Skip to content

updating specs repo permissions #427

updating specs repo permissions

updating specs repo permissions #427

Workflow file for this run

name: Fix
on:
pull_request_target:
branches: [master]
workflow_dispatch:
workflow_run:
workflows:
- "Apply"
types:
- completed
defaults:
run:
shell: bash
concurrency:
group: fix-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true # we only care about the most recent fix run for any given PR/ref
jobs:
prepare:
# WARN: writing to private forks is not supported
if: github.event_name == 'workflow_dispatch' ||
github.event_name == 'pull_request_target' ||
(github.event_name == 'workflow_run' &&
github.event.workflow_run.conclusion == 'success')
permissions:
contents: read
pull-requests: read
name: Prepare
runs-on: ubuntu-latest
outputs:
workspaces: ${{ steps.workspaces.outputs.this }}
skip-fix: ${{ steps.skip-fix.outputs.this }}
steps:
- name: Checkout
uses: actions/checkout@v4
- if: github.event_name == 'pull_request_target'
env:
NUMBER: ${{ github.event.pull_request.number }}
SHA: ${{ github.event.pull_request.head.sha }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git fetch origin "pull/${NUMBER}/head"
rm -rf github && git checkout "${SHA}" -- github
- name: Discover workspaces
id: workspaces
run: echo "this=$(ls github | jq --raw-input '[.[0:-4]]' | jq -sc add)" >> $GITHUB_OUTPUT
- name: Check last commit
id: skip-fix
env:
SHA: ${{ github.event.pull_request.head.sha || github.sha }}
run: |
# this workflow doesn't continue if the last commit has [skip fix] suffix or there are no user defined fix rules
if [[ "$(git log --format=%B -n 1 "${SHA}" | head -n 1)" == *"[skip fix]" ]] || ! test -f scripts/src/actions/fix-yaml-config.ts 2> /dev/null; then
echo "this=true" >> $GITHUB_OUTPUT
else
echo "this=false" >> $GITHUB_OUTPUT
fi
fix:
needs: [prepare]
if: needs.prepare.outputs.skip-fix == 'false'
permissions:
contents: read
pull-requests: write
strategy:
fail-fast: false
matrix:
workspace: ${{ fromJson(needs.prepare.outputs.workspaces || '[]') }}
name: Fix
runs-on: ubuntu-latest
env:
TF_IN_AUTOMATION: 1
TF_INPUT: 0
TF_WORKSPACE: ${{ matrix.workspace }}
AWS_ACCESS_KEY_ID: ${{ secrets.RO_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.RO_AWS_SECRET_ACCESS_KEY }}
GITHUB_APP_ID: ${{ secrets.RO_GITHUB_APP_ID }}
GITHUB_APP_INSTALLATION_ID: ${{ secrets[format('RO_GITHUB_APP_INSTALLATION_ID_{0}', matrix.workspace)] || secrets.RO_GITHUB_APP_INSTALLATION_ID }}
GITHUB_APP_PEM_FILE: ${{ secrets.RO_GITHUB_APP_PEM_FILE }}
TF_VAR_write_delay_ms: 300
steps:
- name: Checkout
uses: actions/checkout@v4
- if: github.event_name == 'pull_request_target'
env:
NUMBER: ${{ github.event.pull_request.number }}
SHA: ${{ github.event.pull_request.head.sha }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# only checking out github directory from the PR
git fetch origin "pull/${NUMBER}/head"
rm -rf github && git checkout "${SHA}" -- github
- name: Setup terraform
uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
with:
terraform_version: 1.2.9
terraform_wrapper: false
- name: Initialize terraform
run: terraform init
working-directory: terraform
- name: Initialize scripts
run: npm ci && npm run build
working-directory: scripts
- name: Fix
id: fix
run: node lib/actions/fix-yaml-config.js
working-directory: scripts
- name: Upload YAML config
uses: actions/upload-artifact@v3
with:
name: ${{ env.TF_WORKSPACE }}.yml
path: github/${{ env.TF_WORKSPACE }}.yml
if-no-files-found: error
retention-days: 1
# NOTE(galargh, 2024-02-15): This will only work if GitHub as Code is used for a single organization
- name: Comment on pull request
if: github.event_name == 'pull_request_target' && steps.fix.outputs.comment
uses: marocchino/sticky-pull-request-comment@fcf6fe9e4a0409cd9316a5011435be0f3327f1e1 # v2.3.1
with:
header: fix
number: ${{ github.event.pull_request.number }}
message: ${{ steps.fix.outputs.comment }}
push:
needs: [prepare, fix]
permissions:
contents: read
name: Push
runs-on: ubuntu-latest
env:
AWS_ACCESS_KEY_ID: ${{ secrets.RO_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.RO_AWS_SECRET_ACCESS_KEY }}
steps:
- name: Generate app token
id: token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
with:
app_id: ${{ secrets.RW_GITHUB_APP_ID }}
installation_id: ${{ secrets[format('RW_GITHUB_APP_INSTALLATION_ID_{0}', github.repository_owner)] || secrets.RW_GITHUB_APP_INSTALLATION_ID }}
private_key: ${{ secrets.RW_GITHUB_APP_PEM_FILE }}
- name: Checkout
uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
ref: ${{ github.event.pull_request.head.sha || github.sha }}
token: ${{ steps.token.outputs.token }}
path: head
- name: Checkout
uses: actions/checkout@v4
with:
path: base
- name: Download YAML configs
uses: actions/download-artifact@v3
with:
path: artifacts
- name: Copy YAML configs
run: cp artifacts/**/*.yml head/github
- name: Check if github was modified
id: github-modified
run: |
if [ -z "$(git status --porcelain -- github)" ]; then
echo "this=false" >> $GITHUB_OUTPUT
else
echo "this=true" >> $GITHUB_OUTPUT
fi
working-directory: head
- uses: ./base/.github/actions/git-config-user
if: steps.github-modified.outputs.this == 'true'
- if: steps.github-modified.outputs.this == 'true'
run: |
git add --all -- github
git commit -m "fix@${GITHUB_RUN_ID} [skip fix]"
working-directory: head
- if: steps.github-modified.outputs.this == 'true' && github.event_name == 'pull_request_target'
env:
REF: ${{ github.event.pull_request.head.ref }}
run: |
git checkout -B "${REF}"
git push origin "${REF}"
working-directory: head
- if: steps.github-modified.outputs.this == 'true' && github.event_name != 'pull_request_target'
uses: ./base/.github/actions/git-push
env:
GITHUB_TOKEN: ${{ steps.token.outputs.token }}
with:
suffix: fix
working-directory: head