From 70e0a922022b27bb282308d4723c1aa67a9ddc46 Mon Sep 17 00:00:00 2001
From: Mike Verbanic
Date: Fri, 23 Jun 2023 09:07:37 -0400
Subject: [PATCH] fix: enable signed commits from bot account
---
.github/workflows/update-checksums.yml | 241 +++++++++++++++++++++++--
1 file changed, 228 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/update-checksums.yml b/.github/workflows/update-checksums.yml
index da1d040..cf68d6a 100644
--- a/.github/workflows/update-checksums.yml
+++ b/.github/workflows/update-checksums.yml
@@ -12,8 +12,10 @@ # See the License for the specific language governing permissions and # limitations under the License. -name: 'Update Checksums File' +name: 'update-checksums-file' on: + # for testing only, to be removed before merging + pull_request: workflow_dispatch: schedule: - cron: '0 0 */1 * *' 
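Review bot: The unfiltered `pull_request:` trigger added under `on:` is marked "for testing only" and must be dropped before this merges; as written, any pull request run in which `env.CHANGES` is set mints a token with `contents: write` and `pull_requests: write` and pushes checksum commits to the shared `PR_BRANCH`, which the previous triggers (`workflow_dispatch` and the daily `schedule`) never did. The same applies to the `# this is temporary for testing inside pull request` blocks in the second hunk, which point `githubSHA` at `heads/main`. Renaming the workflow from `'Update Checksums File'` to `'update-checksums-file'` also changes the name shown for its runs, so any branch-protection or required-check rule that references the old name would need updating — I cannot see such rules from the patch.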
@@ -42,18 +44,231 @@ jobs: service_audience: '${{ vars.TOKEN_MINTER_SERVICE_AUDIENCE }}' service_url: '${{ vars.TOKEN_MINTER_SERVICE_URL }}' requested_permissions: '{"repositories":["secure-setup-terraform"],"permissions":{"pull_requests":"write","contents":"write"}}' + # Create a pull request branch using the GitHub API + - id: 'create-branch-ref' + if: '${{ env.CHANGES }}' + uses: 'actions/github-script@98814c53be79b1d30f795b907e553d8679345975' # ratchet:actions/github-script@v6 + with: + github-token: '${{ steps.mint-token.outputs.token }}' + result-encoding: 'string' + retries: '3' + script: |- + let githubSHA = "${{ github.sha }}"; + //const githubSHA = "${{ github.sha }}"; + const pullRequestPartialRef = `heads/${process.env.PR_BRANCH}`; + const pullRequestFullRef = `refs/${pullRequestPartialRef}`; + + // this is temporary for testing inside pull request + const { data: mainRef } = await github.rest.git.getRef({ + owner: context.repo.owner, + repo: context.repo.repo, + ref: `heads/main`, + }); + githubSHA = mainRef.object.sha; + + try { + core.info( + `Checking for existing pull request reference: + owner: ${context.repo.owner} + repo: ${context.repo.repo} + ref: ${pullRequestPartialRef} + ` + ); + + const { data: existingRef } = await github.rest.git.getRef({ + owner: context.repo.owner, + repo: context.repo.repo, + ref: pullRequestPartialRef, + }); + + return existingRef.object.sha; + } catch (err) { + if (err.status !== 404) { + core.setFailed("Failed to get existing pull request reference: ${err}"); + core.error(err); + process.exit(1); + } + core.info("Existing pull request reference not found"); + } + + try { + core.info( + `Creating new pull request reference: + owner: ${context.repo.owner} + repo: ${context.repo.repo} + ref: ${pullRequestFullRef} + sha: ${githubSHA} + ` + ); + + const newRef = await github.rest.git.createRef({ + owner: context.repo.owner, + repo: context.repo.repo, + ref: pullRequestFullRef, + sha: githubSHA, + }); + + return 
newRef.object.sha; + } catch (err) { + core.setFailed( + "Failed to create/update pull request branch reference: ${err}" + ); + core.error(err); + } + # Create a pull request for review - - id: 'create-pull-request' + # Use the GitHub API to ensure commits are signed + - id: 'create-commits' if: '${{ env.CHANGES }}' - uses: 'peter-evans/create-pull-request@b4d51739f96fca8047ad065eccef63442d8e99f7' # ratchet:peter-evans/create-pull-request@v4 + uses: 'actions/github-script@98814c53be79b1d30f795b907e553d8679345975' # ratchet:actions/github-script@v6 with: - token: '${{ steps.mint-token.outputs.token }}' - add-paths: 'terraform-checksums.json' - commit-message: 'chore: [automated] checksum updates' - committer: 'Token Minter ' - author: 'Token Minter ' - delete-branch: true - branch: '${{ env.PR_BRANCH }}' - title: 'chore: Terraform checksum updates for ${{ env.UPDATE_DATE }}' - body: |- - Adds Terraform binary checksums for ${{ env.CHANGES }} versions: ${{ env.VERSIONS }} + github-token: '${{ steps.mint-token.outputs.token }}' + retries: '3' + script: |- + try { + const fs = require("fs/promises"); + + const githubWorkspace = "${{ github.workspace }}"; + let githubSHA = "${{ github.sha }}"; + //const githubSHA = "${{ github.sha }}"; + const parentSHA = "${{ steps.create-branch-ref.outputs.result }}"; + const pullRequestPartialRef = `heads/${process.env.PR_BRANCH}`; + const pullRequestFullRef = `refs/${pullRequestPartialRef}`; + + // this is temporary for testing inside pull request + const { data: mainRef } = await github.rest.git.getRef({ + owner: context.repo.owner, + repo: context.repo.repo, + ref: `heads/main`, + }); + githubSHA = mainRef.object.sha; + + core.info(`Creating new tree: + owner: ${context.repo.owner} + repo: ${context.repo.repo} + base_tree: ${githubSHA} + `); + + // read the file content + const checksumFilePath = `${githubWorkspace}/terraform-checksums.json`; + const content = await fs.readFile(checksumFilePath, { encoding: "utf8" }); + + // 
create new git tree from the pr branch + const { data: tree } = await github.rest.git.createTree({ + owner: context.repo.owner, + repo: context.repo.repo, + base_tree: githubSHA, + tree: [ + { + path: "terraform-checksums.json", + mode: "100644", + type: "blob", + content: content, + }, + ], + }); + + core.debug("tree: ", tree); + + core.info(`Creating new commit: + owner: ${context.repo.owner} + repo: ${context.repo.repo} + parents: ${parentSHA} + tree: ${tree.sha} + `); + + // create a commit from on the git tree + const { data: commit } = await github.rest.git.createCommit({ + owner: context.repo.owner, + repo: context.repo.repo, + message: "chore: [automated] checksum updates", + parents: [parentSHA], + tree: tree.sha, + }); + + core.debug("commit: ", commit); + + core.info(`Updating PR branch ref + owner: ${context.repo.owner} + repo: ${context.repo.repo} + ref: ${pullRequestPartialRef} + sha: ${commit.sha} + `); + + // update the pr branch reference with the new git tree + await github.rest.git.updateRef({ + owner: context.repo.owner, + repo: context.repo.repo, + ref: pullRequestPartialRef, + sha: commit.sha, + }); + } catch (err) { + core.error(err); + core.setFailed("Failed to create commits for pull request branch: ${err}"); + } + + - name: 'create-or-update-pull-request' + if: '${{ env.CHANGES }}' + uses: 'actions/github-script@98814c53be79b1d30f795b907e553d8679345975' # ratchet:actions/github-script@v6 + with: + github-token: '${{ steps.mint-token.outputs.token }}' + retries: '3' + script: |- + try { + const headRef = process.env.PR_BRANCH; + const baseRef = "${{ github.event.repository.default_branch }}"; + //const baseRef = "${{ github.ref_name }}" + + const listResponse = await github.rest.pulls.list({ + owner: context.repo.owner, + repo: context.repo.repo, + state: "open", + head: context.repo.owner + ":" + process.env.PR_BRANCH, + base: process.env.DEFAULT_BRANCH, + }); + + core.debug(`listResponse: ${listResponse}`); + + if 
(!listResponse.data.length) { + core.info(`Creating pull request: + owner: ${context.repo.owner} + repo: ${context.repo.repo} + head: ${headRef} + base: ${baseRef} + `); + + const createResponse = await github.rest.pulls.create({ + owner: context.repo.owner, + repo: context.repo.repo, + head: headRef, + base: baseRef, + title: `chore: Terraform checksum updates for ${process.env.UPDATE_DATE}`, + body: `Adds Terraform binary checksums for ${process.env.CHANGES} versions: ${process.env.VERSIONS}`, + }); + + core.info( + `Created PR #${createResponse.data.number} at ${createResponse.data.html_url}` + ); + } else { + core.info(`Updating pull request: + owner: ${context.repo.owner} + repo: ${context.repo.repo} + pull_number: ${listResponse.data[0].number} + `); + + const updateResponse = await github.rest.pulls.update({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: listResponse.data[0].number, + title: `chore: Terraform checksum updates for ${process.env.UPDATE_DATE}`, + body: `Adds Terraform binary checksums for ${process.env.CHANGES} versions: ${process.env.VERSIONS}`, + }); + + core.info( + `Updated PR #${updateResponse.data.number} at ${updateResponse.data.html_url}` + ); + } + } catch (err) { + core.error(err); + core.setFailed(`Failed to create/update pull request: ${err}`); + }
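Review bot: The failure messages in `create-branch-ref` and `create-commits` are double-quoted strings, so `${err}` is never interpolated and the job annotation will literally read `... reference: ${err}`; use a template literal as the third step already does, e.g. `core.setFailed(\`Failed to get existing pull request reference: ${err}\`);`, and likewise at the create-ref catch and the create-commits catch. `core.debug("tree: ", tree)` and `core.debug("commit: ", commit)` pass a second argument that `core.debug` ignores, so the objects are never logged; `core.debug(\`tree: ${JSON.stringify(tree)}\`)` would. The two `// this is temporary for testing inside pull request` blocks that overwrite `githubSHA` with the tip of `heads/main` need to be reverted before merge, otherwise the tree is always built on `main` regardless of the commit the run was triggered for, and the commented-out `//const githubSHA` lines should go with them. Since `${{ github.sha }}`, `${{ github.workspace }}`, `${{ steps.create-branch-ref.outputs.result }}` and `${{ github.event.repository.default_branch }}` are expanded directly into JavaScript source, passing them through `env:` and reading `process.env`, as the script already does for `PR_BRANCH`, keeps expression values out of the code. In `create-or-update-pull-request`, `pulls.list` filters on `base: process.env.DEFAULT_BRANCH` while `pulls.create` uses `baseRef`; `DEFAULT_BRANCH` is not defined anywhere visible in the hunk (the enclosing `jobs:` block starts outside it), and if it is unset the base filter is silently dropped, so `base: baseRef` in both calls would be consistent.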