diff --git a/.github/workflows/_docker.yml b/.github/workflows/_docker.yml index 70caecf..b00a1ae 100644 --- a/.github/workflows/_docker.yml +++ b/.github/workflows/_docker.yml @@ -24,9 +24,10 @@ jobs: build: name: Build ${{ inputs.publish && 'and publish' || '' }} a Docker image runs-on: ubuntu-latest - permissions: - packages: write - contents: read + # packages write should be needed for publish only - set permissions accordingly from calling workflow + # permissions: + # packages: write + # contents: read steps: - name: checkout code uses: actions/checkout@v4 diff --git a/.github/workflows/close_pr.yml b/.github/workflows/close_pr.yml index 2c88eaa..90c0998 100644 --- a/.github/workflows/close_pr.yml +++ b/.github/workflows/close_pr.yml @@ -14,35 +14,16 @@ on: types: ['closed'] jobs: - close: - name: Close PAN.DEV preview PR + store_pr_details: + name: Upload PR details to artifact for closing runs-on: ubuntu-latest - permissions: - contents: write - pull-requests: write steps: - - uses: actions/github-script@v6 + - name: save PR details + run: | + mkdir -p ./pr + echo ${{ github.event.number }} > ./pr/NR + echo ${{ github.event.pull_request.head.ref }} > ./pr/HEAD_REF + - uses: actions/upload-artifact@v4 with: - result-encoding: string - github-token: ${{ secrets.CLSC_PAT }} - script: | - let prs = await github.rest.pulls.list({ - owner: "PaloAltoNetworks", - repo: "pan.dev", - state: "open", - }) - - let prs_list = prs.data - - for (let pr of prs_list){ - if (pr.head.label == "PaloAltoNetworks:pua_prev_${{ github.event.pull_request.head.ref }}"){ - await github.rest.pulls.update({ - owner: "PaloAltoNetworks", - repo: "pan.dev", - pull_number: pr.number, - state: "closed", - }) - console.log("Closing related PAN.DEV PR: #" + pr.number + " - " + pr.title + " -> " + pr.url) - break - } - } + name: pr + path: pr/ diff --git a/.github/workflows/close_pr_workflow_run.yml b/.github/workflows/close_pr_workflow_run.yml new file mode 100644 index 0000000..4ac4265 
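Review bot: The three commented-out `permissions` lines in `_docker.yml` are dead configuration; what the block now means is that the `build` job inherits whatever the calling job grants, and that contract is only implied by the comment above them. Replace the four lines with one statement of the requirement, e.g. `# permissions are inherited from the calling job: it must grant packages: write when inputs.publish is true, otherwise packages: read is enough`, so the intent survives and nobody restores the old block by habit. The `build` job continues past the hunk.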
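Review bot: In the new `save PR details` step of `close_pr.yml`, `${{ github.event.pull_request.head.ref }}` is expanded straight into the shell `run` script; a branch name is free text chosen by the PR author, so whatever it contains is parsed by the runner shell instead of being written to the file. This run only has the read-only fork token, so the exposure is limited to the runner and the artifact, but the identical expansion is in the `store_pr_details` job added to `pr.yml`. Pass both values through `env:` and write them from quoted variables so the shell never interprets them; the artifact then carries exactly the branch string, which the consuming workflow_run still has to validate. Consider also storing `github.event.pull_request.head.sha` so the consumer can compare it with `github.event.workflow_run.head_sha`.

```yaml
      - name: save PR details
        env:
          PR_NUMBER: ${{ github.event.number }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          mkdir -p ./pr
          printf '%s\n' "$PR_NUMBER" > ./pr/NR
          printf '%s\n' "$HEAD_REF" > ./pr/HEAD_REF
      # … unchanged: upload-artifact step …
```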
--- /dev/null +++ b/.github/workflows/close_pr_workflow_run.yml @@ -0,0 +1,66 @@ +name: Post Close PR Workflow Run +run-name: "Post ${{ github.event.workflow_run.display_title }}" +# This workflow is to be triggerred after Close PR workflow is completed to get access to secrets for fork repo PRs securely. + +# we always expect a single PR to trigger this workflow_run - take care of event filtering below to match a single workflow +on: + workflow_run: + workflows: ["Close PR"] + types: + - completed + +permissions: + contents: write + pull-requests: write + actions: read + +jobs: + close_pr: + name: Close PAN.DEV preview PR + runs-on: ubuntu-latest + if: > + github.event.workflow_run.event == 'pull_request' && + github.event.workflow_run.conclusion == 'success' + + steps: + - name: download PR artifact + uses: actions/download-artifact@v4 + with: + name: pr + path: pr + github-token: ${{ secrets.GITHUB_TOKEN }} + run-id: ${{ github.event.workflow_run.id }} + + - name: read PR details from artifact + id: read + working-directory: pr + run: | + ls -R ./ + echo "pr_number=$(cat NR)" >> "$GITHUB_OUTPUT" + echo "pr_head_ref=$(cat HEAD_REF)" >> "$GITHUB_OUTPUT" + + - uses: actions/github-script@v6 + with: + result-encoding: string + github-token: ${{ secrets.CLSC_PAT }} + script: | + let prs = await github.rest.pulls.list({ + owner: "PaloAltoNetworks", + repo: "pan.dev", + state: "open", + }) + + let prs_list = prs.data + + for (let pr of prs_list){ + if (pr.head.label == "PaloAltoNetworks:pua_prev_${{ steps.read.outputs.pr_head_ref }}"){ + await github.rest.pulls.update({ + owner: "PaloAltoNetworks", + repo: "pan.dev", + pull_number: pr.number, + state: "closed", + }) + console.log("Closing related PAN.DEV PR: #" + pr.number + " - " + pr.title + " -> " + pr.url) + break + } + } diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 26ae04e..31f8f04 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml 
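Review bot: The `read PR details from artifact` step takes `NR` and `HEAD_REF` at face value, yet the artifact was written by the `pull_request` run of a fork, whose author controls both the branch name and the workflow file that produced it; the head ref is then spliced by `${{ steps.read.outputs.pr_head_ref }}` into the JavaScript of the `github-script` step, which runs with `secrets.CLSC_PAT`. Validate both values before exporting them and fail the job otherwise: the number must be all digits and the ref must match a strict character allowlist, and where the event can confirm them compare the ref with `github.event.workflow_run.head_branch`. Hand the validated values to the script through `env:` and `process.env` rather than expression interpolation, so the script source itself never changes. `pr_workflow_run.yml` reads the same artifact in its `pr_status` job and feeds the values to `issue-number`, `branch:` and `title:` inputs, so it needs the same checks.

```yaml
      - name: read PR details from artifact
        id: read
        working-directory: pr
        run: |
          pr_number="$(tr -d '[:space:]' < NR)"
          pr_head_ref="$(tr -d '[:space:]' < HEAD_REF)"
          # the artifact comes from an untrusted pull_request run: accept only well-formed values
          [[ "$pr_number" =~ ^[0-9]+$ ]] || { echo "artifact NR is not a PR number" >&2; exit 1; }
          [[ "$pr_head_ref" =~ ^[A-Za-z0-9._/-]+$ ]] || { echo "artifact HEAD_REF is not a plain branch name" >&2; exit 1; }
          echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
          echo "pr_head_ref=$pr_head_ref" >> "$GITHUB_OUTPUT"
      # … unchanged: github-script step …
```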
@@ -31,8 +31,7 @@ jobs: name: Unit Tests needs: pyversion permissions: - contents: read - pull-requests: write + contents: write uses: ./.github/workflows/sub_unittest.yml with: python_version: ${{ needs.pyversion.outputs.pyversion }} @@ -47,10 +46,10 @@ jobs: docker_image_test_build: name: Build Docker image needs: pyversion + uses: ./.github/workflows/_docker.yml permissions: contents: read - packages: write - uses: ./.github/workflows/_docker.yml + packages: read # since publish is false, read access is ok with: publish: false python_version: ${{ needs.pyversion.outputs.pyversion }} 
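Review bot: The `unit_tests` job now requests `contents: write` on a `pull_request` workflow, although its visible work is checking out, testing and uploading an artifact; the grant mirrors the new `permissions` block in `sub_unittest.yml`, whose comment justifies it by pushing coverage data to a branch, which presumably happens on default-branch runs rather than on PR runs. For fork PRs the token is read-only regardless, but for same-repository PRs this gives the test job push rights it does not appear to use. Confirm what the coverage action needs on PR-triggered runs and, if `contents: read` suffices there, keep the caller at `contents: read` and narrow `sub_unittest.yml` to match, since a reusable workflow's declared permissions must fit within the caller's grant. The `unit_tests` job continues past the hunk.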
@@ -70,70 +69,21 @@ jobs: working-directory: docs run: tar --exclude .DS_Store --exclude sidebars.js -cvf documentation.tar * - name: upload the documentation artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: documentation path: docs/documentation.tar - pandev_pr: - name: Create a preview PR for pan.dev - needs: store_documentation + store_pr_details: + name: Upload PR details to artifact runs-on: ubuntu-latest - permissions: - contents: write - pull-requests: write steps: - - name: checkout pan.dev - uses: actions/checkout@v4 - with: - repository: PaloAltoNetworks/pan.dev - token: ${{ secrets.CLSC_PAT }} - - - name: download documentation artifact - uses: actions/download-artifact@v3 - with: - name: documentation - path: products/panos/docs - - - name: unpack the documentation - working-directory: products/panos/docs + - name: save PR details run: | - rm -rf 'panos-upgrade-assurance' - tar xvf documentation.tar - rm -f documentation.tar - - - name: create a PR to upstream pan.dev - id: pr - uses: peter-evans/create-pull-request@v5 - with: - token: ${{ secrets.CLSC_PAT }} - delete-branch: true - branch: "pua_prev_${{ github.event.pull_request.head.ref }}" - title: "[PAN-OS Upgrade Assurance][${{ github.event.pull_request.head.ref }}] documentation PREVIEW - do NOT MERGE" - commit-message: "docs: PanOS Upgrade Assurance documentation update" - labels: netsec, DO NOT MERGE - body: | - # Description - - DO NOT MERGE - preview PR made for changes on branch: ${{ github.event.pull_request.head.ref }}. 
- - # Types of changes - - New feature (non-breaking change which adds functionality) - - - name: find if we have a comment - uses: peter-evans/find-comment@v2 - id: find - with: - issue-number: ${{ github.event.pull_request.number }} - body-includes: A Preview PR in PanDev repo has been created - repository: ${{ github.repository }} - - - name: comment back on the original PR - if: steps.find.outputs.comment-id == '' && steps.pr.outputs.pull-request-url != '' - uses: peter-evans/create-or-update-comment@v3 + mkdir -p ./pr + echo ${{ github.event.number }} > ./pr/NR + echo ${{ github.event.pull_request.head.ref }} > ./pr/HEAD_REF + - uses: actions/upload-artifact@v4 with: - issue-number: ${{ github.event.pull_request.number }} - repository: ${{ github.repository }} - body: | - A Preview PR in PanDev repo has been created. You can view it [here](${{ steps.pr.outputs.pull-request-url }}). + name: pr + path: pr/ diff --git a/.github/workflows/pr_workflow_run.yml b/.github/workflows/pr_workflow_run.yml new file mode 100644 index 0000000..82aa484 --- /dev/null +++ b/.github/workflows/pr_workflow_run.yml 
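Review bot: The `store_pr_details` job added here is line-for-line the job added to `close_pr.yml`, including the `run` script that expands the head ref, and two copies mean any hardening applied to one is easily missed in the other. Consider moving the step into a composite action under `.github/actions/` (or a reusable workflow alongside `_docker.yml`) so both workflows call one implementation. The `store_documentation` job whose tail opens this hunk starts before it.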
@@ -0,0 +1,120 @@ +name: Post PR Workflow Run +run-name: "Post ${{ github.event.workflow_run.display_title }}" +# This workflow is to be triggerred after PR workflow is completed to have "write" access to the PR from fork repos securely. + +# we always expect a single PR to trigger this workflow_run - take care of event filtering below to match a single workflow +on: + workflow_run: + workflows: ["PR"] + types: + - completed + +permissions: + contents: write + pull-requests: write + # Gives the python-coverage-comment-action the necessary "actions" permissions for looking up the workflow that launched this + # workflow, and download the related artifact that contains the comment to be published + actions: read + +jobs: + + pr_status: + name: Get PR details from artifacts + runs-on: ubuntu-latest + if: > + github.event.workflow_run.event == 'pull_request' && + github.event.workflow_run.conclusion == 'success' + + outputs: + pr_number: ${{ steps.read.outputs.pr_number }} + pr_head_ref: ${{ steps.read.outputs.pr_head_ref }} + + steps: + - name: download PR artifact + uses: actions/download-artifact@v4 + with: + name: pr + path: pr + github-token: ${{ secrets.GITHUB_TOKEN }} + run-id: ${{ github.event.workflow_run.id }} + + - name: read PR details from artifact + id: read + working-directory: pr + run: | + ls -R ./ + echo "pr_number=$(cat NR)" >> "$GITHUB_OUTPUT" + echo "pr_head_ref=$(cat HEAD_REF)" >> "$GITHUB_OUTPUT" + + update_coverage: + name: Update coverage report on PR + needs: pr_status + runs-on: ubuntu-latest + steps: + - name: post coverage comment + uses: py-cov-action/python-coverage-comment-action@v3 + with: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_PR_RUN_ID: ${{ github.event.workflow_run.id }} + + pandev_pr: + name: Create a preview PR for pan.dev + needs: pr_status + runs-on: ubuntu-latest + steps: + - name: checkout pan.dev + uses: actions/checkout@v4 + with: + repository: PaloAltoNetworks/pan.dev + token: ${{ secrets.CLSC_PAT }} + + - 
name: download documentation artifact + uses: actions/download-artifact@v4 + with: + name: documentation + path: products/panos/docs + github-token: ${{ secrets.GITHUB_TOKEN }} + run-id: ${{ github.event.workflow_run.id }} + + - name: unpack the documentation + working-directory: products/panos/docs + run: | + rm -rf 'panos-upgrade-assurance' + tar xvf documentation.tar + rm -f documentation.tar + + - name: create a PR to upstream pan.dev + id: pr + uses: peter-evans/create-pull-request@v5 + with: + token: ${{ secrets.CLSC_PAT }} + delete-branch: true + branch: "pua_prev_${{ needs.pr_status.outputs.pr_head_ref }}" + title: "[PAN-OS Upgrade Assurance][${{ needs.pr_status.outputs.pr_head_ref }}] documentation PREVIEW - do NOT MERGE" + commit-message: "docs: PanOS Upgrade Assurance documentation update" + labels: netsec, DO NOT MERGE + body: | + # Description + + DO NOT MERGE - preview PR made for changes on branch: ${{ needs.pr_status.outputs.pr_head_ref }}. + + # Types of changes + + New feature (non-breaking change which adds functionality) + + - name: find if we have a comment + uses: peter-evans/find-comment@v2 + id: find + with: + issue-number: ${{ needs.pr_status.outputs.pr_number }} + body-includes: A Preview PR in PanDev repo has been created + repository: ${{ github.repository }} + + - name: comment back on the original PR + if: steps.find.outputs.comment-id == '' && steps.pr.outputs.pull-request-url != '' + uses: peter-evans/create-or-update-comment@v3 + with: + issue-number: ${{ needs.pr_status.outputs.pr_number }} + repository: ${{ github.repository }} + body: | + A Preview PR in PanDev repo has been created. You can view it [here](${{ steps.pr.outputs.pull-request-url }}). diff --git a/.github/workflows/sub_unittest.yml b/.github/workflows/sub_unittest.yml index 8f2b327..599a615 100644 --- a/.github/workflows/sub_unittest.yml +++ b/.github/workflows/sub_unittest.yml 
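Review bot: The workflow-level `permissions` block grants `contents: write` and `pull-requests: write` to every job, including `pr_status`, which only downloads an artifact and needs `actions: read`, and `pandev_pr`, which acts on the other repository through `secrets.CLSC_PAT` and uses the default token only to download artifacts and comment on the PR. Because this workflow runs on `workflow_run` with full write tokens after consuming artifact data from a fork, keeping each job's grant to what it uses limits what a weak check elsewhere can reach. Move the block to job level: `pr_status` with `actions: read`; `update_coverage` with `contents: write`, `pull-requests: write` and `actions: read`, where the existing comment about the coverage action belongs; `pandev_pr` with `actions: read` and `pull-requests: write`.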
@@ -12,12 +12,20 @@ on: type: string required: true + +permissions: + # Gives the action the necessary permissions for pushing data to the + # python-coverage-comment-action branch, and for editing existing + # comments (to avoid publishing multiple comments in the same PR) + contents: write + jobs: unittests: name: Verify unit tests are successful runs-on: ubuntu-latest steps: + - name: Checkout code uses: actions/checkout@v4 @@ -37,13 +45,19 @@ jobs: - name: Run unit tests and coverage run: poetry run make test_coverage - # requires pull-requests: write permissions when triggered from PRs - - name: Get coverage - uses: orgoro/coverage@v3.1 + # coverage results comment is uploaded to artifact to be written by post PR workflow run + - name: Coverage comment + id: coverage_comment + uses: py-cov-action/python-coverage-comment-action@v3 with: - coverageFile: coverage.xml - token: ${{ secrets.GITHUB_TOKEN }} - thresholdAll: 0.95 - thresholdNew: 0.90 - thresholdModified: 0.95 + GITHUB_TOKEN: ${{ github.token }} if: ${{ github.event_name == 'pull_request' }} + + - name: Store Pull Request comment to be posted + uses: actions/upload-artifact@v4 + if: | + ${{ github.event_name == 'pull_request' && + steps.coverage_comment.outputs.COMMENT_FILE_WRITTEN == 'true' }} + with: + name: python-coverage-comment-action + path: python-coverage-comment-action.txt diff --git a/pyproject.toml b/pyproject.toml index aee7698..6cd5724 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -51,4 +51,8 @@ line-length = 130 [tool.flake8] select = ["C","E","F","W","B","D","B950"] -ignore = ["E203","E501","W503","D203","D102","D103","D107","D400","E501"] \ No newline at end of file +ignore = ["E203","E501","W503","D203","D102","D103","D107","D400","E501"] + +[tool.coverage.run] +source = [ "panos_upgrade_assurance" ] +relative_files = true \ No newline at end of file
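Review bot: The `if:` on the new `Store Pull Request comment to be posted` step wraps the condition in `${{ }}` inside a `|` block scalar, which yields a string ending in a newline; GitHub treats only a bare `if` value as an expression, so with the wrapper plus surrounding text the step may run unconditionally — confirm on a push-triggered run. Write it as a single plain expression, `if: github.event_name == 'pull_request' && steps.coverage_comment.outputs.COMMENT_FILE_WRITTEN == 'true'`. The `unittests` job starts before this hunk.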