- orchestrates the contributor path (#766) #13
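# ── JOB 3: JSON INTEGRITY ───────────────────────────────────────
# Runs on every PR regardless of version bumps.
# pack_catalog.json is a repo-level file — always checked.
# Dependency version check is scoped to the single changed pack.
# On mismatch: posts a PR comment with per-dependency fix/pin options.
# Does NOT hard-fail — the contributor chooses the action via slash command.
#
# Security notes:
# - Both actions are pinned to a full commit SHA; the trailing "# vN" is
#   only a human-readable label.
# - The job token is limited to contents: read and pull-requests: write.
# - Expression values reach the scripts through env, never by being
#   interpolated into the script text.
# NOTE(review): the workflow trigger is not visible in this section. The
# steps below execute tools/*.py from the checked-out tree, so confirm which
# ref is checked out for the event that starts this job.
json-integrity:
  name: JSON integrity — catalog + xsoar_config
  needs: detect
  runs-on: ubuntu-latest
  permissions:
    contents: read
    pull-requests: write
  steps:
    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
    - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
      with:
        python-version: "3.10"
    - name: Validate pack_catalog.json
      run: |
        python tools/validate_pack_catalog.py
    - name: Validate xsoar_config.json files
      env:
        CHANGED_PACKS: ${{ needs.detect.outputs.packs }}
      run: |
        if [ -n "$CHANGED_PACKS" ]; then
          python tools/validate_xsoar_configs.py --packs "$CHANGED_PACKS"
        else
          python tools/validate_xsoar_configs.py
        fi
    - name: Check cross-pack dependency versions
      # GH_TOKEN is set on this step only; it is what lets `gh` post the comment.
      env:
        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        PR_NUMBER: ${{ github.event.pull_request.number }}
        REPO: ${{ github.repository }}
        CHANGED_PACKS: ${{ needs.detect.outputs.packs }}
      run: |
        python - << 'PY'
        import os, subprocess, sys

        changed = os.environ["CHANGED_PACKS"].strip()
        pr_number = os.environ["PR_NUMBER"]
        repo = os.environ["REPO"]

        # Single pack guaranteed by the single-pack PR gate upstream.
        # Scope the check to that pack only.
        # NOTE(review): the value comes from the detect job; confirm that job
        # rejects names starting with "-", which the checker would otherwise
        # parse as an option rather than as the --pack value.
        cmd = [sys.executable, "tools/check_dependency_versions.py",
               "--output-format", "github-comment"]
        if changed:
            cmd += ["--pack", changed]

        # The child inherits this step's environment, GH_TOKEN included.
        # NOTE(review): if the checker never calls the API, pass env= without
        # GH_TOKEN so only the `gh` call below can use the token.
        result = subprocess.run(cmd, capture_output=True, text=True)
        output = result.stdout.strip()
        print(output)

        # stderr is captured above; forward it so a traceback from the
        # checker shows up in the step log instead of being dropped.
        if result.stderr:
            print(result.stderr, file=sys.stderr, end="")

        # If the script produced a github-comment block, post it to the PR
        if "Stale dependency versions" in output:
            # The body is the checker's stdout and renders as Markdown.
            # NOTE(review): if the report echoes names or versions taken from
            # the PR, confirm the checker escapes them.
            # check=True: a failed post (for example a token without
            # pull-requests: write) fails this step despite the advisory intent.
            subprocess.run(
                ["gh", "pr", "comment", pr_number,
                 "--repo", repo,
                 "--body", output],
                check=True
            )
            # Warn in the check log but do not fail the gate.
            # The contributor resolves via /fix-deps, /fix-dep, or /pin-dep.
            print("::warning::Stale dependency versions detected. "
                  "See PR comment for fix/pin options.")
        elif result.returncode != 0:
            # A non-zero exit without a report means the check did not
            # complete; without this branch that case looked like a clean
            # result. Still advisory, matching the job's no-hard-fail policy.
            print(f"::warning::Dependency version check exited with status "
                  f"{result.returncode} and produced no report. "
                  "The check did not complete; see the step log.")
        PY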