chore: harden sync workflow — pin OS, add timeout, npm ci #12
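---
# Dry-run gate: on every same-repo pull request, run github/safe-settings in
# NOP mode against the PR's deployment-settings.yml and surface any config
# changes as a warning annotation. The job never writes anything.
name: Dry-run gate

# `on` is a YAML 1.1 boolean key; GitHub's loader handles it.
on:  # yamllint disable-line rule:truthy
  pull_request:
    branches: [main]

# Least privilege: the workflow token can only read repository contents.
permissions:
  contents: read

jobs:
  dry-run:
    name: Safe-settings dry-run
    runs-on: ubuntu-24.04
    timeout-minutes: 30
    # Do not run on fork PRs — secrets are not available there
    if: github.event.pull_request.head.repo.full_name == github.repository
    env:
      # Quoted so no YAML parser ever reads the version as a number.
      SAFE_SETTINGS_VERSION: "2.1.17"
      SAFE_SETTINGS_CODE_DIR: ${{ github.workspace }}/.safe-settings-code
    steps:
      # NOTE(review): consider pinning actions to a full commit SHA
      # (actions/checkout@<commit-sha>) rather than a moving major tag.
      - name: Checkout PR branch
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}

      - name: Checkout safe-settings app
        uses: actions/checkout@v4
        with:
          repository: github/safe-settings
          # Git tags are mutable; a full commit SHA here would make this
          # checkout reproducible and tamper-evident.
          ref: ${{ env.SAFE_SETTINGS_VERSION }}
          path: ${{ env.SAFE_SETTINGS_CODE_DIR }}

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: npm
          cache-dependency-path: ${{ env.SAFE_SETTINGS_CODE_DIR }}/package-lock.json

      - name: Install dependencies
        # npm ci installs exactly what package-lock.json pins and fails on drift.
        run: npm ci
        working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}

      - name: Run dry-run (NOP)
        # Explicit `bash` makes GitHub run the script with `-eo pipefail`, so a
        # failing `npm run full-sync` is not masked by the `tee` on the right
        # of the pipe (the default shell has `-e` only).
        shell: bash
        run: npm run full-sync 2>&1 | tee /tmp/dry-run.log
        working-directory: ${{ env.SAFE_SETTINGS_CODE_DIR }}
        env:
          GH_ORG: ${{ vars.SAFE_SETTINGS_GH_ORG }}
          APP_ID: ${{ vars.SAFE_SETTINGS_APP_ID }}
          PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }}
          GITHUB_CLIENT_ID: ${{ vars.SAFE_SETTINGS_GITHUB_CLIENT_ID }}
          GITHUB_CLIENT_SECRET: ${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_SECRET }}
          WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
          ADMIN_REPO: admin
          DEPLOYMENT_CONFIG_FILE: ${{ github.workspace }}/deployment-settings.yml
          # Quoted: the app reads an environment string, not a YAML boolean.
          FULL_SYNC_NOP: "true"
          # NOTE(review): debug output lands in /tmp/dry-run.log; Actions masks
          # registered secrets only when they appear verbatim — confirm the
          # app does not log derived credential material at this level.
          LOG_LEVEL: debug

      # Runs even if the previous step crashed, so changes are always surfaced.
      # continue-on-error: finding diffs is informational, not a merge blocker —
      # a human must review but the PR is not blocked.
      - name: Report config changes
        if: always()
        continue-on-error: true
        shell: bash
        run: |
          # A missing log means the dry-run never produced output; say so
          # instead of silently reporting "no changes".
          if [ ! -f /tmp/dry-run.log ]; then
            echo "::warning::No dry-run log found — the dry-run step did not complete"
            exit 1
          fi
          if grep -q "There are changes for branch" /tmp/dry-run.log; then
            echo "::warning::Config changes detected — human review required before merging"
            grep -A 2 "There are changes for branch" /tmp/dry-run.log
            exit 1
          fi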