1-
1+ # Manually trigger GLCI pipelines for a PR
2+ # ------------------------------------------------------------------------------
3+ #
4+ # NOTICE: **This file is maintained with puppetsync**
5+ #
6+ # This file is updated automatically as part of a standardized asset baseline.
7+ #
8+ # The next baseline sync will overwrite any local changes to this file!
9+ #
10+ # ==============================================================================
11+ #
12+ # This pipeline uses the following GitHub Action Secrets:
13+ #
14+ # GitHub Secret variable Type Notes
15+ # ------------------------ -------- ----------------------------------------
16+ # GITLAB_API_PRIVATE_TOKEN Required GitLab token (should have `api` scope)
17+ # NO_SCOPE_GITHUB_TOKEN Required GitHub token (should have no scopes)
18+ # GITLAB_SERVER_URL Optional Specify a GL server other than gitlab.com
19+ # The secure vars will be filtered in GitHub Actions log output, and aren't
20+ # provided to untrusted builds (i.e, triggered by PR from another repository)
21+ #
22+ # ------------------------------------------------------------------------------
23+ #
224# NOTES:
3- # $secrets.GITHUB_AUTO is not set for workflow_dispatch events
25+ # It is necessary to provide NO_SCOPE_GITHUB_TOKEN because $secrets.GITHUB_AUTO
26+ # is NOT provide to manually-triggered (`workflow_dispatch`) events, in order
27+ # to prevent recursive triggers between workflows
28+ #
29+ # Reference:
430#
531# https://docs.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token
632---
7- name : ' Manual: GLCI for PR '
33+ name : ' Manual: PR GLCI '
834
935on :
1036 workflow_dispatch :
1642jobs :
1743 glci-syntax :
1844 name : ' .gitlab-ci.yml Syntax'
19- runs-on : ubuntu-latest
45+ runs-on : ubuntu-18.04
2046 outputs :
21- exists : ${{ steps.glci-file-exists.outputs.exists }}
2247 valid : ${{ steps.validate-glci-file.outputs.valid }}
2348 pr_head_ref : ${{ steps.get-pr.outputs.pr_head_ref }}
2449 pr_head_sha : ${{ steps.get-pr.outputs.pr_head_sha }}
2853 - uses : actions/github-script@v3
2954 id : get-pr
3055 with :
31- github-token : ${{secrets.SIMP_AUTO_GITHUB_TOKEN__NO_SCOPE }}
56+ github-token : ${{secrets.NO_SCOPE_GITHUB_TOKEN }}
3257 # See:
3358 # - https://octokit.github.io/rest.js/
3459 script : |
@@ -69,112 +94,42 @@ jobs:
6994 with :
7095 repository : ${{ steps.get-pr.outputs.pr_head_full_name }}
7196 ref : ${{ steps.get-pr.outputs.pr_head_sha }}
72- token : ${{secrets.SIMP_AUTO_GITHUB_TOKEN__NO_SCOPE }}
97+ token : ${{secrets.NO_SCOPE_GITHUB_TOKEN }}
7398 clean : true
74- - name : ' Does GLCI file exist?'
75- id : glci-file-exists
76- run : |
77- if [ -f .gitlab-ci.yml ]; then
78- echo '.gitlab-ci.yml exists'
79- echo '::set-output name=exists::true'
80- else
81- echo '::error ::The ".gitlab-ci.yml" file is missing!'
82- echo '::set-output name=exists::false'
83- false
84- fi
8599 - name : ' Validate GLCI file syntax'
86100 id : validate-glci-file
87- if : steps.glci-file-exists.outputs.exists == 'true'
88- env :
89- GITLAB_API_URL : ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
90- GITLAB_API_PRIVATE_TOKEN : ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
91- run : |
92- GITLAB_API_URL="${GITLAB_API_URL:-https://gitlab.com/api/v4}"
93- CURL_CMD=(curl --http1.1 --fail --silent --show-error --header 'Content-Type: application/json' --data @-)
94- [ -n "$GITLAB_API_PRIVATE_TOKEN" ] && CURL_CMD+=(--header "Authorization: Bearer $GITLAB_API_PRIVATE_TOKEN")
95- data="$(jq --null-input --arg yaml "$(<.gitlab-ci.yml)" '.content=$yaml' )"
96- response="$(echo "$data" | "${CURL_CMD[@]}" "${GITLAB_API_URL}/ci/lint?include_merged_yaml=true" | jq . )"
97- status=$( echo "$response" | jq .status )
98- if [[ "$status" == '"valid"' ]]; then
99- echo '.gitlab-ci.yml is valid'
100- echo '::set-output name=valid::true'
101- else
102- echo '::set-output name=valid::false'
103- echo '::error::The .gitlab-ci.yml" file is invalid!'
104- echo "$response" | jq -r '.errors[] | . = "::error ::\(.)"'
105- printf "::debug ::.gitlab-ci.yml CI lint service response: %s\n" "$response"
106- false
107- fi
101+ uses : simp/github-action-gitlab-ci-syntax-check@main
102+ with :
103+ gitlab_api_private_token : ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
104+ gitlab_api_url : ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
108105
109106 trigger-when-user-has-repo-permissions :
110107 name : ' Trigger CI'
111108 needs : [ glci-syntax ]
112- runs-on : ubuntu-latest
109+ runs-on : ubuntu-18.04
113110 steps :
114111 - uses : actions/checkout@v2
115112 with :
116113 repository : ${{ needs.glci-syntax.outputs.pr_head_full_name }}
117114 ref : ${{ needs.glci-syntax.outputs.pr_head_sha }}
118- token : ${{secrets.SIMP_AUTO_GITHUB_TOKEN__NO_SCOPE }}
115+ token : ${{secrets.NO_SCOPE_GITHUB_TOKEN }}
119116 fetch-depth : 0 # Need full checkout to push to gitlab mirror
120117 clean : true
121- - name : Trigger CI
122- env :
123- GITLAB_SERVER_URL : ${{ secrets.GITLAB_SERVER_URL }} # https://gitlab.com
124- GITLAB_API_URL : ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
125- GITLAB_ORG : ' simp'
126- GITLAB_API_PRIVATE_TOKEN : ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
127- GIT_BRANCH : ${{ needs.glci-syntax.outputs.pr_head_ref }}
128- run : |
129- GITLAB_SERVER_URL="${GITLAB_SERVER_URL:-https://gitlab.com}"
130- GITLAB_API_URL="${GITLAB_API_URL:-${GITLAB_SERVER_URL}/api/v4}"
131- GITXXB_REPO_NAME="${GITHUB_REPOSITORY/$GITHUB_REPOSITORY_OWNER\//}"
132- GITLAB_PROJECT_ID="${GITLAB_ORG}%2F${GITXXB_REPO_NAME}"
133- # --http1.0 avoids an HTTP/2 load balancing issue when run from GA
134- CURL_CMD=(curl --http1.0 --fail --silent --show-error \
135- --header "Authorization: Bearer $GITLAB_API_PRIVATE_TOKEN" \
136- --header "Content-Type: application/json" \
137- --header "Accept: application/json" \
138- )
139-
140- # Cancel any active/pending GitLab CI pipelines for the same project+branch
141- active_pipeline_ids=()
142- for pipe_status in created waiting_for_resource preparing pending running; do
143- echo " ---- checking for CI pipelines with status '$pipe_status' for project '$GITLAB_PROJECT_ID', branch '$GIT_BRANCH'"
144- url="${GITLAB_API_URL}/projects/${GITLAB_PROJECT_ID}/pipelines?ref=${GIT_BRANCH}&status=${pipe_status}"
145- active_pipelines="$("${CURL_CMD[@]}" "$url" | jq -r '.[] | .id , .web_url')"
146- active_pipeline_ids+=($(echo "$active_pipelines" | grep -E '^[0-9]*$'))
147- printf "$active_pipelines\n\n"
148- done
149- if [ "${#active_pipeline_ids[@]}" -gt 0 ]; then
150- printf "\nFound %s active pipeline ids:\n" "${#active_pipeline_ids[@]}"
151- echo "${active_pipeline_ids[@]}"
152- for pipe_id in "${active_pipeline_ids[@]}"; do
153- printf "\n ------ Cancelling pipeline ID %s...\n" "$pipe_id"
154- "${CURL_CMD[@]}" --request POST "${GITLAB_API_URL}/projects/${GITLAB_PROJECT_ID}/pipelines/${pipe_id}/cancel"
155- done
156- else
157- echo No active pipelines found
158- fi
159-
160- # Should we protect against pushing default branches?
161- echo "== Pushing '$GIT_BRANCH' to gitlab"
162- git remote add gitlab "https://oauth2:${GITLAB_API_PRIVATE_TOKEN}@${GITLAB_SERVER_URL#*://}/${GITLAB_ORG}/${GITXXB_REPO_NAME}.git"
163- git branch "$GIT_BRANCH" HEAD || :
164- git branch -av
165- git log --color --graph --abbrev-commit -5 \
166- --pretty=format:'%C(red)%h%C(reset) -%C(yellow)%d%Creset %s %Cgreen(%ci) %C(bold blue)<%an>%Creset'
167- git push gitlab ":${GIT_BRANCH}" -f || : # attempt to un-weird GLCI's `changed` tracking
168- echo "== git push --verbose gitlab ${GIT_BRANCH}"
169- git push --verbose gitlab "${GIT_BRANCH}"
170- echo "Pushed branch '${GIT_BRANCH}' to gitlab"
171- echo " A new pipeline should be at: https://${GITLAB_SERVER_URL#*://}/${GITLAB_ORG}/${GITXXB_REPO_NAME}/-/pipelines/"
118+ - name : Trigger CI when user has Repo Permissions
119+ uses : simp/github-action-gitlab-ci-pipeline-trigger@v1
120+ with :
121+ git_hashref : ${{ needs.glci-syntax.outputs.pr_head_sha }}
122+ git_branch : ${{ needs.glci-syntax.outputs.pr_head_ref }}
123+ gitlab_api_private_token : ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
124+ gitlab_group : ${{ github.event.organization.login }}
125+ github_repository : ${{ github.repository }}
126+ github_repository_owner : ${{ github.repository_owner }}
172127
173128# ## examine_contexts:
174129# ## needs: [ glci-syntax ]
175130# ## name: 'Examine Context contents'
176131# ## if: always()
177- ### runs-on: ubuntu-latest
132+ # ## runs-on: ubuntu-18.04
178133# ## steps:
179134# ## - name: Dump contexts
180135# ## env:
@@ -186,4 +141,3 @@ jobs:
186141# ## run: echo "$ENV_CONTEXT"
187142# ## - name: Dump env vars
188143# ## run: env | sort
189-
0 commit comments