

fix: enable signed commits from bot account
verbanicm committed Jun 23, 2023
1 parent b5dcd94 commit 70e0a92
Showing 1 changed file with 228 additions and 13 deletions.
241 changes: 228 additions & 13 deletions .github/workflows/update-checksums.yml
Expand Up @@ -12,8 +12,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.

name: 'Update Checksums File'
name: 'update-checksums-file'
on:
# for testing only, to be removed before merging
pull_request:
workflow_dispatch:
schedule:
- cron: '0 0 */1 * *'
Expand Down Expand Up @@ -42,18 +44,231 @@ jobs:
service_audience: '${{ vars.TOKEN_MINTER_SERVICE_AUDIENCE }}'
service_url: '${{ vars.TOKEN_MINTER_SERVICE_URL }}'
requested_permissions: '{"repositories":["secure-setup-terraform"],"permissions":{"pull_requests":"write","contents":"write"}}'
# Create a pull request branch using the GitHub API
- id: 'create-branch-ref'
if: '${{ env.CHANGES }}'
uses: 'actions/github-script@98814c53be79b1d30f795b907e553d8679345975' # ratchet:actions/github-script@v6
with:
github-token: '${{ steps.mint-token.outputs.token }}'
result-encoding: 'string'
retries: '3'
script: |-
let githubSHA = "${{ github.sha }}";
//const githubSHA = "${{ github.sha }}";
const pullRequestPartialRef = `heads/${process.env.PR_BRANCH}`;
const pullRequestFullRef = `refs/${pullRequestPartialRef}`;
// this is temporary for testing inside pull request
const { data: mainRef } = await github.rest.git.getRef({
owner: context.repo.owner,
repo: context.repo.repo,
ref: `heads/main`,
});
githubSHA = mainRef.object.sha;
try {
core.info(
`Checking for existing pull request reference:
owner: ${context.repo.owner}
repo: ${context.repo.repo}
ref: ${pullRequestPartialRef}
`
);
const { data: existingRef } = await github.rest.git.getRef({
owner: context.repo.owner,
repo: context.repo.repo,
ref: pullRequestPartialRef,
});
return existingRef.object.sha;
} catch (err) {
if (err.status !== 404) {
core.setFailed("Failed to get existing pull request reference: ${err}");
core.error(err);
process.exit(1);
}
core.info("Existing pull request reference not found");
}
try {
core.info(
`Creating new pull request reference:
owner: ${context.repo.owner}
repo: ${context.repo.repo}
ref: ${pullRequestFullRef}
sha: ${githubSHA}
`
);
const newRef = await github.rest.git.createRef({
owner: context.repo.owner,
repo: context.repo.repo,
ref: pullRequestFullRef,
sha: githubSHA,
});
return newRef.object.sha;
} catch (err) {
core.setFailed(
"Failed to create/update pull request branch reference: ${err}"
);
core.error(err);
}
# Create a pull request for review
- id: 'create-pull-request'
# Use the GitHub API to ensure commits are signed
- id: 'create-commits'
if: '${{ env.CHANGES }}'
uses: 'peter-evans/create-pull-request@b4d51739f96fca8047ad065eccef63442d8e99f7' # ratchet:peter-evans/create-pull-request@v4
uses: 'actions/github-script@98814c53be79b1d30f795b907e553d8679345975' # ratchet:actions/github-script@v6
with:
token: '${{ steps.mint-token.outputs.token }}'
add-paths: 'terraform-checksums.json'
commit-message: 'chore: [automated] checksum updates'
committer: 'Token Minter <abcxyz-token-minter-github-app@google.com>'
author: 'Token Minter <abcxyz-token-minter-github-app@google.com>'
delete-branch: true
branch: '${{ env.PR_BRANCH }}'
title: 'chore: Terraform checksum updates for ${{ env.UPDATE_DATE }}'
body: |-
Adds Terraform binary checksums for ${{ env.CHANGES }} versions: ${{ env.VERSIONS }}
github-token: '${{ steps.mint-token.outputs.token }}'
retries: '3'
script: |-
try {
const fs = require("fs/promises");
const githubWorkspace = "${{ github.workspace }}";
let githubSHA = "${{ github.sha }}";
//const githubSHA = "${{ github.sha }}";
const parentSHA = "${{ steps.create-branch-ref.outputs.result }}";
const pullRequestPartialRef = `heads/${process.env.PR_BRANCH}`;
const pullRequestFullRef = `refs/${pullRequestPartialRef}`;
// this is temporary for testing inside pull request
const { data: mainRef } = await github.rest.git.getRef({
owner: context.repo.owner,
repo: context.repo.repo,
ref: `heads/main`,
});
githubSHA = mainRef.object.sha;
core.info(`Creating new tree:
owner: ${context.repo.owner}
repo: ${context.repo.repo}
base_tree: ${githubSHA}
`);
// read the file content
const checksumFilePath = `${githubWorkspace}/terraform-checksums.json`;
const content = await fs.readFile(checksumFilePath, { encoding: "utf8" });
// create new git tree from the pr branch
const { data: tree } = await github.rest.git.createTree({
owner: context.repo.owner,
repo: context.repo.repo,
base_tree: githubSHA,
tree: [
{
path: "terraform-checksums.json",
mode: "100644",
type: "blob",
content: content,
},
],
});
core.debug("tree: ", tree);
core.info(`Creating new commit:
owner: ${context.repo.owner}
repo: ${context.repo.repo}
parents: ${parentSHA}
tree: ${tree.sha}
`);
// create a commit from on the git tree
const { data: commit } = await github.rest.git.createCommit({
owner: context.repo.owner,
repo: context.repo.repo,
message: "chore: [automated] checksum updates",
parents: [parentSHA],
tree: tree.sha,
});
core.debug("commit: ", commit);
core.info(`Updating PR branch ref
owner: ${context.repo.owner}
repo: ${context.repo.repo}
ref: ${pullRequestPartialRef}
sha: ${commit.sha}
`);
// update the pr branch reference with the new git tree
await github.rest.git.updateRef({
owner: context.repo.owner,
repo: context.repo.repo,
ref: pullRequestPartialRef,
sha: commit.sha,
});
} catch (err) {
core.error(err);
core.setFailed("Failed to create commits for pull request branch: ${err}");
}
- name: 'create-or-update-pull-request'
if: '${{ env.CHANGES }}'
uses: 'actions/github-script@98814c53be79b1d30f795b907e553d8679345975' # ratchet:actions/github-script@v6
with:
github-token: '${{ steps.mint-token.outputs.token }}'
retries: '3'
script: |-
try {
const headRef = process.env.PR_BRANCH;
const baseRef = "${{ github.event.repository.default_branch }}";
//const baseRef = "${{ github.ref_name }}"
const listResponse = await github.rest.pulls.list({
owner: context.repo.owner,
repo: context.repo.repo,
state: "open",
head: context.repo.owner + ":" + process.env.PR_BRANCH,
base: process.env.DEFAULT_BRANCH,
});
core.debug(`listResponse: ${listResponse}`);
if (!listResponse.data.length) {
core.info(`Creating pull request:
owner: ${context.repo.owner}
repo: ${context.repo.repo}
head: ${headRef}
base: ${baseRef}
`);
const createResponse = await github.rest.pulls.create({
owner: context.repo.owner,
repo: context.repo.repo,
head: headRef,
base: baseRef,
title: `chore: Terraform checksum updates for ${process.env.UPDATE_DATE}`,
body: `Adds Terraform binary checksums for ${process.env.CHANGES} versions: ${process.env.VERSIONS}`,
});
core.info(
`Created PR #${createResponse.data.number} at ${createResponse.data.html_url}`
);
} else {
core.info(`Updating pull request:
owner: ${context.repo.owner}
repo: ${context.repo.repo}
pull_number: ${listResponse.data[0].number}
`);
const updateResponse = await github.rest.pulls.update({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: listResponse.data[0].number,
title: `chore: Terraform checksum updates for ${process.env.UPDATE_DATE}`,
body: `Adds Terraform binary checksums for ${process.env.CHANGES} versions: ${process.env.VERSIONS}`,
});
core.info(
`Updated PR #${updateResponse.data.number} at ${updateResponse.data.html_url}`
);
}
} catch (err) {
core.error(err);
core.setFailed(`Failed to create/update pull request: ${err}`);
}
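Review bot: The failure messages in the two new github-script steps are plain double-quoted strings, so in `core.setFailed("Failed to get existing pull request reference: ${err}");`, the matching line in the create-branch-ref catch, and `core.setFailed("Failed to create commits for pull request branch: ${err}");` the `${err}` is written out literally and the real error never reaches the job summary; switch them to template literals, as the last step's `Failed to create/update pull request: ${err}` already does. In the same vein, `core.debug("tree: ", tree)` and `core.debug("commit: ", commit)` accept only one string argument, so the object is dropped; `core.debug(JSON.stringify(tree))` would actually log it. Separately, both scripts still carry the block commented "this is temporary for testing" that replaces `githubSHA` with the head of `heads/main`, and the first hunk adds a `pull_request:` trigger marked "to be removed before merging"; since these steps run with a minted token that requests `contents:write` and `pull_requests:write`, it would be worth either dropping the trigger and override before merge or confirming that the mint-token step (which starts outside this hunk) only succeeds on trusted events. The enclosing `jobs:` block and its earlier steps begin before this hunk.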
