Skip to content
Content Quality Assessment

chore: fix copyrights/exec lines for the various scripts; add one for running the cqa so we can check that locally too #676

Sign in to view logs

chore: fix copyrights/exec lines for the various scripts; add one for running the cqa so we can check that locally too

chore: fix copyrights/exec lines for the various scripts; add one for running the cqa so we can check that locally too #676

Workflow file for this run

.github/workflows/content-quality-assessment.yml at 4a10d4d
---
name: Content Quality Assessment
on:
# /!\ Warning: using the pull_request_target event to be able to read secrets. But using this event without the cautionary measures described below
# may allow unauthorized GitHub users to open a "pwn request" and exfiltrate secrets.
# As recommended in https://iterative.ai/blog/testing-external-contributions-using-github-actions-secrets,
# we are adding an 'authorize' job that checks if the workflow was triggered from a fork PR. In that case, the "external" environment
# will prevent the job from running until it's approved manually by human intervention.
pull_request_target:
types: [opened, synchronize, reopened, ready_for_review]
paths:
- '**.adoc'
- 'assemblies/**'
- 'modules/**'
- 'artifacts/**'
- 'images/**'
- 'build/scripts/**'
branches:
- main
- release-1.9-post-cqa
- release-1.10
- release-2.**
concurrency:
group: ${{ github.workflow }}-${{ github.event.number || github.event.pull_request.head.ref }}
cancel-in-progress: true
env:
GH_TEAM: rhdh
GH_ORGANIZATION: redhat-developer
jobs:
check-commit-author:
runs-on: ubuntu-latest
outputs:
is_authorized: ${{ steps.check-team-membership.outputs.is_active_member }}
steps:
- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
with:
app-id: ${{ secrets.RHDH_GITHUB_APP_ID }}
private-key: ${{ secrets.RHDH_GITHUB_APP_PRIVATE_KEY }}
- name: Check team membership
uses: redhat-developer/rhdh/.github/actions/check-author@main
id: check-team-membership
with:
team: ${{ env.GH_TEAM }}
organization: ${{ env.GH_ORGANIZATION }}
gh_token: ${{ steps.app-token.outputs.token }}
author: ${{ github.event.pull_request.user.login }}
authorize:
# The 'external' environment is configured with the rhdh-content team as required reviewers.
# All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks outside of the rhdh team
needs: check-commit-author
environment:
${{ (needs.check-commit-author.outputs.is_authorized == 'true' || github.event.pull_request.head.repo.full_name == github.repository) && 'internal' || 'external' }}
runs-on: ubuntu-latest
steps:
- name: Check if internal PR
id: check
run: |
if [[ "${{ needs.check-commit-author.outputs.is_authorized }}" == "true" ]]; then
echo "Commit author is in rhdh team - using internal environment"
elif [[ "${{ github.event.pull_request.head.repo.full_name }}" == "${{ github.repository }}" ]]; then
echo "Internal PR (not from fork) - using internal environment"
else
echo "External PR from fork from non-rhdh team member - using external environment for security"
fi
cqa-check:
name: CQA Automated Checks
runs-on: ubuntu-latest
needs: authorize
permissions:
contents: read
pull-requests: write
steps:
- name: Checkout main branch for trusted scripts
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
ref: main
path: trusted-scripts
sparse-checkout: build/scripts
- name: Checkout PR branch for content
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
fetch-depth: 0
path: pr-content
- name: Copy trusted scripts into PR content
run: |
rm -rf pr-content/build/scripts/cqa
cp -r trusted-scripts/build/scripts/cqa pr-content/build/scripts/cqa
- name: Set up Node.js
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: '20'
- name: Install Vale
run: |
wget -q https://github.com/errata-ai/vale/releases/download/v3.9.5/vale_3.9.5_Linux_64-bit.tar.gz
tar -xzf vale_3.9.5_Linux_64-bit.tar.gz -C /usr/local/bin vale
vale --version
- name: Sync Vale styles
run: |
cd pr-content
vale sync
- name: Run CQA checks (checklist)
id: cqa-checklist
env:
CQA_BASE_REF: base/${{ github.event.pull_request.base.ref }}
run: |
cd pr-content
git remote add base https://github.com/${{ github.event.pull_request.base.repo.full_name }}.git
git fetch base ${{ github.event.pull_request.base.ref }}
OUTPUT=$(node build/scripts/cqa/index.js --all 2>&1) || CQA_EXIT=$?
echo "output<<EOF" >> $GITHUB_OUTPUT
echo "$OUTPUT" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
exit ${CQA_EXIT:-0}
- name: Post CQA checklist as PR comment
if: always()
uses: actions/github-script@v7
env:
CQA_OUTPUT: ${{ steps.cqa-checklist.outputs.output }}
with:
github-token: ${{ secrets.RHDH_BOT_TOKEN || secrets.GITHUB_TOKEN }}
script: |
const cqaOutput = process.env.CQA_OUTPUT;
let comment = '## Content Quality Assessment Results\n\n';
comment += cqaOutput;
const now = new Date().toISOString().replace('T', ' ').replace(/\.\d+Z$/, ' UTC');
comment += '\n\n---\n';
comment += `*Automated CQA check run on the entire repository — ${now}*\n`;
// Find existing CQA comment and update or create
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
});
const botComment = comments.find(c =>
c.body.includes('Content Quality Assessment Results')
);
if (botComment) {
await github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
body: comment
});
} else {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
body: comment
});
}