-
Notifications
You must be signed in to change notification settings - Fork 242
190 lines (168 loc) · 10.1 KB
/
run_update_opa.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
name: Update OPA executable version if necessary
# Run this workflow M-F at 2:11 a.m UTC 10:11 p.m Eastern Daylight Time
on:
schedule:
- cron: "11 2 * * 1-5"
workflow_dispatch:
permissions: read-all
jobs:
update-opa-dependency:
runs-on: windows-latest
permissions:
contents: write
pull-requests: write
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Determine if OPA update is required
id: determine-update-required
continue-on-error: true
shell: powershell
run: |
$UpdateRequired = $false
$LatestOPAVersion = Invoke-RestMethod -Uri "https://api.github.com/repos/open-policy-agent/opa/releases/latest" | Select-Object -ExpandProperty tag_name
$LatestOPAVersion = $LatestOPAVersion -replace "v", ""
# Check if there is already an update branch
$OPAVersionBumpBranch = "opa-version-bump-$($LatestOPAVersion)"
$Temp = git ls-remote --exit-code --heads origin $OPAVersionBumpBranch
$OPAVersionBranchExists = $false
if ($LASTEXITCODE -eq 0) {
$OPAVersionBranchExists = $true
}
# Check if our current OPA version is outdated
$OPAVersionPath = '.\PowerShell\ScubaGear\Modules\Support\Support.psm1'
$OPAVerRegex = "\'\d+\.\d+\.\d+\'"
$ExpectedVersionPattern = "ExpectedVersion = $OPAVerRegex"
$SupportModule = Get-Content $OPAVersionPath -Raw
# Find our current OPA version using some dirty string
# manipulation
$ScubaConfigPath = '.\PowerShell\ScubaGear\Modules\ScubaConfig\ScubaConfig.psm1'
$OPAVerRegex = "\'\d+\.\d+\.\d+\'"
$DefaultVersionPattern = "DefaultOPAVersion = $OPAVerRegex"
$ScubaConfigModule = Get-Content $ScubaConfigPath -Raw
$CurrentOPAVersion = '0.0.0'
if ($ScubaConfigModule -match $DefaultVersionPattern) {
$CurrentOPAVersion = ($Matches[0] -split "=")[1] -replace " ", ""
$CurrentOPAVersion = $CurrentOPAVersion -replace "'", ""
}
if (($LatestOPAVersion -gt $CurrentOPAVersion) -and (-not $OPAVersionBranchExists)) {
$UpdateRequired = $true
}
if ($UpdateRequired) {
Write-Output "OPA version update required."
}
else {
Write-Output "OPA version update is not required. Update branch already exists or OPA version is already up to date."
}
Write-Output "Current ScubaGear default OPA Version: v$($CurrentOPAVersion) Latest OPA version: v$($LatestOPAVersion)"
# pass variables to the next steps
echo latestopaversion=$LatestOPAVersion >> $env:GITHUB_OUTPUT
echo opaversionbumpbranch=$OPAVersionBumpBranch >> $env:GITHUB_OUTPUT
echo updaterequired=$UpdateRequired >> $env:GITHUB_OUTPUT
echo currentopaversion=$CurrentOPAVersion >> $env:GITHUB_OUTPUT
# Note that git-ls will always fail with exit code 1 when the branch does not exist.
# Setting exit 0 (success) at the end of this workflow to prevent that error
exit 0
- name: Update OPA version in ScubaGear
id: update-opa-version
if: steps.determine-update-required.outputs.updaterequired == 'true'
run: |
$LatestOPAVersion = "${{ steps.determine-update-required.outputs.latestopaversion }}"
$CurrentOPAVersion = "${{ steps.determine-update-required.outputs.currentopaversion }}"
# Replace Default version in Config Module
$ScubaConfigPath = '.\PowerShell\ScubaGear\Modules\ScubaConfig\ScubaConfig.psm1'
$OPAVerRegex = "\'\d+\.\d+\.\d+\'"
$DefaultVersionPattern = "DefaultOPAVersion = $OPAVerRegex"
$ScubaConfigModule = Get-Content $ScubaConfigPath -Raw
if ($ScubaConfigModule -match $DefaultVersionPattern) {
$Content = $ScubaConfigModule -replace $DefaultVersionPattern, "DefaultOPAVersion = '$LatestOPAVersion'"
Set-Content -Path $ScubaConfigPath -Value $Content -NoNewline
}
else {
throw "Fatal Error: Couldn't find the default OPA version in the ScubaConfig."
}
# Update Acceptable Versions in Support Module
$SupportModulePath = '.\PowerShell\ScubaGear\Modules\Support\Support.psm1'
$MAXIMUM_VER_PER_LINE = 4 # Handle long lines of acceptable versions
$END_VERSIONS_COMMENT = "# End Versions" # EOL comment in the PowerShell file
$EndAcceptableVerRegex = ".*$END_VERSIONS_COMMENT"
$DefaultOPAVersionVar = "[ScubaConfig]::ScubaDefault('DefaultOPAVersion')"
(Get-Content -Path $SupportModulePath) | ForEach-Object {
$EndAcceptableVarMatch = $_ -match $EndAcceptableVerRegex
if ($EndAcceptableVarMatch) {
$VersionsLength = ($_ -split ",").length
# Split the line if we reach our version limit per line
# in the the file. This is to prevent long lines.
if ($VersionsLength -gt $MAXIMUM_VER_PER_LINE) {
# Splitting lines; Current and latest OPA Version will start on the next line
$VersionsArr = $_ -split ","
# Create a new line
# Then add the new version on the next line
($VersionsArr[0..($VersionsArr.Length-2)] -join ",") + ","
" '$CurrentOPAVersion', $DefaultOPAVersionVar $END_VERSIONS_COMMENT" # 4 space indentation
}
elseif ($VersionsLength -eq 1) {
# if the default version is the only acceptable version
# Make `VariableName = CurrentVersion, DefaultOPAVer #EndVersionComment `
$VersionsArr = $_ -split "="
$VersionsArr[0] + "= '$CurrentOPAVersion'" + ", $DefaultOPAVersionVar $END_VERSIONS_COMMENT"
}
else {
# No Splitting lines; Appending new Current OPA version to acceptable version
$VersionsArr = $_ -split ","
$NewVersions = ($VersionsArr[0..($VersionsArr.Length-2)] -join ",")
$NewVersions + ", '$CurrentOPAVersion'" + ", $DefaultOPAVersionVar $END_VERSIONS_COMMENT"
}
}
else {
$_
}
} | Set-Content $SupportModulePath
- name: Create the OPA update PR
if: steps.determine-update-required.outputs.updaterequired == 'true'
run: |
$LatestOPAVersion = "${{ steps.determine-update-required.outputs.latestopaversion }}"
$CurrentOPAVersion = "${{ steps.determine-update-required.outputs.currentopaversion }}"
$OPAVersionBumpBranch = "${{ steps.determine-update-required.outputs.opaversionbumpbranch }}"
#
# Create the PR Body
#
$PRTemplatePath = '.\.github\pull_request_template.md'
$Description = '<!-- Describe the "what" of your changes in detail. -->'
$Motivation = '<!-- Why is this change required\? -->'
$Testing = '<!-- see how your change affects other areas of the code, etc. -->'
$RemoveHeader = '# <!-- Use the title to describe PR changes in the imperative mood --> #'
$NewDescription = "- This pull request was created by a GitHub Action to bump ScubaGear's Open Policy Agent (OPA) executable version dependency.`n - Please fill out the rest of the template that the Action did not cover. `n"
$NewMotivation = "- Bump to the latest OPA version v$($LatestOPAVersion) `n"
$NewTesting = "- Currently a human should still check if bumping the OPA version affects ScubaGear.`n"
$Body = "This is a test body fear me"
$PRTemplateContent = (Get-Content -Path $PRTemplatePath) | ForEach-Object {
$DescriptionRegex = $_ -match $Description
$MotivationRegex = $_ -match $Motivation
$TestingRegex = $_ -match $Testing
$RemoveHeaderRegex = $_ -match $RemoveHeader # removes unneeded new line
if ($DescriptionRegex) {
$_ -replace $Description, $NewDescription
}
elseif ($MotivationRegex) {
$_ -replace $Motivation, $NewMotivation
}
elseif ($TestingRegex) {
$_ -replace $Testing, $NewTesting
}
elseif ($RemoveHeaderRegex) {
$_ -replace $RemoveHeader, ""
}
else {
$_ + "`n"
}
}
git config --global user.email "action@github.com"
git config --global user.name "GitHub Action"
git checkout -b "$($OPAVersionBumpBranch)"
git add .
git commit -m "Bump OPA version from v$($CurrentOPAVersion) to v$($LatestOPAVersion)"
git push origin $OPAVersionBumpBranch
gh pr create -B main -H $OPAVersionBumpBranch --title "Bump OPA version from v$($CurrentOPAVersion) to v$($LatestOPAVersion)" --body "${PRTemplateContent}" --label "version bump"