete PR branch from fork and base repo
permissions:
contents: write

on:

Copilot is powered by AI and may make mistakes. Always verify output.
@vib-adhoc vib-adhoc closed this Aug 18, 2025
@vib-adhoc vib-adhoc deleted the 18.0-update-odoo-argentina-ce branch August 18, 2025 23:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@vib-adhoc @roboadhoc