PaloAltoNetworks · alperenkose · Feb 16, 2024 · Feb 12, 2024 · Feb 12, 2024 · Feb 12, 2024
@@ -24,9 +24,10 @@ jobs:
   build:
     name: Build ${{ inputs.publish && 'and publish' || '' }} a Docker image
     runs-on: ubuntu-latest
-    permissions:
-      packages: write
-      contents: read
+    # packages write should be needed for publish only - set permissions accordingly from calling workflow
+    # permissions:
+    #   packages: write
+    #   contents: read
     steps:
       - name: checkout code
         uses: actions/checkout@v4

@@ -14,35 +14,16 @@ on:
     types: ['closed']
 
 jobs:
-  close:
-    name: Close PAN.DEV preview PR
+  store_pr_details:
+    name: Upload PR details to artifact for closing
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
     steps:
-      - uses: actions/github-script@v6
+      - name: save PR details
+        run: |
+          mkdir -p ./pr
+          echo ${{ github.event.number }} > ./pr/NR
+          echo ${{ github.event.pull_request.head.ref }} > ./pr/HEAD_REF
+      - uses: actions/upload-artifact@v4
         with:
-          result-encoding: string
-          github-token: ${{ secrets.CLSC_PAT }}
-          script: |
-            let prs = await github.rest.pulls.list({
-              owner: "PaloAltoNetworks",
-              repo: "pan.dev",
-              state: "open",
-            })
-
-            let prs_list = prs.data
-
-            for (let pr of prs_list){
-              if (pr.head.label == "PaloAltoNetworks:pua_prev_${{ github.event.pull_request.head.ref }}"){
-                await github.rest.pulls.update({
-                  owner: "PaloAltoNetworks",
-                  repo: "pan.dev",
-                  pull_number: pr.number,
-                  state: "closed",
-                })
-                console.log("Closing related PAN.DEV PR: #" + pr.number + " - " + pr.title + " -> " + pr.url)
-                break
-              }
-            }
+          name: pr
+          path: pr/
@@ -0,0 +1,66 @@
+name: Post Close PR Workflow Run
+run-name: "Post ${{ github.event.workflow_run.display_title }}"
+# This workflow is to be triggerred after Close PR workflow is completed to get access to secrets for fork repo PRs securely.
+
+# we always expect a single PR to trigger this workflow_run - take care of event filtering below to match a single workflow
+on:
+  workflow_run:
+    workflows: ["Close PR"]
+    types:
+      - completed
+
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+
+jobs:
+  close_pr:
+    name: Close PAN.DEV preview PR
+    runs-on: ubuntu-latest
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success'
+
+    steps:
+      - name: download PR artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: pr
+          path: pr
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: read PR details from artifact
+        id: read
+        working-directory: pr
+        run: |
+          ls -R ./
+          echo "pr_number=$(cat NR)" >> "$GITHUB_OUTPUT"
+          echo "pr_head_ref=$(cat HEAD_REF)" >> "$GITHUB_OUTPUT"
+
+      - uses: actions/github-script@v6
+        with:
+          result-encoding: string
+          github-token: ${{ secrets.CLSC_PAT }}
+          script: |
+            let prs = await github.rest.pulls.list({
+              owner: "PaloAltoNetworks",
+              repo: "pan.dev",
+              state: "open",
+            })
+
+            let prs_list = prs.data
+
+            for (let pr of prs_list){
+              if (pr.head.label == "PaloAltoNetworks:pua_prev_${{ steps.read.outputs.pr_head_ref }}"){
+                await github.rest.pulls.update({
+                  owner: "PaloAltoNetworks",
+                  repo: "pan.dev",
+                  pull_number: pr.number,
+                  state: "closed",
+                })
+                console.log("Closing related PAN.DEV PR: #" + pr.number + " - " + pr.title + " -> " + pr.url)
+                break
+              }
+            }
@@ -31,8 +31,7 @@ jobs:
     name: Unit Tests
     needs: pyversion
     permissions:
-      contents: read
-      pull-requests: write
+      contents: write
     uses: ./.github/workflows/sub_unittest.yml
     with:
       python_version: ${{ needs.pyversion.outputs.pyversion }}
@@ -47,10 +46,10 @@ jobs:
   docker_image_test_build:
     name: Build Docker image
     needs: pyversion
+    uses: ./.github/workflows/_docker.yml
     permissions:
       contents: read
-      packages: write
-    uses: ./.github/workflows/_docker.yml
+      packages: read            # since publish is false, read access is ok
     with:
       publish: false
       python_version: ${{ needs.pyversion.outputs.pyversion }}
@@ -70,70 +69,21 @@ jobs:
         working-directory: docs
         run: tar --exclude .DS_Store --exclude sidebars.js -cvf documentation.tar *
       - name: upload the documentation artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: documentation
           path: docs/documentation.tar
 
-  pandev_pr:
-    name: Create a preview PR for pan.dev
-    needs: store_documentation
+  store_pr_details:
+    name: Upload PR details to artifact
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
     steps:
-      - name: checkout pan.dev
-        uses: actions/checkout@v4
-        with:
-          repository: PaloAltoNetworks/pan.dev
-          token: ${{ secrets.CLSC_PAT }}
-
-      - name: download documentation artifact
-        uses: actions/download-artifact@v3
-        with:
-          name: documentation
-          path: products/panos/docs
-
-      - name: unpack the documentation
-        working-directory: products/panos/docs
+      - name: save PR details
         run: |
-          rm -rf 'panos-upgrade-assurance'
-          tar xvf documentation.tar
-          rm -f documentation.tar
-
-      - name: create a PR to upstream pan.dev
-        id: pr
-        uses: peter-evans/create-pull-request@v5
-        with:
-          token: ${{ secrets.CLSC_PAT }}
-          delete-branch: true
-          branch: "pua_prev_${{ github.event.pull_request.head.ref }}"
-          title: "[PAN-OS Upgrade Assurance][${{ github.event.pull_request.head.ref }}] documentation PREVIEW - do NOT MERGE"
-          commit-message: "docs: PanOS Upgrade Assurance documentation update"
-          labels: netsec, DO NOT MERGE
-          body: |
-            # Description
-
-            DO NOT MERGE - preview PR made for changes on branch: ${{ github.event.pull_request.head.ref }}.
-
-            # Types of changes
-
-            New feature (non-breaking change which adds functionality)
-
-      - name: find if we have a comment
-        uses: peter-evans/find-comment@v2
-        id: find
-        with:
-          issue-number: ${{ github.event.pull_request.number }}
-          body-includes: A Preview PR in PanDev repo has been created
-          repository: ${{ github.repository }}
-
-      - name: comment back on the original PR
-        if: steps.find.outputs.comment-id == '' &&  steps.pr.outputs.pull-request-url != ''
-        uses: peter-evans/create-or-update-comment@v3
+          mkdir -p ./pr
+          echo ${{ github.event.number }} > ./pr/NR
+          echo ${{ github.event.pull_request.head.ref }} > ./pr/HEAD_REF
+      - uses: actions/upload-artifact@v4
         with:
-          issue-number: ${{ github.event.pull_request.number }}
-          repository: ${{ github.repository }}
-          body: |
-            A Preview PR in PanDev repo has been created. You can view it [here](${{ steps.pr.outputs.pull-request-url }}).
+          name: pr
+          path: pr/
@@ -0,0 +1,120 @@
+name: Post PR Workflow Run
+run-name: "Post ${{ github.event.workflow_run.display_title }}"
+# This workflow is to be triggerred after PR workflow is completed to have "write" access to the PR from fork repos securely.
+
+# we always expect a single PR to trigger this workflow_run - take care of event filtering below to match a single workflow
+on:
+  workflow_run:
+    workflows: ["PR"]
+    types:
+      - completed
+
+permissions:
+  contents: write
+  pull-requests: write
+  # Gives the python-coverage-comment-action the necessary "actions" permissions for looking up the workflow that launched this
+  # workflow, and download the related artifact that contains the comment to be published
+  actions: read
+
+jobs:
+
+  pr_status:
+    name: Get PR details from artifacts
+    runs-on: ubuntu-latest
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success'
+
+    outputs:
+      pr_number: ${{ steps.read.outputs.pr_number }}
+      pr_head_ref: ${{ steps.read.outputs.pr_head_ref }}
+
+    steps:
+      - name: download PR artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: pr
+          path: pr
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: read PR details from artifact
+        id: read
+        working-directory: pr
+        run: |
+          ls -R ./
+          echo "pr_number=$(cat NR)" >> "$GITHUB_OUTPUT"
+          echo "pr_head_ref=$(cat HEAD_REF)" >> "$GITHUB_OUTPUT"
+
+  update_coverage:
+    name: Update coverage report on PR
+    needs: pr_status
+    runs-on: ubuntu-latest
+    steps:
+      - name: post coverage comment
+        uses: py-cov-action/python-coverage-comment-action@v3
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_PR_RUN_ID: ${{ github.event.workflow_run.id }}
+
+  pandev_pr:
+    name: Create a preview PR for pan.dev
+    needs: pr_status
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout pan.dev
+        uses: actions/checkout@v4
+        with:
+          repository: PaloAltoNetworks/pan.dev
+          token: ${{ secrets.CLSC_PAT }}
+
+      - name: download documentation artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: documentation
+          path: products/panos/docs
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: unpack the documentation
+        working-directory: products/panos/docs
+        run: |
+          rm -rf 'panos-upgrade-assurance'
+          tar xvf documentation.tar
+          rm -f documentation.tar
+
+      - name: create a PR to upstream pan.dev
+        id: pr
+        uses: peter-evans/create-pull-request@v5
+        with:
+          token: ${{ secrets.CLSC_PAT }}
+          delete-branch: true
+          branch: "pua_prev_${{ needs.pr_status.outputs.pr_head_ref }}"
+          title: "[PAN-OS Upgrade Assurance][${{ needs.pr_status.outputs.pr_head_ref }}] documentation PREVIEW - do NOT MERGE"
+          commit-message: "docs: PanOS Upgrade Assurance documentation update"
+          labels: netsec, DO NOT MERGE
+          body: |
+            # Description
+
+            DO NOT MERGE - preview PR made for changes on branch: ${{ needs.pr_status.outputs.pr_head_ref }}.
+
+            # Types of changes
+
+            New feature (non-breaking change which adds functionality)
+
+      - name: find if we have a comment
+        uses: peter-evans/find-comment@v2
+        id: find
+        with:
+          issue-number: ${{ needs.pr_status.outputs.pr_number }}
+          body-includes: A Preview PR in PanDev repo has been created
+          repository: ${{ github.repository }}
+
+      - name: comment back on the original PR
+        if: steps.find.outputs.comment-id == '' &&  steps.pr.outputs.pull-request-url != ''
+        uses: peter-evans/create-or-update-comment@v3
+        with:
+          issue-number: ${{ needs.pr_status.outputs.pr_number }}
+          repository: ${{ github.repository }}
+          body: |
+            A Preview PR in PanDev repo has been created. You can view it [here](${{ steps.pr.outputs.pull-request-url }}).