(#69) Stopped managing /etc/security/opasswd in this module #27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# When a PR is closed, clean up any associated GitLab CI pipelines & branch | |
# | |
# * Cancels all GLCI pipelines associated with the PR HEAD ref (branch) | |
# * Removes the PR HEAD branch from the corresponding gitlab.com/org/ project | |
# | |
# ------------------------------------------------------------------------------ | |
# | |
# NOTICE: **This file is maintained with puppetsync** | |
# | |
# This file is updated automatically as part of a standardized asset baseline. | |
# | |
# The next baseline sync will overwrite any local changes to this file! | |
# | |
# ============================================================================== | |
# | |
# GitHub Action Secrets variables available for this pipeline: | |
# | |
# GitHub Secret variable Type Notes | |
# ------------------------ -------- ---------------------------------------- | |
# GITLAB_API_PRIVATE_TOKEN Secure Should have `api` scope | |
# GITLAB_API_URL Optional | |
# | |
# The secure vars will be filtered in GitHub Actions log output, and aren't | |
# provided to untrusted builds (i.e, triggered by PR from another repository) | |
# | |
# ------------------------------------------------------------------------------ | |
# | |
# https://docs.github.com/en/actions/reference/events-that-trigger-workflows | |
# | |
--- | |
name: PR GLCI Cleanup | |
on: | |
pull_request_target: | |
types: [closed] | |
jobs: | |
cleanup-glci-branch: | |
name: 'Clean up GLCI' | |
# This conditional provides an extra safety control, in case the workflow's | |
# `on` section is inadventently modified without considering the security | |
# implications. | |
if: github.event_name == 'pull_request_target' && github.event.action == 'closed' | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
repository: ${{ github.event.pull_request.head.repo.full_name }} | |
ref: ${{ github.event.pull_request.head.ref }} | |
- name: Trigger CI when user has Repo Permissions | |
env: | |
GITLAB_SERVER_URL: ${{ secrets.GITLAB_SERVER_URL }} # https://gitlab.com | |
GITLAB_API_URL: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4 | |
GITLAB_ORG: ${{ github.event.organization.login }} | |
GITLAB_API_PRIVATE_TOKEN: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }} | |
GIT_BRANCH: ${{ github.event.pull_request.head.ref }} | |
run: | | |
GITLAB_SERVER_URL="${GITLAB_SERVER_URL:-https://gitlab.com}" | |
GITLAB_API_URL="${GITLAB_API_URL:-${GITLAB_SERVER_URL}/api/v4}" | |
GIT_BRANCH="${GIT_BRANCH:-GITHUB_HEAD_REF}" | |
GITXXB_REPO_NAME="${GITHUB_REPOSITORY/$GITHUB_REPOSITORY_OWNER\//}" | |
GITLAB_PROJECT_ID="${GITLAB_ORG}%2F${GITXXB_REPO_NAME}" | |
# --http1.0 avoids an HTTP/2 load balancing issue when run from GA | |
CURL_CMD=(curl --http1.0 --fail --silent --show-error \ | |
--header "Authorization: Bearer $GITLAB_API_PRIVATE_TOKEN" \ | |
--header "Content-Type: application/json" \ | |
--header "Accept: application/json" \ | |
) | |
# Cancel any active/pending GitLab CI pipelines for the same project+branch | |
active_pipeline_ids=() | |
for pipe_status in created waiting_for_resource preparing pending running; do | |
echo " ---- checking for CI pipelines with status '$pipe_status' for project '$GITLAB_PROJECT_ID', branch '$GIT_BRANCH'" | |
url="${GITLAB_API_URL}/projects/${GITLAB_PROJECT_ID}/pipelines?ref=${GIT_BRANCH}&status=${pipe_status}" | |
active_pipelines="$("${CURL_CMD[@]}" "$url" | jq -r '.[] | .id , .web_url')" | |
active_pipeline_ids+=($(echo "$active_pipelines" | grep -E '^[0-9]*$')) | |
printf "$active_pipelines\n\n" | |
done | |
if [ "${#active_pipeline_ids[@]}" -gt 0 ]; then | |
printf "\nFound %s active pipeline ids:\n" "${#active_pipeline_ids[@]}" | |
echo "${active_pipeline_ids[@]}" | |
for pipe_id in "${active_pipeline_ids[@]}"; do | |
printf "\n ------ Cancelling pipeline ID %s...\n" "$pipe_id" | |
"${CURL_CMD[@]}" --request POST "${GITLAB_API_URL}/projects/${GITLAB_PROJECT_ID}/pipelines/${pipe_id}/cancel" | |
done | |
else | |
echo No active pipelines found | |
fi | |
echo "== Removing $GIT_BRANCH from gitlab" | |
git remote add gitlab "https://oauth2:${GITLAB_API_PRIVATE_TOKEN}@${GITLAB_SERVER_URL#*://}/${GITLAB_ORG}/${GITXXB_REPO_NAME}.git" | |
git push gitlab ":${GIT_BRANCH}" -f || : # attempt to un-weird GLCI's `changed` tracking | |
### examine_contexts: | |
### name: 'Examine Context contents' | |
### if: always() | |
### runs-on: ubuntu-latest | |
### steps: | |
### - name: Dump contexts | |
### env: | |
### GITHUB_CONTEXT: ${{ toJson(github) }} | |
### run: echo "$GITHUB_CONTEXT" | |
### run: echo "$ENV_CONTEXT" | |
### - name: Dump env vars | |
### run: env | sort | |