Merge remote-tracking branch 'BigFiles/master' into add-repeat-upload…

…-check
opensourceways · Dec 2, 2024 · e751c4f · e751c4f
2 parents 4bcf8c3 + 5fe05cb
commit e751c4f
Show file tree

Hide file tree

Showing 12 changed files with 381 additions and 59 deletions.
diff --git a/.github/script/codearts_check.sh b/.github/script/codearts_check.sh
@@ -0,0 +1,79 @@
+
+IAM_DATA=$(cat <<EOF
+{
+    "auth": {
+        "identity": {
+            "methods": [
+                "password"
+            ],
+            "password": {
+                "user": {
+                    "domain": {
+                        "name": "freesky-edward"
+                    },
+                    "name": "codearts_test",
+                    "password": "$3"
+                }
+            }
+        },
+        "scope": {
+            "project": {
+                "name": "cn-north-4"
+            }
+        }
+    }
+}
+EOF
+)
+
+response=$(curl -s -i --location 'https://iam.myhuaweicloud.com/v3/auth/tokens?nocatalog=true' \
+  --header 'Content-Type: application/json' \
+  --data "$IAM_DATA")
+
+# Extract the X-Subject-Token from the response
+token=$(echo "$response" | grep "X-Subject-Token" | awk '{print $2}' | tr -d '\r')
+
+echo "X-Subject-Token: $token"
+
+
+DATA=$(cat <<EOF
+{
+  "sources" : [ {
+    "type" : "code",
+    "params" : {
+      "git_type" : "github",
+      "default_branch" : "main",
+      "git_url" : "$6",
+      "endpoint_id" : "$5",
+      "build_params" : {
+        "build_type" : "branch",
+        "event_type" : "Manual",
+        "target_branch" : "$1"
+      }
+    }
+  } ],
+  "description" : "运行描述",
+  "variables" : [ {
+    "name" : "repo",
+    "value" : "$8"
+  } ,
+  {
+    "name" : "owner",
+    "value" : "$7"
+  }
+  ,
+  {
+    "name" : "pr_id",
+    "value" : "$2"
+  }
+  ]
+}
+EOF
+)
+
+CODEARTS_PIPELINE="$4"
+
+curl --location "$CODEARTS_PIPELINE" \
+--header "X-Auth-Token:$token" \
+--header "Content-Type: application/json" \
+--data "$DATA"
diff --git a/.github/workflows/check-label-owner.yml b/.github/workflows/check-label-owner.yml
@@ -0,0 +1,40 @@
+name: Check PR Label Owner
+
+on:
+  pull_request:
+    types:
+      - labeled  # 当 PR 被添加标签时触发
+jobs:
+  verify-label-owner:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check if the label was added by the bot
+        env:
+          LABEL_NAME: "gate_check_pass"  # 替换为需要检查的标签名称
+          GITHUB_TOKEN: ${{ secrets.OWNER_TOKEN }}
+          TARGET_LABEL: "gate_check_pass"  # 替换为需要检查的标签名称
+          AUTHORIZED_USER: "shishupei"  # 替换为允许添加标签的 bot 用户名
+        run: |
+          
+          LABEL_NAME=${{ github.event.label.name }}
+          LABEL_USER=${{ github.event.sender.login }}
+          
+          # 检查是否有相关事件
+               if [[ "$LABEL_NAME" != "$TARGET_LABEL"  ]]; then
+               echo "No labeled event found for the label '$TARGET_LABEL'. Exiting."
+               exit 0
+               fi
+          
+          # 检查最近的标签操作者是否为授权用户
+               if [[ "$LABEL_USER" != "$AUTHORIZED_USER" ]]; then
+                echo "Label '$LABEL_NAME' was added by '$LABEL_USER', not '$AUTHORIZED_USER'. Removing it."
+          
+          # 删除标签
+                curl -X DELETE \
+                -H "Authorization: token ${{ secrets.OWNER_TOKEN }}" \
+                -H "Accept: application/vnd.github.v3+json" \
+                https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/$TARGET_LABEL
+               else
+                echo "Label '$TARGET_LABEL' was added by the authorized user '$AUTHORIZED_USER'. No action needed."
+               fi
diff --git a/.github/workflows/gate-check.yml b/.github/workflows/gate-check.yml
@@ -0,0 +1,38 @@
+name: Gate Check
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]  # 在PR打开、同步、重新打开时触发
+
+jobs:
+  codearts-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check and Remove Label
+        run: |
+            # 定义需要移除的标签
+            TARGET_LABEL="gate_check_pass"
+                     
+            # 调用 GitHub API 删除标签
+            curl -X DELETE \
+              -H "Authorization: token ${{ secrets.OWNER_TOKEN }}" \
+              -H "Accept: application/vnd.github.v3+json" \
+              https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/labels/$TARGET_LABEL
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Make script executable
+        run: chmod +x ./.github/script/codearts_check.sh
+
+      - name: Post a comment to the PR
+        run: |
+            curl -X POST \
+              -H "Authorization: token ${{ secrets.OWNER_TOKEN }}" \
+              -H "Accept: application/vnd.github.v3+json" \
+              https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments \
+              -d '{"body": "开始门禁检查，等门禁检查通过后可以合入"}'
+
+      - name: RUN CodeArts Pipeline
+        env:
+          GIT_URL: ${{ github.server_url }}/${{ github.repository }}.git
+        run: ./.github/script/codearts_check.sh $GITHUB_HEAD_REF ${{ github.event.pull_request.number }}  ${{ secrets.CODEARTS_PASSWORD }} ${{ secrets.CODEARTS_PIPELINE }} ${{ secrets.CODEARTS_ENDPOINT_ID }} $GIT_URL ${GITHUB_REPOSITORY%/*} ${GITHUB_REPOSITORY##*/}
diff --git a/.github/workflows/label-check.yml b/.github/workflows/label-check.yml
@@ -0,0 +1,19 @@
+name: PR Label Check
+
+on:
+  pull_request:
+    types: [labeled,unlabeled, opened, reopened, edited]
+
+jobs:
+  check-label:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check PR Labels
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const requiredLabel = 'gate_check_pass'; // 替换为你的标签名称
+            const labels = context.payload.pull_request.labels.map(label => label.name);
+            if (!labels.includes(requiredLabel)) {
+              throw new Error(`PR 必须包含标签: ${requiredLabel}`);
+            }
diff --git a/auth/gitee.go b/auth/gitee.go
@@ -15,6 +15,7 @@ import (
 var (
 	clientId     string
 	clientSecret string
+	defaultToken string
 )
 
 var (
@@ -23,6 +24,11 @@ var (
 	downloadPermissions = []string{"admin", "developer", "read"}
 )
 
+const contentType = "Content-Type"
+const verifyLog = "verifyUser"
+const appendPathAccessToken = "?access_token="
+const formatLogString = "%s | %s"
+
 type giteeUser struct {
 	Permission string `json:"permission"`
 }
@@ -64,6 +70,13 @@ func Init(cfg *config.Config) error {
 			return errors.New("client secret required")
 		}
 	}
+	defaultToken = cfg.DefaultToken
+	if defaultToken == "" {
+		defaultToken = os.Getenv("DEFAULT_TOKEN")
+		if defaultToken == "" {
+			return errors.New("default token required")
+		}
+	}
 
 	return nil
 }
@@ -90,14 +103,17 @@ func GiteeAuth() func(UserInRepo) error {
 // CheckRepoOwner checks whether the owner of a repo is allowed to use lfs server
 func CheckRepoOwner(userInRepo UserInRepo) error {
 	path := fmt.Sprintf(
-		"https://gitee.com/api/v5/repos/%s/%s",
+		"https://gitee.com/api/v5/repos/%s/%s%s",
 		userInRepo.Owner,
 		userInRepo.Repo,
+		appendPathAccessToken,
 	)
 	if userInRepo.Token != "" {
-		path += fmt.Sprintf("?access_token=%s", userInRepo.Token)
+		path += userInRepo.Token
+	} else {
+		path += defaultToken
 	}
-	headers := http.Header{"Content-Type": []string{"application/json;charset=UTF-8"}}
+	headers := http.Header{contentType: []string{"application/json;charset=UTF-8"}}
 	repo := new(Repo)
 	err := getParsedResponse("GET", path, headers, nil, &repo)
 	if err != nil {
@@ -133,7 +149,7 @@ func getToken(username, password string) (string, error) {
 	form.Add("client_secret", clientSecret)
 
 	path := "https://gitee.com/oauth/token"
-	headers := http.Header{"Content-Type": []string{"application/x-www-form-urlencoded"}}
+	headers := http.Header{contentType: []string{"application/x-www-form-urlencoded"}}
 	accessToken := new(AccessToken)
 	err := getParsedResponse("POST", path, headers, strings.NewReader(form.Encode()), &accessToken)
 	if err != nil {
@@ -147,48 +163,59 @@ func getToken(username, password string) (string, error) {
 // verifyUser verifies user permission in repo by access_token and operation
 func verifyUser(userInRepo UserInRepo) error {
 	path := fmt.Sprintf(
-		"https://gitee.com/api/v5/repos/%s/%s/collaborators/%s/permission",
+		"https://gitee.com/api/v5/repos/%s/%s/collaborators/%s/permission%s",
 		userInRepo.Owner,
 		userInRepo.Repo,
 		userInRepo.Username,
+		appendPathAccessToken,
 	)
 	if userInRepo.Token != "" {
-		path += fmt.Sprintf("?access_token=%s", userInRepo.Token)
+		path += userInRepo.Token
+	} else {
+		path += defaultToken
 	}
-	headers := http.Header{"Content-Type": []string{"application/json;charset=UTF-8"}}
+	headers := http.Header{contentType: []string{"application/json;charset=UTF-8"}}
 	giteeUser := new(giteeUser)
 	err := getParsedResponse("GET", path, headers, nil, &giteeUser)
 	if err != nil {
 		msg := err.Error() + ": verify user permission failed"
-		logrus.Error(fmt.Sprintf("verifyUser | %s", msg))
+		logrus.Error(fmt.Sprintf(formatLogString, verifyLog, msg))
 		return errors.New(msg)
 	}
 
 	if userInRepo.Operation == "upload" {
-		for _, v := range uploadPermissions {
-			if giteeUser.Permission == v {
-				return nil
-			}
-		}
-		msg := fmt.Sprintf("forbidden: user %s has no permission to upload to %s/%s",
-			userInRepo.Username, userInRepo.Owner, userInRepo.Repo)
-		remindMsg := " \n如果您正在向fork仓库上传大文件，请确认您已使用如下命令修改了本地仓库的配置：" +
-			"\n`git config --local lfs.url https://artifacts.openeuler.openatom.cn/{owner}/{repo}`" +
-			"，\n其中{owner}/{repo}请改为您fork之后的仓库的名称"
-		logrus.Error(fmt.Sprintf("verifyUser | %s", msg))
-		return errors.New(msg + remindMsg)
+		return verifyUserUpload(giteeUser, userInRepo)
 	} else if userInRepo.Operation == "download" {
-		for _, v := range downloadPermissions {
-			if giteeUser.Permission == v {
-				return nil
-			}
-		}
-		msg := fmt.Sprintf("forbidden: user %s has no permission to download", userInRepo.Username)
-		logrus.Error(fmt.Sprintf("verifyUser | %s", msg))
-		return errors.New(msg)
+		return verifyUserDownload(giteeUser, userInRepo)
 	} else {
 		msg := "system_error: unknow operation"
-		logrus.Error(fmt.Sprintf("verifyUser | %s", msg))
+		logrus.Error(fmt.Sprintf(formatLogString, verifyLog, msg))
 		return errors.New(msg)
 	}
 }
+
+func verifyUserUpload(giteeUser *giteeUser, userInRepo UserInRepo) error {
+	for _, v := range uploadPermissions {
+		if giteeUser.Permission == v {
+			return nil
+		}
+	}
+	msg := fmt.Sprintf("forbidden: user %s has no permission to upload to %s/%s",
+		userInRepo.Username, userInRepo.Owner, userInRepo.Repo)
+	remindMsg := " \n如果您正在向fork仓库上传大文件，请确认您已使用如下命令修改了本地仓库的配置：" +
+		"\n`git config --local lfs.url https://artlfs.openeuler.openatom.cn/{owner}/{repo}`" +
+		"，\n其中{owner}/{repo}请改为您fork之后的仓库的名称"
+	logrus.Error(fmt.Sprintf(formatLogString, verifyLog, msg))
+	return errors.New(msg + remindMsg)
+}
+
+func verifyUserDownload(giteeUser *giteeUser, userInRepo UserInRepo) error {
+	for _, v := range downloadPermissions {
+		if giteeUser.Permission == v {
+			return nil
+		}
+	}
+	msg := fmt.Sprintf("forbidden: user %s has no permission to download", userInRepo.Username)
+	logrus.Error(fmt.Sprintf(formatLogString, verifyLog, msg))
+	return errors.New(msg)
+}