From 21fc9618a75e1cf453372349f5ac0d96257898d5 Mon Sep 17 00:00:00 2001 From: DevelopmentCats Date: Wed, 7 Jan 2026 15:49:44 -0600 Subject: [PATCH] feat: enhance version bump script and workflow for forked PRs --- .github/scripts/version-bump.sh | 12 ++++++--- .github/workflows/version-bump.yaml | 40 ++++++++++++++++++++++++----- 2 files changed, 42 insertions(+), 10 deletions(-) diff --git a/.github/scripts/version-bump.sh b/.github/scripts/version-bump.sh index ec078fcc..7bae704b 100755 --- a/.github/scripts/version-bump.sh +++ b/.github/scripts/version-bump.sh @@ -1,26 +1,29 @@ #!/bin/bash # Version Bump Script -# Usage: ./version-bump.sh [--ci] [base_ref] +# Usage: ./version-bump.sh [--ci] [base_ref] [head_ref] # --ci: CI mode - run bump, check for changes, exit 1 if changes needed # bump_type: patch, minor, or major # base_ref: base reference for diff (default: origin/main) +# head_ref: head reference for diff (default: HEAD) set -euo pipefail CI_MODE=false usage() { - echo "Usage: $0 [--ci] [base_ref]" + echo "Usage: $0 [--ci] [base_ref] [head_ref]" echo " --ci: CI mode - validates versions are already bumped (exits 1 if not)" echo " bump_type: patch, minor, or major" echo " base_ref: base reference for diff (default: origin/main)" + echo " head_ref: head reference for diff (default: HEAD, used for fork PRs)" echo "" echo "Examples:" echo " $0 patch # Update versions with patch bump" echo " $0 minor # Update versions with minor bump" echo " $0 major # Update versions with major bump" echo " $0 --ci patch # CI check: verify patch bump has been applied" + echo " $0 --ci patch base_sha head_sha # CI check with explicit refs (for fork PRs)" exit 1 } @@ -125,12 +128,13 @@ main() { shift fi - if [ $# -lt 1 ] || [ $# -gt 2 ]; then + if [ $# -lt 1 ] || [ $# -gt 3 ]; then usage fi local bump_type="$1" local base_ref="${2:-origin/main}" + local head_ref="${3:-HEAD}" case "$bump_type" in "patch" | "minor" | "major") ;; 
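Review bot: The rewritten usage string in `usage()` still omits the mandatory positional, so `Usage: $0 [--ci] [base_ref] [head_ref]` reads as if every argument were optional while the help text below it and the `$# -lt 1` check in `main` both require `bump_type` first. Both the header comment and the `echo` should read `Usage: $0 [--ci] <bump_type> [base_ref] [head_ref]`, and the new example line would then match the documented order. This is documentation only; the option parsing in `main` is unchanged in meaning.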
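Review bot: `head_ref` (and `base_ref`) are accepted as opaque strings in `main` and only fail later inside `git diff`, whose error message does not say which argument was bad. Since the CI caller now passes two raw SHAs, a cheap early check such as `git rev-parse --verify --quiet "${head_ref}^{commit}" >/dev/null || { echo "❌ Unknown head_ref: ${head_ref}" >&2; exit 1; }` (and the same for `base_ref`) gives a clear failure instead of a bare git error. The `case "$bump_type"` statement that ends this hunk continues outside it.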
@@ -144,7 +148,7 @@ main() { echo "🔍 Detecting modified modules..." local changed_files - changed_files=$(git diff --name-only "${base_ref}"...HEAD) + changed_files=$(git diff --name-only "${base_ref}".."${head_ref}") local modules modules=$(echo "$changed_files" | grep -E '^registry/[^/]+/modules/[^/]+/' | cut -d'/' -f1-4 | sort -u) diff --git a/.github/workflows/version-bump.yaml b/.github/workflows/version-bump.yaml index aff9e0a1..47f34e53 100644 --- a/.github/workflows/version-bump.yaml +++ b/.github/workflows/version-bump.yaml @@ -1,10 +1,11 @@ name: Version Bump +# Using pull_request_target to allow commenting on PRs from forks. +# SECURITY: This workflow only checks out and runs code from the BASE branch, +# never from the PR. The PR's changes are only used for git diff comparison. on: - pull_request: + pull_request_target: types: [labeled] - paths: - - "registry/**/modules/**" concurrency: group: ${{ github.workflow }}-${{ github.ref }} 
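Review bot: Switching the diff from `"${base_ref}"...HEAD` to `"${base_ref}".."${head_ref}"` changes what "modified modules" means: two-dot diffs the two tips directly, so any module changed on the base branch after the PR branched now appears in `changed_files` (as a reverse diff) and the script will demand a bump for modules the PR never touched. The workflow in this same patch passes the base branch tip (`base.sha`), not a merge-base, which makes this likely in practice. Keeping three-dot while still honouring the new argument, `changed_files=$(git diff --name-only "${base_ref}"..."${head_ref}")`, preserves the old merge-base semantics for both the local default and the fork case. The rest of `main` lies outside this hunk.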
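Review bot: The new `SECURITY:` comment above `on:` claims the workflow "only checks out and runs code from the BASE branch, never from the PR", but a later hunk in this patch adds a `git checkout pr-head -- registry/` step, after which Bun, Terraform and the bump script operate on fork-controlled files while the job holds a write-scoped `GITHUB_TOKEN`; a reader trusting this comment would not look for that. The comment should describe the actual boundary, e.g. `# SECURITY: pull_request_target runs with a write token. Only the base branch's workflow and scripts execute; the PR's registry/ files are checked out for diffing and version checks and must never be executed. The maintainer applying the bump label is the approval gate.` It is also worth stating here why the `paths:` filter was dropped (module detection now happens in a step), since `pull_request_target` does honour `paths` and a maintainer may otherwise re-add it.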
@@ -19,24 +20,50 @@ jobs: pull-requests: write issues: write steps: - - name: Checkout code + - name: Checkout base branch uses: actions/checkout@v6 with: + ref: ${{ github.event.pull_request.base.sha }} fetch-depth: 0 token: ${{ secrets.GITHUB_TOKEN }} + - name: Fetch PR head + run: | + git fetch origin refs/pull/${{ github.event.pull_request.number }}/head:pr-head + echo "PR_HEAD_SHA=$(git rev-parse pr-head)" >> $GITHUB_ENV + + - name: Check for module changes + id: check-modules + run: | + CHANGED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }}..pr-head) + if echo "$CHANGED_FILES" | grep -qE '^registry/[^/]+/modules/'; then + echo "has_module_changes=true" >> $GITHUB_OUTPUT + echo "✅ PR contains module changes" + else + echo "has_module_changes=false" >> $GITHUB_OUTPUT + echo "â„šī¸ PR does not contain module changes, skipping version bump check" + fi + + - name: Checkout PR module files + if: steps.check-modules.outputs.has_module_changes == 'true' + run: git checkout pr-head -- registry/ + - name: Set up Bun + if: steps.check-modules.outputs.has_module_changes == 'true' uses: oven-sh/setup-bun@v2 with: bun-version: latest - name: Set up Terraform + if: steps.check-modules.outputs.has_module_changes == 'true' uses: coder/coder/.github/actions/setup-tf@main - name: Install dependencies + if: steps.check-modules.outputs.has_module_changes == 'true' run: bun install - name: Extract bump type from label + if: steps.check-modules.outputs.has_module_changes == 'true' id: bump-type run: | case "${{ github.event.label.name }}" in 
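Review bot: The "Fetch PR head" step resolves `refs/pull/N/head` at run time rather than using the SHA recorded in the labeling event, so a commit pushed to the fork between the maintainer applying the label and this step running is what gets checked out into `registry/` and fed to Terraform, Bun and the bump script under a write-scoped token. Pinning to the event is a two-line change: `PR_HEAD_SHA="${{ github.event.pull_request.head.sha }}"` then `git fetch --no-tags origin "$PR_HEAD_SHA" && git update-ref refs/heads/pr-head "$PR_HEAD_SHA"`, and the workflow should document that any step after `git checkout pr-head -- registry/` must only read those files, never execute them (e.g. no `terraform init` against fork-controlled module sources). Independently, the "Check for module changes" diff uses `base.sha..pr-head`, which also lists modules changed on the base branch since the PR branched; `git diff --name-only "${{ github.event.pull_request.base.sha }}"...pr-head` matches the merge-base semantics the script previously had. Finally, `>> $GITHUB_ENV` / `>> $GITHUB_OUTPUT` should be quoted, and interpolating `${{ github.event.label.name }}` directly into the `case` statement is the template-injection pattern GitHub warns about — passing it via `env:` and using `"$LABEL_NAME"` is safer even though labels are maintainer-controlled; that `case` continues outside this hunk.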
@@ -56,10 +83,11 @@ jobs: esac - name: Check version bump - run: ./.github/scripts/version-bump.sh --ci "${{ steps.bump-type.outputs.type }}" origin/main + if: steps.check-modules.outputs.has_module_changes == 'true' + run: ./.github/scripts/version-bump.sh --ci "${{ steps.bump-type.outputs.type }}" ${{ github.event.pull_request.base.sha }} ${{ env.PR_HEAD_SHA }} - name: Comment on PR - Version bump required - if: failure() + if: failure() && steps.check-modules.outputs.has_module_changes == 'true' uses: actions/github-script@v8 with: github-token: ${{ secrets.GITHUB_TOKEN }}
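Review bot: The comment step's condition `failure() && steps.check-modules.outputs.has_module_changes == 'true'` is true after *any* earlier failure — a transient `bun install` error, a Terraform setup failure, or an unrecognised label — so contributors would receive a "Version bump required" comment that is wrong for the actual cause. Give the check step an id (`id: version-check` on the "Check version bump" step) and gate the comment on `if: steps.version-check.outcome == 'failure'`. For consistency with the quoted `bump-type` output, the two SHA arguments on the `run:` line should also be quoted: `"${{ github.event.pull_request.base.sha }}" "${{ env.PR_HEAD_SHA }}"`. The `github-script` body of the comment step lies outside this hunk.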