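name: Version Bump

# Checks that a labeled PR bumps module versions; comments on the PR when it
# does not.
#
# Using pull_request_target to allow commenting on PRs from forks.
# SECURITY: Executable code (scripts, package.json) comes from the BASE branch only.
# Only the registry/ directory (data files) is checked out from the PR for version checking.
# NOTE(review): that guarantee holds only while nothing under registry/ is executed
# or resolved as code by `bun install` or version-bump.sh (for example workspace
# manifests or lifecycle scripts) -- confirm against the base-branch package.json
# and script before widening what is checked out from the PR.
# All event-derived values are passed to shell and JavaScript through `env:` rather
# than interpolated into script text, so untrusted input is never parsed as code.

on:
  pull_request_target:
    types: [labeled]

# One run per PR; a newer label event cancels the run still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  version-bump:
    # Only the three version labels trigger the job; any other label is ignored.
    if: >-
      github.event.label.name == 'version:patch' ||
      github.event.label.name == 'version:minor' ||
      github.event.label.name == 'version:major'
    runs-on: ubuntu-latest
    # Least privilege: read-only repository contents, write access limited to
    # PR/issue comments.
    permissions:
      contents: read
      pull-requests: write
      issues: write
    steps:
      # NOTE(review): the third-party actions below are referenced by mutable tags or
      # a branch. In a pull_request_target workflow that holds a write-scoped token,
      # pin each one to a reviewed full commit SHA (uses: owner/repo@<FULL_COMMIT_SHA>).
      - name: Checkout base branch
        uses: actions/checkout@v6
        with:
          # Base SHA, not the PR head: everything executed later comes from here.
          ref: ${{ github.event.pull_request.base.sha }}
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): checkout keeps the token available to later git commands by
          # default. If the fetch below works unauthenticated (public repository),
          # set `persist-credentials: false` here.

      - name: Fetch PR head
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          git fetch origin "refs/pull/${PR_NUMBER}/head:pr-head"
          echo "PR_HEAD_SHA=$(git rev-parse pr-head)" >> "$GITHUB_ENV"

      - name: Check for module changes
        id: check-modules
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          CHANGED_FILES=$(git diff --name-only "${BASE_SHA}..pr-head")
          if echo "$CHANGED_FILES" | grep -qE '^registry/[^/]+/modules/'; then
            echo "has_module_changes=true" >> "$GITHUB_OUTPUT"
            echo "✅ PR contains module changes"
          else
            echo "has_module_changes=false" >> "$GITHUB_OUTPUT"
            echo "ℹ️ PR does not contain module changes, skipping version bump check"
          fi

      # From this step on the working tree holds PR-controlled files under registry/.
      - name: Checkout PR module files
        if: steps.check-modules.outputs.has_module_changes == 'true'
        run: git checkout pr-head -- registry/

      - name: Set up Bun
        if: steps.check-modules.outputs.has_module_changes == 'true'
        uses: oven-sh/setup-bun@v2
        with:
          # NOTE(review): `latest` floats; consider pinning an explicit Bun version.
          bun-version: latest

      - name: Set up Terraform
        if: steps.check-modules.outputs.has_module_changes == 'true'
        # NOTE(review): `@main` is a mutable branch ref; pin to a full commit SHA.
        uses: coder/coder/.github/actions/setup-tf@main

      - name: Install dependencies
        if: steps.check-modules.outputs.has_module_changes == 'true'
        run: bun install

      - name: Extract bump type from label
        if: steps.check-modules.outputs.has_module_changes == 'true'
        id: bump-type
        env:
          # Label text is user-influenced; keep it out of the script body.
          LABEL_NAME: ${{ github.event.label.name }}
        run: |
          case "$LABEL_NAME" in
            "version:patch")
              echo "type=patch" >> "$GITHUB_OUTPUT"
              ;;
            "version:minor")
              echo "type=minor" >> "$GITHUB_OUTPUT"
              ;;
            "version:major")
              echo "type=major" >> "$GITHUB_OUTPUT"
              ;;
            *)
              echo "Invalid version label: $LABEL_NAME"
              exit 1
              ;;
          esac

      - name: Check version bump
        if: steps.check-modules.outputs.has_module_changes == 'true'
        env:
          BUMP_TYPE: ${{ steps.bump-type.outputs.type }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        # PR_HEAD_SHA was exported to the job environment by "Fetch PR head".
        run: ./.github/scripts/version-bump.sh --ci "$BUMP_TYPE" "$BASE_SHA" "$PR_HEAD_SHA"

      # Runs when any earlier step failed after module changes were detected.
      - name: Comment on PR - Version bump required
        if: failure() && steps.check-modules.outputs.has_module_changes == 'true'
        uses: actions/github-script@v8
        env:
          BUMP_TYPE: ${{ steps.bump-type.outputs.type }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            // Read the bump type from the environment instead of templating it into
            // the script source; empty when the bump-type step did not run.
            const bumpType = process.env.BUMP_TYPE ?? '';
            const comment = [
              '## Version Bump Required',
              '',
              'One or more modules in this PR need their versions updated.',
              '',
              '**To fix this:**',
              '1. Run the version bump script locally:',
              ' ```bash',
              ` ./.github/scripts/version-bump.sh ${bumpType}`,
              ' ```',
              '2. Commit the changes:',
              ' ```bash',
              ` git add . && git commit -m "chore: bump module versions (${bumpType})"`,
              ' ```',
              '3. Push your changes',
              '',
              'The CI will automatically re-run once you push the updated versions.'
            ].join('\n');
            // Await the request so an API error fails this step instead of being dropped.
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: comment
            });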