feature: added job to bump the rc-tag in the sec-scanners-config on main branch when creating release #543

Merged (3 commits) on Mar 26, 2024
106 changes: 106 additions & 0 deletions .github/workflows/create-release.yml
@@ -217,3 +217,109 @@ jobs:
KUSTOMIZE_VERSION: "v4.5.6"
run: |
./hack/ci/render_and_upload_manifests.sh

bump-sec-scanners-config-main:
name: Bump sec-scanners-config.yaml on main branch
needs: create-draft
runs-on: ubuntu-latest
env:
VERSION: ${{ needs.generate-version.outputs.VERSION }}

steps:
- name: Checkout code
uses: actions/checkout@v4
with:
ref: main

- uses: actions/setup-go@v5
with:
go-version: "stable"

- name: "Setup yq" # Required for rendering the files.
shell: bash
run: |
go install github.com/mikefarah/yq/v4@latest
echo "$(go env GOPATH)/bin" >> $GITHUB_PATH

- name: Render sec-scanners-config.yaml
shell: bash
run: |
yq --version
./hack/ci/render-sec-scanners-config.sh "${VERSION}"
FILE="sec-scanners-config.yaml"
echo "******* ${FILE} *******"
[ -f "${FILE}" ] && cat "${FILE}" || echo "${FILE} not found."

# Check if there are changes, so we can determine if all following steps can be skipped.
- name: Check for changes
shell: bash
run: |
if [ -z "$(git status --porcelain)" ]; then
echo "No changes found. No need to create a PR"
else
echo "Changes found. Creating a PR and waiting for it to be merged."
echo "CREATE_PR=true" >> $GITHUB_ENV
fi

- name: Set up git
if: ${{ env.CREATE_PR == 'true' }}
env:
GH_TOKEN: ${{ secrets.BOT_PAT }}
REPO: ${{ github.repository }}
shell: bash
run: |
# set git username
ghusername=$(curl -s -H "Authorization: token ${GH_TOKEN}" https://api.github.com/user | jq '.login')
git config user.name "${ghusername}"
# set git mail address
ghemailaddress="${ghusername}@users.noreply.github.com"
git config user.email "${ghemailaddress}"
# set remote url
git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git"

- name: Set all variables
if: ${{ env.CREATE_PR == 'true' }}
shell: bash
run: |
PR_DATE="$(date '+%Y-%m-%d-%H-%M-%S')"
echo "pr date: ${PR_DATE}"
echo "PR_DATE=${PR_DATE}" >> $GITHUB_ENV

BRANCH_NAME="sec-scanners-bump-main-${PR_DATE}"
echo "name of the new branch: ${BRANCH_NAME}"
echo "BRANCH_NAME=${BRANCH_NAME}" >> $GITHUB_ENV

- name: Create a pull request
if: ${{ env.CREATE_PR == 'true' }}
env:
REPO: ${{ github.repository }}
PR_DATE: ${{ env.PR_DATE }}
BRANCH_NAME: ${{ env.BRANCH_NAME }}
GH_TOKEN: ${{ secrets.BOT_PAT }}
shell: bash
run: |
# Create a new branch for our changes.
git checkout -b "${BRANCH_NAME}"

# Stage the changes to sec-scanner-config.yaml and create a commit.
git add sec-scanners-config.yaml
git commit -m "auto-bump sec-scanners-config: ${PR_DATE}"

# Push the changes to origin, as defined earlier.
git push origin "$BRANCH_NAME"

# Create a PR.
BODY="This is an auto-generated PR to bump the sec-scanners-config.yml on ${REPO}."
PR_URL=$(gh pr create --base "main" --head "${BRANCH_NAME}" --title "chore: bump sec-scanners-config on main" --body "${BODY}")
echo "PR_URL=${PR_URL}" >> $GITHUB_ENV

- name: USER INTERACTION REQUIRED
if: ${{ env.CREATE_PR == 'true' }}
shell: bash
timeout-minutes: 60
env:
PR_URL: ${{ env.PR_URL }}
GH_TOKEN: ${{ secrets.BOT_PAT }}
run: |
echo "please review: ${PR_URL}"
./hack/ci/await-pr-merge.sh
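Review bot: In the "Set up git" step, `jq '.login'` returns the login with its JSON quotes, so `git config user.name` receives a value like `"bot-name"` (quotes included) and the noreply address becomes `"bot-name"@users.noreply.github.com`; use `jq -r '.login'` to get the raw string. Two further points in the same hunk: the job reads `needs.generate-version.outputs.VERSION` but only lists `create-draft` under `needs`, and job outputs are only exposed to jobs that name the producing job directly in `needs`, so please confirm `VERSION` actually resolves here (an empty value would silently render the wrong tag) or add `generate-version` to `needs`; and `git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git"` writes the PAT into the runner's `.git/config`, where any later step in the job can read it back, so prefer `gh auth setup-git`, which routes the token through a credential helper instead of embedding it in the URL. Minor: the comment in "Create a pull request" says `sec-scanner-config.yaml` and the PR body says `sec-scanners-config.yml`, while the file is `sec-scanners-config.yaml`.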
24 changes: 24 additions & 0 deletions hack/ci/await-pr-merge.sh
@@ -0,0 +1,24 @@
#!/usr/bin/env bash

# standard bash error handling
set -o nounset # treat unset variables as an error and exit immediately.
set -o errexit # exit immediately when a command fails.
set -E # needs to be set if we want the ERR trap
set -o pipefail # prevents errors in a pipeline from being masked

# Expected environment variables:
# PR_URL - Number of the PR with the changes to be merged

# wait until the PR is merged.
while true ; do
pr_state=$(gh pr view ${PR_URL} --json state --jq '.state')
if [ "$pr_state" == "CLOSED" ]; then
echo "ERROR! PR has been closed!"
exit 1
elif [ "$pr_state" == "MERGED" ]; then
echo "PR has been merged!"
exit 0
fi
echo "Waiting for ${PR_URL} to be merged"
Contributor:


When will this time out?

Member Author:


I have added it here.

sleep 10
done
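Review bot: The header comment describes `PR_URL` as "Number of the PR", but the workflow passes the URL returned by `gh pr create`; `gh pr view` accepts both, so just fix the comment, and quote the expansion (`gh pr view "${PR_URL}"`) for consistency with the rest of the script. `set -E` is justified by the comment "needs to be set if we want the ERR trap", yet no `trap ... ERR` is defined, so either add the trap or drop that line. With `errexit` on, a single transient failure of `gh pr view` (API rate limit, network blip) aborts the whole wait; consider treating a failed poll as "still waiting" and retrying on the next iteration, e.g. `pr_state=$(gh pr view "${PR_URL}" --json state --jq '.state' || echo "UNKNOWN")`. The timeout question raised in the thread is answered by `timeout-minutes: 60` on the calling workflow step rather than in this script; a one-line comment above the loop saying the caller bounds the wait would make that explicit for anyone reading the script on its own.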