Merge pull request #176 from jku/issue-mgmt

feature: Add integrated issue handling
theupdateframework · Jan 29, 2024 · 9eb98c9 · 9eb98c9
2 parents eb3792e + 7136859
commit 9eb98c9
Show file tree

Hide file tree

Showing 7 changed files with 119 additions and 23 deletions.
diff --git a/actions/create-signing-events/action.yml b/actions/create-signing-events/action.yml
@@ -18,7 +18,7 @@ runs:
       with:
         python-version: "3.11"
 
-    - run: pip install $GITHUB_ACTION_PATH/../../repo/
+    - run: pip --quiet install $GITHUB_ACTION_PATH/../../repo/
       shell: bash
 
     - name: Create signing event branches for expiring roles

diff --git a/actions/online-sign/action.yml b/actions/online-sign/action.yml
@@ -49,7 +49,7 @@ runs:
       with:
         python-version: "3.11"
 
-    - run: pip install $GITHUB_ACTION_PATH/../../repo/
+    - run: pip --quiet install $GITHUB_ACTION_PATH/../../repo/
       shell: bash
 
     - id: online-sign

diff --git a/actions/signing-event/action.yml b/actions/signing-event/action.yml
@@ -33,7 +33,7 @@ runs:
       with:
         python-version: "3.11"
 
-    - run: pip install $GITHUB_ACTION_PATH/../../repo/
+    - run: pip --quiet install $GITHUB_ACTION_PATH/../../repo/
       shell: bash
 
     - id: update_targets

diff --git a/actions/test-repository/action.yml b/actions/test-repository/action.yml
@@ -16,12 +16,14 @@ runs:
   using: "composite"
   steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      with:
+        ref: "publish"
 
     - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
       with:
         python-version: "3.11"
 
-    - run: pip install $GITHUB_ACTION_PATH/../../repo/
+    - run: pip --quiet install $GITHUB_ACTION_PATH/../../repo/
       shell: bash
 
     - env:

diff --git a/actions/update-issue/action.yml b/actions/update-issue/action.yml
@@ -0,0 +1,94 @@
+name: 'Update TUF-on-CI issue'
+description: 'Create, close or add a comment in a GitHub issue for a workflow failure'
+# * This action will open an issue per workflow if that workflow fails.
+# * If an issue is open for that workflow already, the action will add a comment.
+# * If an issue is open and the workflow succeeds, the action will close the issue.
+# * The issue is identified using a label that is the workflow name.
+# * Required permissions:
+#     issues: write
+
+inputs:
+  token:
+    description: 'GitHub token'
+    required: true
+
+  success:
+    description: '"true" if workflow is succeeding'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Update issue
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      env:
+        SUCCESS: ${{ inputs.success }}
+      with:
+        github-token: ${{ inputs.token }}
+        script: |
+          var path = require("path")
+
+          success = (process.env.SUCCESS == "true")
+
+          // Find issue labeled with the forkflow name
+          const issues = await github.rest.issues.listForRepo({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            labels: [context.workflow],
+          })
+          if (issues.data.length == 0) {
+            issue_number = 0
+          } else {
+            issue_number = issues.data[0].number
+          }
+
+          if (success && !issue_number) {
+              console.log("update-issue: Nothing to do (success, no issue open)")
+              return
+          }
+
+          // Build comment body
+          const run_url = `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`
+          if (success) {
+            body = `### Workflow run succeeded for ${context.workflow}.\n` +
+                   `Successful run: ${run_url}\n\n` +
+                   `Closing issue based on this success.`
+          } else if (issue_number){
+            body = `### Workflow run failed for ${context.workflow}.\n` +
+                   `Failed run: ${run_url}\n\n`
+          } else {
+            body = `### Workflow run failed for ${context.workflow}.\n` +
+                   `Failed run: ${run_url}\n\n` +
+                   "* Maintainers can re-run the failing job manually\n" +
+                   "* This issue will be automatically closed if a later run succeeds"
+          }
+
+          // open, comment on, and close issue as needed
+          if (!success && !issue_number) {
+            console.log("update-issue: Opening a new issue on failure")
+            await github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: `Failure in ${context.workflow}`,
+              labels: [context.workflow],
+              body: body,
+            })
+          }
+          if (issue_number) {
+            console.log(`update-issue: Adding a comment (issue: ${issue_number})`)
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: issue_number,
+              body: body,
+            })
+          }
+          if (success) {
+            console.log(`update-issue: Closing issue on success (issue: ${issue_number})`)
+            await github.rest.issues.update({
+              issue_number: issue_number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: "closed",
+            })
+          }
diff --git a/actions/upload-repository/action.yml b/actions/upload-repository/action.yml
@@ -30,7 +30,7 @@ runs:
       with:
         python-version: "3.11"
 
-    - run: pip install $GITHUB_ACTION_PATH/../../repo/
+    - run: pip --quiet install $GITHUB_ACTION_PATH/../../repo/
       shell: bash
 
     - id: build-repository

diff --git a/signer/tuf_on_ci_sign/_signer_repository.py b/signer/tuf_on_ci_sign/_signer_repository.py
@@ -397,18 +397,18 @@ def set_online_config(self, online_config: OnlineConfig):
             root.add_key(online_config.key, "snapshot")
 
             # set online role periods
-            timestamp.unrecognized_fields[
-                "x-tuf-on-ci-expiry-period"
-            ] = online_config.timestamp_expiry
-            timestamp.unrecognized_fields[
-                "x-tuf-on-ci-signing-period"
-            ] = online_config.timestamp_signing
-            snapshot.unrecognized_fields[
-                "x-tuf-on-ci-expiry-period"
-            ] = online_config.snapshot_expiry
-            snapshot.unrecognized_fields[
-                "x-tuf-on-ci-signing-period"
-            ] = online_config.snapshot_signing
+            timestamp.unrecognized_fields["x-tuf-on-ci-expiry-period"] = (
+                online_config.timestamp_expiry
+            )
+            timestamp.unrecognized_fields["x-tuf-on-ci-signing-period"] = (
+                online_config.timestamp_signing
+            )
+            snapshot.unrecognized_fields["x-tuf-on-ci-expiry-period"] = (
+                online_config.snapshot_expiry
+            )
+            snapshot.unrecognized_fields["x-tuf-on-ci-signing-period"] = (
+                online_config.snapshot_signing
+            )
 
     def get_role_config(self, rolename: str) -> OfflineConfig | None:
         """Read configuration for delegation and role from metadata"""
@@ -546,12 +546,12 @@ def set_role_config(
             if expiry == config.expiry_period and signing == config.signing_period:
                 raise AbortEdit(f"No changes to {rolename}")
 
-            signed.unrecognized_fields[
-                "x-tuf-on-ci-expiry-period"
-            ] = config.expiry_period
-            signed.unrecognized_fields[
-                "x-tuf-on-ci-signing-period"
-            ] = config.signing_period
+            signed.unrecognized_fields["x-tuf-on-ci-expiry-period"] = (
+                config.expiry_period
+            )
+            signed.unrecognized_fields["x-tuf-on-ci-signing-period"] = (
+                config.signing_period
+            )
 
         state_file_path = os.path.join(self._dir, ".signing-event-state")
         if self._invites: