diff --git a/.github/workflows/bump-sec-scanners-config-reusable.yml b/.github/workflows/bump-sec-scanners-config-reusable.yml new file mode 100644 index 0000000..8bcc5e0 --- /dev/null +++ b/.github/workflows/bump-sec-scanners-config-reusable.yml @@ -0,0 +1,183 @@ +# This is a reusable workflow to bump the 'sec-scanners-config.yaml' +# +# It will do so by using the script `hack/scripts/render-sec-scanners-config.sh`, that is not part of the workflow. +# If you want to run this workflow against a repo the script must exist in that repo. This is by design, because every repo +# will require a specfic sec-scanners-config.yaml. +# +# The script `render-sec-scanners-config.sh` will in all cases require a version that is used to tag the corresponding image +# of the controller. For this reason, passing the input `version_tag` is required. +# +# To create a PR and monitor it, this workflow will require a classic github personal access token (pat) passed +# as a secret named `BOT_PAT`. The token must be configured to have all rights for `repo`, `user` and `workflow`. +# Further reads: +# Setting a secret for a repo: https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions +# +# If changes were done by the script, the workflow will create a PR and wait for it to be merged. +# The waiting will happen with a timeout that can be set via the input of `timeout`. The units are seconds. +# It has a default value of 3600 (seconds (= 1 hour)). Note that GitHub Action jobs will automatically fail after 6 hours: +# Further reads: +# Default limits for GitHub Actions: https://docs.github.com/en/actions/learn-github-actions/usage-limits-billing-and-administration#usage-limits +# +# Examples of using this workflow: +# 1. Set all awailable inputs and secrets. +# +# jobs: +# call-this-workflow: +# uses: kyma-project/eventing-tools/.github/workflows/bump-sec-scanners-config-reusable.yml@main +# with: +# version_tag: 2.3.4 +# timeout: 3600 # 1 hour +# secrets: +# BOT_PAT: ${{ secrets.my_pat }} +# +# 2. Minimal setup: +# +# jobs: +# call-this-workflow::working_dir: g +# uses: kyma-project/eventing-tools/.github/workflows/bump-sec-scanners-config-reusable.yml@main +# with: +# version_tag: 2.3.4 +# secrets: +# BOT_PAT: ${{ secrets.my_pat }} + +name: bump sec-scanners-config.yaml (reusable) + +on: + workflow_call: + inputs: + version_tag: + required: true + type: string + description: The semantic version number, that will be used to tag the main image in the sec scanner config. + timeout: + required: false + type: number + description: The time in seconds this workflow will wait for a resulting PR to be merged. + default: 3600 # 1 hour + secrets: + BOT_PAT: + required: true + +jobs: + bump: + name: Bump sec-scanners-config.yaml + runs-on: ubuntu-latest + env: + REPO: ${{ github.repository }} + + steps: + - name: Checkout Code + uses: actions/checkout@v4 + + - name: Render sec-scanners-config.yaml + env: + VERSION_TAG: ${{ inputs.version_tag }} + shell: bash + # Where ever you use this workflow, the script hack/scripts/render-sec-scanners-config.sh must exist. + run: ./hack/scripts/render-sec-scanners-config.sh "${VERSION_TAG}" + + # Check if there are changes so we can determin if all following steps can be skipped. + - name: Check For Changes + shell: bash + run: | + if [ -z "$(git status --porcelain)" ]; then + echo "No changes found. No need to create a PR" + else + echo "Changes found. Creating a PR and waiting for it to be merged." + echo "CREATE_PR=true" >> $GITHUB_ENV + fi + + - name: Print Content of sec-scanners-config.yaml + if: ${{ always() }} + shell: bash + run: | + FILE="sec-scanners-config.yaml" + [ -f "${FILE}" ] && cat "${FILE}" || echo "${FILE} not found." + + - name: Set Up Git + if: ${{ env.CREATE_PR == 'true' }} + env: + GH_TOKEN: ${{ secrets.BOT_PAT }} + shell: bash + run: | + # set git username + ghusername=$(curl -H "Authorization: token ${GH_TOKEN}" https://api.github.com/user) + git config user.name "${ghusername}" + # set git mail address + ghmailaddress=$(curl -H "Authorization: token ${GH_TOKEN}" https://api.github.com/email) + git config user.email "${ghmailaddress}" + # set remote url + git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git" + + - name: Set All Variables + if: ${{ env.CREATE_PR == 'true' }} + shell: bash + run: | + CURRENT_BRANCH="$(git rev-parse --abbrev-ref HEAD)" + echo "current branch: ${CURRENT_BRANCH}" + echo "CURRENT_BRANCH=${CURRENT_BRANCH}" >> $GITHUB_ENV + + PR_DATE="$(date '+%Y-%m-%d-%H-%M-%S')" + echo "pr date: ${PR_DATE}" + echo "PR_DATE=${PR_DATE}" >> $GITHUB_ENV + + BRANCH_NAME="sec-scanners-bump-${CURRENT_BRANCH}-${PR_DATE}" + echo "name of the new branch: ${BRANCH_NAME}" + echo "BRANCH_NAME=${BRANCH_NAME}" >> $GITHUB_ENV + + - name: Create a Pull Request + if: ${{ env.CREATE_PR == 'true' }} + env: + CURRENT_BRANCH: ${{ env.CURRENT_BRANCH }} + PR_DATE: ${{ env.PR_DATE }} + BRANCH_NAME: ${{ env.BRANCH_NAME }} + GH_TOKEN: ${{ secrets.BOT_PAT }} + shell: bash + run: | + # Create a new branch for our changes. + git checkout -b "${BRANCH_NAME}" + + # Stage the changes to sec-scanner-config.yaml and create a commit. + git add sec-scanners-config.yaml + git commit -m "auto-bump sec-scanners-config: ${PR_DATE}" + + # Push the changes to origin, as defined earlier. + git push origin "$BRANCH_NAME" + + # Create a PR. + BODY="This is an auto-generated PR to bump the sec-scanners-config.yml on ${REPO}." + PR_URL=$(gh pr create --base "${CURRENT_BRANCH}" --head "${BRANCH_NAME}" --title "Bump sec-scanners-config on ${CURRENT_BRANCH}" --body "${BODY}") + echo "PR_URL=${PR_URL}" >> $GITHUB_ENV + + - name: USER INTERACTION REQUIRED + if: ${{ env.CREATE_PR == 'true' }} + shell: bash + env: + PR_URL: ${{ env.PR_URL }} + run: | + echo "please review ${PR_URL}" + + - name: Wait for PR to be Merged + if: ${{ env.CREATE_PR == 'true' }} + shell: bash + env: + TIMEOUT: ${{ inputs.timeout }} + PR_URL: ${{ env.PR_URL }} + GH_TOKEN: ${{ secrets.BOT_PAT }} + run: | + end_time=$((SECONDS+${TIMEOUT})) + + while [ $SECONDS -lt $end_time ]; do + pr_state=$(gh pr view ${PR_URL} --json state --jq '.state') + if [ "$pr_state" == "CLOSED" ]; then + echo "ERROR! PR has been closed!" + exit 1 + elif [ "$pr_state" == "MERGED" ]; then + echo "PR has been merged!" + exit 0 + fi + sleep 10 + done + + echo "Timeout reached. PR not merged within the specified time." + exit 1