workflow fixes and improvements #88

Merged
merged 13 commits into from
May 16, 2024
Merged
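--- a/.github/workflows/gem_ci.yml
+++ b/.github/workflows/gem_ci.yml
@@ -73,7 +73,8 @@ jobs:
 if: |
 contains(inputs.rake_task, 'coverage') &&
 inputs.runs_on == 'ubuntu-latest' &&
-inputs.ruby_version == '3.2'
+inputs.ruby_version == '3.2' &&
+secrets.CODECOV_TOKEN
 uses: codecov/codecov-action@v4
 with:
 token: ${{ secrets.CODECOV_TOKEN }}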
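Review bot: Adding `secrets.CODECOV_TOKEN` to the step condition makes the coverage upload skip silently whenever the calling workflow does not forward that secret (forks, or a caller without `secrets: inherit` or an explicit mapping), and nothing in the log then indicates that coverage was not reported. A comment on the condition would document the intent, e.g. `# upload is skipped when the caller does not pass CODECOV_TOKEN (forks); coverage is then not reported`. The enclosing job and its step list begin above the hunk.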
24 changes: 12 additions & 12 deletions .github/workflows/labeller.yml
@@ -1,27 +1,27 @@
name: Labeller

on:
issues:
types:
- opened
- labeled
- unlabeled
pull_request_target:
types:
- opened
- labeled
- unlabeled
workflow_call:
inputs:
token:
default: ''
type: string

jobs:
label:
name: ${{ github.event.action }} ${{ github.event_name }}
# case if the workflow is called improperly
if: |
contains(fromJson('["puppetlabs", "puppet-toy-chest"]'), github.repository_owner) &&
contains(fromJson('["pull_request_target", "issues"]'), github.event_name) &&
contains(fromJson('["opened", "reopened", "labeled", "unlabeled"]'), github.event.action)
runs-on: ubuntu-latest
steps:

- uses: puppetlabs/[email protected]
name: Label issues or pull requests
with:
label_name: community
label_color: '5319e7'
org_membership: puppetlabs
fail_if_member: 'true'
token: ${{ secrets.IAC_COMMUNITY_LABELER }}
token: ${{ inputs.token != '' && inputs.token || secrets.IAC_COMMUNITY_TOKEN }}
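Review bot: The new `workflow_call` input `token` is a plain string that carries a credential (`token: ${{ inputs.token != '' && inputs.token || secrets.IAC_COMMUNITY_TOKEN }}` on the last line), so callers will route a secret through `inputs:`; `workflow_call` has a dedicated `secrets:` block for this, and a value arriving as an input is not necessarily registered for log masking in the called job the way a declared secret is. Declaring `secrets: { token: { required: false } }` and reading `secrets.token` in the fallback expression keeps the credential on the secrets path. The same pattern appears in `.github/workflows/mend_ruby.yml` with the new `api_key` and `token` string inputs. Separately, the job `if:` accepts `reopened` although neither trigger lists that type, which is harmless but worth a comment or aligning the two lists.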
44 changes: 39 additions & 5 deletions .github/workflows/mend_ruby.yml
Expand Up @@ -4,14 +4,42 @@ name: mend

on:
workflow_call:
inputs:
api_key:
default: ''
type: string
token:
default: ''
type: string
product_name:
default: 'content-and-tooling'
type: string

jobs:
env:
MEND_API_KEY: ${{ secrets.MEND_API_KEY != '' && secrets.MEND_API_KEY || inputs.api_key }}
MEND_TOKEN: ${{ secrets.MEND_TOKEN != '' && secrets.MEND_TOKEN || inputs.token }}
PRODUCT_NAME: ${{ inputs.PRODUCT_NAME != '' && inputs.PRODUCT_NAME || inputs.product_name }}
REQUIRE_SECRETS: MEND_API_KEY MEND_TOKEN

jobs:
mend:
runs-on: "ubuntu-latest"
continue-on-error: ${{ contains(fromJson('["puppetlabs","puppet-toy-chest"]'), github.repository_owner) != true }}
steps:
- name: "check requirements"
run: |
declare -a MISSING
for V in ${REQUIRE_SECRETS} ; do
[[ -z "${!V}" ]] && MISSING+=($V)
done
if [ ${#MISSING[@]} -gt 0 ] ; then
echo "::warning::missing required secrets: ${MISSING[@]}"
exit 1
fi

# If we are on a PR, checkout the PR head sha, else checkout the default branch
- name: "Set the checkout ref"
if: success()
id: set_ref
run: |
if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then
Expand All @@ -21,32 +49,38 @@ jobs:
fi

- name: "checkout"
if: success()
uses: "actions/checkout@v4"
with:
fetch-depth: 1
ref: ${{ steps.set_ref.outputs.ref }}

- name: "setup ruby"
if: success()
uses: "ruby/setup-ruby@v1"
with:
ruby-version: 2.7

- name: "bundle lock"
if: success()
run: bundle lock

- uses: "actions/setup-java@v4"
if: success()
with:
distribution: "temurin"
java-version: "17"

- name: "download"
if: success()
run: curl -o wss-unified-agent.jar https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar

- name: "scan"
if: success()
run: java -jar wss-unified-agent.jar
env:
WS_APIKEY: ${{ secrets.MEND_API_KEY }}
WS_APIKEY: ${{ env.MEND_API_KEY }}
WS_WSS_URL: https://saas-eu.whitesourcesoftware.com/agent
WS_USERKEY: ${{ secrets.MEND_TOKEN }}
WS_PRODUCTNAME: "content-and-tooling"
WS_PROJECTNAME: ${{ github.event.repository.name }}
WS_USERKEY: ${{ env.MEND_TOKEN }}
WS_PRODUCTNAME: ${{ env.PRODUCT_NAME }}
WS_PROJECTNAME: ${{ github.event.repository.name }}
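Review bot: `PRODUCT_NAME: ${{ inputs.PRODUCT_NAME != '' && inputs.PRODUCT_NAME || inputs.product_name }}` in the first hunk references `inputs.PRODUCT_NAME`, which is not a declared input; if context property lookup is case-insensitive it is the same value as `inputs.product_name` and the expression is redundant, and if it is not the fallback always applies, so either way the line reduces to `PRODUCT_NAME: ${{ inputs.product_name }}`. The "check requirements" step prints `::warning::missing required secrets: ...` and then `exit 1`; since the step fails, `::error::` (as the `check` job in module_release.yml uses) matches the severity and shows up as an error annotation. The `if: success()` lines added to every step in the second hunk restate the default step condition and add no gating; drop them, or if they are meant as documentation of intent put a single comment above the step list saying so. The `run:` script of "Set the checkout ref" is cut between the two hunks.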
21 changes: 19 additions & 2 deletions .github/workflows/module_acceptance.yml
Expand Up @@ -14,7 +14,14 @@ on:
required: false
default: ''
type: "string"

kernel_modules:
description: "Volume map host kernel /lib/modules into docker container"
default: true
type: boolean
disable_apparmor:
description: "Disable and stop apparmor"
default: false
type: boolean

jobs:

Expand Down Expand Up @@ -68,6 +75,16 @@ jobs:
- name: "Checkout"
uses: "actions/checkout@v4"

- name: "Disable Apparmor"
if: ${{ inputs.disable_apparmor }}
run: |
if command -v apparmor_parser >/dev/null ; then
sudo find /etc/apparmor.d/ -maxdepth 1 -type f -exec ln -sf {} /etc/apparmor.d/disable/ \;
sudo apparmor_parser -R /etc/apparmor.d/disable/* || true
sudo systemctl disable apparmor
sudo systemctl stop apparmor
fi

- name: "Setup ruby"
uses: "ruby/setup-ruby@v1"
with:
Expand All @@ -82,7 +99,7 @@ jobs:

- name: "Provision environment"
run: |
if [[ "${{matrix.platforms.provider}}" == "docker" ]]; then
if [[ "${{ inputs.kernel_modules }}" == "true" ]] && [[ "${{matrix.platforms.provider}}" =~ docker* ]] ; then
DOCKER_RUN_OPTS="docker_run_opts: {'--volume': '/lib/modules/$(uname -r):/lib/modules/$(uname -r)'}"
else
DOCKER_RUN_OPTS=''
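Review bot: The "Disable Apparmor" step symlinks every profile under /etc/apparmor.d into disable/, unloads them with `apparmor_parser -R`, and runs `systemctl disable apparmor`, which persists across reboots; that is fine on an ephemeral hosted runner, but on a self-hosted runner it leaves the host without AppArmor after the job ends, and the step does not say which acceptance targets need it. A comment above the step such as `# Unloads all host AppArmor profiles and disables the service persistently; intended for ephemeral hosted runners only` and a matching sentence in the `disable_apparmor` description would make that trade-off explicit. In the last hunk, `=~ docker*` is a regular expression rather than a glob: it matches any provider containing `docke` followed by zero or more `r`, so `=~ ^docker` states the intent (docker and docker-prefixed providers) exactly. The `Provision environment` script continues below the hunk.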
124 changes: 108 additions & 16 deletions .github/workflows/module_release.yml
Expand Up @@ -5,47 +5,139 @@ name: "Module Release"

on:
workflow_call:
inputs:
tag:
description: "Enter an old tag, or blank to tag HEAD of branch"
default: ''
type: string
release:
description: "Create a release on Github"
type: boolean
default: true
publish:
description: "Publish to forge.puppet.com"
type: boolean
default: true
edit:
description: "Re-tag and regenerate release notes"
type: boolean
default: false

env:
FORGE_API_KEY: ${{ secrets.FORGE_API_KEY }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

jobs:
check:
runs-on: "ubuntu-latest"
steps:
- name: "Check Requirements"
if: ${{ inputs.publish == true || inputs.publish == 'true' }}
run: |
if [[ -z "${FORGE_API_KEY}" ]] ; then
echo "::error::missing required secret: FORGE_API_KEY"
exit 1
fi

release:
name: "Release"
name: ${{ inputs.tag != '' && inputs.tag || 'new' }}
needs: check
runs-on: "ubuntu-latest"
if: github.repository_owner == 'puppetlabs'

steps:

- name: "Checkout"
uses: "actions/checkout@v4"
with:
ref: "${{ github.ref }}"
clean: true
fetch-depth: 0
fetch-tags: true

- name: "Checkout tag ${{ inputs.tag }}"
if: ${{ inputs.tag != '' }}
run: |
git checkout refs/tags/${{ inputs.tag }}

- name: "Get version"
id: "get_version"
- name: "Get metadata"
id: metadata
run: |
echo "version=$(jq --raw-output .version metadata.json)" >> $GITHUB_OUTPUT
metadata_version=$(jq --raw-output .version metadata.json)
if [[ -n "${{ inputs.tag }}" ]] ; then
tag=${{ inputs.tag }}
if [[ "${metadata_version}" != "${tag/v}" ]] ; then
echo "::error::tag ${tag/v} does not match metadata version ${metadata_version}"
exit 1
fi
else
tag="v${metadata_version}"
fi
echo "tag=${tag}" >> $GITHUB_OUTPUT
echo "version=${metadata_version}" >> $GITHUB_OUTPUT

- name: "PDK build"
- name: "PDK build ${{ steps.metadata.outputs.version }}"
uses: "docker://puppet/pdk:3.0.0.0"
with:
args: "build"

- name: "Generate release notes"
- name: "Generate release notes for Github"
continue-on-error: true
run: |
export GH_HOST=github.com
gh extension install chelnak/gh-changelog
gh changelog get --latest > OUTPUT.md
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# TODO replace sed when gh-changelog supports templates
gh changelog get --latest | \
sed -e "1,/^\[Full Changelog\]/ d" \
-e 's/(\[\([^]]*\)\]([^)]*))$/@\1/g' \
-e 's/\[#\([0-9]*\)\]([^)]*)/#\1/g' > OUTPUT.md
echo "::group::release notes"
cat OUTPUT.md
echo "::endgroup::"

- name: "Tag ${{ steps.metadata.outputs.tag }}"
id: tag
run: |
# create an annotated tag -- gh release create DOES NOT do this for us!
# TODO move this to an automatic action when a release_prep PR is merged
git config --local user.email "${{ github.repository_owner }}@users.noreply.github.com"
git config --local user.name "GitHub Actions"

# overwrite existing tag?
if [[ -n "${{ inputs.tag }}" ]] ; then
if [[ "${{ inputs.edit }}" == "true" ]] ; then
arg="-f"
else
skip_tag=1
fi
fi

if [[ -z "${skip_tag}" ]] ; then
GIT_COMMITTER_DATE="$(git log --format=%aD ...HEAD^)" git tag -a $arg -F OUTPUT.md "${{ steps.metadata.outputs.tag }}"
git push $arg origin tag "${{ steps.metadata.outputs.tag }}"
fi

if gh release view "${{ steps.metadata.outputs.tag }}" > /dev/null ; then
echo "release_action=edit" >> $GITHUB_OUTPUT
echo "undraft=${{ inputs.edit }}" >> $GITHUB_OUTPUT
else
echo "release_action=create" >> $GITHUB_OUTPUT
fi

# is latest tag?
LAST_TAG=$(git for-each-ref refs/tags --sort='-*creatordate' --format='%(refname:short)' --count=1)
if [[ "${LAST_TAG}" == "${{ steps.metadata.outputs.tag }}" ]] ; then
echo "latest=true" >> $GITHUB_OUTPUT
else
echo "latest=false" >> $GITHUB_OUTPUT
fi

- name: "Create release"
- name: "${{ steps.tag.outputs.release_action }} release for ${{ steps.metadata.outputs.tag }}"
if: ${{ inputs.release == true || inputs.release == 'true' || steps.tag.outputs.undraft == 'true' }}
run: |
gh release create v${{ steps.get_version.outputs.version }} --title v${{ steps.get_version.outputs.version }} -F OUTPUT.md
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
gh release ${{ steps.tag.outputs.release_action }} ${{ steps.metadata.outputs.tag }} --latest=${{ steps.tag.outputs.latest }} --draft=false --title ${{ steps.metadata.outputs.tag }} -F OUTPUT.md

- name: "Publish module"
if: ${{ inputs.publish == true || inputs.publish == 'true' }}
uses: "docker://puppet/pdk:3.0.0.0"
with:
args: 'release publish --forge-token ${{ secrets.FORGE_API_KEY }} --force'
args: 'release publish --forge-token ${{ env.FORGE_API_KEY }} --force'
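Review bot: Hoisting `FORGE_API_KEY`, `GH_TOKEN` and `GITHUB_TOKEN` into the workflow-level `env:` hands both secrets to every step of both jobs — including the `docker://puppet/pdk:3.0.0.0` build container, which has no use for them — where the per-step `env:` blocks this hunk removes had scoped them to the `gh` and publish steps; the sketch below restores per-step scoping. `${{ inputs.tag }}` is interpolated directly into the `run:` scripts of the tag checkout, "Get metadata" and "Tag" steps, and since a caller may source it from a `workflow_dispatch` input it should be passed through a step `env:` (`TAG: ${{ inputs.tag }}`) and referenced as `"${TAG}"` so it reaches the shell as data rather than script text. `git tag -a $arg -F OUTPUT.md` depends on the release-notes step, which has `continue-on-error: true` and can leave OUTPUT.md empty or absent, so the tag step should fail early with `[[ -s OUTPUT.md ]] || { echo "::error::no release notes"; exit 1; }`. The `check` job also lacks the `github.repository_owner == 'puppetlabs'` guard that `release` carries, so on a fork with the default `publish: true` the workflow fails on the missing secret instead of skipping.
```yaml
# … unchanged: name / on / inputs; the workflow-level env: block is removed …

jobs:
  check:
    runs-on: "ubuntu-latest"
    steps:
      - name: "Check Requirements"
        if: ${{ inputs.publish == true || inputs.publish == 'true' }}
        env:
          FORGE_API_KEY: ${{ secrets.FORGE_API_KEY }}
        run: |
          # … unchanged: FORGE_API_KEY presence check …

  # … unchanged: release job header and "Checkout" step …

      - name: "Checkout tag ${{ inputs.tag }}"
        if: ${{ inputs.tag != '' }}
        env:
          TAG: ${{ inputs.tag }}
        run: |
          git checkout "refs/tags/${TAG}"

      - name: "Get metadata"
        id: metadata
        env:
          TAG: ${{ inputs.tag }}
        run: |
          metadata_version=$(jq --raw-output .version metadata.json)
          if [[ -n "${TAG}" ]] ; then
            tag="${TAG}"
            # … unchanged: version/tag comparison and outputs …

      # … unchanged: PDK build; the "Generate release notes", "Tag" and release steps
      #   each get `env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, the publish step
      #   gets `env: FORGE_API_KEY: ${{ secrets.FORGE_API_KEY }}` …
```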