Skip to content

Commit cc27b8d

Browse files
authored
(SIMP-10392) GHA: Trigger rpm_release workflow (#436)
This patch ensures that a GitHub release will trigger the `release_rpm` GHA workflow. The patch enforces a standardized asset baseline using simp/puppetsync, and may apply other updates to ensure conformity. [SIMP-10393] #close [SIMP-10392] #comment Add `release_rpms` to simp-doc
1 parent 96dd1bf commit cc27b8d

6 files changed

Lines changed: 610 additions & 178 deletions

File tree

.github/workflows/pr_glci.yml

Lines changed: 27 additions & 84 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,14 @@
33
# 1. The .gitlab-ci.yaml file exists and validates
44
# 2. The PR submitter has write access to the target repository.
55
#
6+
# ------------------------------------------------------------------------------
7+
#
8+
# NOTICE: **This file is maintained with puppetsync**
9+
#
10+
# This file is updated automatically as part of a puppet module baseline.
11+
#
12+
# The next baseline sync will overwrite any local changes to this file!
13+
#
614
# ==============================================================================
715
#
816
# GitHub Action Secrets variables available for this pipeline:
@@ -57,47 +65,18 @@ jobs:
5765
name: '.gitlab-ci.yml Syntax'
5866
runs-on: ubuntu-latest
5967
outputs:
60-
exists: ${{ steps.glci-file-exists.outputs.exists }}
6168
valid: ${{ steps.validate-glci-file.outputs.valid }}
6269
steps:
6370
- uses: actions/checkout@v2
6471
with:
6572
repository: ${{ github.event.pull_request.head.repo.full_name }}
6673
ref: ${{ github.event.pull_request.head.ref }}
67-
- name: 'Does GLCI file exist?'
68-
id: glci-file-exists
69-
run: |
70-
if [ -f .gitlab-ci.yml ]; then
71-
echo '.gitlab-ci.yml exists'
72-
echo '::set-output name=exists::true'
73-
else
74-
echo '::error ::The ".gitlab-ci.yml" file is missing!'
75-
echo '::set-output name=exists::false'
76-
false
77-
fi
7874
- name: 'Validate GLCI file syntax'
7975
id: validate-glci-file
80-
if: steps.glci-file-exists.outputs.exists == 'true'
81-
env:
82-
GITLAB_API_URL: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
83-
GITLAB_API_PRIVATE_TOKEN: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
84-
run: |
85-
GITLAB_API_URL="${GITLAB_API_URL:-https://gitlab.com/api/v4}"
86-
CURL_CMD=(curl --http1.1 --fail --silent --show-error --header 'Content-Type: application/json' --data @-)
87-
[ -n "$GITLAB_API_PRIVATE_TOKEN" ] && CURL_CMD+=(--header "Authorization: Bearer $GITLAB_API_PRIVATE_TOKEN")
88-
data="$(jq --null-input --arg yaml "$(<.gitlab-ci.yml)" '.content=$yaml' )"
89-
response="$(echo "$data" | "${CURL_CMD[@]}" "${GITLAB_API_URL}/ci/lint?include_merged_yaml=true" | jq . )"
90-
status=$( echo "$response" | jq .status )
91-
if [[ "$status" == '"valid"' ]]; then
92-
echo '.gitlab-ci.yml is valid'
93-
echo '::set-output name=valid::true'
94-
else
95-
echo '::set-output name=valid::false'
96-
echo '::error::The .gitlab-ci.yml" file is invalid!'
97-
echo "$response" | jq -r '.errors[] | . = "::error ::\(.)"'
98-
printf "::debug ::.gitlab-ci.yml CI lint service response: %s\n" "$response"
99-
false
100-
fi
76+
uses: simp/github-action-gitlab-ci-syntax-check@main
77+
with:
78+
gitlab_api_private_token: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
79+
gitlab_api_url: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
10180

10281
contributor-permissions:
10382
name: 'PR contributor check'
@@ -145,14 +124,16 @@ jobs:
145124
# AND:
146125
# - [x] Newly-opened PRs: github.event.action == 'opened'
147126
# - [x] Re-opened PRs: github.event.action == 'reopened'
148-
# - [x] Commites are added to PR: github.event.action == 'synchronize'
127+
# - [x] Commits are added to PR: github.event.action == 'synchronize'
149128
# AND:
150129
# - [x] .gitlab-ci.yml exists/ok: needs.glci-syntax.outputs.valid == 'true'
151130
#
152-
# It will NOT Trigger on:
131+
# [Not implemented] It should NEVER trigger on:
153132
#
154133
# - [ ] Merged PRs: github.event.pull_request.merged == 'false'
155-
# - (the downstream GitLab mirror will take care of that)
134+
# - (the downstream GitLab mirror will take care of that)
135+
# - Not implemented: For some reason, this conditional always fails
136+
# - Unnecessary if on>pull_request_target>types doesn't include 'closed'
156137
if: github.event_name == 'pull_request_target' && ( github.event.action == 'opened' || github.event.action == 'reopened' || github.event.action == 'synchronize' ) && github.event.pull_request.merged != 'true' && needs.glci-syntax.outputs.valid == 'true' && needs.contributor-permissions.outputs.permitted == 'true'
157138
runs-on: ubuntu-18.04
158139
steps:
@@ -162,64 +143,26 @@ jobs:
162143
# - [ ] if there's no PR check on the main GitHub branch, make one (?)
163144
# - [x] Cancel any GLCI pipelines already pending/running for this branch
164145
# - "created|waiting_for_resource|preparing|pending|running"
146+
# - Exception: don't cancel existing pipeline for our own commit
165147
# - [x] if PR: force-push branch to GitLab
166148
- uses: actions/checkout@v2
167149
if: needs.contributor-permissions.outputs.permitted == 'true'
168150
with:
151+
clean: true
169152
fetch-depth: 0 # Need full checkout to push to gitlab mirror
170153
repository: ${{ github.event.pull_request.head.repo.full_name }}
171154
ref: ${{ github.event.pull_request.head.ref }}
172155

173156
- name: Trigger CI when user has Repo Permissions
174157
if: needs.contributor-permissions.outputs.permitted == 'true'
175-
env:
176-
GITLAB_SERVER_URL: ${{ secrets.GITLAB_SERVER_URL }} # https://gitlab.com
177-
GITLAB_API_URL: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
178-
GITLAB_ORG: 'simp'
179-
GITLAB_API_PRIVATE_TOKEN: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
180-
GIT_BRANCH: ${{ github.event.pull_request.head.ref }}
181-
run: |
182-
GITLAB_SERVER_URL="${GITLAB_SERVER_URL:-https://gitlab.com}"
183-
GITLAB_API_URL="${GITLAB_API_URL:-${GITLAB_SERVER_URL}/api/v4}"
184-
GIT_BRANCH="${GIT_BRANCH:-GITHUB_HEAD_REF}"
185-
GITXXB_REPO_NAME="${GITHUB_REPOSITORY/$GITHUB_REPOSITORY_OWNER\//}"
186-
GITLAB_PROJECT_ID="${GITLAB_ORG}%2F${GITXXB_REPO_NAME}"
187-
# --http1.0 avoids an HTTP/2 load balancing issue when run from GA
188-
CURL_CMD=(curl --http1.0 --fail --silent --show-error \
189-
--header "Authorization: Bearer $GITLAB_API_PRIVATE_TOKEN" \
190-
--header "Content-Type: application/json" \
191-
--header "Accept: application/json" \
192-
)
193-
194-
# Cancel any active/pending GitLab CI pipelines for the same project+branch
195-
active_pipeline_ids=()
196-
for pipe_status in created waiting_for_resource preparing pending running; do
197-
echo " ---- checking for CI pipelines with status '$pipe_status' for project '$GITLAB_PROJECT_ID', branch '$GIT_BRANCH'"
198-
url="${GITLAB_API_URL}/projects/${GITLAB_PROJECT_ID}/pipelines?ref=${GIT_BRANCH}&status=${pipe_status}"
199-
active_pipelines="$("${CURL_CMD[@]}" "$url" | jq -r '.[] | .id , .web_url')"
200-
active_pipeline_ids+=($(echo "$active_pipelines" | grep -E '^[0-9]*$'))
201-
printf "$active_pipelines\n\n"
202-
done
203-
if [ "${#active_pipeline_ids[@]}" -gt 0 ]; then
204-
printf "\nFound %s active pipeline ids:\n" "${#active_pipeline_ids[@]}"
205-
echo "${active_pipeline_ids[@]}"
206-
for pipe_id in "${active_pipeline_ids[@]}"; do
207-
printf "\n ------ Cancelling pipeline ID %s...\n" "$pipe_id"
208-
"${CURL_CMD[@]}" --request POST "${GITLAB_API_URL}/projects/${GITLAB_PROJECT_ID}/pipelines/${pipe_id}/cancel"
209-
done
210-
else
211-
echo No active pipelines found
212-
fi
213-
214-
echo "== Pushing $GIT_BRANCH to gitlab"
215-
git remote add gitlab "https://oauth2:${GITLAB_API_PRIVATE_TOKEN}@${GITLAB_SERVER_URL#*://}/${GITLAB_ORG}/${GITXXB_REPO_NAME}.git"
216-
#git branch "$GIT_BRANCH" HEAD
217-
git log --color --graph --abbrev-commit -5 \
218-
--pretty=format:'%C(red)%h%C(reset) -%C(yellow)%d%Creset %s %Cgreen(%ci) %C(bold blue)<%an>%Creset'
219-
git push gitlab ":${GIT_BRANCH}" -f || : # attempt to un-weird GLCI's `changed` tracking
220-
git push gitlab "${GIT_BRANCH}" -f
221-
echo "Pushed branch '${GIT_BRANCH}' to gitlab"
222-
echo " A new pipeline should be at: https://${GITLAB_SERVER_URL#*://}/${GITLAB_ORG}/${GITXXB_REPO_NAME}/-/pipelines/"
158+
uses: simp/github-action-gitlab-ci-pipeline-trigger@v1
159+
with:
160+
git_branch: ${{ github.event.pull_request.head.ref }} # TODO check for/avoid protected branches?
161+
git_hashref: ${{ github.event.pull_request.head.sha }}
162+
gitlab_api_private_token: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
163+
gitlab_group: ${{ github.event.organization.login }}
164+
github_repository: ${{ github.repository }}
165+
github_repository_owner: ${{ github.repository_owner }}
223166

224167
- name: When user does NOT have Repo Permissions
225168
if: needs.contributor-permissions.outputs.permitted == 'false'

.github/workflows/pr_glci_cleanup.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,14 @@
33
# * Cancels all GLCI pipelines associated with the PR HEAD ref (branch)
44
# * Removes the PR HEAD branch from the corresponding gitlab.com/org/ project
55
#
6+
# ------------------------------------------------------------------------------
7+
#
8+
# NOTICE: **This file is maintained with puppetsync**
9+
#
10+
# This file is updated automatically as part of a standardized asset baseline.
11+
#
12+
# The next baseline sync will overwrite any local changes to this file!
13+
#
614
# ==============================================================================
715
#
816
# GitHub Action Secrets variables available for this pipeline:
Lines changed: 48 additions & 94 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,36 @@
1-
1+
# Manually trigger GLCI pipelines for a PR
2+
# ------------------------------------------------------------------------------
3+
#
4+
# NOTICE: **This file is maintained with puppetsync**
5+
#
6+
# This file is updated automatically as part of a standardized asset baseline.
7+
#
8+
# The next baseline sync will overwrite any local changes to this file!
9+
#
10+
# ==============================================================================
11+
#
12+
# This pipeline uses the following GitHub Action Secrets:
13+
#
14+
# GitHub Secret variable Type Notes
15+
# ------------------------ -------- ----------------------------------------
16+
# GITLAB_API_PRIVATE_TOKEN Required GitLab token (should have `api` scope)
17+
# NO_SCOPE_GITHUB_TOKEN Required GitHub token (should have no scopes)
18+
# GITLAB_SERVER_URL Optional Specify a GL server other than gitlab.com
19+
# The secure vars will be filtered in GitHub Actions log output, and aren't
20+
# provided to untrusted builds (i.e, triggered by PR from another repository)
21+
#
22+
# ------------------------------------------------------------------------------
23+
#
224
# NOTES:
3-
# $secrets.GITHUB_AUTO is not set for workflow_dispatch events
25+
# It is necessary to provide NO_SCOPE_GITHUB_TOKEN because $secrets.GITHUB_AUTO
26+
# is NOT provide to manually-triggered (`workflow_dispatch`) events, in order
27+
# to prevent recursive triggers between workflows
28+
#
29+
# Reference:
430
#
531
# https://docs.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token
632
---
7-
name: 'Manual: GLCI for PR'
33+
name: 'Manual: PR GLCI'
834

935
on:
1036
workflow_dispatch:
@@ -16,9 +42,8 @@ on:
1642
jobs:
1743
glci-syntax:
1844
name: '.gitlab-ci.yml Syntax'
19-
runs-on: ubuntu-latest
45+
runs-on: ubuntu-18.04
2046
outputs:
21-
exists: ${{ steps.glci-file-exists.outputs.exists }}
2247
valid: ${{ steps.validate-glci-file.outputs.valid }}
2348
pr_head_ref: ${{ steps.get-pr.outputs.pr_head_ref }}
2449
pr_head_sha: ${{ steps.get-pr.outputs.pr_head_sha }}
@@ -28,7 +53,7 @@ jobs:
2853
- uses: actions/github-script@v3
2954
id: get-pr
3055
with:
31-
github-token: ${{secrets.SIMP_AUTO_GITHUB_TOKEN__NO_SCOPE}}
56+
github-token: ${{secrets.NO_SCOPE_GITHUB_TOKEN}}
3257
# See:
3358
# - https://octokit.github.io/rest.js/
3459
script: |
@@ -69,112 +94,42 @@ jobs:
6994
with:
7095
repository: ${{ steps.get-pr.outputs.pr_head_full_name }}
7196
ref: ${{ steps.get-pr.outputs.pr_head_sha }}
72-
token: ${{secrets.SIMP_AUTO_GITHUB_TOKEN__NO_SCOPE}}
97+
token: ${{secrets.NO_SCOPE_GITHUB_TOKEN}}
7398
clean: true
74-
- name: 'Does GLCI file exist?'
75-
id: glci-file-exists
76-
run: |
77-
if [ -f .gitlab-ci.yml ]; then
78-
echo '.gitlab-ci.yml exists'
79-
echo '::set-output name=exists::true'
80-
else
81-
echo '::error ::The ".gitlab-ci.yml" file is missing!'
82-
echo '::set-output name=exists::false'
83-
false
84-
fi
8599
- name: 'Validate GLCI file syntax'
86100
id: validate-glci-file
87-
if: steps.glci-file-exists.outputs.exists == 'true'
88-
env:
89-
GITLAB_API_URL: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
90-
GITLAB_API_PRIVATE_TOKEN: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
91-
run: |
92-
GITLAB_API_URL="${GITLAB_API_URL:-https://gitlab.com/api/v4}"
93-
CURL_CMD=(curl --http1.1 --fail --silent --show-error --header 'Content-Type: application/json' --data @-)
94-
[ -n "$GITLAB_API_PRIVATE_TOKEN" ] && CURL_CMD+=(--header "Authorization: Bearer $GITLAB_API_PRIVATE_TOKEN")
95-
data="$(jq --null-input --arg yaml "$(<.gitlab-ci.yml)" '.content=$yaml' )"
96-
response="$(echo "$data" | "${CURL_CMD[@]}" "${GITLAB_API_URL}/ci/lint?include_merged_yaml=true" | jq . )"
97-
status=$( echo "$response" | jq .status )
98-
if [[ "$status" == '"valid"' ]]; then
99-
echo '.gitlab-ci.yml is valid'
100-
echo '::set-output name=valid::true'
101-
else
102-
echo '::set-output name=valid::false'
103-
echo '::error::The .gitlab-ci.yml" file is invalid!'
104-
echo "$response" | jq -r '.errors[] | . = "::error ::\(.)"'
105-
printf "::debug ::.gitlab-ci.yml CI lint service response: %s\n" "$response"
106-
false
107-
fi
101+
uses: simp/github-action-gitlab-ci-syntax-check@main
102+
with:
103+
gitlab_api_private_token: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
104+
gitlab_api_url: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
108105

109106
trigger-when-user-has-repo-permissions:
110107
name: 'Trigger CI'
111108
needs: [ glci-syntax ]
112-
runs-on: ubuntu-latest
109+
runs-on: ubuntu-18.04
113110
steps:
114111
- uses: actions/checkout@v2
115112
with:
116113
repository: ${{ needs.glci-syntax.outputs.pr_head_full_name }}
117114
ref: ${{ needs.glci-syntax.outputs.pr_head_sha }}
118-
token: ${{secrets.SIMP_AUTO_GITHUB_TOKEN__NO_SCOPE}}
115+
token: ${{secrets.NO_SCOPE_GITHUB_TOKEN}}
119116
fetch-depth: 0 # Need full checkout to push to gitlab mirror
120117
clean: true
121-
- name: Trigger CI
122-
env:
123-
GITLAB_SERVER_URL: ${{ secrets.GITLAB_SERVER_URL }} # https://gitlab.com
124-
GITLAB_API_URL: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
125-
GITLAB_ORG: 'simp'
126-
GITLAB_API_PRIVATE_TOKEN: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
127-
GIT_BRANCH: ${{ needs.glci-syntax.outputs.pr_head_ref }}
128-
run: |
129-
GITLAB_SERVER_URL="${GITLAB_SERVER_URL:-https://gitlab.com}"
130-
GITLAB_API_URL="${GITLAB_API_URL:-${GITLAB_SERVER_URL}/api/v4}"
131-
GITXXB_REPO_NAME="${GITHUB_REPOSITORY/$GITHUB_REPOSITORY_OWNER\//}"
132-
GITLAB_PROJECT_ID="${GITLAB_ORG}%2F${GITXXB_REPO_NAME}"
133-
# --http1.0 avoids an HTTP/2 load balancing issue when run from GA
134-
CURL_CMD=(curl --http1.0 --fail --silent --show-error \
135-
--header "Authorization: Bearer $GITLAB_API_PRIVATE_TOKEN" \
136-
--header "Content-Type: application/json" \
137-
--header "Accept: application/json" \
138-
)
139-
140-
# Cancel any active/pending GitLab CI pipelines for the same project+branch
141-
active_pipeline_ids=()
142-
for pipe_status in created waiting_for_resource preparing pending running; do
143-
echo " ---- checking for CI pipelines with status '$pipe_status' for project '$GITLAB_PROJECT_ID', branch '$GIT_BRANCH'"
144-
url="${GITLAB_API_URL}/projects/${GITLAB_PROJECT_ID}/pipelines?ref=${GIT_BRANCH}&status=${pipe_status}"
145-
active_pipelines="$("${CURL_CMD[@]}" "$url" | jq -r '.[] | .id , .web_url')"
146-
active_pipeline_ids+=($(echo "$active_pipelines" | grep -E '^[0-9]*$'))
147-
printf "$active_pipelines\n\n"
148-
done
149-
if [ "${#active_pipeline_ids[@]}" -gt 0 ]; then
150-
printf "\nFound %s active pipeline ids:\n" "${#active_pipeline_ids[@]}"
151-
echo "${active_pipeline_ids[@]}"
152-
for pipe_id in "${active_pipeline_ids[@]}"; do
153-
printf "\n ------ Cancelling pipeline ID %s...\n" "$pipe_id"
154-
"${CURL_CMD[@]}" --request POST "${GITLAB_API_URL}/projects/${GITLAB_PROJECT_ID}/pipelines/${pipe_id}/cancel"
155-
done
156-
else
157-
echo No active pipelines found
158-
fi
159-
160-
# Should we protect against pushing default branches?
161-
echo "== Pushing '$GIT_BRANCH' to gitlab"
162-
git remote add gitlab "https://oauth2:${GITLAB_API_PRIVATE_TOKEN}@${GITLAB_SERVER_URL#*://}/${GITLAB_ORG}/${GITXXB_REPO_NAME}.git"
163-
git branch "$GIT_BRANCH" HEAD || :
164-
git branch -av
165-
git log --color --graph --abbrev-commit -5 \
166-
--pretty=format:'%C(red)%h%C(reset) -%C(yellow)%d%Creset %s %Cgreen(%ci) %C(bold blue)<%an>%Creset'
167-
git push gitlab ":${GIT_BRANCH}" -f || : # attempt to un-weird GLCI's `changed` tracking
168-
echo "== git push --verbose gitlab ${GIT_BRANCH}"
169-
git push --verbose gitlab "${GIT_BRANCH}"
170-
echo "Pushed branch '${GIT_BRANCH}' to gitlab"
171-
echo " A new pipeline should be at: https://${GITLAB_SERVER_URL#*://}/${GITLAB_ORG}/${GITXXB_REPO_NAME}/-/pipelines/"
118+
- name: Trigger CI when user has Repo Permissions
119+
uses: simp/github-action-gitlab-ci-pipeline-trigger@v1
120+
with:
121+
git_hashref: ${{ needs.glci-syntax.outputs.pr_head_sha }}
122+
git_branch: ${{ needs.glci-syntax.outputs.pr_head_ref }}
123+
gitlab_api_private_token: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
124+
gitlab_group: ${{ github.event.organization.login }}
125+
github_repository: ${{ github.repository }}
126+
github_repository_owner: ${{ github.repository_owner }}
172127

173128
### examine_contexts:
174129
### needs: [ glci-syntax ]
175130
### name: 'Examine Context contents'
176131
### if: always()
177-
### runs-on: ubuntu-latest
132+
### runs-on: ubuntu-18.04
178133
### steps:
179134
### - name: Dump contexts
180135
### env:
@@ -186,4 +141,3 @@ jobs:
186141
### run: echo "$ENV_CONTEXT"
187142
### - name: Dump env vars
188143
### run: env | sort
189-

0 commit comments

Comments
 (0)