generated from kyma-project/template-repository
-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add bump-sec-scanners-config-reusable.yml (#56)
* add bump-sec-scanners-config-reusable.yml * fix seplling * add missing if-statements * fix typos * fix typo * add step to print out file content * fix typo * add version tag * address some review comments * handle closed PRs * exit 1 if pr was closed
- Loading branch information
1 parent
4bf48de
commit b34c71c
Showing
1 changed file
with
183 additions
and
0 deletions.
There are no files selected for viewing
183 changes: 183 additions & 0 deletions
183
.github/workflows/bump-sec-scanners-config-reusable.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,183 @@ | ||
| # This is a reusable workflow to bump the 'sec-scanners-config.yaml' | ||
| # | ||
| # It will do so by using the script `hack/scripts/render-sec-scanners-config.sh`, that is not part of the workflow. | ||
| # If you want to run this workflow against a repo the script must exist in that repo. This is by design, because every repo | ||
| # will require a specfic sec-scanners-config.yaml. | ||
| # | ||
| # The script `render-sec-scanners-config.sh` will in all cases require a version that is used to tag the corresponding image | ||
| # of the controller. For this reason, passing the input `version_tag` is required. | ||
| # | ||
| # To create a PR and monitor it, this workflow will require a classic github personal access token (pat) passed | ||
| # as a secret named `BOT_PAT`. The token must be configured to have all rights for `repo`, `user` and `workflow`. | ||
| # Further reads: | ||
| # Setting a secret for a repo: https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions | ||
| # | ||
| # If changes were done by the script, the workflow will create a PR and wait for it to be merged. | ||
| # The waiting will happen with a timeout that can be set via the input of `timeout`. The units are seconds. | ||
| # It has a default value of 3600 (seconds (= 1 hour)). Note that GitHub Action jobs will automatically fail after 6 hours: | ||
| # Further reads: | ||
| # Default limits for GitHub Actions: https://docs.github.com/en/actions/learn-github-actions/usage-limits-billing-and-administration#usage-limits | ||
| # | ||
| # Examples of using this workflow: | ||
| # 1. Set all awailable inputs and secrets. | ||
| # | ||
| # jobs: | ||
| # call-this-workflow: | ||
| # uses: kyma-project/eventing-tools/.github/workflows/bump-sec-scanners-config-reusable.yml@main | ||
| # with: | ||
| # version_tag: 2.3.4 | ||
| # timeout: 3600 # 1 hour | ||
| # secrets: | ||
| # BOT_PAT: ${{ secrets.my_pat }} | ||
| # | ||
| # 2. Minimal setup: | ||
| # | ||
| # jobs: | ||
| # call-this-workflow::working_dir: g | ||
| # uses: kyma-project/eventing-tools/.github/workflows/bump-sec-scanners-config-reusable.yml@main | ||
| # with: | ||
| # version_tag: 2.3.4 | ||
| # secrets: | ||
| # BOT_PAT: ${{ secrets.my_pat }} | ||
|
|
||
| name: bump sec-scanners-config.yaml (reusable) | ||
|
|
||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| version_tag: | ||
| required: true | ||
| type: string | ||
| description: The semantic version number, that will be used to tag the main image in the sec scanner config. | ||
| timeout: | ||
| required: false | ||
| type: number | ||
| description: The time in seconds this workflow will wait for a resulting PR to be merged. | ||
| default: 3600 # 1 hour | ||
| secrets: | ||
| BOT_PAT: | ||
| required: true | ||
|
|
||
| jobs: | ||
| bump: | ||
| name: Bump sec-scanners-config.yaml | ||
| runs-on: ubuntu-latest | ||
| env: | ||
| REPO: ${{ github.repository }} | ||
|
|
||
| steps: | ||
| - name: Checkout Code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Render sec-scanners-config.yaml | ||
| env: | ||
| VERSION_TAG: ${{ inputs.version_tag }} | ||
| shell: bash | ||
| # Where ever you use this workflow, the script hack/scripts/render-sec-scanners-config.sh must exist. | ||
| run: ./hack/scripts/render-sec-scanners-config.sh "${VERSION_TAG}" | ||
|
|
||
| # Check if there are changes so we can determin if all following steps can be skipped. | ||
| - name: Check For Changes | ||
| shell: bash | ||
| run: | | ||
| if [ -z "$(git status --porcelain)" ]; then | ||
| echo "No changes found. No need to create a PR" | ||
| else | ||
| echo "Changes found. Creating a PR and waiting for it to be merged." | ||
| echo "CREATE_PR=true" >> $GITHUB_ENV | ||
| fi | ||
| - name: Print Content of sec-scanners-config.yaml | ||
| if: ${{ always() }} | ||
| shell: bash | ||
| run: | | ||
| FILE="sec-scanners-config.yaml" | ||
| [ -f "${FILE}" ] && cat "${FILE}" || echo "${FILE} not found." | ||
| - name: Set Up Git | ||
| if: ${{ env.CREATE_PR == 'true' }} | ||
| env: | ||
| GH_TOKEN: ${{ secrets.BOT_PAT }} | ||
| shell: bash | ||
| run: | | ||
| # set git username | ||
| ghusername=$(curl -H "Authorization: token ${GH_TOKEN}" https://api.github.com/user) | ||
| git config user.name "${ghusername}" | ||
| # set git mail address | ||
| ghmailaddress=$(curl -H "Authorization: token ${GH_TOKEN}" https://api.github.com/email) | ||
| git config user.email "${ghmailaddress}" | ||
| # set remote url | ||
| git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git" | ||
| - name: Set All Variables | ||
| if: ${{ env.CREATE_PR == 'true' }} | ||
| shell: bash | ||
| run: | | ||
| CURRENT_BRANCH="$(git rev-parse --abbrev-ref HEAD)" | ||
| echo "current branch: ${CURRENT_BRANCH}" | ||
| echo "CURRENT_BRANCH=${CURRENT_BRANCH}" >> $GITHUB_ENV | ||
| PR_DATE="$(date '+%Y-%m-%d-%H-%M-%S')" | ||
| echo "pr date: ${PR_DATE}" | ||
| echo "PR_DATE=${PR_DATE}" >> $GITHUB_ENV | ||
| BRANCH_NAME="sec-scanners-bump-${CURRENT_BRANCH}-${PR_DATE}" | ||
| echo "name of the new branch: ${BRANCH_NAME}" | ||
| echo "BRANCH_NAME=${BRANCH_NAME}" >> $GITHUB_ENV | ||
| - name: Create a Pull Request | ||
| if: ${{ env.CREATE_PR == 'true' }} | ||
| env: | ||
| CURRENT_BRANCH: ${{ env.CURRENT_BRANCH }} | ||
| PR_DATE: ${{ env.PR_DATE }} | ||
| BRANCH_NAME: ${{ env.BRANCH_NAME }} | ||
| GH_TOKEN: ${{ secrets.BOT_PAT }} | ||
| shell: bash | ||
| run: | | ||
| # Create a new branch for our changes. | ||
| git checkout -b "${BRANCH_NAME}" | ||
| # Stage the changes to sec-scanner-config.yaml and create a commit. | ||
| git add sec-scanners-config.yaml | ||
| git commit -m "auto-bump sec-scanners-config: ${PR_DATE}" | ||
| # Push the changes to origin, as defined earlier. | ||
| git push origin "$BRANCH_NAME" | ||
| # Create a PR. | ||
| BODY="This is an auto-generated PR to bump the sec-scanners-config.yml on ${REPO}." | ||
| PR_URL=$(gh pr create --base "${CURRENT_BRANCH}" --head "${BRANCH_NAME}" --title "Bump sec-scanners-config on ${CURRENT_BRANCH}" --body "${BODY}") | ||
| echo "PR_URL=${PR_URL}" >> $GITHUB_ENV | ||
| - name: USER INTERACTION REQUIRED | ||
| if: ${{ env.CREATE_PR == 'true' }} | ||
| shell: bash | ||
| env: | ||
| PR_URL: ${{ env.PR_URL }} | ||
| run: | | ||
| echo "please review ${PR_URL}" | ||
| - name: Wait for PR to be Merged | ||
| if: ${{ env.CREATE_PR == 'true' }} | ||
| shell: bash | ||
| env: | ||
| TIMEOUT: ${{ inputs.timeout }} | ||
| PR_URL: ${{ env.PR_URL }} | ||
| GH_TOKEN: ${{ secrets.BOT_PAT }} | ||
| run: | | ||
| end_time=$((SECONDS+${TIMEOUT})) | ||
| while [ $SECONDS -lt $end_time ]; do | ||
| pr_state=$(gh pr view ${PR_URL} --json state --jq '.state') | ||
| if [ "$pr_state" == "CLOSED" ]; then | ||
| echo "ERROR! PR has been closed!" | ||
| exit 1 | ||
| elif [ "$pr_state" == "MERGED" ]; then | ||
| echo "PR has been merged!" | ||
| exit 0 | ||
| fi | ||
| sleep 10 | ||
| done | ||
| echo "Timeout reached. PR not merged within the specified time." | ||
| exit 1 |