Merge pull request #4 from camptocamp/fix-publish

Fix first run (dry run)
camptocamp · Nov 7, 2024 · c10f296 · c10f296
2 parents ce3501b + c60fbd8
commit c10f296
Show file tree

Hide file tree

Showing 12 changed files with 358 additions and 168 deletions.
diff --git a/.github/dpkg-versions.yaml b/.github/dpkg-versions.yaml
@@ -1 +1,90 @@
-{}
+camptocamp/tag-publish:latest:
+  ubuntu_24_04/apt: 2.7.14build2
+  ubuntu_24_04/base-passwd: 3.6.3build1
+  ubuntu_24_04/bash: 5.2.21-2ubuntu4
+  ubuntu_24_04/bsdutils: 1:2.39.3-9ubuntu6.1
+  ubuntu_24_04/coreutils: 9.4-3ubuntu6
+  ubuntu_24_04/dash: 0.5.12-6ubuntu5
+  ubuntu_24_04/debconf: 1.5.86ubuntu1
+  ubuntu_24_04/debianutils: 5.17build1
+  ubuntu_24_04/diffutils: 1:3.10-1build1
+  ubuntu_24_04/dpkg: 1.22.6ubuntu6.1
+  ubuntu_24_04/e2fsprogs: 1.47.0-2.4~exp1ubuntu4.1
+  ubuntu_24_04/findutils: 4.9.0-5build1
+  ubuntu_24_04/gcc-14-base: 14-20240412-0ubuntu1
+  ubuntu_24_04/gpgv: 2.4.4-2ubuntu17
+  ubuntu_24_04/grep: 3.11-4build1
+  ubuntu_24_04/gzip: 1.12-1ubuntu3
+  ubuntu_24_04/hostname: 3.23+nmu2ubuntu2
+  ubuntu_24_04/init-system-helpers: 1.66ubuntu1
+  ubuntu_24_04/libacl1: 2.3.2-1build1
+  ubuntu_24_04/libapt-pkg6.0t64: 2.7.14build2
+  ubuntu_24_04/libassuan0: 2.5.6-1build1
+  ubuntu_24_04/libattr1: 1:2.5.2-1build1
+  ubuntu_24_04/libaudit-common: 1:3.1.2-2.1build1
+  ubuntu_24_04/libaudit1: 1:3.1.2-2.1build1
+  ubuntu_24_04/libblkid1: 2.39.3-9ubuntu6.1
+  ubuntu_24_04/libbz2-1.0: 1.0.8-5.1build0.1
+  ubuntu_24_04/libc-bin: 2.39-0ubuntu8.3
+  ubuntu_24_04/libc6: 2.39-0ubuntu8.3
+  ubuntu_24_04/libcap-ng0: 0.8.4-2build2
+  ubuntu_24_04/libcap2: 1:2.66-5ubuntu2
+  ubuntu_24_04/libcom-err2: 1.47.0-2.4~exp1ubuntu4.1
+  ubuntu_24_04/libcrypt1: 1:4.4.36-4build1
+  ubuntu_24_04/libdb5.3t64: 5.3.28+dfsg2-7
+  ubuntu_24_04/libdebconfclient0: 0.271ubuntu3
+  ubuntu_24_04/libext2fs2t64: 1.47.0-2.4~exp1ubuntu4.1
+  ubuntu_24_04/libffi8: 3.4.6-1build1
+  ubuntu_24_04/libgcc-s1: 14-20240412-0ubuntu1
+  ubuntu_24_04/libgcrypt20: 1.10.3-2build1
+  ubuntu_24_04/libgmp10: 2:6.3.0+dfsg-2ubuntu6
+  ubuntu_24_04/libgnutls30t64: 3.8.3-1.1ubuntu3.2
+  ubuntu_24_04/libgpg-error0: 1.47-3build2
+  ubuntu_24_04/libhogweed6t64: 3.9.1-2.2build1.1
+  ubuntu_24_04/libidn2-0: 2.3.7-2build1
+  ubuntu_24_04/liblz4-1: 1.9.4-1build1.1
+  ubuntu_24_04/liblzma5: 5.6.1+really5.4.5-1build0.1
+  ubuntu_24_04/libmd0: 1.1.0-2build1
+  ubuntu_24_04/libmount1: 2.39.3-9ubuntu6.1
+  ubuntu_24_04/libncursesw6: 6.4+20240113-1ubuntu2
+  ubuntu_24_04/libnettle8t64: 3.9.1-2.2build1.1
+  ubuntu_24_04/libnpth0t64: 1.6-3.1build1
+  ubuntu_24_04/libp11-kit0: 0.25.3-4ubuntu2.1
+  ubuntu_24_04/libpam-modules: 1.5.3-5ubuntu5.1
+  ubuntu_24_04/libpam-modules-bin: 1.5.3-5ubuntu5.1
+  ubuntu_24_04/libpam-runtime: 1.5.3-5ubuntu5.1
+  ubuntu_24_04/libpam0g: 1.5.3-5ubuntu5.1
+  ubuntu_24_04/libpcre2-8-0: 10.42-4ubuntu2
+  ubuntu_24_04/libproc2-0: 2:4.0.4-4ubuntu3.2
+  ubuntu_24_04/libseccomp2: 2.5.5-1ubuntu3.1
+  ubuntu_24_04/libselinux1: 3.5-2ubuntu2
+  ubuntu_24_04/libsemanage-common: 3.5-1build5
+  ubuntu_24_04/libsemanage2: 3.5-1build5
+  ubuntu_24_04/libsepol2: 3.5-2build1
+  ubuntu_24_04/libsmartcols1: 2.39.3-9ubuntu6.1
+  ubuntu_24_04/libss2: 1.47.0-2.4~exp1ubuntu4.1
+  ubuntu_24_04/libssl3t64: 3.0.13-0ubuntu3.4
+  ubuntu_24_04/libstdc++6: 14-20240412-0ubuntu1
+  ubuntu_24_04/libsystemd0: 255.4-1ubuntu8.4
+  ubuntu_24_04/libtasn1-6: 4.19.0-3build1
+  ubuntu_24_04/libtinfo6: 6.4+20240113-1ubuntu2
+  ubuntu_24_04/libudev1: 255.4-1ubuntu8.4
+  ubuntu_24_04/libunistring5: 1.1-2build1
+  ubuntu_24_04/libuuid1: 2.39.3-9ubuntu6.1
+  ubuntu_24_04/libxxhash0: 0.8.2-2build1
+  ubuntu_24_04/libzstd1: 1.5.5+dfsg2-2build1.1
+  ubuntu_24_04/login: 1:4.13+dfsg1-4ubuntu3.2
+  ubuntu_24_04/logsave: 1.47.0-2.4~exp1ubuntu4.1
+  ubuntu_24_04/mawk: 1.3.4.20240123-1build1
+  ubuntu_24_04/mount: 2.39.3-9ubuntu6.1
+  ubuntu_24_04/ncurses-base: 6.4+20240113-1ubuntu2
+  ubuntu_24_04/ncurses-bin: 6.4+20240113-1ubuntu2
+  ubuntu_24_04/passwd: 1:4.13+dfsg1-4ubuntu3.2
+  ubuntu_24_04/perl-base: 5.38.2-3.2build2
+  ubuntu_24_04/procps: 2:4.0.4-4ubuntu3.2
+  ubuntu_24_04/sed: 4.9-2build1
+  ubuntu_24_04/sensible-utils: 0.0.22
+  ubuntu_24_04/sysvinit-utils: 3.08-6ubuntu3
+  ubuntu_24_04/tar: 1.35+dfsg-3build1
+  ubuntu_24_04/ubuntu-keyring: 2023.11.28.1
+  ubuntu_24_04/util-linux: 2.39.3-9ubuntu6.1
diff --git a/.github/publish.yaml b/.github/publish.yaml
@@ -5,7 +5,15 @@ pypi:
     - version_tag
     - version_branch
   packages:
-    - path: .
+    - {}
 docker:
+  auto_login: true
   images:
     - name: camptocamp/tag-publish
+  repository:
+    github:
+      server: ghcr.io
+      versions:
+        - version_tag
+        - version_branch
+        - rebuild
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -11,6 +11,7 @@ on:
 
 permissions:
   packages: write
+  id-token: write
 
 env:
   HAS_SECRETS: ${{ secrets.HAS_SECRETS }}

diff --git a/.github/workflows/repository-dispatch.yaml b/.github/workflows/repository-dispatch.yaml
@@ -10,8 +10,8 @@ on:
         required: true
       name:
         description: The package name
-      path:
-        description: The package path
+      folder:
+        description: The package folder
       version:
         description: The package version
       tag:
@@ -33,7 +33,7 @@ jobs:
         run: |
           echo "Event type: ${{ github.event.client_payload.type }}"
           echo "Package name: ${{ github.event.client_payload.name }}"
-          echo "Package path: ${{ github.event.client_payload.path }}"
+          echo "Package folder: ${{ github.event.client_payload.folder }}"
           echo "Package version: ${{ github.event.client_payload.version }}"
           echo "Package tag: ${{ github.event.client_payload.tag }}"
           echo "Repository: ${{ github.event.client_payload.repository }}"

diff --git a/config.md b/config.md
@@ -30,6 +30,7 @@ _Tag Publish configuration file_
       - **`server`** _(string)_: The server URL.
       - **`versions`** _(array)_: The kind or version that should be published, tag, branch or value of the --version argument of the tag-publish script. Default: `["version_tag", "version_branch", "rebuild", "feature_branch"]`.
         - **Items** _(string)_
+  - **`auto_login`** _(boolean)_: Auto login to the GitHub Docker registry. Default: `false`.
   - **`snyk`** _(object)_: Checks the published images with Snyk.
     - **`monitor_args`**: The arguments to pass to the Snyk container monitor command. Default: `["--app-vulns"]`.
       - **One of**
@@ -45,19 +46,16 @@ _Tag Publish configuration file_
   - **`packages`** _(array)_: The configuration of packages that will be published.
     - **Items** _(object)_: The configuration of package that will be published.
       - **`group`** _(string)_: The image is in the group, should be used with the --group option of tag-publish script. Default: `"default"`.
-      - **`path`** _(string)_: The path of the pypi package. Default: `"."`.
+      - **`folder`** _(string)_: The folder of the pypi package. Default: `"."`.
       - **`build_command`** _(array)_: The command used to do the build.
         - **Items** _(string)_
   - **`versions`** _(array)_: The kind or version that should be published, tag, branch or value of the --version argument of the tag-publish script. Default: `["version_tag"]`.
     - **Items** _(string)_
-- <a id="definitions/helm"></a>**`helm`**: Configuration to publish Helm charts on GitHub release.
-  - **One of**
-    - _object_: Configuration to publish on Helm charts on GitHub release.
-      - **`folders`** _(array)_: The folders that will be published.
-        - **Items** _(string)_
-      - **`versions`** _(array)_: The kind or version that should be published, tag, branch or value of the --version argument of the tag-publish script. Default: `["version_tag"]`.
-        - **Items** _(string)_
-    - : Must be: `false`.
+- <a id="definitions/helm"></a>**`helm`** _(object)_: Configuration to publish Helm charts on GitHub release.
+  - **`folders`** _(array)_: The folders that will be published.
+    - **Items** _(string)_
+  - **`versions`** _(array)_: The kind or version that should be published, tag, branch or value of the --version argument of the tag-publish script. Default: `["version_tag"]`.
+    - **Items** _(string)_
 - <a id="definitions/version_transform"></a>**`version_transform`** _(array)_: A version transformer definition.
   - **Items** _(object)_
     - **`from`** _(string)_: The from regular expression.

diff --git a/tag_publish/__init__.py b/tag_publish/__init__.py
@@ -8,6 +8,7 @@
 from re import Match, Pattern
 from typing import Any, Optional, TypedDict, cast
 
+import application_download.cli
 import github
 import requests
 import ruamel.yaml
@@ -32,10 +33,25 @@ class GH:
 
     def __init__(self) -> None:
         """Initialize the GitHub helper class."""
-        token = os.environ["GITHUB_TOKEN"]
+        token = (
+            os.environ["GITHUB_TOKEN"]
+            if "GITHUB_TOKEN" in os.environ
+            else subprocess.run(
+                ["gh", "auth", "token"], check=True, stdout=subprocess.PIPE, encoding="utf-8"
+            ).stdout.strip()
+        )
         self.auth = github.Auth.Token(token)
         self.github = github.Github(auth=self.auth)
-        self.repo = self.github.get_repo(os.environ["GITHUB_REPOSITORY"])
+        self.repo = self.github.get_repo(
+            os.environ["GITHUB_REPOSITORY"]
+            if "GITHUB_REPOSITORY" in os.environ
+            else subprocess.run(
+                ["gh", "repo", "view", "--json", "name,owner", "--jq", '(.owner.login + "/" + .name)'],
+                check=True,
+                stdout=subprocess.PIPE,
+                encoding="utf-8",
+            ).stdout.strip()
+        )
         self.default_branch = self.repo.default_branch
 
 
@@ -77,8 +93,8 @@ def get_config(gh: GH) -> tag_publish.configuration.Configuration:
     Get the configuration, with project and auto detections.
     """
     config: tag_publish.configuration.Configuration = {}
-    if os.path.exists("ci/config.yaml"):
-        with open("ci/config.yaml", encoding="utf-8") as open_file:
+    if os.path.exists(".github/publish.yaml"):
+        with open(".github/publish.yaml", encoding="utf-8") as open_file:
             yaml_ = ruamel.yaml.YAML()
             config = yaml_.load(open_file)
 
@@ -224,6 +240,17 @@ def snyk_exec() -> tuple[str, dict[str, str]]:
     env = {**os.environ}
     env["FORCE_COLOR"] = "true"
     snyk_bin = os.path.expanduser(os.path.join("~", ".local", "bin", "snyk"))
+
+    if not os.path.exists(snyk_bin):
+        folder = os.path.expanduser(os.path.join("~", ".config", "application_download"))
+        if not os.path.exists(folder):
+            os.makedirs(folder)
+        application_download.cli.download_application("snyk/cli")
+
+    if "SNYK_TOKEN" not in env:
+        env["SNYK_TOKEN"] = subprocess.run(
+            ["gopass", "show", "gs/ci/snyk/token"], check=True, stdout=subprocess.PIPE, encoding="utf-8"
+        ).stdout.strip()
     if "SNYK_ORG" in env:
         subprocess.run([snyk_bin, "config", "set", f"org={env['SNYK_ORG']}"], check=True, env=env)
 
@@ -237,7 +264,7 @@ class PublishedPayload(TypedDict, total=False):
 
     type: str
     name: str
-    path: str
+    folder: str
     version: str
     tag: str
     repository: str

diff --git a/tag_publish/applications-versions.yaml b/tag_publish/applications-versions.yaml
@@ -1,2 +1,3 @@
 # https://docs.renovatebot.com/modules/datasource/#github-releases-datasource
 helm/chart-releaser: v1.6.1 # github-releases
+snyk/cli: v1.1293.1 # github-releases