Skip to content

Commit

Permalink
Updating all uses of the secrets.PROJECT_MANAGEMENT_PAT to use a re…
Browse files Browse the repository at this point in the history 
…gistered Github App (nv-morpheus#1730)

Removes all uses of `secrets.PROJECT_MANAGEMENT_PAT` to instead use the registered app and generate a token via the actions/create-github-app-token` action

## By Submitting this PR I confirm:
- I am familiar with the [Contributing Guidelines](https://github.com/nv-morpheus/Morpheus/blob/main/docs/source/developer_guide/contributing.md).
- When the PR is ready for review, new or existing tests cover these changes.
- When the PR is ready for review, the documentation is up to date with these changes.

Authors:
  - Michael Demoret (https://github.com/mdemoret-nv)

Approvers:
  - Ben Jarmak (https://github.com/jarmak-nv)
  - David Gardner (https://github.com/dagardner-nv)

URL: nv-morpheus#1730
  • Loading branch information
@mdemoret-nv
mdemoret-nv authored Jun 6, 2024
1 parent 61ed7c3 commit fc3e45c
Show file tree
Hide file tree
Showing 6 changed files with 107 additions and 70 deletions.
22 changes: 15 additions & 7 deletions .github/workflows/label-external-issues.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,27 +19,35 @@ on:
issues:
types:
- opened

env:
GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}

jobs:
Label-Issue:
runs-on: ubuntu-latest
# Only run if the issue author is not part of NV-Morpheus
if: ${{ ! contains(fromJSON('["OWNER", "MEMBER", "CONTRIBUTOR", "COLLABORATOR"]'), github.event.issue.author_association)}}
steps:
steps:
- name: Generate Token
uses: actions/create-github-app-token@v1
id: generate-token
with:
app-id: ${{ secrets.ACTIONS_APP_ID }}
private-key: ${{ secrets.ACTIONS_APP_KEY }}

- name: add-triage-label
env:
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
run: |
issue_url=${{ github.event.issue.html_url }}
gh issue edit ${issue_url} --add-label "Needs Triage,external"
- name: add-comment-to-issue
env:
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
run: |
issue_url=${{ github.event.issue.html_url }}
author=${{ github.event.issue.user.login }}
echo ${author}
gh issue comment ${issue_url} --body "Hi @${author}!
Thanks for submitting this issue - our team has been notified and we'll get back to you as soon as we can!
In the mean time, feel free to add any relevant information to this issue."
In the meantime, feel free to add any relevant information to this issue."
60 changes: 26 additions & 34 deletions .github/workflows/project_automation_set_in_progress.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,33 +23,33 @@ on:
pull_request_review:
# Run this action when a PR is reviewed
types: [submitted]

env:
ORG: ${{ github.event.repository.owner.login }}
PR_NUMBER: ${{ github.event.pull_request.number }}
REPO: ${{ github.event.repository.name }}
PR_GLOBAL_ID: ${{ github.event.pull_request.node_id}}
ORG: ${{ github.event.repository.owner.login }}
PR_NUMBER: ${{ github.event.pull_request.number }}
REPO: ${{ github.event.repository.name }}
PR_GLOBAL_ID: ${{ github.event.pull_request.node_id}}

# The environment vars below are hard-coded from external queries to save time + complexity here
# Note: PVT means Project V2, not "Private"
# PVT = Project V2, PVTSSF = Project V2 Single Select Field, PVTIF = Project V2 Iteration Field
PROJECT_ID: "PVT_kwDOBkAsks4ACeio"
STATUS_FIELD_ID: "PVTSSF_lADOBkAsks4ACeiozgBbno0"
WORKING_SPRINT_FIELD_ID: "PVTIF_lADOBkAsks4ACeiozgJ_KCY"
START_SPRINT_FIELD_ID: "PVTIF_lADOBkAsks4ACeiozgI90p0"
IN_PROGRESS_PROJECT_OPTION_ID: "47fc9ee4"
IN_REVIEW_PROJECT_OPTION_ID: "eb7a6302"
# The environment vars below are hard-coded from external queries to save time + complexity here
# Note: PVT means Project V2, not "Private"
# PVT = Project V2, PVTSSF = Project V2 Single Select Field, PVTIF = Project V2 Iteration Field
PROJECT_ID: "PVT_kwDOBkAsks4ACeio"
STATUS_FIELD_ID: "PVTSSF_lADOBkAsks4ACeiozgBbno0"
WORKING_SPRINT_FIELD_ID: "PVTIF_lADOBkAsks4ACeiozgJ_KCY"
START_SPRINT_FIELD_ID: "PVTIF_lADOBkAsks4ACeiozgI90p0"
IN_PROGRESS_PROJECT_OPTION_ID: "47fc9ee4"
IN_REVIEW_PROJECT_OPTION_ID: "eb7a6302"

jobs:
project_automation_in_progress:
runs-on: ubuntu-latest

# We use the default GitHub token to perform the draft update because
# The pull_request_review trigger does not grant access to the secrets.PROJECT_MANAGEMENT_PAT
# The pull_request_review trigger does not grant access to secrets
permissions:
issues: write
pull-requests: write

steps:
- name: Check if changes requested from a reviewer
id: check_changes_requested
Expand All @@ -58,7 +58,7 @@ jobs:
if [ ${{ github.event.review.state }} != 'changes_requested' ]; then
echo "Changes not requested, exiting"
exit 0
# If it is requesting changes, set PR to draft
# We use the default token here since we're granting write access to the PR
elif [ ${{ github.event.pull_request.draft }} == false ]; then
Expand All @@ -80,8 +80,6 @@ jobs:
- name: Select Status Field Value
id: select_status_field_value
if: github.event_name == 'pull_request_target'
env:
GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
run: |
# If it's not a draft and it's an opened trigger, the status should be "Ready for Review", otherwise "In Progress"
if [ ${{ github.event.pull_request.draft }} == false ] && [ ${{ github.event.action }} == "opened" ]; then
Expand All @@ -96,8 +94,6 @@ jobs:
- name: Get PR Project ID
id: get_pr_id
if: github.event_name == 'pull_request_target'
env:
GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
run: |
# Query up to 10 projects for the PR
gh api graphql -f query='
Expand All @@ -122,20 +118,18 @@ jobs:
}
}
}' > project_data.json
# Filter the json result to only the project-specific ID for the PR
# A PR can be in multiple projects so we need to filter by the project ID we want
pr_id=$(jq -r '.data.organization.repository.issueOrPullRequest.projectItems.edges[] |
select(.node.project.id == "${{ env.PROJECT_ID }}") |
.node.id' project_data.json)
echo "PR_ID=$pr_id" >> $GITHUB_ENV
continue-on-error: true

- name: Set PR Fields
id: set_pr_fields
if: github.event_name == 'pull_request_target'
env:
GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
run: |
gh api graphql -f query='
mutation {
Expand All @@ -154,7 +148,7 @@ jobs:
}
}
}'
# Check if the PR has a start sprint assigned, save the result for the linked issues
gh api graphql -f query='
query {
Expand All @@ -171,7 +165,7 @@ jobs:
}' > start_sprint_exists_data.json
start_sprint_option_id=$(jq -r '.data.node.fieldValueByName.id' start_sprint_exists_data.json)
echo "START_SPRINT_OPTION_ID=$start_sprint_option_id" >> $GITHUB_ENV
# If there is no start sprint assigned, assign the current start sprint
if [ "$start_sprint_option_id" == 'null' ]; then
# Get current start sprint iteration id
Expand All @@ -197,7 +191,7 @@ jobs:
}' > start_sprint_option_data.json
current_start_sprint_option_id=$(jq -r '.data.node.field.configuration.iterations[0].id' start_sprint_option_data.json)
echo "CURRENT_START_SPRINT_OPTION_ID=$current_start_sprint_option_id" >> $GITHUB_ENV
# The query below is constructed differently than the ones above due to bash variable syntax + github actions syntax interactions
QUERY="mutation {
updateProjectV2ItemFieldValue(
Expand All @@ -217,7 +211,7 @@ jobs:
}"
gh api graphql --field query="$QUERY"
fi
# Assign the current working sprint to the PR (faster/simpler to just overwrite even if it is the same)
gh api graphql -f query='
query {
Expand All @@ -240,7 +234,7 @@ jobs:
}' > working_sprint_options_data.json
current_working_sprint_option_id=$(jq -r '.data.node.field.configuration.iterations[0].id' working_sprint_options_data.json)
echo "CURRENT_WORKING_SPRINT_OPTION_ID=$current_working_sprint_option_id" >> $GITHUB_ENV
# Set the working sprint to the current working sprint
QUERY="mutation {
updateProjectV2ItemFieldValue(
Expand All @@ -260,12 +254,10 @@ jobs:
}"
gh api graphql --field query="$QUERY"
continue-on-error: true

- name: Sync Linked Issues
id: sync_linked_issues
if: github.event_name == 'pull_request_target'
env:
GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
run: |
# Find the linked issues to the PR
gh api graphql -f query='
Expand Down Expand Up @@ -303,7 +295,7 @@ jobs:
issue_ids=$(jq -r '.data.organization.repository.issueOrPullRequest.closingIssuesReferences.edges[].node.projectItems.edges[] |
select(.node.project.id == "${{ env.PROJECT_ID }}") |
.node.id' linked_issues.json)
# For each linked issue, set the status to "In Progress", the Working Sprint to the current working sprint
# If there's no Start Sprint, set that to the current Start Sprint as well
for issue_id in $issue_ids; do
Expand Down
25 changes: 16 additions & 9 deletions .github/workflows/project_automation_set_in_review.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ on:
# Run this action when a PR is opened or edited
# Issues do not have a graphQL connection to linked PRs so we can't use that event
types: [ready_for_review, review_requested]

env:
ORG: ${{ github.event.repository.owner.login }}
PR_NUMBER: ${{ github.event.pull_request.number }}
Expand All @@ -36,16 +36,23 @@ env:
jobs:
project_automation_in_review:
runs-on: ubuntu-latest

steps:
- name: Generate Token
uses: actions/create-github-app-token@v1
id: generate-token
with:
app-id: ${{ secrets.ACTIONS_APP_ID }}
private-key: ${{ secrets.ACTIONS_APP_KEY }}

- name: Wait 1 Second
id: sleep
run: sleep 1

- name: Get PR Project ID
id: get_pr_id
env:
GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
run: |
# Query up to 10 projects for the PR
gh api graphql -f query='
Expand All @@ -70,7 +77,7 @@ jobs:
}
}
}' > project_data.json
# Filter the json result to only the project-specific ID for the PR
# A PR can be in multiple projects so we need to filter by the project ID we want
pr_id=$(jq -r '.data.organization.repository.issueOrPullRequest.projectItems.edges[] |
Expand All @@ -81,8 +88,8 @@ jobs:

- name: Set PR to In Review
id: set_pr_in_review
env:
GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
env:
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
run: |
# Update the PR status to In Review
gh api graphql -f query='
Expand All @@ -107,7 +114,7 @@ jobs:
- name: Set Linked Issues to In Review
id: update_linked_issues
env:
GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
run: |
gh api graphql -f query='
query {
Expand Down Expand Up @@ -144,7 +151,7 @@ jobs:
issue_ids=$(jq -r '.data.organization.repository.issueOrPullRequest.closingIssuesReferences.edges[].node.projectItems.edges[] |
select(.node.project.id == "${{ env.PROJECT_ID }}") |
.node.id' linked_issue_data.json)
# Set Linked Issues to In Review
for issue_id in $issue_ids; do
# The query below is constructed differently than the others due to bash variable syntax + github actions syntax interactions
Expand Down
31 changes: 19 additions & 12 deletions .github/workflows/project_automation_set_roadmap.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ on:
issues:
# Run this action when an issue is closed
types: [closed]

env:
ORG: ${{ github.event.repository.owner.login }}
PR_NUMBER: ${{ github.event.pull_request.number }} # evaluates to null for issues
Expand All @@ -38,13 +38,20 @@ env:
jobs:
project_automation_roadmap_on_close:
runs-on: ubuntu-latest

steps:

steps:
- name: Generate Token
uses: actions/create-github-app-token@v1
id: generate-token
with:
app-id: ${{ secrets.ACTIONS_APP_ID }}
private-key: ${{ secrets.ACTIONS_APP_KEY }}

- name: Get PR Project ID
if: github.event_name == 'pull_request_target'
id: get_pr_id
env:
GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
run: |
# Query up to 10 projects for the PR
gh api graphql -f query='
Expand All @@ -69,20 +76,20 @@ jobs:
}
}
}' > project_data.json
# Filter the json result to only the project-specific ID for the PR
# A PR can be in multiple projects so we need to filter by the project ID we want
pr_id=$(jq -r '.data.organization.repository.issueOrPullRequest.projectItems.edges[] |
select(.node.project.id == "${{ env.PROJECT_ID }}") |
.node.id' project_data.json)
echo "ITEM_ID=$pr_id" >> $GITHUB_ENV
continue-on-error: true

- name: Get Issue Project ID
if: github.event_name == 'issues'
id: get_issue_id
env:
GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
run: |
# Query up to 10 projects for the Issue
gh api graphql -f query='
Expand All @@ -107,7 +114,7 @@ jobs:
}
}
}' > project_data.json
# Filter the json result to only the project-specific ID for the PR
# A PR can be in multiple projects so we need to filter by the project ID we want
issue_id=$(jq -r '.data.organization.repository.issueOrPullRequest.projectItems.edges[] |
Expand All @@ -119,8 +126,8 @@ jobs:
- name: Get Current Release
id: get_current_release
env:
GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
run: |
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
run: |
# Get current roadmap id
# We maintain the roadmap as a single select field in the project, with the first value being the upcoming release
Expand All @@ -146,8 +153,8 @@ jobs:

- name: Set Item Roadmap
id: set_item_roadmap
env:
GITHUB_TOKEN: ${{ secrets.PROJECT_MANAGEMENT_PAT }}
env:
GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
run: |
# Perform the mutation to update the Roadmap
gh api graphql -f query='
Expand Down
Loading

0 comments on commit fc3e45c

Please sign in to comment.