From de83502165cfa2b813181d6b7f8f0358b871ab83 Mon Sep 17 00:00:00 2001
From: Jeff Widman <jeff@jeffwidman.com>
Date: Wed, 2 Nov 2022 14:24:34 -0700
Subject: [PATCH] Check for uncommitted files beyond `dist/` directory

This checks for _any_ delta in the git repo, not just the `dist/`
directory. Any change should fail CI until it's either committed or
added to `.gitignore`.

Additionally, I clarified the script name/code slightly to explain why
it's needed/handled separately from checking for uncommitted files.
---
 .../{check-dist.yml => check-uncommitted.yml}  | 18 +++++++++++++++---
 bin/check-build-output-in-dist-directory       | 14 ++++++++++++++
 bin/check-diff                                 | 11 -----------
 3 files changed, 29 insertions(+), 14 deletions(-)
 rename .github/workflows/{check-dist.yml => check-uncommitted.yml} (54%)
 create mode 100755 bin/check-build-output-in-dist-directory
 delete mode 100755 bin/check-diff

diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-uncommitted.yml
similarity index 54%
rename from .github/workflows/check-dist.yml
rename to .github/workflows/check-uncommitted.yml
index c86707bd..aeba4e16 100644
--- a/.github/workflows/check-dist.yml
+++ b/.github/workflows/check-uncommitted.yml
@@ -1,4 +1,4 @@
-name: Check dist
+name: Check for uncommitted files
 
 on:
   pull_request:
@@ -8,7 +8,8 @@ on:
       - 'releases/*'
 
 jobs:
-  verify-build: # make sure the checked in dist/ folder matches the output of a rebuild
+  # This ensures a rebuild matches the checked-in dist/ folder
+  verify-build:
     runs-on: ubuntu-latest
 
     steps:
@@ -28,4 +29,15 @@ jobs:
         run: npm run build
 
       - name: Compare the expected and actual dist/ directories
-        run: bin/check-diff
+        run: bin/check-build-output-in-dist-directory
+
+  check-for-uncommitted-files:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Compare the expected vs actual files
+        run: test -z "$(git status --porcelain)"
diff --git a/bin/check-build-output-in-dist-directory b/bin/check-build-output-in-dist-directory
new file mode 100755
index 00000000..833d62b8
--- /dev/null
+++ b/bin/check-build-output-in-dist-directory
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Make sure we notice any untracked files generated by the build in the dist/ directory
+git add --intent-to-add .
+git diff --quiet dist/
+retVal=$?
+if [ $retVal -ne 0 ]; then
+  echo "Detected uncommitted changes after build:"
+  # The contents of the diff/ folder are marked as generated:
+  # https://github.com/dependabot/fetch-metadata/blob/6c2bf2fe33cc133b474165107a8b29ccc265dc96/.gitattributes#L1
+  # so this ensures we spit out the actual change in the obfuscated JS.
+  git --no-pager diff dist/
+  exit 1
+fi
diff --git a/bin/check-diff b/bin/check-diff
deleted file mode 100755
index c68ccf20..00000000
--- a/bin/check-diff
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-
-# Make sure we notice any untracked files generated by the build
-git add --intent-to-add .
-git diff --quiet dist/
-retVal=$?
-if [ $retVal -ne 0 ]; then
-  echo "Detected uncommitted changes after build:"
-  git --no-pager diff dist/
-  exit 1
-fi