Cleanup permissions for shipyard maintained repos #790
name: Fix | |
on: | |
pull_request_target: | |
branches: [master] | |
workflow_dispatch: | |
workflow_run: | |
workflows: | |
- "Apply" | |
types: | |
- completed | |
defaults: | |
run: | |
shell: bash | |
concurrency: | |
group: fix-${{ github.event.pull_request.number || github.ref }} | |
cancel-in-progress: true # we only care about the most recent fix run for any given PR/ref | |
jobs: | |
prepare: | |
# not starting for PRs if repo is private because we cannot write to private forks | |
if: github.event_name == 'workflow_dispatch' || | |
(github.event_name == 'pull_request_target' && | |
github.event.pull_request.head.repo.private == false) || | |
(github.event_name == 'workflow_run' && | |
github.event.workflow_run.conclusion == 'success') | |
permissions: | |
contents: read | |
pull-requests: read | |
name: Prepare | |
runs-on: ubuntu-latest | |
outputs: | |
workspaces: ${{ steps.workspaces.outputs.this }} | |
skip-fix: ${{ steps.skip-fix.outputs.this }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- if: github.event_name == 'pull_request_target' | |
env: | |
NUMBER: ${{ github.event.pull_request.number }} | |
SHA: ${{ github.event.pull_request.head.sha }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
git fetch origin "pull/${NUMBER}/head" | |
rm -rf github && git checkout "${SHA}" -- github | |
- name: Discover workspaces | |
id: workspaces | |
run: echo "this=$(ls github | jq --raw-input '[.[0:-4]]' | jq -sc add)" >> $GITHUB_OUTPUT | |
- name: Check last commit | |
id: skip-fix | |
env: | |
SHA: ${{ github.event.pull_request.head.sha || github.sha }} | |
run: | | |
# this workflow doesn't continue if the last commit has [skip fix] suffix or there are no user defined fix rules | |
if [[ "$(git log --format=%B -n 1 "${SHA}" | head -n 1)" == *"[skip fix]" ]] || ! test -f scripts/src/actions/fix-yaml-config.ts 2> /dev/null; then | |
echo "this=true" >> $GITHUB_OUTPUT | |
else | |
echo "this=false" >> $GITHUB_OUTPUT | |
fi | |
fix: | |
needs: [prepare] | |
if: needs.prepare.outputs.skip-fix == 'false' | |
permissions: | |
contents: read | |
pull-requests: write | |
strategy: | |
fail-fast: false | |
matrix: | |
workspace: ${{ fromJson(needs.prepare.outputs.workspaces || '[]') }} | |
name: Fix | |
runs-on: ubuntu-latest | |
env: | |
TF_IN_AUTOMATION: 1 | |
TF_INPUT: 0 | |
TF_WORKSPACE: ${{ matrix.workspace }} | |
AWS_ACCESS_KEY_ID: ${{ secrets.RO_AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.RO_AWS_SECRET_ACCESS_KEY }} | |
GITHUB_APP_ID: ${{ secrets.RO_GITHUB_APP_ID }} | |
GITHUB_APP_INSTALLATION_ID: ${{ secrets[format('RO_GITHUB_APP_INSTALLATION_ID_{0}', matrix.workspace)] || secrets.RO_GITHUB_APP_INSTALLATION_ID }} | |
GITHUB_APP_PEM_FILE: ${{ secrets.RO_GITHUB_APP_PEM_FILE }} | |
TF_VAR_write_delay_ms: 300 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- if: github.event_name == 'pull_request_target' | |
env: | |
NUMBER: ${{ github.event.pull_request.number }} | |
SHA: ${{ github.event.pull_request.head.sha }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
# only checking out github directory from the PR | |
git fetch origin "pull/${NUMBER}/head" | |
rm -rf github && git checkout "${SHA}" -- github | |
- name: Setup terraform | |
uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3 | |
with: | |
terraform_version: 1.2.9 | |
terraform_wrapper: false | |
- name: Initialize terraform | |
run: terraform init | |
working-directory: terraform | |
- name: Initialize scripts | |
run: npm ci && npm run build | |
working-directory: scripts | |
- name: Fix | |
id: fix | |
run: node lib/actions/fix-yaml-config.js | |
working-directory: scripts | |
- name: Upload YAML config | |
uses: actions/upload-artifact@v3 | |
with: | |
name: ${{ env.TF_WORKSPACE }}.yml | |
path: github/${{ env.TF_WORKSPACE }}.yml | |
if-no-files-found: error | |
retention-days: 1 | |
# NOTE(galargh, 2024-02-15): This will only work if GitHub as Code is used for a single organization | |
- name: Comment on pull request | |
if: github.event_name == 'pull_request_target' && steps.fix.outputs.comment | |
uses: marocchino/sticky-pull-request-comment@fcf6fe9e4a0409cd9316a5011435be0f3327f1e1 # v2.3.1 | |
with: | |
header: fix | |
number: ${{ github.event.pull_request.number }} | |
message: ${{ steps.fix.outputs.comment }} | |
push: | |
needs: [prepare, fix] | |
permissions: | |
contents: read | |
name: Push | |
runs-on: ubuntu-latest | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.RO_AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.RO_AWS_SECRET_ACCESS_KEY }} | |
steps: | |
- name: Generate app token | |
id: token | |
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0 | |
with: | |
app_id: ${{ secrets.RW_GITHUB_APP_ID }} | |
installation_id: ${{ secrets[format('RW_GITHUB_APP_INSTALLATION_ID_{0}', github.repository_owner)] || secrets.RW_GITHUB_APP_INSTALLATION_ID }} | |
private_key: ${{ secrets.RW_GITHUB_APP_PEM_FILE }} | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }} | |
ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
token: ${{ steps.token.outputs.token }} | |
path: head | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
path: base | |
- name: Download YAML configs | |
uses: actions/download-artifact@v3 | |
with: | |
path: artifacts | |
- name: Copy YAML configs | |
run: cp artifacts/**/*.yml head/github | |
- name: Check if github was modified | |
id: github-modified | |
run: | | |
if [ -z "$(git status --porcelain -- github)" ]; then | |
echo "this=false" >> $GITHUB_OUTPUT | |
else | |
echo "this=true" >> $GITHUB_OUTPUT | |
fi | |
working-directory: head | |
- uses: ./base/.github/actions/git-config-user | |
if: steps.github-modified.outputs.this == 'true' | |
- if: steps.github-modified.outputs.this == 'true' | |
run: | | |
git add --all -- github | |
git commit -m "fix@${GITHUB_RUN_ID} [skip fix]" | |
working-directory: head | |
- if: steps.github-modified.outputs.this == 'true' && github.event_name == 'pull_request_target' | |
env: | |
REF: ${{ github.event.pull_request.head.ref }} | |
run: | | |
git checkout -B "${REF}" | |
git push origin "${REF}" | |
working-directory: head | |
- if: steps.github-modified.outputs.this == 'true' && github.event_name != 'pull_request_target' | |
uses: ./base/.github/actions/git-push | |
env: | |
GITHUB_TOKEN: ${{ steps.token.outputs.token }} | |
with: | |
suffix: fix | |
working-directory: head |
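Review bot: The `Copy YAML configs` step relies on `**` in `cp artifacts/**/*.yml head/github`, but the file sets `defaults.run.shell: bash` and bash does not enable `globstar` by default, so `**` behaves exactly like `*` and only the one-level layout download-artifact happens to produce (`artifacts/<artifact>/<workspace>.yml`) is matched; a deeper or flatter artifact layout would silently copy nothing and the later `git status --porcelain -- github` check would report "not modified" rather than fail. Write what is actually meant, `run: cp artifacts/*/*.yml head/github`, or enable `shopt -s globstar` first if recursive matching is intended, and consider `if-no-files-found`-style strictness here too (e.g. failing when the glob expands to nothing). Separately, in the `fix` job the `github/` directory is taken from the PR head under `pull_request_target` while the `RO_*` AWS and GitHub App credentials are present in `env`; I would add a comment above that `env:` block such as `# github/*.yml below is PR-authored content; fix-yaml-config.js must treat it as untrusted input and these credentials are read-only by design`, since the workflow's intent is otherwise only recoverable from the secret names. The `$GITHUB_OUTPUT` redirections throughout are unquoted; `>> "$GITHUB_OUTPUT"` is the conventional form. Which of these lines are new in this PR is not visible on this page, so treat the points as applying to the file as it now stands.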