Agentics Standards TAG feedback #104
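name: Check README Changes

# SECURITY WARNING: This workflow uses pull_request_target, which runs in the context
# of the base repository with write permissions. This is safe ONLY because:
# 1. We do NOT checkout any code from the PR
# 2. We only read file metadata via the GitHub API
# 3. We only post comments (no execution of PR-controlled code)
# 4. The inline script shown here contains no ${{ ... }} workflow expressions fed
#    from PR data; PR values are read at runtime from `context` and the REST API
#    and are handled strictly as data.
# DO NOT add a checkout step or execute any PR-controlled scripts in this workflow!
# DO NOT interpolate PR-controlled fields (title, body, branch name, file names)
# into the script text through workflow expressions.
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Workflow-level default. The job below declares its own `permissions`, and the
# job-level block is what applies to that job.
permissions:
  contents: read
  pull-requests: write

jobs:
  check-readme-changes:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      # NOTE(review): the script only lists, creates and updates comments on the
      # pull request itself. `pull-requests: write` is expected to cover that, so
      # confirm and drop `issues: write` to keep the token least-privileged.
      issues: write
      contents: read
    steps:
      - name: Comment on PR if autogenerated README files were edited
        # NOTE(review): `v7` is a mutable tag. This job runs on pull_request_target
        # with a write-scoped token, so pin the action to a full commit SHA, e.g.
        # `actions/github-script@<full-commit-sha> # v7` (placeholder: take the SHA
        # from the action's own release page).
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const owner = context.repo.owner;
            const repo = context.repo.repo;
            const pull_number = context.issue.number;

            // Get changed files via GitHub API (works for fork PRs; no checkout needed).
            const files = await github.paginate(github.rest.pulls.listFiles, {
              owner,
              repo,
              pull_number,
              per_page: 100,
            });

            // Keep only READMEs that sit directly under tags/<name>/ or
            // toc_subprojects/<name>/; these are the generated files.
            const readmeFiles = files
              .map(f => f.filename)
              .filter(f =>
                /^tags\/[^/]+\/README\.md$/.test(f) ||
                /^toc_subprojects\/[^/]+\/README\.md$/.test(f)
              );

            if (readmeFiles.length === 0) {
              core.info("No autogenerated README files changed; skipping PR comment.");
              return;
            }

            // File names are PR-controlled and the path filter above accepts any
            // character except "/" in the directory segment. Neutralise control
            // characters and HTML metacharacters before embedding a name in a
            // comment posted with the base repository's token, so a crafted path
            // cannot change the structure of that comment.
            const escapeForComment = (name) =>
              String(name)
                .replace(/[\u0000-\u001f\u007f]/g, "?")
                .replace(/&/g, "&amp;")
                .replace(/</g, "&lt;")
                .replace(/>/g, "&gt;");

            const filesList = readmeFiles
              .map(f => `- <code>${escapeForComment(f)}</code>`)
              .join("\n");

            const commentBody =
              `## ⚠️ README Files Should Be Updated via tags.yaml\n\n` +
              `The following TAG or TOC subproject README files have been directly edited:\n\n` +
              `${filesList}\n\n` +
              `These README files are auto-generated from the \`tags.yaml\` file using the generator script. **Please update the \`tags.yaml\` file instead** of editing the README files directly.\n\n` +
              `For more information on how to update these files, please see the [generator README](https://github.com/cncf/toc/blob/main/generator/README.md).\n\n` +
              `Once you update \`tags.yaml\`, the README files will be automatically regenerated by the existing automation workflow.`;

            // Check if we've already commented on this PR
            const comments = await github.paginate(github.rest.issues.listComments, {
              owner,
              repo,
              issue_number: pull_number,
              per_page: 100,
            });

            // An earlier comment is reused only when it was authored by the
            // Actions bot account AND carries the heading text. The author check
            // prevents a comment written by a PR participant that merely contains
            // the marker from being selected.
            const marker = 'README Files Should Be Updated via tags.yaml';
            const botComment = comments.find(c =>
              c?.user?.login === 'github-actions[bot]' &&
              typeof c?.body === 'string' &&
              c.body.includes(marker)
            );

            if (botComment) {
              // Update existing comment
              await github.rest.issues.updateComment({
                owner,
                repo,
                comment_id: botComment.id,
                body: commentBody
              });
            } else {
              // Create new comment
              await github.rest.issues.createComment({
                owner,
                repo,
                issue_number: pull_number,
                body: commentBody
              });
            }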