analysis-tools-dev
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 71 additions & 8 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 71 additions & 8 deletions
diff --git a/‎.github/workflows/pr-check.yml‎
Lines changed: 95 additions & 0 deletions b/‎.github/workflows/pr-check.yml‎
Lines changed: 95 additions & 0 deletions
diff --git a/‎.github/workflows/pr-comment.yml‎
Lines changed: 40 additions & 0 deletions b/‎.github/workflows/pr-comment.yml‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎.github/workflows/render.yml‎
Lines changed: 7 additions & 4 deletions b/‎.github/workflows/render.yml‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 1 deletion b/‎.gitignore‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎.lycheeignore‎
Lines changed: 10 additions & 1 deletion b/‎.lycheeignore‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎Makefile‎
Lines changed: 7 additions & 7 deletions b/‎Makefile‎
Lines changed: 7 additions & 7 deletions
@@ -5,17 +5,80 @@ on:
     branches: [master]
 
 jobs:
-  build:
+  readme-check:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: read
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check README.md was not edited directly
+        id: readme
+        run: |
+          TRUSTED="mre jakubsacha"
+          AUTHOR="${{ github.event.pull_request.user.login }}"
+          for u in $TRUSTED; do
+            if [ "$AUTHOR" = "$u" ]; then
+              echo "trusted=true" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+          done
+          if git diff --name-only origin/master...HEAD | grep -q "^README.md$"; then
+            echo "modified=true" >> "$GITHUB_OUTPUT"
+          fi
 
-      - name: Prevent file change
-        uses: xalvarez/prevent-file-change-action@v1
+      - name: Comment and fail on direct README edit
+        if: steps.readme.outputs.modified == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR: ${{ github.event.pull_request.number }}
+          REPO: ${{ github.repository }}
+        run: |
+          gh api "repos/$REPO/issues/$PR/comments" \
+            -f body="README.md was edited directly. The README is generated from the YAML files in \`data/tools/\`. Please add or edit the corresponding file in \`data/tools/\` instead and do not touch README.md." \
+            --silent
+          echo "README.md must not be edited directly." >&2
+          exit 1
+
+  render:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
         with:
-          githubToken: ${{ secrets.GITHUB_TOKEN }}
-          pattern: README.md
-          trustedAuthors: mre, jakubsacha
+          fetch-depth: 0
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
 
       - name: Render list
-        run: make render-skip-deprecated
+        id: render
+        run: |
+          make render-skip-deprecated 2>&1 | tee /tmp/render-output.txt
+          exit ${PIPESTATUS[0]}
+
+      - name: Comment render error on failure
+        if: failure() && steps.render.outcome == 'failure'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR: ${{ github.event.pull_request.number }}
+          REPO: ${{ github.repository }}
+        run: |
+          OUTPUT=$(grep -E "^Error" /tmp/render-output.txt | head -20)
+          {
+            echo "The render step failed with the following error:"
+            echo ""
+            echo '```'
+            echo "$OUTPUT"
+            echo '```'
+            echo ""
+            echo "Please check your YAML file in \`data/tools/\` against the format used by other tools in that directory."
+          } > /tmp/render-comment.txt
+          gh api "repos/$REPO/issues/$PR/comments" \
+            -f body=@/tmp/render-comment.txt \
+            --silent
@@ -0,0 +1,95 @@
+name: PR Check
+
+on:
+  pull_request:
+    branches: [master]
+    paths:
+      - "data/tools/**.yml"
+      - "ci/**"
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: "PR number to check"
+        required: true
+      tool_files:
+        description: "Space-separated list of tool YAML files to check (e.g. data/tools/foo.yml)"
+        required: true
+
+jobs:
+  pr-check:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check out PR head for manual runs
+        if: github.event_name == 'workflow_dispatch'
+        run: |
+          git fetch origin "refs/pull/${{ inputs.pr_number }}/head"
+          git checkout FETCH_HEAD -- ${{ inputs.tool_files }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Get changed tool files
+        id: changed
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            FILES="${{ inputs.tool_files }}"
+          else
+            FILES=$(git diff --name-only --diff-filter=A origin/master...HEAD -- 'data/tools/*.yml' 'data/tools/*.yaml' | tr '\n' ' ')
+          fi
+          echo "files=$FILES" >> "$GITHUB_OUTPUT"
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Cache cargo registry
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            ci/target
+          key: pr-check-${{ runner.os }}-${{ hashFiles('ci/Cargo.lock') }}
+          restore-keys: |
+            pr-check-${{ runner.os }}-
+
+      - name: Build pr-check
+        run: cargo build --release --manifest-path ci/Cargo.toml -p pr-check
+
+      - name: Run pr-check
+        id: run-check
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event_name == 'workflow_dispatch' && inputs.pr_number || github.event.pull_request.number }}
+          # For pull_request events (including forks), write the comment to a
+          # file instead of posting it directly. The fork's GITHUB_TOKEN does
+          # not have write access to the base repository, so direct posting
+          # returns 403. The pr-comment workflow picks up this artifact and
+          # posts the comment with the right permissions.
+          COMMENT_OUTPUT_FILE: ${{ github.event_name == 'pull_request' && 'pr-check-output/comment.md' || '' }}
+        run: |
+          mkdir -p pr-check-output
+          echo "$PR_NUMBER" > pr-check-output/pr_number.txt
+          if ci/target/release/pr-check ${{ steps.changed.outputs.files }}; then
+            echo "passed" > pr-check-output/result.txt
+          else
+            echo "failed" > pr-check-output/result.txt
+          fi
+
+      - name: Upload check results
+        if: always() && github.event_name == 'pull_request'
+        uses: actions/upload-artifact@v4
+        with:
+          name: pr-check-output
+          path: pr-check-output/
+
+      - name: Fail if checks did not pass
+        if: always()
+        run: |
+          result=$(cat pr-check-output/result.txt 2>/dev/null || echo "failed")
+          [ "$result" = "passed" ]
@@ -0,0 +1,40 @@
+name: PR Check Comment
+
+on:
+  workflow_run:
+    workflows: ["PR Check"]
+    types: [completed]
+
+jobs:
+  comment:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Download check results
+        uses: actions/download-artifact@v4
+        with:
+          name: pr-check-output
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+        continue-on-error: true
+
+      - name: Post or update PR comment
+        if: hashFiles('pr_number.txt') != '' && hashFiles('comment.md') != ''
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+        run: |
+          PR_NUMBER=$(cat pr_number.txt)
+          COMMENT_BODY=$(cat comment.md)
+
+          EXISTING_ID=$(gh api "repos/$GH_REPO/issues/$PR_NUMBER/comments" \
+            --jq '[.[] | select(.body | contains("<!-- pr-check-bot -->"))] | first | .id // empty')
+
+          if [ -n "$EXISTING_ID" ]; then
+            gh api --method PATCH "repos/$GH_REPO/issues/comments/$EXISTING_ID" \
+              --field body="$COMMENT_BODY"
+          else
+            gh api --method POST "repos/$GH_REPO/issues/$PR_NUMBER/comments" \
+              --field body="$COMMENT_BODY"
+          fi
@@ -7,20 +7,23 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
-    
+
     permissions:
       # Give the default GITHUB_TOKEN write permission to commit and push the
       # added or changed files to the repository.
       contents: write
 
     steps:
-      - uses: actions/checkout@v3
-        
+      - uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+
       - name: Render list
         run: make render
         env:
           GITHUB_TOKEN: ${{ github.token }}
-        
+
       - uses: stefanzweifel/git-auto-commit-action@v4.1.2
         with:
           commit_message: Commit list
 
@@ -1,2 +1,4 @@
 logcli-linux-amd64
-logcli.zip
+logcli.zip
+ci/target/
+ci/pr-check/target/
@@ -4,4 +4,13 @@ mathworks.com
 https://www.freepik.com/
 # (Occasional) Timeouts
 https://npo-echelon.ru/en/solutions/appchecker.php
-https://www.qualys.com/apps/container-security
+https://www.qualys.com/apps/container-security
+# 415 Unsupported Media Type (site works in browser)
+dickgrune.com
+zigrin.com
+# Cloudflare bot protection
+spinroot.com
+# npmjs.com blocks automated requests
+https://www.npmjs.com/package/tslint-clean-code
+# GitHub wiki intermittent 502
+https://github.com/flowr-analysis/flowr/wiki/Terminology#program-slice
@@ -16,23 +16,23 @@ help:
 
 # Main rendering targets
 render:
-	cargo run --manifest-path data/render/Cargo.toml -- --tags data/tags.yml --tools data/tools --md-out README.md --json-out data/api
+	cargo run --manifest-path ci/Cargo.toml -p render -- --tags data/tags.yml --tools data/tools --md-out README.md --json-out data/api
 
 render-skip-deprecated:
-	cargo run --manifest-path data/render/Cargo.toml -- --tags data/tags.yml --tools data/tools --md-out README.md --json-out data/api --skip-deprecated
+	cargo run --manifest-path ci/Cargo.toml -p render -- --tags data/tags.yml --tools data/tools --md-out README.md --json-out data/api --skip-deprecated
 
 # Development targets
 check:
-	cargo check --manifest-path data/render/Cargo.toml
+	cargo check --manifest-path ci/Cargo.toml
 
 clippy:
-	cargo clippy --manifest-path data/render/Cargo.toml -- -D warnings
+	cargo clippy --manifest-path ci/Cargo.toml -- -D warnings
 
 fmt:
-	cargo fmt --manifest-path data/render/Cargo.toml
+	cargo fmt --manifest-path ci/Cargo.toml
 
 test:
-	cargo test --manifest-path data/render/Cargo.toml
+	cargo test --manifest-path ci/Cargo.toml
 
 clean:
-	cargo clean --manifest-path data/render/Cargo.toml
+	cargo clean --manifest-path ci/Cargo.toml