diff --git a/.github/workflows/update-integration-tests.yml b/.github/workflows/update-integration-tests.yml index 7ea5a66..1cae0ed 100644 --- a/.github/workflows/update-integration-tests.yml +++ b/.github/workflows/update-integration-tests.yml @@ -10,7 +10,12 @@ permissions: jobs: update-snapshots: - if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, 'please update snapshots') }} + if: > + ( + github.event.issue.author_association == 'OWNER' || + github.event.issue.author_association == 'COLLABORATOR' || + github.event.issue.author_association == 'MEMBER' + ) && github.event.issue.pull_request && contains(github.event.comment.body, 'please update snapshots') runs-on: ubuntu-latest steps: @@ -25,10 +30,40 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} + - name: Get PR Info + id: pr + env: + PR_NUMBER: ${{ github.event.issue.number }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_REPO: ${{ github.repository }} + COMMENT_AT: ${{ github.event.comment.created_at }} + run: | + pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})" + head_sha="$(echo "$pr" | jq -r .head.sha)" + pushed_at="$(echo "$pr" | jq -r .pushed_at)" + + if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then + echo "Updating is not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)" + exit 1 + fi + + echo "head_sha=$head_sha" >> $GITHUB_OUTPUT + - name: Checkout the branch from the PR that triggered the job - run: gh pr checkout ${{ github.event.issue.number }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: gh pr checkout ${{ github.event.issue.number }} + + - name: Validate the fetched branch HEAD revision + env: + EXPECTED_SHA: ${{ steps.pr.outputs.head_sha }} + run: | + actual_sha="$(git rev-parse HEAD)" + + if [[ "$actual_sha" != "$EXPECTED_SHA" ]]; then + echo "The HEAD of the checked out branch ($actual_sha) differs from the HEAD commit available at the time when trigger comment was submitted ($EXPECTED_SHA)" + exit 1 + fi - name: Base Setup uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1 @@ -48,3 +83,4 @@ jobs: # Playwright knows how to start JupyterLab server start_server_script: 'null' test_folder: ui-tests + npm_client: jlpm diff --git a/package.json b/package.json index ccafed7..3220126 100644 --- a/package.json +++ b/package.json @@ -65,6 +65,7 @@ "watch:labextension": "jupyter labextension watch .", "watch:src": "tsc -w" }, + "packageManager": "yarn@3.5.0", "dependencies": { "@jupyterlab/application": "^4.0.9", "@jupyterlab/settingregistry": "^4.0.9",