fix(security): resolve GitHub code scanning vulnerabilities #82
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Auto Version Bump | |
| on: | |
| pull_request: | |
| types: [closed] | |
| branches: | |
| - main | |
| jobs: | |
| version-bump: | |
| runs-on: ubuntu-latest | |
| if: github.event.pull_request.merged == true | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| actions: write # Needed to trigger workflows | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Setup Git | |
| run: | | |
| git config --global user.name 'GitHub Actions' | |
| git config --global user.email 'github-actions[bot]@users.noreply.github.com' | |
| - name: Check PR label for version bump type | |
| id: check-label | |
| run: | | |
| PR_LABELS="${{ toJson(github.event.pull_request.labels.*.name) }}" | |
| # Determine conventional commit type from PR title or commits | |
| PR_TITLE="${{ github.event.pull_request.title }}" | |
| # PR body is not used for version determination, so we don't need to include it | |
| # Simple, robust function to determine bump type from conventional commits | |
| determine_bump_type() { | |
| local commits="$1" | |
| echo "Analyzing commits for conventional commit patterns..." | |
| # Check for breaking changes first (highest priority) | |
| if echo "$commits" | grep -q "^BREAKING CHANGE:" || echo "$commits" | grep -qE "^[a-z]+(\([a-z]+\))?!:"; then | |
| echo "Found breaking change - will use major bump" | |
| echo "major" | |
| return 0 | |
| fi | |
| # Then check for features | |
| if echo "$commits" | grep -qE "^feat(\([a-z]+\))?:"; then | |
| echo "Found feature - will use minor bump" | |
| echo "minor" | |
| return 0 | |
| fi | |
| # Then check for fixes | |
| if echo "$commits" | grep -qE "^fix(\([a-z]+\))?:"; then | |
| echo "Found fix - will use patch bump" | |
| echo "patch" | |
| return 0 | |
| fi | |
| # Default to patch if no patterns match | |
| echo "No conventional commit patterns found - defaulting to patch" | |
| echo "patch" | |
| return 0 | |
| } | |
| # Check PR title for conventional commit format | |
| AUTO_BUMP_TYPE="" | |
| if [[ "$PR_TITLE" =~ ^BREAKING\ CHANGE: || "$PR_TITLE" =~ ^[a-z]+(\([a-z]+\))?!: ]]; then | |
| AUTO_BUMP_TYPE="major" | |
| elif [[ "$PR_TITLE" =~ ^feat(\([a-z]+\))?: ]]; then | |
| AUTO_BUMP_TYPE="minor" | |
| elif [[ "$PR_TITLE" =~ ^fix(\([a-z]+\))?: ]]; then | |
| AUTO_BUMP_TYPE="patch" | |
| else | |
| # Check PR commits for conventional commit format | |
| echo "PR title not in conventional commit format, checking commits..." | |
| # Set GH_TOKEN for gh CLI | |
| export GH_TOKEN="${{ secrets.GITHUB_TOKEN }}" | |
| # Safely capture commits, providing a fallback if the command fails | |
| echo "Fetching commits from PR #${{ github.event.pull_request.number }}..." | |
| PR_COMMITS=$(gh pr view ${{ github.event.pull_request.number }} --json commits --jq '.commits[].messageHeadline' 2>/dev/null || echo "") | |
| if [ -z "$PR_COMMITS" ]; then | |
| echo "Failed to get PR commits or no commits found - defaulting to patch" | |
| AUTO_BUMP_TYPE="patch" | |
| else | |
| echo "Found commits, analyzing conventional commit patterns" | |
| # Call the function and store all output | |
| BUMP_TYPE_OUTPUT=$(determine_bump_type "$PR_COMMITS") | |
| echo "Function output: $BUMP_TYPE_OUTPUT" | |
| # Extract just the last word from the output (major, minor, or patch) | |
| AUTO_BUMP_TYPE=$(echo "$BUMP_TYPE_OUTPUT" | grep -o -E '(major|minor|patch)' | tail -n 1) | |
| echo "Extracted bump type: $AUTO_BUMP_TYPE" | |
| # Fallback to patch if extraction failed | |
| if [ -z "$AUTO_BUMP_TYPE" ]; then | |
| echo "Failed to extract bump type, defaulting to patch" | |
| AUTO_BUMP_TYPE="patch" | |
| fi | |
| fi | |
| fi | |
| echo "Auto-detected bump type from commits/title: $AUTO_BUMP_TYPE" | |
| # Explicit labels take precedence over auto-detection | |
| if echo "$PR_LABELS" | grep -q '"major"'; then | |
| echo "bump_type=major" >> $GITHUB_OUTPUT | |
| echo "Explicit 'major' label found, using it" | |
| elif echo "$PR_LABELS" | grep -q '"minor"'; then | |
| echo "bump_type=minor" >> $GITHUB_OUTPUT | |
| echo "Explicit 'minor' label found, using it" | |
| elif echo "$PR_LABELS" | grep -q '"patch"'; then | |
| echo "bump_type=patch" >> $GITHUB_OUTPUT | |
| echo "Explicit 'patch' label found, using it" | |
| elif [ -n "$AUTO_BUMP_TYPE" ]; then | |
| echo "bump_type=$AUTO_BUMP_TYPE" >> $GITHUB_OUTPUT | |
| echo "Using auto-detected bump type: $AUTO_BUMP_TYPE" | |
| else | |
| # Default to patch if no specific indication found | |
| echo "bump_type=patch" >> $GITHUB_OUTPUT | |
| echo "No version indicators found, defaulting to patch" | |
| fi | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '18' | |
| - name: Install project dependencies | |
| run: npm ci | |
| - name: Install semver globally | |
| run: npm install -g semver | |
| - name: Bump version | |
| id: bump-version | |
| run: | | |
| # Get current version from package.json | |
| CURRENT_VERSION=$(node -p "require('./package.json').version") | |
| # Determine new version based on bump type | |
| if [ "${{ steps.check-label.outputs.bump_type }}" = "major" ]; then | |
| NEW_VERSION=$(semver -i major $CURRENT_VERSION) | |
| elif [ "${{ steps.check-label.outputs.bump_type }}" = "minor" ]; then | |
| NEW_VERSION=$(semver -i minor $CURRENT_VERSION) | |
| else | |
| NEW_VERSION=$(semver -i patch $CURRENT_VERSION) | |
| fi | |
| echo "Current version: $CURRENT_VERSION" | |
| echo "New version: $NEW_VERSION" | |
| echo "Bump type: ${{ steps.check-label.outputs.bump_type }}" | |
| echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT | |
| # Update package.json with new version | |
| node -e "const fs = require('fs'); const pkg = require('./package.json'); pkg.version = '$NEW_VERSION'; fs.writeFileSync('package.json', JSON.stringify(pkg, null, 2) + '\n');" | |
| - name: Commit and push version bump | |
| run: | | |
| git add package.json | |
| git commit -m "Bump version to ${{ steps.bump-version.outputs.new_version }} | |
| Version bump type: ${{ steps.check-label.outputs.bump_type }} | |
| PR: #${{ github.event.pull_request.number }} | |
| Title: ${{ github.event.pull_request.title }}" | |
| git push | |
| - name: Output summary | |
| run: | | |
| echo "✅ Version bumped to ${{ steps.bump-version.outputs.new_version }} (${{ steps.check-label.outputs.bump_type }} bump)" | |
| echo "🚀 The release-with-sbom workflow will be triggered directly." | |
| - name: Trigger release workflow | |
| uses: peter-evans/repository-dispatch@v2 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| event-type: trigger-release | |
| client-payload: '{"version": "${{ steps.bump-version.outputs.new_version }}", "bump_type": "${{ steps.check-label.outputs.bump_type }}"}' | |
| - name: Debug workflow information | |
| run: | | |
| echo "========== WORKFLOW DEBUG INFO ==========" | |
| echo "Workflow name: ${{ github.workflow }}" | |
| echo "Job name: ${{ github.job }}" | |
| echo "Run ID: ${{ github.run_id }}" | |
| echo "Run number: ${{ github.run_number }}" | |
| echo "Actor: ${{ github.actor }}" | |
| echo "Repository: ${{ github.repository }}" | |
| echo "Ref: ${{ github.ref }}" | |
| echo "SHA: ${{ github.sha }}" | |
| echo "Event name: ${{ github.event_name }}" | |
| echo "Workflow permissions:" | |
| echo " Contents: write" | |
| echo " Pull requests: write" | |
| echo " Actions: write" | |
| echo "========================================" | |
| # Wait a moment to ensure the push is processed | |
| sleep 5 | |
| echo "Checking if the release workflow was triggered..." | |
| # This is just informational and won't affect the workflow | |
| curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
| "https://api.github.com/repos/${{ github.repository }}/actions/runs?event=workflow_run&status=in_progress" | \ | |
| grep -o '"name":"Release with SBOM and Notes"' || echo "Release workflow not found in currently running workflows" |