SONARGO-56 Add common CN Github workflows (#51)

SonarSource · Dec 18, 2024 · 0850e67 · 0850e67
1 parent a94cbbd
commit 0850e67
Show file tree

Hide file tree

Showing 4 changed files with 126 additions and 0 deletions.
diff --git a/.github/workflows/bump-versions.yaml b/.github/workflows/bump-versions.yaml
@@ -0,0 +1,26 @@
+name: bump-versions
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: The new version
+        required: true
+        type: string
+
+jobs:
+  bump-version:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # write for peter-evans/create-pull-request, read for actions/checkout
+      pull-requests: write # write for peter-evans/create-pull-request
+    steps:
+      - uses: actions/checkout@v4
+      - run: |
+          sed -i 's/version=.*/version=${{ github.event.inputs.version }}/' gradle.properties
+      - uses: peter-evans/create-pull-request@v7
+        with:
+          author: ${{ github.actor }} <${{ github.actor }}>
+          commit-message: Prepare next development iteration
+          title: Prepare next development iteration
+          branch: bot/bump-project-version
+          branch-suffix: timestamp
diff --git a/.github/workflows/dogfood.yml b/.github/workflows/dogfood.yml
@@ -0,0 +1,50 @@
+name: dogfood merge
+# This workflow is triggered on pushes to master and dogfood branches
+on:
+  push:
+    branches:
+      - master
+      - 'dogfood/*'
+
+env:
+  SLACK_CHANNEL: squad-cloud-notifs
+  SLACK_USERNAME: Dogfood build action
+
+jobs:
+  dogfood_merge:
+    runs-on: ubuntu-latest
+    name: Update dogfood branch
+    permissions:
+      id-token: write # required for SonarSource/vault-action-wrapper
+    steps:
+      - name: get secrets
+        id: secrets
+        uses: SonarSource/vault-action-wrapper@v3
+        with:
+          secrets: |
+            development/kv/data/slack webhook | SLACK_WEBHOOK;
+            development/github/token/{REPO_OWNER_NAME_DASH}-dogfood-merge token | dogfood_token;
+      - name: git octopus step
+        env:
+          GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).dogfood_token }}
+        id: dogfood
+        uses: SonarSource/gh-action_dogfood_merge@956e6de335578d0d301884414772b1bdb7234351
+        with:
+          dogfood-branch: 'dogfood-on-peach'
+      # Use the output from the `dogfood` step
+      - name: Get the name of the dogfood branch and its HEAD SHA1
+        run: echo "The dogfood branch was `${{ steps.dogfood.outputs.dogfood-branch }}` and its HEAD SHA1 was `${{ steps.dogfood.outputs.sha1 }}`"
+      # Slack notifications
+      - name: Notify success on Slack
+        uses: Ilshidur/[email protected]
+        env:
+          SLACK_WEBHOOK: ${{ fromJSON(steps.secrets.outputs.vault).SLACK_WEBHOOK }}
+        with:
+          args: 'Dogfood build for `${{ steps.dogfood.outputs.sha1 }}`: *successful*'
+      - name: Notify failures on Slack
+        uses: Ilshidur/[email protected]
+        if: failure()
+        env:
+          SLACK_WEBHOOK: ${{ fromJSON(steps.secrets.outputs.vault).SLACK_WEBHOOK }}
+        with:
+          args: 'Dogfood build for `${{ steps.dogfood.outputs.sha1 }}`: *failed*, see the logs at https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID'
diff --git a/.github/workflows/mark-stale-pull-requests.yml b/.github/workflows/mark-stale-pull-requests.yml
@@ -0,0 +1,16 @@
+name: Mark stale issues and PRs
+on:
+  schedule:
+    - cron: '30 1 * * *'
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v9
+        with:
+          days-before-stale: 60
+          days-before-close: 14
diff --git a/.github/workflows/rule-metadata-update.yml b/.github/workflows/rule-metadata-update.yml
@@ -0,0 +1,34 @@
+name: rule-metadata-update
+on:
+  workflow_dispatch:
+
+jobs:
+  rule-metadata-update:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write     # required by SonarSource/vault-action-wrapper
+      contents: write # write for peter-evans/create-pull-request, read for actions/checkout
+      pull-requests: write # write for peter-evans/create-pull-request
+    steps:
+      - uses: actions/checkout@v4
+      - name: Get vault secrets
+        id: secrets
+        uses: SonarSource/vault-action-wrapper@v3
+        with:
+          secrets: |
+            development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
+            development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader role | ARTIFACTORY_ROLE;
+      - uses: gradle/actions/setup-gradle@v4
+      - run: |
+          ./gradlew :ruleApiUpdate -PartifactoryUsername=${ARTIFACTORY_ROLE} -PartifactoryPassword=${ARTIFACTORY_ACCESS_TOKEN}
+        env:
+          ARTIFACTORY_ROLE: vault-${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ROLE }}
+          ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
+      - uses: peter-evans/create-pull-request@v7
+        with:
+          author: ${{ github.actor }} <${{ github.actor }}>
+          commit-message: Update rule metadata
+          title: Update rule metadata
+          base: master
+          branch: bot/rule-metadata-update
+          branch-suffix: timestamp