sentry/.github/workflows/visual-diff.yml

name: visual diff
on:
  # This allows PRs opened from forks to execute the Visual Snapshots
  # since secrets are not passed to workflows when triggered via forks
  # Using workflow_run is less preferred since it executes even when jobs
  # do not pass
  workflow_run:
    workflows:
      - acceptance
    types:
      - completed

jobs:
  files-changed:
    name: detect what files changed
    runs-on: ubuntu-20.04
    timeout-minutes: 3
    # Map a step output to a job output
    outputs:
      acceptance: ${{ steps.changes.outputs.acceptance }}
    steps:
      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8  # v3.1.0

      - name: Check for files changed
        uses: getsentry/paths-filter@4512585405083f25c027a35db413c2b3b9006d50  # v2.11.1
        id: changes
        with:
          token: ${{ github.token }}
          filters: .github/file-filters.yml

  visual-diff:
    needs: files-changed
    # Only execute this check when a PR is opened from a fork rather than the upstream repo
    if: github.event.workflow_run.head_repository.full_name != 'getsentry/sentry' && needs.files-changed.outputs.acceptance == 'true'
    runs-on: ubuntu-20.04
    timeout-minutes: 20

    steps:
      - name: Diff snapshots
        id: visual-snapshots-diff
        uses: getsentry/action-visual-snapshot@5811b6c34e1ec3b9fc30613d4b55ef740fec6086  # main
        with:
          api-token: ${{ secrets.VISUAL_SNAPSHOT_SECRET }}
          gcs-bucket: 'sentry-visual-snapshots'
          gcp-service-account-key: ${{ secrets.SNAPSHOT_GOOGLE_SERVICE_ACCOUNT_KEY }}