Skip to content

HashiCorp Vault v0.29.1 #1206

HashiCorp Vault v0.29.1

HashiCorp Vault v0.29.1 #1206

Workflow file for this run

name: OWNERS PR Check
# Checks OWNERS file additions and modifications submitted by mercury-bot on a
# partner's behalf, typically in response to a partner updating their project
# metadata.
#
# Automatically approves modifications mercury-bot makes. Sanity checks
# net-new OWNERS files to ensure their addition does not conflict with
# existing locks.
on:
pull_request_target:
types: [opened, synchronize, reopened, edited, ready_for_review, labeled]
paths:
- charts/partners/**/OWNERS
jobs:
owners-file-check:
name: OWNERS file PR checker
runs-on: ubuntu-22.04
if: github.event.pull_request.draft == false && github.actor == 'redhat-mercury-bot'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python 3.x Part 1
uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: Set up Python 3.x Part 2
run: |
# set up python
python3 -m venv ve1
cd scripts
../ve1/bin/pip3 install -r requirements.txt
../ve1/bin/pip3 install .
cd ..
- name: get files changed
id: get_files_changed
env:
BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
run: |
# get files in PR
./ve1/bin/pr-artifact --api-url=${{ github.event.pull_request._links.self.href }} \
--get-files
- name: check if only an OWNERS file is pushed
id: check_for_owners
env:
pr_files_py: "${{ steps.get_files_changed.outputs.pr_files }}"
run: |
# check if PR contains just one partner OWNERS file
pr_files=($(echo "$pr_files_py" | tr -d '[],'))
echo "Files in PR: ${pr_files[@]}"
eval first_file=${pr_files[0]}
if [ ${#pr_files[@]} == 1 ]; then
eval first_file=${pr_files[0]}
if [[ $first_file == "charts/partners/"*/*"/OWNERS" ]] ; then
echo "An OWNERS file has been modified or added"
echo "merge_pr=true" | tee -a $GITHUB_OUTPUT
else
echo "The file in the PR is not a partner OWNERS file"
echo "merge_pr=false" | tee -a $GITHUB_OUTPUT
echo "msg=ERROR: PR does not include a partner OWNERS file." >> $GITHUB_OUTPUT
fi
else
echo "The PR contains multiple files."
echo "msg=ERROR: PR contains multiple files." >> $GITHUB_OUTPUT
echo "merge_pr=false" | tee -a $GITHUB_OUTPUT
fi
# We know that only one file was modified at this point, and it seems
# mergeable. Determine if that file was created or modified here.
#
# This step only checks the first file for its modification type!
- name: Determine if net-new OWNERS file
id: populate-file-mod-type
if: ${{ steps.check_for_owners.outputs.merge_pr == 'true' }}
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const resp = await github.rest.pulls.listFiles({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number,
});
const ownersFile = resp.data[0];
console.log(`Modified file "${ownersFile.filename} has a status of ${ownersFile.status}`);
console.log(`setting output: net-new-owners-file=${ownersFile.status == 'added'}`);
core.setOutput('net-new-owners-file', ownersFile.status == 'added');
- name: Add category/organization/chart-name from modified file to GITHUB_OUTPUT
id: gather-metadata
env:
API_URL: ${{ github.event.pull_request._links.self.href }}
BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
run: |
./ve1/bin/extract-metadata-from-pr \
--emit-to-github-output \
${{ env.API_URL }}
# Only used to assert content of the OWNERS file.
- name: Checkout Pull Request
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
token: ${{ secrets.BOT_TOKEN }}
fetch-depth: 0
path: "pr-branch"
# TODO: Implemented as a shell script temporarily. Future enhancement
# would re-use some existing logic that we have for the Red Hat OWNERS
# check, and build something similar for general use.
- name: Ensure OWNERS content and path content align
working-directory: "pr-branch"
id: fact-check
run: |
file=$(echo ${{ steps.get_files_changed.outputs.pr_files }} | yq .0)
owner_contents_chart_name=$(yq '.chart.name' ${file})
owner_contents_vendor_label=$(yq '.vendor.label' ${file})
echo "Chart Name Comparison: ${owner_contents_chart_name} = ${{ steps.gather-metadata.outputs.chart-name }}"
echo "Vendor Label Comparison: ${owner_contents_vendor_label} = ${{ steps.gather-metadata.outputs.organization }}"
test "${owner_contents_chart_name}" = "${{ steps.gather-metadata.outputs.chart-name }}"
test "${owner_contents_vendor_label}" = "${{ steps.gather-metadata.outputs.organization }}"
- name: Comment on PR if facts are mismatched
id: comment-if-fact-check-failure
if: failure() && steps.fact-check.outcome == 'failure'
run: |
gh pr comment ${{ github.event.number }} --body "${{ env.COMMENT_BODY }}"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COMMENT_BODY: |
### Submission Facts Mismatch
The content of the OWNERS file and your submission path do not seem to match. Double check that
your vendor label and chart name values in your OWNERS file match with your submission path.
_This comment was auto-generated by [GitHub Actions](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})._
- name: Check if chart name is locked
id: determine-lock-status
uses: ./.github/actions/check-chart-locks
with:
chart-name: ${{ steps.gather-metadata.outputs.chart-name }}
fail-workflow-if-locked: 'false'
# Do not merge net-new OWNERS files for locked chart names. Allow a
# modification to an existing file. The mercury-bot periodically updates
# this file as users make changes to their project settings.
- name: Determine if should merge and is safe to merge
id: safe-to-merge
run: |
echo "OWNERS file is net new: ${{ steps.populate-file-mod-type.outputs.net-new-owners-file }}"
echo "Chart name is already locked: ${{ steps.determine-lock-status.outputs.chart-is-locked }}"
echo "merge_pr=${{ steps.populate-file-mod-type.outputs.net-new-owners-file == 'false' || (steps.populate-file-mod-type.outputs.net-new-owners-file == 'true' && steps.determine-lock-status.outputs.chart-is-locked == 'false') }}" | tee -a $GITHUB_OUTPUT
- name: Comment on PR
if: ${{ steps.check_for_owners.outputs.merge_pr == 'false' }}
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
var issue_number = ${{ github.event.number }};
var comment = "${{ steps.check_for_owners.outputs.msg }}";
github.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: Number(issue_number),
body: comment
});
- name: Reflect on check for OWNERS file result
if: |
steps.check_for_owners.outputs.merge_pr == 'false'
|| steps.safe-to-merge.outputs.merge_pr == 'false'
run: |
echo "::error: The PR was not for a single partner OWNERS file, or was for a chart name locked to another contributor"
exit 1
- name: Approve PR
id: approve_pr
if: |
steps.check_for_owners.outputs.merge_pr == 'true'
&& steps.safe-to-merge.outputs.merge_pr == 'true'
uses: hmarr/auto-approve-action@v4
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Merge PR
id: merge_pr
if: ${{ steps.approve_pr.conclusion == 'success' }}
uses: pascalgn/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
MERGE_METHOD: squash
MERGE_LABELS: ""