-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
77 lines (69 loc) · 2.98 KB
/
size-compare.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
name: Compare Sizes
##########################################################################################
# WARNING! This workflow uses the 'pull_request_target' event. That mans that it will #
# always run in the context of the main actualbudget/actual repo, even if the PR is from #
# a fork. This is necessary to get access to a GitHub token that can post a comment on #
# the PR. Be VERY CAREFUL about adding things to this workflow, since forks can inject #
# arbitrary code into their branch, and can pollute the artifacts we download. Arbitrary #
# code execution in this workflow could lead to a compromise of the main repo. #
##########################################################################################
# See: https://securitylab.github.com/research/github-actions-preventing-pwn-requests #
##########################################################################################
on:
pull_request_target:
jobs:
compare:
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- name: Wait for ${{github.base_ref}} build to succeed
uses: fountainhead/[email protected]
id: master-build
with:
token: ${{ secrets.GITHUB_TOKEN }}
checkName: web
ref: ${{github.base_ref}}
- name: Wait for PR build to succeed
uses: fountainhead/[email protected]
id: wait-for-build
with:
token: ${{ secrets.GITHUB_TOKEN }}
checkName: web
ref: ${{github.event.pull_request.head.sha}}
- name: Report build failure
if: steps.wait-for-build.outputs.conclusion == 'failure'
run: |
echo "Build failed on PR branch or ${{github.base_ref}}"
exit 1
- name: Download build artifact from ${{github.base_ref}}
uses: dawidd6/action-download-artifact@v2
id: pr-build
with:
branch: ${{github.base_ref}}
workflow: build.yml
name: build-stats
path: base
- name: Download build artifact from PR
uses: dawidd6/action-download-artifact@v2
with:
pr: ${{github.event.pull_request.number}}
workflow: build.yml
name: build-stats
path: head
- name: Strip content hashes from stats files
run: |
sed -i -E 's/\.[0-9a-f]{8,}\././g' ./head/*.json
sed -i -E 's/\.[0-9a-f]{8,}\././g' ./base/*.json
- uses: github/[email protected]
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
current-stats-json-path: ./head/desktop-client-stats.json
base-stats-json-path: ./base/desktop-client-stats.json
title: desktop-client
- uses: github/[email protected]
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
current-stats-json-path: ./head/loot-core-stats.json
base-stats-json-path: ./base/loot-core-stats.json
title: loot-core