From 8f64034e815f88c154e118ab2ee431cd654bcea9 Mon Sep 17 00:00:00 2001
From: Marcin Stachniuk
Date: Tue, 17 Dec 2024 15:59:31 +0100
Subject: [PATCH 1/2] SONARGO-56 Add common CN Github workflows
---
 .github/workflows/bump-versions.yaml | 26 ++++++++++
 .github/workflows/dogfood.yml | 50 +++++++++++++++++++
 .../workflows/mark-stale-pull-requests.yml | 16 ++++++
 .github/workflows/rule-metadata-update.yml | 34 +++++++++++++
 4 files changed, 126 insertions(+)
 create mode 100644 .github/workflows/bump-versions.yaml
 create mode 100644 .github/workflows/dogfood.yml
 create mode 100644 .github/workflows/mark-stale-pull-requests.yml
 create mode 100644 .github/workflows/rule-metadata-update.yml
diff --git a/.github/workflows/bump-versions.yaml b/.github/workflows/bump-versions.yaml
new file mode 100644
index 0000000..252bc16
--- /dev/null
+++ b/.github/workflows/bump-versions.yaml
@@ -0,0 +1,26 @@
+name: bump-versions
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: The new version
+ required: true
+ type: string
+
+jobs:
+ bump-version:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write # write for peter-evans/create-pull-request, read for actions/checkout
+ pull-requests: write # write for peter-evans/create-pull-request
+ steps:
+ - uses: actions/checkout@v4
+ - run: |
+ sed -i 's/version=.*/version=${{ github.event.inputs.version }}/' gradle.properties
+ - uses: peter-evans/create-pull-request@v7
+ with:
+ author: ${{ github.actor }} <${{ github.actor }}>
+ commit-message: Prepare next development iteration
+ title: Prepare next development iteration
+ branch: bot/bump-project-version
+ branch-suffix: timestamp
diff --git a/.github/workflows/dogfood.yml b/.github/workflows/dogfood.yml
new file mode 100644
index 0000000..e225891
--- /dev/null
+++ b/.github/workflows/dogfood.yml
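Review bot: The `run:` step in bump-versions.yaml splices `${{ github.event.inputs.version }}` straight into the shell script and into the sed expression, so the input is parsed as shell and sed syntax rather than treated as data; only users allowed to dispatch the workflow can supply it, which limits the exposure, but it is still the expression-in-script pattern GitHub's hardening guidance asks to avoid. Pass it through the environment instead: add `env:` / `VERSION: ${{ github.event.inputs.version }}` to the step and use `sed -i "s/version=.*/version=${VERSION}/" gradle.properties` in the script, and consider rejecting values that do not match the expected version format, since a `/` or `&` in the value would still corrupt the sed replacement even via the environment. The two third-party actions here are pinned to mutable major tags (`actions/checkout@v4`, `peter-evans/create-pull-request@v7`) while the dogfood workflow in the same patch pins `SonarSource/gh-action_dogfood_merge` by commit SHA; pinning these by SHA as well would make the supply-chain posture consistent across the four workflows.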
@@ -0,0 +1,50 @@
+name: dogfood merge
+# This workflow is triggered on pushes to master and dogfood branches
+on:
+ push:
+ branches:
+ - master
+ - 'dogfood/*'
+
+env:
+ SLACK_CHANNEL: squad-cloud-notifs
+ SLACK_USERNAME: Dogfood build action
+
+jobs:
+ dogfood_merge:
+ runs-on: ubuntu-latest
+ name: Update dogfood branch
+ permissions:
+ id-token: write # required for SonarSource/vault-action-wrapper
+ steps:
+ - name: get secrets
+ id: secrets
+ uses: SonarSource/vault-action-wrapper@v3
+ with:
+ secrets: |
+ development/kv/data/slack webhook | SLACK_WEBHOOK;
+ development/github/token/{REPO_OWNER_NAME_DASH}-dogfood-merge token | dogfood_token;
+ - name: git octopus step
+ env:
+ GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).dogfood_token }}
+ id: dogfood
+ uses: SonarSource/gh-action_dogfood_merge@956e6de335578d0d301884414772b1bdb7234351
+ with:
+ dogfood-branch: 'dogfood-on-peach'
+ # Use the output from the `dogfood` step
+ - name: Get the name of the dogfood branch and its HEAD SHA1
+ run: echo "The dogfood branch was `${{ steps.dogfood.outputs.dogfood-branch }}` and its HEAD SHA1 was `${{ steps.dogfood.outputs.sha1 }}`"
+ # Slack notifications
+ - name: Notify success on Slack
+ uses: Ilshidur/action-slack@2.1.0
+ env:
+ SLACK_WEBHOOK: ${{ fromJSON(steps.secrets.outputs.vault).SLACK_WEBHOOK }}
+ with:
+ args: 'Dogfood build for `${{ steps.dogfood.outputs.sha1 }}`: *successful*'
+ - name: Notify failures on Slack
+ uses: Ilshidur/action-slack@2.1.0
+ if: failure()
+ env:
+ SLACK_WEBHOOK: ${{ fromJSON(steps.secrets.outputs.vault).SLACK_WEBHOOK }}
+ with:
+ args: 'Dogfood build for `${{ steps.dogfood.outputs.sha1 }}`: *failed*, see the logs at https://github.com/SonarSource/sonar-iac/actions'
diff --git a/.github/workflows/mark-stale-pull-requests.yml b/.github/workflows/mark-stale-pull-requests.yml
new file mode 100644
index 0000000..43a8747
--- /dev/null
+++ b/.github/workflows/mark-stale-pull-requests.yml
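Review bot: The `run: echo "The dogfood branch was `${{ … }}` …"` step wraps both step outputs in backticks inside a double-quoted bash string, and in bash backticks inside double quotes are command substitution: the expanded branch name and SHA are executed as commands, so the message will in practice print empty values with a "command not found" on stderr, and any shell metacharacters in those outputs would run on the runner. Because the `${{ }}` expressions are interpolated into the script before bash parses it, the outputs should be moved into `env:` and quoted with single quotes or `${VAR}` rather than backticks, as below. Separately, `Ilshidur/action-slack@2.1.0` receives the Slack webhook from Vault but is pinned to a mutable tag, unlike `SonarSource/gh-action_dogfood_merge` a few lines above, which is pinned to a commit SHA; pinning the Slack action by SHA would close that gap.

```yaml
      - name: Get the name of the dogfood branch and its HEAD SHA1
        env:
          DOGFOOD_BRANCH: ${{ steps.dogfood.outputs.dogfood-branch }}
          DOGFOOD_SHA1: ${{ steps.dogfood.outputs.sha1 }}
        run: echo "The dogfood branch was '${DOGFOOD_BRANCH}' and its HEAD SHA1 was '${DOGFOOD_SHA1}'"
```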
@@ -0,0 +1,16 @@
+name: Mark stale issues and PRs
+on:
+ schedule:
+ - cron: '30 1 * * *'
+
+jobs:
+ stale:
+ runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
+ steps:
+ - uses: actions/stale@v9
+ with:
+ days-before-stale: 60
+ days-before-close: 14
diff --git a/.github/workflows/rule-metadata-update.yml b/.github/workflows/rule-metadata-update.yml
new file mode 100644
index 0000000..f42de51
--- /dev/null
+++ b/.github/workflows/rule-metadata-update.yml
@@ -0,0 +1,34 @@
+name: rule-metadata-update
+on:
+ workflow_dispatch:
+
+jobs:
+ rule-metadata-update:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write # required by SonarSource/vault-action-wrapper
+ contents: write # write for peter-evans/create-pull-request, read for actions/checkout
+ pull-requests: write # write for peter-evans/create-pull-request
+ steps:
+ - uses: actions/checkout@v4
+ - name: Get vault secrets
+ id: secrets
+ uses: SonarSource/vault-action-wrapper@v3
+ with:
+ secrets: |
+ development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
+ development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader role | ARTIFACTORY_ROLE;
+ - uses: gradle/actions/setup-gradle@v4
+ - run: |
+ ./gradlew :ruleApiUpdate -PartifactoryUsername=${ARTIFACTORY_ROLE} -PartifactoryPassword=${ARTIFACTORY_ACCESS_TOKEN}
+ env:
+ ARTIFACTORY_ROLE: vault-${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ROLE }}
+ ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
+ - uses: peter-evans/create-pull-request@v7
+ with:
+ author: ${{ github.actor }} <${{ github.actor }}>
+ commit-message: Update rule metadata
+ title: Update rule metadata
+ base: master
+ branch: bot/rule-metadata-update
+ branch-suffix: timestamp
From f209474a396fb540f6d4e2fec0c36444caa80b63 Mon Sep 17 00:00:00 2001
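Review bot: The stale job grants `issues: write` and, with `actions/stale@v9` left at its defaults for everything but the two day counts, will mark and close issues as well as pull requests, although the file is named mark-stale-pull-requests.yml; if PRs are the intent, the issue side should be disabled so the job does not act on more than it needs to. Adding `days-before-issue-stale: -1` and `days-before-issue-close: -1` under `with:` turns the issue handling off, and `issues: write` can then presumably be dropped from `permissions:` — confirm the action still labels PRs with only `pull-requests: write` before removing it. If closing stale issues is intended, renaming the file to match its `name:` would remove the ambiguity instead.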
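Review bot: The gradle step in rule-metadata-update.yml puts the Artifactory token on the command line via `-PartifactoryPassword=${ARTIFACTORY_ACCESS_TOKEN}`, so the secret lands in the `./gradlew` process arguments, where it is readable by other processes on the runner and may be recorded by anything that logs the invoked command, even though the value is already present in the step environment. Gradle reads project properties from `ORG_GRADLE_PROJECT_<name>` environment variables, so the same two properties can be supplied without touching argv and the `env:` block becomes the only place the secret appears; this also removes the unquoted shell expansion of both values inside the `run:` script. The rewritten step is below.

```yaml
      - run: ./gradlew :ruleApiUpdate
        env:
          ORG_GRADLE_PROJECT_artifactoryUsername: vault-${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ROLE }}
          ORG_GRADLE_PROJECT_artifactoryPassword: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
```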
From: Marcin Stachniuk
Date: Wed, 18 Dec 2024 14:00:40 +0100
Subject: [PATCH 2/2] Code review remarks
---
 .github/workflows/dogfood.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/dogfood.yml b/.github/workflows/dogfood.yml
index e225891..3a2a369 100644
--- a/.github/workflows/dogfood.yml
+++ b/.github/workflows/dogfood.yml
@@ -47,4 +47,4 @@ jobs:
 env:
 SLACK_WEBHOOK: ${{ fromJSON(steps.secrets.outputs.vault).SLACK_WEBHOOK }}
 with:
- args: 'Dogfood build for `${{ steps.dogfood.outputs.sha1 }}`: *failed*, see the logs at https://github.com/SonarSource/sonar-iac/actions'
+ args: 'Dogfood build for `${{ steps.dogfood.outputs.sha1 }}`: *failed*, see the logs at https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID'
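Review bot: `$GITHUB_REPOSITORY` and `$GITHUB_RUN_ID` in the new `args:` value are not expanded by GitHub Actions itself: `with:` inputs only evaluate `${{ }}` expressions, and a `$VAR` reference is handed to the action verbatim, so unless `Ilshidur/action-slack` performs its own environment substitution the Slack message will contain the literal text `$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID`. Using the expression contexts removes that dependency on the action: `see the logs at https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}`. The enclosing step and job start above this hunk.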