generated from ipdxco/github-as-code
-
Notifications
You must be signed in to change notification settings - Fork 26
190 lines (185 loc) · 7 KB
/
fix.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
name: Fix
on:
pull_request_target:
branches: [master]
workflow_dispatch:
workflow_run:
workflows:
- "Apply"
types:
- completed
defaults:
run:
shell: bash
concurrency:
group: fix-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true # we only care about the most recent fix run for any given PR/ref
jobs:
prepare:
# not starting for PRs if repo is private because we cannot write to private forks
if: github.event_name == 'workflow_dispatch' ||
(github.event_name == 'pull_request_target' &&
github.event.pull_request.head.repo.private == false) ||
(github.event_name == 'workflow_run' &&
github.event.workflow_run.conclusion == 'success')
permissions:
contents: read
pull-requests: read
name: Prepare
runs-on: ubuntu-latest
outputs:
workspaces: ${{ steps.workspaces.outputs.this }}
skip-fix: ${{ steps.skip-fix.outputs.this }}
steps:
- name: Checkout
uses: actions/checkout@v4
- if: github.event_name == 'pull_request_target'
env:
NUMBER: ${{ github.event.pull_request.number }}
SHA: ${{ github.event.pull_request.head.sha }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git fetch origin "pull/${NUMBER}/head"
rm -rf github && git checkout "${SHA}" -- github
- name: Discover workspaces
id: workspaces
run: echo "this=$(ls github | jq --raw-input '[.[0:-4]]' | jq -sc add)" >> $GITHUB_OUTPUT
- name: Check last commit
id: skip-fix
env:
SHA: ${{ github.event.pull_request.head.sha || github.sha }}
run: |
# this workflow doesn't continue if the last commit has [skip fix] suffix or there are no user defined fix rules
if [[ "$(git log --format=%B -n 1 "${SHA}" | head -n 1)" == *"[skip fix]" ]] || ! test -f scripts/src/actions/fix-yaml-config.ts 2> /dev/null; then
echo "this=true" >> $GITHUB_OUTPUT
else
echo "this=false" >> $GITHUB_OUTPUT
fi
fix:
needs: [prepare]
if: needs.prepare.outputs.skip-fix == 'false'
permissions:
contents: read
pull-requests: write
strategy:
fail-fast: false
matrix:
workspace: ${{ fromJson(needs.prepare.outputs.workspaces || '[]') }}
name: Fix
runs-on: ubuntu-latest
env:
TF_IN_AUTOMATION: 1
TF_INPUT: 0
TF_WORKSPACE: ${{ matrix.workspace }}
AWS_ACCESS_KEY_ID: ${{ secrets.RO_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.RO_AWS_SECRET_ACCESS_KEY }}
GITHUB_APP_ID: ${{ secrets.RO_GITHUB_APP_ID }}
GITHUB_APP_INSTALLATION_ID: ${{ secrets[format('RO_GITHUB_APP_INSTALLATION_ID_{0}', matrix.workspace)] || secrets.RO_GITHUB_APP_INSTALLATION_ID }}
GITHUB_APP_PEM_FILE: ${{ secrets.RO_GITHUB_APP_PEM_FILE }}
TF_VAR_write_delay_ms: 300
steps:
- name: Checkout
uses: actions/checkout@v4
- if: github.event_name == 'pull_request_target'
env:
NUMBER: ${{ github.event.pull_request.number }}
SHA: ${{ github.event.pull_request.head.sha }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# only checking out github directory from the PR
git fetch origin "pull/${NUMBER}/head"
rm -rf github && git checkout "${SHA}" -- github
- name: Setup terraform
uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
with:
terraform_version: 1.2.9
terraform_wrapper: false
- name: Initialize terraform
run: terraform init
working-directory: terraform
- name: Initialize scripts
run: npm ci && npm run build
working-directory: scripts
- name: Fix
id: fix
run: node lib/actions/fix-yaml-config.js
working-directory: scripts
- name: Upload YAML config
uses: actions/upload-artifact@v3
with:
name: ${{ env.TF_WORKSPACE }}.yml
path: github/${{ env.TF_WORKSPACE }}.yml
if-no-files-found: error
retention-days: 1
# NOTE(galargh, 2024-02-15): This will only work if GitHub as Code is used for a single organization
- name: Comment on pull request
if: github.event_name == 'pull_request_target' && steps.fix.outputs.comment
uses: marocchino/sticky-pull-request-comment@fcf6fe9e4a0409cd9316a5011435be0f3327f1e1 # v2.3.1
with:
header: fix
number: ${{ github.event.pull_request.number }}
message: ${{ steps.fix.outputs.comment }}
push:
needs: [prepare, fix]
permissions:
contents: read
name: Push
runs-on: ubuntu-latest
env:
AWS_ACCESS_KEY_ID: ${{ secrets.RO_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.RO_AWS_SECRET_ACCESS_KEY }}
steps:
- name: Generate app token
id: token
uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
with:
app_id: ${{ secrets.RW_GITHUB_APP_ID }}
installation_id: ${{ secrets[format('RW_GITHUB_APP_INSTALLATION_ID_{0}', github.repository_owner)] || secrets.RW_GITHUB_APP_INSTALLATION_ID }}
private_key: ${{ secrets.RW_GITHUB_APP_PEM_FILE }}
- name: Checkout
uses: actions/checkout@v4
with:
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
ref: ${{ github.event.pull_request.head.sha || github.sha }}
token: ${{ steps.token.outputs.token }}
path: head
- name: Checkout
uses: actions/checkout@v4
with:
path: base
- name: Download YAML configs
uses: actions/download-artifact@v3
with:
path: artifacts
- name: Copy YAML configs
run: cp artifacts/**/*.yml head/github
- name: Check if github was modified
id: github-modified
run: |
if [ -z "$(git status --porcelain -- github)" ]; then
echo "this=false" >> $GITHUB_OUTPUT
else
echo "this=true" >> $GITHUB_OUTPUT
fi
working-directory: head
- uses: ./base/.github/actions/git-config-user
if: steps.github-modified.outputs.this == 'true'
- if: steps.github-modified.outputs.this == 'true'
run: |
git add --all -- github
git commit -m "fix@${GITHUB_RUN_ID} [skip fix]"
working-directory: head
- if: steps.github-modified.outputs.this == 'true' && github.event_name == 'pull_request_target'
env:
REF: ${{ github.event.pull_request.head.ref }}
run: |
git checkout -B "${REF}"
git push origin "${REF}"
working-directory: head
- if: steps.github-modified.outputs.this == 'true' && github.event_name != 'pull_request_target'
uses: ./base/.github/actions/git-push
env:
GITHUB_TOKEN: ${{ steps.token.outputs.token }}
with:
suffix: fix
working-directory: head