VRT Update - Apply #301
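name: VRT Update - Apply

# SECURITY: This workflow runs in the trusted base-repo context with a write token.
# Everything that arrives from the 'VRT Update - Generate' run (the patch file and
# the metadata files) is untrusted artifact content. Therefore:
#   - the PR number is syntax-checked before it is used anywhere,
#   - the head ref/repo are resolved from the GitHub API and must match the commit
#     the generate run actually built (the artifact copies must agree too),
#   - untrusted values reach shell/JS only through environment variables, never
#     inlined with ${{ }} into a script body,
#   - the patch is restricted to PNG files both before and after it is applied.

on:
  workflow_run:
    workflows: ['VRT Update - Generate']
    types:
      - completed

permissions:
  contents: write
  pull-requests: write

jobs:
  apply-vrt-updates:
    name: Apply VRT Updates
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    steps:
      - name: Download patch artifact
        uses: actions/download-artifact@v4
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ github.event.workflow_run.id }}
          pattern: vrt-patch-*
          path: /tmp/artifacts

      - name: Download metadata artifact
        uses: actions/download-artifact@v4
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          run-id: ${{ github.event.workflow_run.id }}
          pattern: vrt-metadata-*
          path: /tmp/metadata

      - name: Extract and verify metadata
        id: metadata
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Commit the generate run was triggered for; the PR head must still be it.
          EXPECTED_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          set -uo pipefail
          # Find the metadata directory (will be vrt-metadata-{PR_NUMBER})
          METADATA_DIR=$(find /tmp/metadata -mindepth 1 -maxdepth 1 -type d | head -n 1)
          if [ -z "$METADATA_DIR" ]; then
            echo "No metadata found, skipping..."
            exit 0
          fi

          # The artifact files were written by an untrusted run: accept the PR number
          # only if it is a plain integer, before it is used in any API call or script.
          PR_NUMBER=$(tr -d '[:space:]' < "$METADATA_DIR/pr-number.txt")
          if ! printf '%s' "$PR_NUMBER" | grep -Eq '^[0-9]{1,9}$'; then
            echo "ERROR: metadata pr-number.txt is not a valid PR number"
            exit 1
          fi

          # Resolve head ref/repo from the API instead of trusting the artifact, and
          # require the PR head to be exactly the commit the generate run built.
          PR_JSON=$(gh api "repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}")
          HEAD_SHA=$(jq -r '.head.sha' <<<"$PR_JSON")
          HEAD_REF=$(jq -r '.head.ref' <<<"$PR_JSON")
          HEAD_REPO=$(jq -r '.head.repo.full_name' <<<"$PR_JSON")
          if [ "$HEAD_REPO" = "null" ] || [ -z "$HEAD_REF" ]; then
            echo "ERROR: PR #$PR_NUMBER has no reachable head repository/branch"
            exit 1
          fi
          if [ "$HEAD_SHA" != "$EXPECTED_SHA" ]; then
            echo "ERROR: PR #$PR_NUMBER head ($HEAD_SHA) is not the commit the generate run built ($EXPECTED_SHA)"
            exit 1
          fi
          # The artifact's own head-ref/head-repo must agree with the API; a
          # disagreement means the metadata is stale or was tampered with.
          if [ "$(cat "$METADATA_DIR/head-ref.txt")" != "$HEAD_REF" ] || \
             [ "$(cat "$METADATA_DIR/head-repo.txt")" != "$HEAD_REPO" ]; then
            echo "ERROR: metadata head-ref/head-repo do not match PR #$PR_NUMBER"
            exit 1
          fi

          echo "pr_number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
          echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"
          echo "head_repo=$HEAD_REPO" >> "$GITHUB_OUTPUT"
          echo "Found PR #$PR_NUMBER: $HEAD_REPO @ $HEAD_REF"

      - name: Checkout PR head branch
        if: steps.metadata.outputs.pr_number != ''
        uses: actions/checkout@v4
        with:
          repository: ${{ steps.metadata.outputs.head_repo }}
          ref: ${{ steps.metadata.outputs.head_ref }}
          token: ${{ secrets.GITHUB_TOKEN }}
          fetch-depth: 0

      - name: Validate and apply patch
        if: steps.metadata.outputs.pr_number != ''
        id: apply
        env:
          # Validated integer from the metadata step; read via env, not ${{ }} inline.
          PR_NUMBER: ${{ steps.metadata.outputs.pr_number }}
        run: |
          set -uo pipefail
          # Record a failure reason for the PR comment step, then abort.
          fail() {
            echo "ERROR: $1"
            echo "applied=false" >> "$GITHUB_OUTPUT"
            echo "error=$1" >> "$GITHUB_OUTPUT"
            exit 1
          }

          # Find the patch file
          PATCH_DIR=$(find /tmp/artifacts -mindepth 1 -maxdepth 1 -type d | head -n 1)
          PATCH_FILE="$PATCH_DIR/vrt-update.patch"
          if [ ! -f "$PATCH_FILE" ]; then
            echo "No patch file found"
            echo "applied=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          echo "Found patch file: $PATCH_FILE"

          # Validate patch only touches PNG files. Besides the '---'/'+++' headers,
          # git's extended headers can name a path on their own (a rename/copy needs
          # no hunk at all), so those are collected too; symlink modes are rejected
          # because a ".png" symlink would stage a pointer rather than an image.
          echo "Validating patch contains only PNG files..."
          PATHS=$(grep -E '^(\+\+\+ b/|--- a/|rename (from|to) |copy (from|to) )' "$PATCH_FILE" \
                  | sed -E 's/^(\+\+\+ b\/|--- a\/|rename (from|to) |copy (from|to) )//' || true)
          if [ -z "$PATHS" ]; then
            fail "Patch validation failed: no file paths found in patch"
          fi
          if printf '%s\n' "$PATHS" | grep -Ev '\.png$'; then
            fail "Patch validation failed: contains non-PNG files"
          fi
          if grep -Eq '^(new file|deleted file|old|new) mode 120000' "$PATCH_FILE"; then
            fail "Patch validation failed: contains symlinks"
          fi
          FILES_CHANGED=$(printf '%s\n' "$PATHS" | sort -u | wc -l)
          echo "Patch modifies $FILES_CHANGED PNG file(s)"

          # Configure git
          git config --global user.name "github-actions[bot]"
          git config --global user.email "github-actions[bot]@users.noreply.github.com"

          # Apply patch
          echo "Applying patch..."
          if ! git apply --check "$PATCH_FILE"; then
            fail "Patch conflicts with current branch state"
          fi
          git apply "$PATCH_FILE"

          # Belt and braces: whatever git actually changed on disk must be PNG files;
          # anything else means the header check was bypassed, so discard it and fail.
          # Each -z entry is "XY <path>", hence the 3-character offset.
          if ! git status --porcelain=v1 -z --untracked-files=all \
               | while IFS= read -r -d '' entry; do
                   case "${entry:3}" in
                     *.png) ;;
                     *) echo "unexpected change: ${entry:3}"; exit 1 ;;
                   esac
                 done; then
            git checkout -- . && git clean -fd
            fail "Patch validation failed: applied changes include non-PNG files"
          fi

          # Stage only PNG files. The pathspec is quoted so git, not the shell,
          # expands it; a bare '*.png' matches at any depth, including the repo root.
          git add -- '*.png'
          if git diff --staged --quiet; then
            echo "No changes after applying patch"
            echo "applied=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          # Commit
          git commit -m "Update VRT screenshots" -m "Auto-generated by VRT workflow" -m "PR: #${PR_NUMBER}"
          echo "applied=true" >> "$GITHUB_OUTPUT"

      - name: Push changes
        if: steps.apply.outputs.applied == 'true'
        env:
          HEAD_REF: ${{ steps.metadata.outputs.head_ref }}
          HEAD_REPO: ${{ steps.metadata.outputs.head_repo }}
        run: |
          # NOTE(review): GITHUB_TOKEN is scoped to this repository, so this push
          # only succeeds when head_repo is this repo (same-repo branch); a push to
          # a fork is expected to be rejected - confirm against how PRs are raised.
          git push origin "HEAD:refs/heads/$HEAD_REF"
          echo "Successfully pushed VRT updates to $HEAD_REPO@$HEAD_REF"

      - name: Comment on PR - Success
        if: steps.apply.outputs.applied == 'true'
        uses: actions/github-script@v7
        env:
          PR_NUMBER: ${{ steps.metadata.outputs.pr_number }}
        with:
          script: |
            // PR number is read from env rather than spliced with ${{ }} into JS source.
            await github.rest.issues.createComment({
              issue_number: Number(process.env.PR_NUMBER),
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: '✅ VRT screenshots have been automatically updated.'
            });

      - name: Comment on PR - Failure
        if: failure() && steps.metadata.outputs.pr_number != ''
        uses: actions/github-script@v7
        env:
          PR_NUMBER: ${{ steps.metadata.outputs.pr_number }}
          APPLY_ERROR: ${{ steps.apply.outputs.error }}
        with:
          script: |
            // Both values come from step outputs via env, never from ${{ }} inline.
            const error = process.env.APPLY_ERROR || 'Unknown error occurred';
            await github.rest.issues.createComment({
              issue_number: Number(process.env.PR_NUMBER),
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `❌ Failed to apply VRT updates: ${error}\n\nPlease check the workflow logs for details.`
            });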