-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ci: Securely allow fork repo PRs and unittest coverage (#156)
- Loading branch information
1 parent
00fb011
commit e180eb0
Showing
7 changed files
with
240 additions
and
104 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| name: Post Close PR Workflow Run | ||
| run-name: "Post ${{ github.event.workflow_run.display_title }}" | ||
| # This workflow is to be triggerred after Close PR workflow is completed to get access to secrets for fork repo PRs securely. | ||
|
|
||
| # we always expect a single PR to trigger this workflow_run - take care of event filtering below to match a single workflow | ||
| on: | ||
| workflow_run: | ||
| workflows: ["Close PR"] | ||
| types: | ||
| - completed | ||
|
|
||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
| actions: read | ||
|
|
||
| jobs: | ||
| close_pr: | ||
| name: Close PAN.DEV preview PR | ||
| runs-on: ubuntu-latest | ||
| if: > | ||
| github.event.workflow_run.event == 'pull_request' && | ||
| github.event.workflow_run.conclusion == 'success' | ||
| steps: | ||
| - name: download PR artifact | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: pr | ||
| path: pr | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| run-id: ${{ github.event.workflow_run.id }} | ||
|
|
||
| - name: read PR details from artifact | ||
| id: read | ||
| working-directory: pr | ||
| run: | | ||
| ls -R ./ | ||
| echo "pr_number=$(cat NR)" >> "$GITHUB_OUTPUT" | ||
| echo "pr_head_ref=$(cat HEAD_REF)" >> "$GITHUB_OUTPUT" | ||
| - uses: actions/github-script@v6 | ||
| with: | ||
| result-encoding: string | ||
| github-token: ${{ secrets.CLSC_PAT }} | ||
| script: | | ||
| let prs = await github.rest.pulls.list({ | ||
| owner: "PaloAltoNetworks", | ||
| repo: "pan.dev", | ||
| state: "open", | ||
| }) | ||
| let prs_list = prs.data | ||
| for (let pr of prs_list){ | ||
| if (pr.head.label == "PaloAltoNetworks:pua_prev_${{ steps.read.outputs.pr_head_ref }}"){ | ||
| await github.rest.pulls.update({ | ||
| owner: "PaloAltoNetworks", | ||
| repo: "pan.dev", | ||
| pull_number: pr.number, | ||
| state: "closed", | ||
| }) | ||
| console.log("Closing related PAN.DEV PR: #" + pr.number + " - " + pr.title + " -> " + pr.url) | ||
| break | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,120 @@ | ||
| name: Post PR Workflow Run | ||
| run-name: "Post ${{ github.event.workflow_run.display_title }}" | ||
| # This workflow is to be triggerred after PR workflow is completed to have "write" access to the PR from fork repos securely. | ||
|
|
||
| # we always expect a single PR to trigger this workflow_run - take care of event filtering below to match a single workflow | ||
| on: | ||
| workflow_run: | ||
| workflows: ["PR"] | ||
| types: | ||
| - completed | ||
|
|
||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
| # Gives the python-coverage-comment-action the necessary "actions" permissions for looking up the workflow that launched this | ||
| # workflow, and download the related artifact that contains the comment to be published | ||
| actions: read | ||
|
|
||
| jobs: | ||
|
|
||
| pr_status: | ||
| name: Get PR details from artifacts | ||
| runs-on: ubuntu-latest | ||
| if: > | ||
| github.event.workflow_run.event == 'pull_request' && | ||
| github.event.workflow_run.conclusion == 'success' | ||
| outputs: | ||
| pr_number: ${{ steps.read.outputs.pr_number }} | ||
| pr_head_ref: ${{ steps.read.outputs.pr_head_ref }} | ||
|
|
||
| steps: | ||
| - name: download PR artifact | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: pr | ||
| path: pr | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| run-id: ${{ github.event.workflow_run.id }} | ||
|
|
||
| - name: read PR details from artifact | ||
| id: read | ||
| working-directory: pr | ||
| run: | | ||
| ls -R ./ | ||
| echo "pr_number=$(cat NR)" >> "$GITHUB_OUTPUT" | ||
| echo "pr_head_ref=$(cat HEAD_REF)" >> "$GITHUB_OUTPUT" | ||
| update_coverage: | ||
| name: Update coverage report on PR | ||
| needs: pr_status | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: post coverage comment | ||
| uses: py-cov-action/python-coverage-comment-action@v3 | ||
| with: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| GITHUB_PR_RUN_ID: ${{ github.event.workflow_run.id }} | ||
|
|
||
| pandev_pr: | ||
| name: Create a preview PR for pan.dev | ||
| needs: pr_status | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: checkout pan.dev | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: PaloAltoNetworks/pan.dev | ||
| token: ${{ secrets.CLSC_PAT }} | ||
|
|
||
| - name: download documentation artifact | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: documentation | ||
| path: products/panos/docs | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| run-id: ${{ github.event.workflow_run.id }} | ||
|
|
||
| - name: unpack the documentation | ||
| working-directory: products/panos/docs | ||
| run: | | ||
| rm -rf 'panos-upgrade-assurance' | ||
| tar xvf documentation.tar | ||
| rm -f documentation.tar | ||
| - name: create a PR to upstream pan.dev | ||
| id: pr | ||
| uses: peter-evans/create-pull-request@v5 | ||
| with: | ||
| token: ${{ secrets.CLSC_PAT }} | ||
| delete-branch: true | ||
| branch: "pua_prev_${{ needs.pr_status.outputs.pr_head_ref }}" | ||
| title: "[PAN-OS Upgrade Assurance][${{ needs.pr_status.outputs.pr_head_ref }}] documentation PREVIEW - do NOT MERGE" | ||
| commit-message: "docs: PanOS Upgrade Assurance documentation update" | ||
| labels: netsec, DO NOT MERGE | ||
| body: | | ||
| # Description | ||
| DO NOT MERGE - preview PR made for changes on branch: ${{ needs.pr_status.outputs.pr_head_ref }}. | ||
| # Types of changes | ||
| New feature (non-breaking change which adds functionality) | ||
| - name: find if we have a comment | ||
| uses: peter-evans/find-comment@v2 | ||
| id: find | ||
| with: | ||
| issue-number: ${{ needs.pr_status.outputs.pr_number }} | ||
| body-includes: A Preview PR in PanDev repo has been created | ||
| repository: ${{ github.repository }} | ||
|
|
||
| - name: comment back on the original PR | ||
| if: steps.find.outputs.comment-id == '' && steps.pr.outputs.pull-request-url != '' | ||
| uses: peter-evans/create-or-update-comment@v3 | ||
| with: | ||
| issue-number: ${{ needs.pr_status.outputs.pr_number }} | ||
| repository: ${{ github.repository }} | ||
| body: | | ||
| A Preview PR in PanDev repo has been created. You can view it [here](${{ steps.pr.outputs.pull-request-url }}). |
Oops, something went wrong.