Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

enable workflow at organization level #88

Merged
merged 18 commits into from
Feb 23, 2022
Merged

enable workflow at organization level #88

merged 18 commits into from
Feb 23, 2022

Conversation

rohankh532
Copy link
Contributor

#52

@azeemshaikh38 azeemshaikh38 self-requested a review February 5, 2022 02:36
@azeemshaikh38 azeemshaikh38 linked an issue Feb 5, 2022 that may be closed by this pull request
Enable action installation on multiple repos #52
Open
@azeemshaikh38 azeemshaikh38 marked this pull request as ready for review February 5, 2022 02:37
@azeemshaikh38 azeemshaikh38 removed a link to an issue Feb 5, 2022
Enable action installation on multiple repos #52
Open
@azeemshaikh38
Copy link
Contributor

Thanks for the quick turnaround here @rohankh532! Looks good overall, will take another look next week. Please include documentation for the tool in this PR (things like how to use the tool, required scopes for the PAT etc.). Could add to README.md so that it's visible to users.

laurentsimon
laurentsimon reviewed Feb 5, 2022
View reviewed changes
Copy link
Contributor

@laurentsimon laurentsimon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @rohankh532 this looks pretty good.
Just fyi, we tend to comment a lot in general, this is entirely normal ^^

multi-repo-action/go.mod Outdated Show resolved Hide resolved
multi-repo-action/org-workflow-add.go Outdated Show resolved Hide resolved
multi-repo-action/org-workflow-add.go Outdated Show resolved Hide resolved
multi-repo-action/org-workflow-add.go Show resolved Hide resolved
multi-repo-action/org-workflow-add.go Outdated Show resolved Hide resolved
multi-repo-action/org-workflow-add.go Outdated Show resolved Hide resolved
multi-repo-action/org-workflow-add.go Outdated Show resolved Hide resolved
multi-repo-action/scorecards.yml Outdated Show resolved Hide resolved
multi-repo-action/org-workflow-add.go Show resolved Hide resolved
multi-repo-action/org-workflow-add.go Outdated Show resolved Hide resolved
naveensrinivasan
naveensrinivasan previously requested changes Feb 6, 2022
View reviewed changes
Copy link
Member

@naveensrinivasan naveensrinivasan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Without tests, it is hard to maintain things. For example that is the reason we are porting the shell script to go #87

We shouldn't merge these changes without tests and high code coverage.

That is one of the reasons I am blocking this change.

@azeemshaikh38
Copy link
Contributor

Without tests, it is hard to maintain things. For example that is the reason we are porting the shell script to go #87

We shouldn't merge these changes without tests and high code coverage.

That is one of the reasons I am blocking this change.

@naveensrinivasan do you have any suggestions on how to unit test this? Since the code is mostly API calls to GH, it's difficult to write unit tests for it.

@naveensrinivasan
Copy link
Member

Without tests, it is hard to maintain things. For example that is the reason we are porting the shell script to go #87
We shouldn't merge these changes without tests and high code coverage.
That is one of the reasons I am blocking this change.

@naveensrinivasan do you have any suggestions on how to unit test this? Since the code is mostly API calls to GH, it's difficult to write unit tests for it.

I agree unit tests could be hard for this. But we should be able to add e2e tests for this similar to https://github.com/ossf/scorecard/tree/main/e2e . This ensures that we haven't broken the functionality especially when there are lots of folks going to use this as a feature

@azeemshaikh38
Copy link
Contributor

Without tests, it is hard to maintain things. For example that is the reason we are porting the shell script to go #87
We shouldn't merge these changes without tests and high code coverage.
That is one of the reasons I am blocking this change.

@naveensrinivasan do you have any suggestions on how to unit test this? Since the code is mostly API calls to GH, it's difficult to write unit tests for it.

I agree unit tests could be hard for this. But we should be able to add e2e tests for this similar to https://github.com/ossf/scorecard/tree/main/e2e . This ensures that we haven't broken the functionality especially when there are lots of folks going to use this as a feature

Makes sense. Since that is a big chunk of work in itself, can we tackle that as part of a separate PR? Note that, this PR is just a v0 version of the tool, something to get the framework in place. It will get refined more as we go before we actually recommend this to users.

@naveensrinivasan
Copy link
Member

Without tests, it is hard to maintain things. For example that is the reason we are porting the shell script to go #87
We shouldn't merge these changes without tests and high code coverage.
That is one of the reasons I am blocking this change.

@naveensrinivasan do you have any suggestions on how to unit test this? Since the code is mostly API calls to GH, it's difficult to write unit tests for it.

I agree unit tests could be hard for this. But we should be able to add e2e tests for this similar to https://github.com/ossf/scorecard/tree/main/e2e . This ensures that we haven't broken the functionality especially when there are lots of folks going to use this as a feature

Makes sense. Since that is a big chunk of work in itself, can we tackle that as part of a separate PR? Note that, this PR is just a v0 version of the tool, something to get the framework in place. It will get refined more as we go before we actually recommend this to users.

It could be a separate PR. But the issue is that no one takes the responsibility and it falls off the radar till things go wrong. That is the reason we should insist on tests for PRs.

Also writing tests make the code more manageable into functions instead of a giant main func.

Thoughts?

@azeemshaikh38
Copy link
Contributor

It could be a separate PR. But the issue is that no one takes the responsibility and it falls off the radar till things go wrong. That is the reason we should insist on tests for PRs.

Also writing tests make the code more manageable into functions instead of a giant main func.

Thoughts?

Thinking about this more - it won't be that easy writing e2e tests also for this. Every e2e test will end up creating a bunch of new PRs and unlike Scorecards, we won't have data that is being returned to verify against. I do genuinely think writing tests for this is far more complicated than what we want to take on in this initial PR. If you still have concerns, let's discuss this in the upcoming Scorecard sync.

@rohankh532
Copy link
Contributor Author

Without tests, it is hard to maintain things. For example that is the reason we are porting the shell script to go #87
We shouldn't merge these changes without tests and high code coverage.
That is one of the reasons I am blocking this change.

@naveensrinivasan do you have any suggestions on how to unit test this? Since the code is mostly API calls to GH, it's difficult to write unit tests for it.

I agree unit tests could be hard for this. But we should be able to add e2e tests for this similar to https://github.com/ossf/scorecard/tree/main/e2e . This ensures that we haven't broken the functionality especially when there are lots of folks going to use this as a feature

Makes sense. Since that is a big chunk of work in itself, can we tackle that as part of a separate PR? Note that, this PR is just a v0 version of the tool, something to get the framework in place. It will get refined more as we go before we actually recommend this to users.

It could be a separate PR. But the issue is that no one takes the responsibility and it falls off the radar till things go wrong. That is the reason we should insist on tests for PRs.

Also writing tests make the code more manageable into functions instead of a giant main func.

Thoughts?

I looked into writing tests and there seems to be a good example here, but it still requires a live Github account to make the changes on. Another option used here is just writing endpoints to mimic github api calls, which works well for GET requests, but I'm not sure how that would work for POSTs where we want persistence after modifications. So overall testing this seems pretty difficult, but if there was a live test Github account then it would be much easier.

@naveensrinivasan
Copy link
Member

Without tests, it is hard to maintain things. For example that is the reason we are porting the shell script to go #87
We shouldn't merge these changes without tests and high code coverage.
That is one of the reasons I am blocking this change.

@naveensrinivasan do you have any suggestions on how to unit test this? Since the code is mostly API calls to GH, it's difficult to write unit tests for it.

I agree unit tests could be hard for this. But we should be able to add e2e tests for this similar to https://github.com/ossf/scorecard/tree/main/e2e . This ensures that we haven't broken the functionality especially when there are lots of folks going to use this as a feature

Makes sense. Since that is a big chunk of work in itself, can we tackle that as part of a separate PR? Note that, this PR is just a v0 version of the tool, something to get the framework in place. It will get refined more as we go before we actually recommend this to users.

It could be a separate PR. But the issue is that no one takes the responsibility and it falls off the radar till things go wrong. That is the reason we should insist on tests for PRs.
Also writing tests make the code more manageable into functions instead of a giant main func.
Thoughts?

I looked into writing tests and there seems to be a good example here, but it still requires a live Github account to make the changes on. Another option used here is just writing endpoints to mimic github api calls, which works well for GET requests, but I'm not sure how that would work for POSTs where we want persistence after modifications. So overall testing this seems pretty difficult, but if there was a live test Github account then it would be much easier.

I understand! Thanks for trying and appreciate it!

@naveensrinivasan naveensrinivasan dismissed their stale review February 17, 2022 23:19

Thanks! I am ok without tests as it makes it extremely complicated. Can we please prioritize to make it small improvements to test? How about creating an issue to track it?

laurentsimon
laurentsimon approved these changes Feb 22, 2022
View reviewed changes
Copy link
Contributor

@laurentsimon laurentsimon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Try to clean up the comments by starting them with a capital latter and ending them with a full stop. Also clean global variable names following golang guidelines

multi-repo-action/org-workflow-add.go Outdated Show resolved Hide resolved
multi-repo-action/org-workflow-add.go Show resolved Hide resolved
multi-repo-action/org-workflow-add.go Show resolved Hide resolved
@rohankh532
Copy link
Contributor Author

rohankh532 commented Feb 22, 2022
edited
Loading

Ready for review. Issues to propagate to the next PR:

  1. Automatically generate the default branch and randomize the schedule (link)
  2. Add e2e integration tests (link)
  3. Run script as a docker image and allow users run and provide a PAT via CLI so the SCORECARD_READ_TOKEN secret can be automatically created at an org level (link)

@naveensrinivasan
Copy link
Member

@laurentsimon Is this good to be merged?

laurentsimon
laurentsimon approved these changes Feb 23, 2022
View reviewed changes
Copy link
Contributor

@laurentsimon laurentsimon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just update one of the global variable to be lower case, and we're good to merge!

multi-repo-action/org-workflow-add.go Outdated Show resolved Hide resolved
@laurentsimon laurentsimon merged commit 8c3e2c2 into ossf:main Feb 23, 2022
justaugustus pushed a commit to justaugustus/scorecard that referenced this pull request May 26, 2022
@rohankh532 @naveensrinivasan @justaugustus
enable workflow at organization level (ossf/scorecard-action#88)
333807a 
* enable workflow at organization level

* added more error checking

* added README, minor fixes

* added support for specifying repo list

* skip repo checks, started writing test

* dynamically pull latest workflow file

* cleanup

* test file resources

* reverted to statically storing workflow file

* removed token

* updated readme

* skip repo upon failure instead of exiting

* renamed global var

Co-authored-by: Naveen <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@naveensrinivasan naveensrinivasan naveensrinivasan left review comments

@laurentsimon laurentsimon laurentsimon approved these changes

@azeemshaikh38 azeemshaikh38 Awaiting requested review from azeemshaikh38

@asraa asraa Awaiting requested review from asraa

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@rohankh532 @azeemshaikh38 @naveensrinivasan @laurentsimon