code/.github/workflows/react-doctor.yml at main · PostHog/code · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
name: React Doctor

on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    # Workflow-level paths only work because react-doctor is not a required
    # check. If it ever becomes required, move the skip into a gate job like
    # test.yml, or path-skipped PRs will wait on it forever.
    paths:
      - "**/*.ts"
      - "**/*.tsx"
      - "**/*.jsx"
      - ".github/workflows/react-doctor.yml"
      - ".github/scripts/react-doctor-comment.mjs"

permissions:
  contents: read
  pull-requests: write

concurrency:
  group: react-doctor-${{ github.head_ref || github.ref }}
  cancel-in-progress: true

jobs:
  react-doctor:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false

      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
        with:
          node-version: 22
          package-manager-cache: false

      - id: scan
        name: Run react-doctor on changed files
        shell: bash
        env:
          NO_COLOR: "1"
          REACT_DOCTOR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # -e omitted: exit codes are captured and inspected explicitly.
          set -uo pipefail
          CHANGED="${RUNNER_TEMP}/react-doctor-changed-files.txt"
          if ! git diff --name-only --diff-filter=ACMR "${REACT_DOCTOR_BASE_SHA}...${HEAD_SHA}" > "$CHANGED"; then
            echo "Could not diff ${REACT_DOCTOR_BASE_SHA}...${HEAD_SHA}; failing rather than skipping the scan." >&2
            echo "exit-code=1" >> "$GITHUB_OUTPUT"
            exit 1
          fi
          if [ ! -s "$CHANGED" ]; then
            echo "No changed files; nothing for react-doctor to scan."
            echo "exit-code=0" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          REPORT="${RUNNER_TEMP}/react-doctor-report.json"
          status=0
          npx --yes react-doctor@0.5.4 . --blocking error --changed-files-from "$CHANGED" --json --json-compact --no-telemetry > "$REPORT" || status=$?
          echo "exit-code=$status" >> "$GITHUB_OUTPUT"
          echo "report=$REPORT" >> "$GITHUB_OUTPUT"
          if [ "$status" -ne 0 ]; then
            echo "react-doctor exited with status ${status}; report follows." >&2
            cat "$REPORT" >&2 || true
          fi

      - name: Upsert sticky PR comment
        if: ${{ always() && steps.scan.outputs.report != '' }}
        continue-on-error: true
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          GITHUB_SERVER_URL: ${{ github.server_url }}
          REACT_DOCTOR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPORT: ${{ steps.scan.outputs.report }}
        run: |
          set -uo pipefail
          BODY="${RUNNER_TEMP}/react-doctor-comment.md"
          node "${GITHUB_WORKSPACE}/.github/scripts/react-doctor-comment.mjs" "$REPORT" "$BODY"
          cat "$BODY" >> "$GITHUB_STEP_SUMMARY"
          jq -Rs '{body: .}' "$BODY" > "${RUNNER_TEMP}/react-doctor-payload.json"
          marker="<!-- react-doctor:summary -->"
          existing=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --paginate \
            --jq ".[] | select(.body | startswith(\"${marker}\")) | .id" | head -n1 || true)
          if [ -n "$existing" ]; then
            gh api -X PATCH "repos/${GITHUB_REPOSITORY}/issues/comments/${existing}" --input "${RUNNER_TEMP}/react-doctor-payload.json" >/dev/null
          else
            gh api -X POST "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" --input "${RUNNER_TEMP}/react-doctor-payload.json" >/dev/null
          fi

      - name: Enforce blocking findings
        if: ${{ always() }}
        shell: bash
        env:
          STATUS: ${{ steps.scan.outputs.exit-code }}
          REPORT: ${{ steps.scan.outputs.report }}
        run: |
          # -e omitted: exit codes are captured and inspected explicitly.
          set -uo pipefail
          if [ "${STATUS:-1}" = "0" ]; then
            exit 0
          fi
          if [ -n "${REPORT:-}" ]; then
            if ! jq -e . "$REPORT" >/dev/null 2>&1; then
              echo "::warning title=React Doctor::Scanner exited ${STATUS:-1} without a valid JSON report; not blocking the PR on a scanner failure."
              exit 0
            fi
            if jq -e '.ok == false' "$REPORT" >/dev/null 2>&1; then
              # Strip newlines so the message cannot end the ::warning command early.
              message=$(jq -r '.error.message // "unknown error"' "$REPORT" | tr -d '\n')
              echo "::warning title=React Doctor::Scanner crashed (${message}); not blocking the PR on a scanner failure."
              exit 0
            fi
          fi
          exit "${STATUS:-1}"