From 9b21ca815bf7bdf0fba1483b990b8e2107ad855e Mon Sep 17 00:00:00 2001
From: Francesco Gringl-Novy
Date: Thu, 23 Apr 2026 13:14:29 +0200
Subject: [PATCH 1/3] chore(ci): Vendor nx-affected-list action, drop dkhunt27 dependency

Replace the third-party dkhunt27/action-nx-affected-list@v6.1 with a lightweight composite action that runs `nx show projects --affected` directly. The external action was outdated (last release Sep 2024, uses Node.js 20) and all it did was shell out to the nx CLI. The vendored action is ~15 lines of bash with no Node.js runtime dependency.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/actions/nx-affected-list/action.yml | 35 +++++++++++++++++++++
 .github/workflows/build.yml | 2 +-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 .github/actions/nx-affected-list/action.yml
diff --git a/.github/actions/nx-affected-list/action.yml b/.github/actions/nx-affected-list/action.yml
new file mode 100644
index 000000000000..841d9fa6ccea
--- /dev/null
+++ b/.github/actions/nx-affected-list/action.yml
@@ -0,0 +1,35 @@
+name: 'Nx Affected List'
+description: 'Outputs a space-separated list of Nx projects affected by changes between base and head commits.'
+
+inputs:
+ base:
+ description: 'Base commit SHA'
+ required: false
+ head:
+ description: 'Head commit SHA'
+ required: false
+
+outputs:
+ affected:
+ description: 'Space-separated list of affected project names'
+ value: ${{ steps.affected.outputs.affected }}
+
+runs:
+ using: 'composite'
+ steps:
+ - name: Get affected Nx projects
+ id: affected
+ shell: bash
+ run: |
+ ARGS=""
+ if [ -n "${{ inputs.base }}" ]; then ARGS="$ARGS --base=${{ inputs.base }}"; fi
+ if [ -n "${{ inputs.head }}" ]; then ARGS="$ARGS --head=${{ inputs.head }}"; fi
+
+ AFFECTED=$(./node_modules/.bin/nx show projects --affected $ARGS 2>/dev/null | tr '\n' ' ' | xargs) || true
+ echo "affected=$AFFECTED" >> "$GITHUB_OUTPUT"
+
+ if [ -n "$AFFECTED" ]; then
+ echo "Affected projects: $AFFECTED"
+ else
+ echo "No affected projects found"
+ fi
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c556cc3fe357..2ecc9ef99801 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -103,7 +103,7 @@ jobs: id: install_dependencies - name: Check for Affected Nx Projects - uses: dkhunt27/action-nx-affected-list@v6.1 + uses: ./.github/actions/nx-affected-list id: checkForAffected if: github.event_name == 'pull_request' with:
From 2ed845c62af7a3240af1b322cee0f2cb7763f42e Mon Sep 17 00:00:00 2001
From: Francesco Gringl-Novy
Date: Fri, 24 Apr 2026 09:13:40 +0200
Subject: [PATCH 2/3] fix error handling
---
 .github/actions/nx-affected-list/action.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/actions/nx-affected-list/action.yml b/.github/actions/nx-affected-list/action.yml
index 841d9fa6ccea..8be22b3331cb 100644
--- a/.github/actions/nx-affected-list/action.yml
+++ b/.github/actions/nx-affected-list/action.yml
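Review bot: The `affected` output of the new action.yml (PATCH 1/3) is described only as a list of project names, but on `pull_request` runs (the `if:` on the calling step in build.yml) those names presumably come from project definitions in the checked-out branch, so the value should be documented as untrusted. I would extend the output description to something like `'Space-separated list of affected project names; derived from the workspace under test, so pass it to scripts via env, not inline expressions'`. The `tr`/`xargs` fold is what keeps the value on one line for the `name=value` write to `$GITHUB_OUTPUT`; a short comment above the `echo "affected=$AFFECTED"` line saying so would keep a later edit from removing it. The inline `${{ inputs.* }}` use in this hunk is already replaced by PATCH 3/3.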
@@ -21,11 +21,13 @@ runs:
 id: affected
 shell: bash
 run: |
+ set -euo pipefail
 ARGS=""
 if [ -n "${{ inputs.base }}" ]; then ARGS="$ARGS --base=${{ inputs.base }}"; fi
 if [ -n "${{ inputs.head }}" ]; then ARGS="$ARGS --head=${{ inputs.head }}"; fi

- AFFECTED=$(./node_modules/.bin/nx show projects --affected $ARGS 2>/dev/null | tr '\n' ' ' | xargs) || true
+ # Fail the step on nx/git errors so empty output cannot skip integration jobs silently.
+ AFFECTED=$(./node_modules/.bin/nx show projects --affected $ARGS | tr '\n' ' ' | xargs)
 echo "affected=$AFFECTED" >> "$GITHUB_OUTPUT"

 if [ -n "$AFFECTED" ]; then
From 2832b3716e66a06f5fd8b5df8caac1dd7ecca778 Mon Sep 17 00:00:00 2001
From: Francesco Gringl-Novy
Date: Fri, 24 Apr 2026 09:16:46 +0200
Subject: [PATCH 3/3] better security
---
 .github/actions/nx-affected-list/action.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/.github/actions/nx-affected-list/action.yml b/.github/actions/nx-affected-list/action.yml
index 8be22b3331cb..314386659540 100644
--- a/.github/actions/nx-affected-list/action.yml
+++ b/.github/actions/nx-affected-list/action.yml
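Review bot: With `pipefail` now on and `|| true` removed, the trailing `| xargs` in the `AFFECTED=` line becomes a failure point of its own: `xargs` treats quotes and backslashes as syntax, so a project name containing an unmatched quote would fail the step with an xargs error that does not point at nx. Failing closed is the right direction, but the whitespace fold does not need a tool that parses its input; `paste -sd' ' -` joins the lines without interpreting them, e.g. `AFFECTED=$(./node_modules/.bin/nx show projects --affected $ARGS | paste -sd' ' -)`. The same pipeline tail is kept in the rewritten line of PATCH 3/3. The `run:` script continues past the end of this hunk.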
@@ -20,14 +20,17 @@ runs:
 - name: Get affected Nx projects
 id: affected
 shell: bash
+ env:
+ INPUT_BASE: ${{ inputs.base }}
+ INPUT_HEAD: ${{ inputs.head }}
 run: |
 set -euo pipefail
- ARGS=""
- if [ -n "${{ inputs.base }}" ]; then ARGS="$ARGS --base=${{ inputs.base }}"; fi
- if [ -n "${{ inputs.head }}" ]; then ARGS="$ARGS --head=${{ inputs.head }}"; fi
+ extra_args=()
+ if [ -n "${INPUT_BASE:-}" ]; then extra_args+=(--base="$INPUT_BASE"); fi
+ if [ -n "${INPUT_HEAD:-}" ]; then extra_args+=(--head="$INPUT_HEAD"); fi

 # Fail the step on nx/git errors so empty output cannot skip integration jobs silently.
- AFFECTED=$(./node_modules/.bin/nx show projects --affected $ARGS | tr '\n' ' ' | xargs)
+ AFFECTED=$(./node_modules/.bin/nx show projects --affected "${extra_args[@]}" | tr '\n' ' ' | xargs)
 echo "affected=$AFFECTED" >> "$GITHUB_OUTPUT"

 if [ -n "$AFFECTED" ]; then
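Review bot: `INPUT_BASE` and `INPUT_HEAD` are still handed to nx unchecked in the two `extra_args+=` lines, although the inputs are documented as commit SHAs; a format check before use would reject anything else early, e.g. `[[ "$INPUT_BASE" =~ ^[0-9a-fA-F]{7,64}$ ]] || { echo "::error::base must be a commit SHA"; exit 1; }` and the same for head. This assumes callers only pass SHAs; the `with:` values in build.yml are outside the visible hunks, so confirm that before tightening. Separately, both inputs are optional, so `"${extra_args[@]}"` expands an empty array on the default path; under `set -u` that aborts on bash older than 4.4, and `${extra_args[@]+"${extra_args[@]}"}` removes the dependency on the runner's bash version.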