Add tep-notifier custom task to comment on PRs which should trigger T…

…EP updates

Note that this PR does not actually configure any repositories to trigger off the new custom task. It just adds the code for the task, its own build configuration, and a `TriggerBinding` that will be used when actually configuring its usage.

The `tep-notifier` will listen for PR open/edit/close events in configured repositories. When it receives an event, it will check the PR title and body for TEP references, either as `TEP-1234` or as the TEP's URL in the community repository. If it finds TEPs referenced in the PR that aren't recorded as having the appropriate state for the PR's action in the TEP README, it will create a comment (or edit its existing comment, if, say, the PR body has been edited to refer to an additional or different TEP) suggesting that the TEP(s) (with links and titles) should have their statuses updated accordingly.

Currently, for opened/edited PRs, it looks for TEPs in either the `proposed` or `implementable` state to transition to `implementing`, while for closed PRs, it checks if the PR was merged, and if so, looks for TEPs in the `implementing` state to transition to `implemented`.

Signed-off-by: Andrew Bayer <[email protected]>

tekton/ci/plumbing/template.yaml

@@ -81,6 +81,7 @@ spec:
             - pipelinerun-logs
             - tekton/ci/interceptors/add-team-members
             - tekton/ci/interceptors/add-pr-body
+            - tep-notifier
   - apiVersion: tekton.dev/v1beta1
     kind: PipelineRun
     metadata:
@@ -216,8 +217,9 @@ spec:
             - bots/buildcaptain/config
             - bots/mariobot/config
             - pipelinerun-logs/config
+            - tep-notifier
             - boskos
             - gubernator
             - prow
             - robocat
-            - tekton
+            - tekton

tekton/ci/shared/bindings.yaml

@@ -95,3 +95,23 @@ spec:
   params:
     - name: body
       value: $(body.pull_request.body)
+---
+apiVersion: triggers.tekton.dev/v1alpha1
+kind: TriggerBinding
+metadata:
+  name: tekton-ci-webhook-tep-notifier
+  namespace: tekton-ci
+spec:
+  params:
+    - name: pullRequestAction
+      value: $(body.action)
+    - name: pullRequestNumber
+      value: $(body.pull_request.number)
+    - name: pullRequestTitle
+      value: $(body.pull_request.title)
+    - name: pullRequestBody
+      value: $(body.pull_request.body)
+    - name: package
+      value: $(body.repository.full_name)
+    - name: pullRequestIsMerged
+      value: $(body.pull_request.merged)

tekton/cronjobs/dogfooding/releases/kustomization.yaml

@@ -10,3 +10,4 @@ resources:
 - operator-nightly
 - wait-task-nightly
 - pipeline-to-taskrun-nightly
+- tep-notifier-nightly

tekton/cronjobs/dogfooding/releases/tep-notifier-nightly/README.md

@@ -0,0 +1,2 @@
+Cron Job to trigger the TEP notifier custom task nightly build.
+Results are published to https://storage.cloud.google.com/tekton-releases-nightly/tep-notifier/latest/release.yaml

tekton/cronjobs/dogfooding/releases/tep-notifier-nightly/cronjob.yaml

@@ -0,0 +1,21 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: nightly-cron-trigger
+spec:
+  schedule: "0 0 * * *"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: trigger
+            env:
+              - name: PROJECT_NAME
+                value: tep-notifier
+          initContainers:
+          - name: git
+            env:
+              - name: GIT_REPO
+                value: github.com/tektoncd/plumbing

tekton/cronjobs/dogfooding/releases/tep-notifier-nightly/kustomization.yaml

@@ -0,0 +1,5 @@
+bases:
+- ../../../bases/release
+patchesStrategicMerge:
+- cronjob.yaml
+nameSuffix: "-tep-notifier-nightly-release"

tekton/resources/nightly-release/kustomization.yaml

@@ -15,3 +15,4 @@ resources:
 - overlays/operator
 - overlays/wait-task
 - overlays/pipeline-to-taskrun
+- overlays/tep-notifier

tekton/resources/nightly-release/overlays/tep-notifier/kustomization.yaml

@@ -0,0 +1,18 @@
+namePrefix: tep-notifier-
+bases:
+  - ../../base
+patchesJson6902:
+  - target:
+      group: triggers.tekton.dev
+      version: v1alpha1
+      kind: TriggerTemplate
+      name: template
+    path: template.yaml
+  - target:
+      group: triggers.tekton.dev
+      version: v1alpha1
+      kind: Trigger
+      name: nightly
+    path: trigger.yaml
+resources:
+  - github.com/tektoncd/plumbing/tep-notifier/tekton/?ref=main

tekton/resources/nightly-release/overlays/tep-notifier/template.yaml

@@ -0,0 +1,35 @@
+- op: add
+  path: /spec/resourcetemplates
+  value:
+    - apiVersion: tekton.dev/v1beta1
+      kind: PipelineRun
+      metadata:
+        generateName: tep-notifier-release-nightly-
+      spec:
+        pipelineRef:
+          name: release
+        params:
+        - name: package
+          value: $(tt.params.gitrepository)
+        - name: gitRevision
+          value: $(tt.params.gitrevision)
+        - name: imageRegistry
+          value: $(tt.params.imageRegistry)
+        - name: imageRegistryPath
+          value: $(tt.params.imageRegistryPath)
+        - name: versionTag
+          value: $(tt.params.versionTag)
+        - name: serviceAccountPath
+          value: release.json
+        workspaces:
+          - name: workarea
+            volumeClaimTemplate:
+              spec:
+                accessModes:
+                  - ReadWriteOnce
+                resources:
+                  requests:
+                    storage: 1Gi
+          - name: release-secret
+            secret:
+              secretName: release-secret

tekton/resources/nightly-release/overlays/tep-notifier/trigger.yaml

@@ -0,0 +1,7 @@
+- op: add
+  path: /spec/interceptors
+  value:
+    - cel:
+        filter: >-
+          'trigger-template' in body &&
+          body.params.release.projectName == 'tep-notifier'

tep-notifier/.gitignore

@@ -0,0 +1,2 @@
+bin/*
+.bin/*

tep-notifier/.ko.yaml

@@ -0,0 +1 @@
+defaultBaseImage: gcr.io/distroless/static:nonroot

tep-notifier/Makefile

@@ -0,0 +1,92 @@
+BINARY_NAME = tep-notifier
+
+GO  = go
+BIN = $(CURDIR)/.bin
+
+$(BIN):
+	@mkdir -p $@
+$(BIN)/%: | $(BIN) ; $(info $(M) building $(PACKAGE)…)
+	$Q tmp=$$(mktemp -d); \
+	   env GO111MODULE=off GOPATH=$$tmp GOBIN=$(BIN) $(GO) get $(PACKAGE) \
+		|| ret=$$?; \
+	   rm -rf $$tmp ; exit $$ret
+
+all: bin/$(BINARY_NAME) test
+
+FORCE:
+
+.PHONY: cross
+cross: amd64 386 arm arm64 s390x ppc64le ## build cross platform binaries
+
+.PHONY: amd64
+amd64:
+	GOOS=linux GOARCH=amd64 go build  $(LDFLAGS) -o bin/$(BINARY_NAME)-linux-amd64 ./cmd/$(BINARY_NAME)
+	GOOS=windows GOARCH=amd64 go build  $(LDFLAGS) -o bin/$(BINARY_NAME)-windows-amd64 ./cmd/$(BINARY_NAME)
+	GOOS=darwin GOARCH=amd64 go build  $(LDFLAGS) -o bin/$(BINARY_NAME)-darwin-amd64 ./cmd/$(BINARY_NAME)
+
+.PHONY: 386
+386:
+	GOOS=linux GOARCH=386 go build  $(LDFLAGS) -o bin/$(BINARY_NAME)-linux-386 ./cmd/$(BINARY_NAME)
+	GOOS=windows GOARCH=386 go build  $(LDFLAGS) -o bin/$(BINARY_NAME)-windows-386 ./cmd/$(BINARY_NAME)
+
+.PHONY: arm
+arm:
+	GOOS=linux GOARCH=arm go build  $(LDFLAGS) -o bin/$(BINARY_NAME)-linux-arm ./cmd/$(BINARY_NAME)
+
+.PHONY: arm64
+arm64:
+	GOOS=linux GOARCH=arm64 go build  $(LDFLAGS) -o bin/$(BINARY_NAME)-linux-arm64 ./cmd/$(BINARY_NAME)
+
+.PHONY: s390x
+s390x:
+	GOOS=linux GOARCH=s390x go build  $(LDFLAGS) -o bin/$(BINARY_NAME)-linux-s390x ./cmd/$(BINARY_NAME)
+
+.PHONY: ppc64le
+ppc64le:
+	GOOS=linux GOARCH=ppc64le go build  $(LDFLAGS) -o bin/$(BINARY_NAME)-linux-ppc64le ./cmd/$(BINARY_NAME)
+
+bin/%: cmd/% FORCE
+	go build  $(LDFLAGS) -v -o $@ ./$<
+
+check: lint test
+
+.PHONY: test
+test: test-unit ## run all tests
+
+.PHONY: test-unit
+test-unit: ## run unit tests
+	@echo "Running unit tests..."
+	@$(GO) test -failfast -v -cover ./...
+
+.PHONY: clean
+clean: ## clean build artifacts
+	rm -fR bin
+
+.PHONY: help
+help: ## print this help
+	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z0-9_-]+:.*?## / {gsub("\\\\n",sprintf("\n%22c",""), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
+
+GOLANGCILINT = $(BIN)/golangci-lint
+$(BIN)/golangci-lint:
+	@curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(BIN) $(GOLANGCI_VERSION)
+
+.PHONY: golangci-lint
+golangci-lint: $(GOLANGCILINT)
+	@echo "Running golangci-lint..."
+	@$(GOLANGCILINT) run --max-issues-per-linter=0 --max-same-issues=0 --deadline 5m
+
+.PHONY: lint
+lint: golangci-lint
+
+GOIMPORTS = $(BIN)/goimports
+$(BIN)/goimports: PACKAGE=golang.org/x/tools/cmd/goimports
+
+.PHONY: goimports
+goimports: $(GOIMPORTS)
+	@echo "Running goimports..."
+	@$(GOIMPORTS) -l -e -w pkg
+
+.PHONY: fmt
+fmt: goimports
+	@echo "Running go fmt..."
+	@$(GO) fmt `go list ./... | grep -v /vendor/`

tep-notifier/cmd/controller/main.go

@@ -0,0 +1,22 @@
+package main
+
+import (
+	"flag"
+	"github.com/tektoncd/plumbing/tep-notifier/pkg/reconciler"
+	"knative.dev/pkg/injection/sharedmain"
+	"knative.dev/pkg/signals"
+	"log"
+)
+
+var (
+	ghToken = flag.String("github-token", "", "GitHub OAuth token for interacting with GitHub")
+)
+
+func main() {
+	flag.Parse()
+
+	if ghToken == nil {
+		log.Fatal("no github-token specified")
+	}
+	sharedmain.MainWithContext(signals.NewContext(), reconciler.ControllerName, reconciler.NewController(*ghToken))
+}

tep-notifier/config/200-serviceaccount.yaml

@@ -0,0 +1,22 @@
+# Copyright 2020 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tekton-tep-notifier-controller
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-plumbing-tep-notifier

tep-notifier/config/201-clusterrole.yaml

@@ -0,0 +1,57 @@
+# Copyright 2020 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: tekton-tep-notifier-controller-cluster-access
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-plumbing-tep-notifier
+rules:
+    # Controller needs cluster access to all of the CRDs that it is responsible for managing.
+  - apiGroups: ["tekton.dev"]
+    resources: ["runs", "taskruns"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  - apiGroups: ["tekton.dev"]
+    resources: ["runs/status", "taskruns/status"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  # This is the access that the controller needs on a per-namespace basis.
+  name: tekton-tep-notifier-controller-tenant-access
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-plumbing-tep-notifier
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: tekton-tep-notifier-leader-election
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-plumbing-tep-notifier
+rules:
+  # We uses leases for leaderelection
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]

tep-notifier/config/201-role.yaml

@@ -0,0 +1,35 @@
+# Copyright 2020 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: tekton-tep-notifier-controller
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-plumbing-tep-notifier
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["list", "watch"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get"]
+    resourceNames: ["config-leader-election", "config-logging", "config-observability"]
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    resourceNames: ["tekton-pipelines"]
+    verbs: ["use"]