(SIMP-10392) GHA: Trigger rpm_release workflow (#436)
This patch ensures that a GitHub release will trigger the `release_rpm`
GHA workflow.

The patch enforces a standardized asset baseline using simp/puppetsync,
and may apply other updates to ensure conformity.

[SIMP-10393] #close
[SIMP-10392] #comment Add `release_rpms` to simp-doc
op-ct authored Jan 12, 2022
1 parent 96dd1bf commit cc27b8d
Showing 6 changed files with 610 additions and 178 deletions.
111 changes: 27 additions & 84 deletions .github/workflows/pr_glci.yml
Expand Up @@ -3,6 +3,14 @@
# 1. The .gitlab-ci.yaml file exists and validates
# 2. The PR submitter has write access to the target repository.
#
# ------------------------------------------------------------------------------
#
# NOTICE: **This file is maintained with puppetsync**
#
# This file is updated automatically as part of a puppet module baseline.
#
# The next baseline sync will overwrite any local changes to this file!
#
# ==============================================================================
#
# GitHub Action Secrets variables available for this pipeline:
Expand Down Expand Up @@ -57,47 +65,18 @@ jobs:
name: '.gitlab-ci.yml Syntax'
runs-on: ubuntu-latest
outputs:
exists: ${{ steps.glci-file-exists.outputs.exists }}
valid: ${{ steps.validate-glci-file.outputs.valid }}
steps:
- uses: actions/checkout@v2
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.ref }}
- name: 'Does GLCI file exist?'
id: glci-file-exists
run: |
if [ -f .gitlab-ci.yml ]; then
echo '.gitlab-ci.yml exists'
echo '::set-output name=exists::true'
else
echo '::error ::The ".gitlab-ci.yml" file is missing!'
echo '::set-output name=exists::false'
false
fi
- name: 'Validate GLCI file syntax'
id: validate-glci-file
if: steps.glci-file-exists.outputs.exists == 'true'
env:
GITLAB_API_URL: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
GITLAB_API_PRIVATE_TOKEN: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
run: |
GITLAB_API_URL="${GITLAB_API_URL:-https://gitlab.com/api/v4}"
CURL_CMD=(curl --http1.1 --fail --silent --show-error --header 'Content-Type: application/json' --data @-)
[ -n "$GITLAB_API_PRIVATE_TOKEN" ] && CURL_CMD+=(--header "Authorization: Bearer $GITLAB_API_PRIVATE_TOKEN")
data="$(jq --null-input --arg yaml "$(<.gitlab-ci.yml)" '.content=$yaml' )"
response="$(echo "$data" | "${CURL_CMD[@]}" "${GITLAB_API_URL}/ci/lint?include_merged_yaml=true" | jq . )"
status=$( echo "$response" | jq .status )
if [[ "$status" == '"valid"' ]]; then
echo '.gitlab-ci.yml is valid'
echo '::set-output name=valid::true'
else
echo '::set-output name=valid::false'
echo '::error::The .gitlab-ci.yml" file is invalid!'
echo "$response" | jq -r '.errors[] | . = "::error ::\(.)"'
printf "::debug ::.gitlab-ci.yml CI lint service response: %s\n" "$response"
false
fi
uses: simp/github-action-gitlab-ci-syntax-check@main
with:
gitlab_api_private_token: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
gitlab_api_url: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4

contributor-permissions:
name: 'PR contributor check'
Expand Down Expand Up @@ -145,14 +124,16 @@ jobs:
# AND:
# - [x] Newly-opened PRs: github.event.action == 'opened'
# - [x] Re-opened PRs: github.event.action == 'reopened'
# - [x] Commites are added to PR: github.event.action == 'synchronize'
# - [x] Commits are added to PR: github.event.action == 'synchronize'
# AND:
# - [x] .gitlab-ci.yml exists/ok: needs.glci-syntax.outputs.valid == 'true'
#
# It will NOT Trigger on:
# [Not implemented] It should NEVER trigger on:
#
# - [ ] Merged PRs: github.event.pull_request.merged == 'false'
# - (the downstream GitLab mirror will take care of that)
# - (the downstream GitLab mirror will take care of that)
# - Not implemented: For some reason, this conditional always fails
# - Unnecessary if on>pull_request_target>types doesn't include 'closed'
if: github.event_name == 'pull_request_target' && ( github.event.action == 'opened' || github.event.action == 'reopened' || github.event.action == 'synchronize' ) && github.event.pull_request.merged != 'true' && needs.glci-syntax.outputs.valid == 'true' && needs.contributor-permissions.outputs.permitted == 'true'
runs-on: ubuntu-18.04
steps:
Expand All @@ -162,64 +143,26 @@ jobs:
# - [ ] if there's no PR check on the main GitHub branch, make one (?)
# - [x] Cancel any GLCI pipelines already pending/running for this branch
# - "created|waiting_for_resource|preparing|pending|running"
# - Exception: don't cancel existing pipeline for our own commit
# - [x] if PR: force-push branch to GitLab
- uses: actions/checkout@v2
if: needs.contributor-permissions.outputs.permitted == 'true'
with:
clean: true
fetch-depth: 0 # Need full checkout to push to gitlab mirror
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.ref }}

- name: Trigger CI when user has Repo Permissions
if: needs.contributor-permissions.outputs.permitted == 'true'
env:
GITLAB_SERVER_URL: ${{ secrets.GITLAB_SERVER_URL }} # https://gitlab.com
GITLAB_API_URL: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
GITLAB_ORG: 'simp'
GITLAB_API_PRIVATE_TOKEN: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
GIT_BRANCH: ${{ github.event.pull_request.head.ref }}
run: |
GITLAB_SERVER_URL="${GITLAB_SERVER_URL:-https://gitlab.com}"
GITLAB_API_URL="${GITLAB_API_URL:-${GITLAB_SERVER_URL}/api/v4}"
GIT_BRANCH="${GIT_BRANCH:-GITHUB_HEAD_REF}"
GITXXB_REPO_NAME="${GITHUB_REPOSITORY/$GITHUB_REPOSITORY_OWNER\//}"
GITLAB_PROJECT_ID="${GITLAB_ORG}%2F${GITXXB_REPO_NAME}"
# --http1.0 avoids an HTTP/2 load balancing issue when run from GA
CURL_CMD=(curl --http1.0 --fail --silent --show-error \
--header "Authorization: Bearer $GITLAB_API_PRIVATE_TOKEN" \
--header "Content-Type: application/json" \
--header "Accept: application/json" \
)
# Cancel any active/pending GitLab CI pipelines for the same project+branch
active_pipeline_ids=()
for pipe_status in created waiting_for_resource preparing pending running; do
echo " ---- checking for CI pipelines with status '$pipe_status' for project '$GITLAB_PROJECT_ID', branch '$GIT_BRANCH'"
url="${GITLAB_API_URL}/projects/${GITLAB_PROJECT_ID}/pipelines?ref=${GIT_BRANCH}&status=${pipe_status}"
active_pipelines="$("${CURL_CMD[@]}" "$url" | jq -r '.[] | .id , .web_url')"
active_pipeline_ids+=($(echo "$active_pipelines" | grep -E '^[0-9]*$'))
printf "$active_pipelines\n\n"
done
if [ "${#active_pipeline_ids[@]}" -gt 0 ]; then
printf "\nFound %s active pipeline ids:\n" "${#active_pipeline_ids[@]}"
echo "${active_pipeline_ids[@]}"
for pipe_id in "${active_pipeline_ids[@]}"; do
printf "\n ------ Cancelling pipeline ID %s...\n" "$pipe_id"
"${CURL_CMD[@]}" --request POST "${GITLAB_API_URL}/projects/${GITLAB_PROJECT_ID}/pipelines/${pipe_id}/cancel"
done
else
echo No active pipelines found
fi
echo "== Pushing $GIT_BRANCH to gitlab"
git remote add gitlab "https://oauth2:${GITLAB_API_PRIVATE_TOKEN}@${GITLAB_SERVER_URL#*://}/${GITLAB_ORG}/${GITXXB_REPO_NAME}.git"
#git branch "$GIT_BRANCH" HEAD
git log --color --graph --abbrev-commit -5 \
--pretty=format:'%C(red)%h%C(reset) -%C(yellow)%d%Creset %s %Cgreen(%ci) %C(bold blue)<%an>%Creset'
git push gitlab ":${GIT_BRANCH}" -f || : # attempt to un-weird GLCI's `changed` tracking
git push gitlab "${GIT_BRANCH}" -f
echo "Pushed branch '${GIT_BRANCH}' to gitlab"
echo " A new pipeline should be at: https://${GITLAB_SERVER_URL#*://}/${GITLAB_ORG}/${GITXXB_REPO_NAME}/-/pipelines/"
uses: simp/github-action-gitlab-ci-pipeline-trigger@v1
with:
git_branch: ${{ github.event.pull_request.head.ref }} # TODO check for/avoid protected branches?
git_hashref: ${{ github.event.pull_request.head.sha }}
gitlab_api_private_token: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
gitlab_group: ${{ github.event.organization.login }}
github_repository: ${{ github.repository }}
github_repository_owner: ${{ github.repository_owner }}

- name: When user does NOT have Repo Permissions
if: needs.contributor-permissions.outputs.permitted == 'false'
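Review bot: The new `uses: simp/github-action-gitlab-ci-syntax-check@main` line in the glci-syntax job pins a third-party action to a moving branch, and this job runs under `pull_request_target` with `GITLAB_API_PRIVATE_TOKEN` handed to the action as an input, so any later push to that action's `main` changes which code receives the token. The trigger step's `simp/github-action-gitlab-ci-pipeline-trigger@v1` is a mutable tag with the same exposure, only narrower. Pin both to a full commit SHA and keep the human-readable ref in a trailing comment, e.g. `uses: simp/github-action-gitlab-ci-syntax-check@<ACTION_COMMIT_SHA>  # main`, and likewise `...pipeline-trigger@<ACTION_COMMIT_SHA>  # v1`. The same `@main` and `@v1` references appear in pr_glci_manual.yml's glci-syntax and trigger jobs. The glci-syntax job key itself sits above the hunk.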
8 changes: 8 additions & 0 deletions .github/workflows/pr_glci_cleanup.yml
Expand Up @@ -3,6 +3,14 @@
# * Cancels all GLCI pipelines associated with the PR HEAD ref (branch)
# * Removes the PR HEAD branch from the corresponding gitlab.com/org/ project
#
# ------------------------------------------------------------------------------
#
# NOTICE: **This file is maintained with puppetsync**
#
# This file is updated automatically as part of a standardized asset baseline.
#
# The next baseline sync will overwrite any local changes to this file!
#
# ==============================================================================
#
# GitHub Action Secrets variables available for this pipeline:
142 changes: 48 additions & 94 deletions .github/workflows/pr_glci_manual.yml
@@ -1,10 +1,36 @@

# Manually trigger GLCI pipelines for a PR
# ------------------------------------------------------------------------------
#
# NOTICE: **This file is maintained with puppetsync**
#
# This file is updated automatically as part of a standardized asset baseline.
#
# The next baseline sync will overwrite any local changes to this file!
#
# ==============================================================================
#
# This pipeline uses the following GitHub Action Secrets:
#
# GitHub Secret variable Type Notes
# ------------------------ -------- ----------------------------------------
# GITLAB_API_PRIVATE_TOKEN Required GitLab token (should have `api` scope)
# NO_SCOPE_GITHUB_TOKEN Required GitHub token (should have no scopes)
# GITLAB_SERVER_URL Optional Specify a GL server other than gitlab.com
# The secure vars will be filtered in GitHub Actions log output, and aren't
# provided to untrusted builds (i.e, triggered by PR from another repository)
#
# ------------------------------------------------------------------------------
#
# NOTES:
# $secrets.GITHUB_AUTO is not set for workflow_dispatch events
# It is necessary to provide NO_SCOPE_GITHUB_TOKEN because $secrets.GITHUB_AUTO
# is NOT provide to manually-triggered (`workflow_dispatch`) events, in order
# to prevent recursive triggers between workflows
#
# Reference:
#
# https://docs.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token
---
name: 'Manual: GLCI for PR'
name: 'Manual: PR GLCI'

on:
workflow_dispatch:
Expand All @@ -16,9 +42,8 @@ on:
jobs:
glci-syntax:
name: '.gitlab-ci.yml Syntax'
runs-on: ubuntu-latest
runs-on: ubuntu-18.04
outputs:
exists: ${{ steps.glci-file-exists.outputs.exists }}
valid: ${{ steps.validate-glci-file.outputs.valid }}
pr_head_ref: ${{ steps.get-pr.outputs.pr_head_ref }}
pr_head_sha: ${{ steps.get-pr.outputs.pr_head_sha }}
Expand All @@ -28,7 +53,7 @@ jobs:
- uses: actions/github-script@v3
id: get-pr
with:
github-token: ${{secrets.SIMP_AUTO_GITHUB_TOKEN__NO_SCOPE}}
github-token: ${{secrets.NO_SCOPE_GITHUB_TOKEN}}
# See:
# - https://octokit.github.io/rest.js/
script: |
Expand Down Expand Up @@ -69,112 +94,42 @@ jobs:
with:
repository: ${{ steps.get-pr.outputs.pr_head_full_name }}
ref: ${{ steps.get-pr.outputs.pr_head_sha }}
token: ${{secrets.SIMP_AUTO_GITHUB_TOKEN__NO_SCOPE}}
token: ${{secrets.NO_SCOPE_GITHUB_TOKEN}}
clean: true
- name: 'Does GLCI file exist?'
id: glci-file-exists
run: |
if [ -f .gitlab-ci.yml ]; then
echo '.gitlab-ci.yml exists'
echo '::set-output name=exists::true'
else
echo '::error ::The ".gitlab-ci.yml" file is missing!'
echo '::set-output name=exists::false'
false
fi
- name: 'Validate GLCI file syntax'
id: validate-glci-file
if: steps.glci-file-exists.outputs.exists == 'true'
env:
GITLAB_API_URL: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
GITLAB_API_PRIVATE_TOKEN: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
run: |
GITLAB_API_URL="${GITLAB_API_URL:-https://gitlab.com/api/v4}"
CURL_CMD=(curl --http1.1 --fail --silent --show-error --header 'Content-Type: application/json' --data @-)
[ -n "$GITLAB_API_PRIVATE_TOKEN" ] && CURL_CMD+=(--header "Authorization: Bearer $GITLAB_API_PRIVATE_TOKEN")
data="$(jq --null-input --arg yaml "$(<.gitlab-ci.yml)" '.content=$yaml' )"
response="$(echo "$data" | "${CURL_CMD[@]}" "${GITLAB_API_URL}/ci/lint?include_merged_yaml=true" | jq . )"
status=$( echo "$response" | jq .status )
if [[ "$status" == '"valid"' ]]; then
echo '.gitlab-ci.yml is valid'
echo '::set-output name=valid::true'
else
echo '::set-output name=valid::false'
echo '::error::The .gitlab-ci.yml" file is invalid!'
echo "$response" | jq -r '.errors[] | . = "::error ::\(.)"'
printf "::debug ::.gitlab-ci.yml CI lint service response: %s\n" "$response"
false
fi
uses: simp/github-action-gitlab-ci-syntax-check@main
with:
gitlab_api_private_token: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
gitlab_api_url: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4

trigger-when-user-has-repo-permissions:
name: 'Trigger CI'
needs: [ glci-syntax ]
runs-on: ubuntu-latest
runs-on: ubuntu-18.04
steps:
- uses: actions/checkout@v2
with:
repository: ${{ needs.glci-syntax.outputs.pr_head_full_name }}
ref: ${{ needs.glci-syntax.outputs.pr_head_sha }}
token: ${{secrets.SIMP_AUTO_GITHUB_TOKEN__NO_SCOPE}}
token: ${{secrets.NO_SCOPE_GITHUB_TOKEN}}
fetch-depth: 0 # Need full checkout to push to gitlab mirror
clean: true
- name: Trigger CI
env:
GITLAB_SERVER_URL: ${{ secrets.GITLAB_SERVER_URL }} # https://gitlab.com
GITLAB_API_URL: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
GITLAB_ORG: 'simp'
GITLAB_API_PRIVATE_TOKEN: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
GIT_BRANCH: ${{ needs.glci-syntax.outputs.pr_head_ref }}
run: |
GITLAB_SERVER_URL="${GITLAB_SERVER_URL:-https://gitlab.com}"
GITLAB_API_URL="${GITLAB_API_URL:-${GITLAB_SERVER_URL}/api/v4}"
GITXXB_REPO_NAME="${GITHUB_REPOSITORY/$GITHUB_REPOSITORY_OWNER\//}"
GITLAB_PROJECT_ID="${GITLAB_ORG}%2F${GITXXB_REPO_NAME}"
# --http1.0 avoids an HTTP/2 load balancing issue when run from GA
CURL_CMD=(curl --http1.0 --fail --silent --show-error \
--header "Authorization: Bearer $GITLAB_API_PRIVATE_TOKEN" \
--header "Content-Type: application/json" \
--header "Accept: application/json" \
)
# Cancel any active/pending GitLab CI pipelines for the same project+branch
active_pipeline_ids=()
for pipe_status in created waiting_for_resource preparing pending running; do
echo " ---- checking for CI pipelines with status '$pipe_status' for project '$GITLAB_PROJECT_ID', branch '$GIT_BRANCH'"
url="${GITLAB_API_URL}/projects/${GITLAB_PROJECT_ID}/pipelines?ref=${GIT_BRANCH}&status=${pipe_status}"
active_pipelines="$("${CURL_CMD[@]}" "$url" | jq -r '.[] | .id , .web_url')"
active_pipeline_ids+=($(echo "$active_pipelines" | grep -E '^[0-9]*$'))
printf "$active_pipelines\n\n"
done
if [ "${#active_pipeline_ids[@]}" -gt 0 ]; then
printf "\nFound %s active pipeline ids:\n" "${#active_pipeline_ids[@]}"
echo "${active_pipeline_ids[@]}"
for pipe_id in "${active_pipeline_ids[@]}"; do
printf "\n ------ Cancelling pipeline ID %s...\n" "$pipe_id"
"${CURL_CMD[@]}" --request POST "${GITLAB_API_URL}/projects/${GITLAB_PROJECT_ID}/pipelines/${pipe_id}/cancel"
done
else
echo No active pipelines found
fi
# Should we protect against pushing default branches?
echo "== Pushing '$GIT_BRANCH' to gitlab"
git remote add gitlab "https://oauth2:${GITLAB_API_PRIVATE_TOKEN}@${GITLAB_SERVER_URL#*://}/${GITLAB_ORG}/${GITXXB_REPO_NAME}.git"
git branch "$GIT_BRANCH" HEAD || :
git branch -av
git log --color --graph --abbrev-commit -5 \
--pretty=format:'%C(red)%h%C(reset) -%C(yellow)%d%Creset %s %Cgreen(%ci) %C(bold blue)<%an>%Creset'
git push gitlab ":${GIT_BRANCH}" -f || : # attempt to un-weird GLCI's `changed` tracking
echo "== git push --verbose gitlab ${GIT_BRANCH}"
git push --verbose gitlab "${GIT_BRANCH}"
echo "Pushed branch '${GIT_BRANCH}' to gitlab"
echo " A new pipeline should be at: https://${GITLAB_SERVER_URL#*://}/${GITLAB_ORG}/${GITXXB_REPO_NAME}/-/pipelines/"
- name: Trigger CI when user has Repo Permissions
uses: simp/github-action-gitlab-ci-pipeline-trigger@v1
with:
git_hashref: ${{ needs.glci-syntax.outputs.pr_head_sha }}
git_branch: ${{ needs.glci-syntax.outputs.pr_head_ref }}
gitlab_api_private_token: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
gitlab_group: ${{ github.event.organization.login }}
github_repository: ${{ github.repository }}
github_repository_owner: ${{ github.repository_owner }}

### examine_contexts:
### needs: [ glci-syntax ]
### name: 'Examine Context contents'
### if: always()
### runs-on: ubuntu-latest
### runs-on: ubuntu-18.04
### steps:
### - name: Dump contexts
### env:
Expand All @@ -186,4 +141,3 @@ jobs:
### run: echo "$ENV_CONTEXT"
### - name: Dump env vars
### run: env | sort
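Review bot: The new header's secrets table lists only GITLAB_API_PRIVATE_TOKEN, NO_SCOPE_GITHUB_TOKEN and GITLAB_SERVER_URL, but the glci-syntax step in the same file also reads `${{ secrets.GITLAB_API_URL }}` for `gitlab_api_url`, so the table understates what the workflow consumes; add a row `# GITLAB_API_URL           Optional Specify a GL API URL other than gitlab.com/api/v4` under GITLAB_SERVER_URL. In the NOTES paragraph, `is NOT provide to manually-triggered` should read `is NOT provided to manually-triggered`. The same paragraph refers to `$secrets.GITHUB_AUTO`, a name used nowhere else in the file, so confirm that is the intended secret before the baseline propagates it.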