upgrade (#7)

ipld · Sep 12, 2022 · 9273431 · 9273431
1 parent 8e0a245
commit 9273431
Show file tree

Hide file tree

Showing 48 changed files with 5,345 additions and 199 deletions.
diff --git a/.github/workflows/fix.yml b/.github/workflows/fix.yml
@@ -0,0 +1,179 @@
+name: Fix
+
+on:
+  pull_request_target:
+    branches: [master]
+  workflow_dispatch:
+  workflow_run:
+    workflows:
+      - "Apply"
+    types:
+      - completed
+
+defaults:
+  run:
+    shell: bash
+
+concurrency:
+  group: fix-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true # we only care about the most recent fix run for any given PR/ref
+
+jobs:
+  prepare:
+    # not starting for PRs if repo is private because we cannot write to private forks
+    if: github.event_name == 'workflow_dispatch' ||
+        (github.event_name == 'pull_request_target' &&
+        github.event.pull_request.head.repo.private == false) ||
+        (github.event_name == 'workflow_run' &&
+        github.event.workflow_run.conclusion == 'success')
+    permissions:
+      contents: read
+      pull-requests: read
+    name: Prepare
+    runs-on: ubuntu-latest
+    outputs:
+      workspaces: ${{ steps.workspaces.outputs.this }}
+      skip-fix: ${{ steps.skip-fix.outputs.this }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - if: github.event_name == 'pull_request_target'
+        env:
+          NUMBER: ${{ github.event.pull_request.number }}
+          SHA: ${{ github.event.pull_request.head.sha }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git fetch origin "pull/${NUMBER}/head"
+          rm -rf github && git checkout "${SHA}" -- github
+      - name: Discover workspaces
+        id: workspaces
+        run: echo "::set-output name=this::$(ls github | jq --raw-input '[.[0:-4]]' | jq -sc add)"
+      - name: Check last commit
+        id: skip-fix
+        env:
+          SHA: ${{ github.event.pull_request.head.sha || github.sha }}
+        run: |
+          # this workflow doesn't continue if the last commit has [skip fix] suffix or there are no user defined fix rules
+          if [[ "$(git log --format=%B -n 1 "${SHA}" | head -n 1)" == *"[skip fix]" ]] || ! test -f scripts/src/actions/fix-yaml-config.ts 2> /dev/null; then
+            echo "::set-output name=this::true"
+          else
+            echo "::set-output name=this::false"
+          fi
+  fix:
+    needs: [prepare]
+    if: needs.prepare.outputs.skip-fix == 'false'
+    permissions:
+      contents: read
+      pull-requests: read
+    strategy:
+      fail-fast: false
+      matrix:
+        workspace: ${{ fromJson(needs.prepare.outputs.workspaces || '[]') }}
+    name: Fix
+    runs-on: ubuntu-latest
+    env:
+      TF_IN_AUTOMATION: 1
+      TF_INPUT: 0
+      TF_WORKSPACE: ${{ matrix.workspace }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.RO_AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.RO_AWS_SECRET_ACCESS_KEY }}
+      GITHUB_APP_ID: ${{ secrets.RO_GITHUB_APP_ID }}
+      GITHUB_APP_INSTALLATION_ID: ${{ secrets[format('RO_GITHUB_APP_INSTALLATION_ID_{0}', matrix.workspace)] || secrets.RO_GITHUB_APP_INSTALLATION_ID }}
+      GITHUB_APP_PEM_FILE: ${{ secrets.RO_GITHUB_APP_PEM_FILE }}
+      TF_VAR_write_delay_ms: 300
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - if: github.event_name == 'pull_request_target'
+        env:
+          NUMBER: ${{ github.event.pull_request.number }}
+          SHA: ${{ github.event.pull_request.head.sha }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # only checking out github directory from the PR
+          git fetch origin "pull/${NUMBER}/head"
+          rm -rf github && git checkout "${SHA}" -- github
+      - name: Setup terraform
+        uses: hashicorp/setup-terraform@3d8debd658c92063839bc97da5c2427100420dec # v1.3.2
+        with:
+          terraform_version: 1.1.4
+      - name: Initialize terraform
+        run: terraform init
+        working-directory: terraform
+      - name: Initialize scripts
+        run: npm install && npm run build
+        working-directory: scripts
+      - name: Fix
+        run: node lib/actions/fix-yaml-config.js
+        working-directory: scripts
+      - name: Upload YAML config
+        uses: actions/upload-artifact@v2
+        with:
+          name: ${{ env.TF_WORKSPACE }}.yml
+          path: github/${{ env.TF_WORKSPACE }}.yml
+          if-no-files-found: error
+          retention-days: 1
+  push:
+    needs: [prepare, fix]
+    permissions:
+      contents: read
+    name: Push
+    runs-on: ubuntu-latest
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.RO_AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.RO_AWS_SECRET_ACCESS_KEY }}
+    steps:
+      - name: Generate app token
+        id: token
+        uses: tibdex/github-app-token@7ce9ffdcdeb2ba82b01b51d6584a6a85872336d4 # v1.5.1
+        with:
+          app_id: ${{ secrets.RW_GITHUB_APP_ID }}
+          installation_id: ${{ secrets[format('RW_GITHUB_APP_INSTALLATION_ID_{0}', github.repository_owner)] || secrets.RW_GITHUB_APP_INSTALLATION_ID }}
+          private_key: ${{ secrets.RW_GITHUB_APP_PEM_FILE }}
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+          token: ${{ steps.token.outputs.token }}
+          path: head
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          path: base
+      - name: Download YAML configs
+        uses: actions/download-artifact@v2
+        with:
+          path: artifacts
+      - name: Copy YAML configs
+        run: cp artifacts/**/*.yml head/github
+      - name: Check if github was modified
+        id: github-modified
+        run: |
+          if [ -z "$(git status --porcelain -- github)" ]; then
+            echo "::set-output name=this::false"
+          else
+            echo "::set-output name=this::true"
+          fi
+        working-directory: head
+      - uses: ./base/.github/actions/git-config-user
+        if: steps.github-modified.outputs.this == 'true'
+      - if: steps.github-modified.outputs.this == 'true'
+        run: |
+          git add --all -- github
+          git commit -m "chore: fix [skip fix]"
+        working-directory: head
+      - if: steps.github-modified.outputs.this == 'true' && github.event_name == 'pull_request_target'
+        env:
+          REF: ${{ github.event.pull_request.head.ref }}
+        run: |
+          git checkout -B "${REF}"
+          git push origin "${REF}"
+        working-directory: head
+      - if: steps.github-modified.outputs.this == 'true' && github.event_name != 'pull_request_target'
+        uses: ./base/.github/actions/git-push
+        env:
+          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
+        with:
+          suffix: fix
+          working-directory: head
diff --git a/.github/workflows/plan.yml b/.github/workflows/plan.yml
@@ -62,11 +62,13 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
       - if: github.event_name == 'pull_request_target'
-        run: |
-          git fetch origin pull/${{ github.event.pull_request.number }}/head
-          rm -rf github && git checkout ${{ github.event.pull_request.head.sha }} -- github
         env:
+          NUMBER: ${{ github.event.pull_request.number }}
+          SHA: ${{ github.event.pull_request.head.sha }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git fetch origin "pull/${NUMBER}/head"
+          rm -rf github && git checkout "${SHA}" -- github
       - name: Setup terraform
         uses: hashicorp/setup-terraform@3d8debd658c92063839bc97da5c2427100420dec # v1.3.2
         with:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - repository_file support
 - repository.default_branch support
 - weekly schedule to the synchronization workflow
+- fix workflow which executes user defined config transforms on PRs and after Apply
+- shared config fix rule which adds missing default branch protections
 
 ### Changed
 - Synchronization script: to use GitHub API directly instead of relying on TF GH Provider's Data Sources

diff --git a/docs/ABOUT.md b/docs/ABOUT.md
@@ -48,3 +48,10 @@ Running the `Sync` GitHub Action workflows refreshes the underlying terraform st
 - [github_team_membership](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team_membership)
 - [github_repository_file](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_file)
 
+# Config Fix Rules
+
+With GitHub Management, you can write config fix rules in TypeScript. Your code will get executed by the `Fix` workflow on each PR (if the repository isn't private) and after each `Apply` workflow run. If your code execution results in any changes to the YAML configuration files, they will be either pushed directly in case of PRs or proposed through PRs otherwise.
+
+Config fix rules have to be put inside `scripts/src/actions/fix-yaml-config.ts` file. Look around `scripts/src` to find useful abstractions for YAML manipulation. You can also browse through a catalog of ready-made rules in `scripts/src/actions/shared`.
+
+You can instruct GitHub Management to skip `Fix` workflow execution on your commit by adding a `[skip fix]` suffix to the first line of your commit message.
diff --git a/docs/EXAMPLE.yml b/docs/EXAMPLE.yml
@@ -22,7 +22,7 @@ repositories: # This group defines repositories (https://registry.terraform.io/p
       README.md:
         content: README.md # This field accepts either a relative path to a file from ./files directory...
       docs/HELLO.md:
-        content: > # ... or a content string
+        content: | # ... or a content string
           Hi!
     branch_protection: # This group defines branch protection rules (https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection)
       master: # This key accepts only EXACT branch names, unlike the terraform resource which accepts any pattern

diff --git a/docs/HOWTOS.md b/docs/HOWTOS.md
@@ -107,3 +107,19 @@ I push my changes to a new branch and create a PR. An admin reviews the PR, sync
 
 - Run `Clean` GitHub Action workflow with a chosen regex
 - Follow [How to synchronize GitHub Management with GitHub?](#synchronize-github-management-with-github)
+
+### ...add a new config fix rule?
+
+- Create or modify `scripts/src/actions/fix-yaml-config.ts` file
+
+*Example*
+
+I want to ensure that all the public repositories in my organization have their default branches protected.
+
+To do that, I ensure the following content is present in `scripts/src/actions/fix-yaml-config.ts`:
+```ts
+import 'reflect-metadata'
+import { protectDefaultBranches } from './shared/protect-default-branches'
+
+protectDefaultBranches()
+```