GH action security updates #96
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Add Netlify Links To Changed Pages | |
| on: | |
| workflow_call: | |
| pull_request_target: | |
| jobs: | |
| get-pr-changes: | |
| name: Get Changed Files & Update PR Description | |
| runs-on: ubuntu-latest | |
| permissions: | |
| issues: write | |
| contents: write | |
| pull-requests: write | |
| repository-projects: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Get Changed Files | |
| id: changed-files | |
| # pin to a specific commit to ensure stability | |
| uses: tj-actions/changed-files@c65cd883420fd2eb864698a825fc4162dd94482c | |
| with: | |
| separator: "," | |
| files: source/** | |
| - name: Build Netlify Links for Changed Pages | |
| id: build_page_links | |
| env: | |
| CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }} | |
| run: | | |
| # Function to validate file paths | |
| validate_file_path() { | |
| local file_path="$1" | |
| # Allow only alphanumeric characters, _ . / and - | |
| if [[ ! "$file_path" =~ ^[a-zA-Z0-9._/-]+$ ]]; then | |
| echo "Invalid file path detected: $file_path" >&2 | |
| return 1 | |
| fi | |
| } | |
| new_links="" | |
| base_link='https://deploy-preview-${{ github.event.number }}--mongodb-docs-csharp.netlify.app' | |
| files=$(echo "$CHANGED_FILES" | tr "," "\n") | |
| for file in $files; do | |
| echo "processing ${file}" | |
| # Validate file path and skip if invalid | |
| validate_file_path "$file" | |
| if [ $? -ne 0 ]; then | |
| continue | |
| fi | |
| if (! grep -s "includes/" <<< "$file") && | |
| (! grep -s "images/" <<< "$file") && | |
| (! grep -s "examples/" <<< "$file"); then | |
| file="${file#source}" | |
| file="${file%.txt}" | |
| filenoslash="${file:1}" | |
| echo "${base_link}${file}" | |
| new_links+="<li><a href=${base_link}${file}>${filenoslash}</a></li>" | |
| else | |
| echo "(file skipped)" | |
| fi | |
| done | |
| if [ "$new_links" == "" ]; then | |
| new_links="No pages to preview" | |
| fi | |
| echo "Final new_links string: " | |
| echo "${new_links}" | |
| echo "staging_links=${new_links}" >> "$GITHUB_OUTPUT" | |
| - name: Update the PR Description | |
| uses: MongoCaleb/pr-description-action@master | |
| with: | |
| regex: "<!-- start insert-links -->.*<!-- end insert-links -->" | |
| appendContentOnMatchOnly: true | |
| regexFlags: is | |
| content: "<!-- start insert-links -->\n${{ steps.build_page_links.outputs.staging_links }}\n<!-- end insert-links -->" | |
| token: ${{ secrets.GITHUB_TOKEN }} |