@vib-adhoc
Automatic update using copier template

@roboadhoc
Pull request status dashboard

Comment on lines +21 to +158
runs-on: ubuntu-latest
if: >
github.repository_owner == 'ingadhoc' &&
(
(github.event_name == 'workflow_dispatch') ||
(github.event_name == 'deployment_status' && github.event.deployment_status.state == 'success')
)
steps:
- name: Delete branch from base and fork repos
uses: actions/github-script@v6
id: pr_data_fetcher
with:
script: |
// Get PR information
core.info('Fetching PR data and validating conditions...');

// Debug info
const eventName = context.eventName;
core.info(`El nombre del evento es: ${eventName}`);
core.info(JSON.stringify(context, null, 2))
// End Debug info

let repoOwner = context.repo.owner;
let repoName = context.repo.repo;
let pullRequest;

if (context.eventName === 'workflow_dispatch' || context.eventName === 'deployment_status') {
let prNumber = 0;
if (context.eventName === 'workflow_dispatch') {
prNumber = context.payload.inputs.pull_request_number;
core.info(`Manual trigger for PR #${prNumber}`);
}

if (context.eventName === 'deployment_status') {
prNumber = context.payload.deployment_status.description.split("#")[1].split(" ")[0];
core.info(`deployment_status trigger for PR #${prNumber}`);
}

// Fetch the PR data using the number
pullRequest = (await github.rest.pulls.get({
owner: repoOwner,
repo: repoName,
pull_number: prNumber,
})).data;

core.info(JSON.stringify(pullRequest, null, 2))

if (pullRequest.merged === true) {
core.info(`PR #${prNumber} was merged. No action needed.`);
core.setOutput('validation_passed', 'false');
return;
}

// Fetch the PR timeline to find the 'closed' event
const timeline = await github.rest.issues.listEventsForTimeline({
owner: repoOwner,
repo: repoName,
issue_number: prNumber,
});

// Find the 'closed' event in the timeline
const closeEvent = timeline.data.find(event => event.event === 'closed');

// Get the user who closed the PR from the event
const closedByLogin = closeEvent && closeEvent.actor ? closeEvent.actor.login : null;

if (closedByLogin !== 'roboadhoc') {
core.info(`PR #${prNumber} was not closed by 'roboadhoc' (${closedByLogin}). No action needed.`);
core.setOutput('validation_passed', 'false');
return;
}

} else {
core.setOutput('validation_passed', 'false');
core.error(`Unsupported event type: ${context.eventName}`);
return;
}

// Set outputs for subsequent steps
core.setOutput('validation_passed', 'true');
core.setOutput('base_repo_owner', repoOwner);
core.setOutput('base_repo_name', repoName);
core.setOutput('base_branch_name', pullRequest.head.ref);
core.setOutput('head_repo_full_name', pullRequest.head.repo.full_name);
core.setOutput('head_repo_owner', pullRequest.head.repo.owner.login);
core.setOutput('head_repo_name', pullRequest.head.repo.name);
core.setOutput('is_fork', pullRequest.head.repo.full_name !== context.repo.owner + '/' + context.repo.repo);

- name: Delete branch from the base repository
uses: actions/github-script@v6
if: ${{ steps.pr_data_fetcher.outputs.validation_passed == 'true' }}
with:
github-token: ${{ github.token }}
script: |
const baseBranchName = `${{ steps.pr_data_fetcher.outputs.base_branch_name }}`;
const baseRepoOwner = `${{ steps.pr_data_fetcher.outputs.base_repo_owner }}`;
const baseRepoName = `${{ steps.pr_data_fetcher.outputs.base_repo_name }}`;
try {
core.info(`Attempting to delete branch '${baseBranchName}' from base repo '${baseRepoOwner}/${baseRepoName}'`);
await github.rest.git.deleteRef({
owner: baseRepoOwner,
repo: baseRepoName,
ref: `heads/${baseBranchName}`,
});
core.info(`Branch '${baseBranchName}' deleted from base repo successfully.`);
} catch (error) {
if (error.status === 422) {
core.info(`Branch '${baseBranchName}' in base repo already deleted. No action needed.`);
} else {
console.error(`Error deleting branch '${baseBranchName}' from base repo: ${error.message}`);
}
}

- name: Delete branch from the fork repository (adhoc-dev)
if: ${{ steps.pr_data_fetcher.outputs.validation_passed == 'true' }}
uses: actions/github-script@v6
with:
github-token: ${{ secrets.EXTERNAL_REPO_TOKEN_CLEANER_ADHOC_DEV || github.token }}
script: |
const baseBranchName = `${{ steps.pr_data_fetcher.outputs.base_branch_name }}`;
const headRepoOwner = 'adhoc-dev';
const headRepoName = `${{ steps.pr_data_fetcher.outputs.head_repo_name }}`;

try {
core.info(`PR comes from a fork. Attempting to delete branch from fork repo '${headRepoOwner}/${headRepoName}'`);
await github.rest.git.deleteRef({
owner: headRepoOwner,
repo: headRepoName,
ref: `heads/${baseBranchName}`,
});
core.info(`Branch '${baseBranchName}' deleted from fork repo successfully.`);
} catch (error) {
if (error.status === 422) {
core.info(`Branch '${baseBranchName}' in fork repo already deleted. No action needed.`);
} else {
console.error(`Error deleting branch '${baseBranchName}' from fork repo: ${error.message}`);
}
}
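
Review bot: In both delete steps the branch name is spliced into the script source with `${{ steps.pr_data_fetcher.outputs.base_branch_name }}` inside a JavaScript template literal, and that output is `pullRequest.head.ref`, a value chosen by whoever opened the PR. The expression is expanded before the script is parsed, so a ref containing a backtick or `${` alters the code that runs with the token passed in `github-token`. Pass the outputs through an `env:` map on each step and read them with `process.env` so they stay data. Other points in the same lines: the fork step is gated only on `validation_passed`, never reads the `is_fork` output, and falls back to `github.token` when the secret is absent; `prNumber` comes from `deployment_status.description.split("#")[1]` with no check that the description contains `#` or that the result is an integer; the two `core.info(JSON.stringify(...))` calls write the whole context and PR payload to the job log and should go once debugging is done; and the `catch` branches only call `console.error`, so a failed delete leaves the job green where `core.setFailed` would surface it.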

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 5 months ago

To fix the problem, add a permissions block to the workflow to restrict the GITHUB_TOKEN permissions to the minimum required. In this case, the workflow deletes branches, which requires contents: write permission. No other permissions are needed for the described actions. The best way to fix this is to add a permissions block at the root level of the workflow (before jobs:), so it applies to all jobs unless overridden. Edit .github/workflows/cleaner.yml to insert:

permissions:
  contents: write

after the name: and before the on: block. No additional imports or definitions are needed.

Suggested changeset 1
.github/workflows/cleaner.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/cleaner.yml b/.github/workflows/cleaner.yml
--- a/.github/workflows/cleaner.yml
+++ b/.github/workflows/cleaner.yml
@@ -4,6 +4,9 @@
 
 name: Delete PR branch from fork and base repo
 
+permissions:
+  contents: write
+
 on:
 
   deployment_status:
EOF
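
Review bot: The `permissions:` block is added at workflow level with only `contents: write`, which sets every other GITHUB_TOKEN scope to none for all jobs in the file. The job's first step calls `github.rest.pulls.get` and `github.rest.issues.listEventsForTimeline` with the default token, so confirm those reads still succeed after this change, or add `pull-requests: read` (and `issues: read` if the timeline call needs it). Placing the block on the job that deletes branches rather than at the root would keep the write scope from being inherited by any job added to this workflow later.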
@vib-adhoc vib-adhoc closed this Aug 18, 2025
@vib-adhoc vib-adhoc deleted the 18.0-update-aeroo_reports branch August 18, 2025 23:27