fa-harness-tools 1.0.4 → 1.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a3cee0250f6a943fb938d11c0e118f53d26ea03be5edb7e8f8fc7fb0f73e154e
-  data.tar.gz: 030ab9dac48945eac8366a8cfcbafecc4bbbeebc5dc16254f97bfa3cfdb26368
+  metadata.gz: 43514c409f804648259a4b51366d9d4eec846c54badb0642a9fb3d916d13ad8d
+  data.tar.gz: 5c5e29f48aaf5e1f82a7cc608523086728e1085e89c9dde688c47db522b73b9f
 SHA512:
-  metadata.gz: 3f00171760572605f0282595bc852bf20181768464dd9811051cb71a6658daa9692bdb77c46dbb180eca6c982b17736cf0f4c24e89cf6fba60fcddd379d81a08
-  data.tar.gz: 863db5b6b4230a1d2fedd00ab20f05d830fb682bc9b4947f1e4bdd69429dfa90ba637fac2afabd6cd7c8c7b71271e6a53346593325e46a0c7c6377453c86e7bd
+  metadata.gz: 070f23a423e9e104c294eb3c6fd47fb0d45d5edc904be12cef90e1c83cd22e372b97e7544f9f3824006066e1c3a285274a3c10e0d6b7b0badf5360acaf2dcc86
+  data.tar.gz: 5cce7e38b1286181ae729433d5fdcd556dccb4c79500ee5b1c3cc471263ed767e714453ae10f910399954c4606c4ec1fbefbfec648e9f822a22ae151ba3b8ed8

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    fa-harness-tools (1.0.4)
+    fa-harness-tools (1.0.5)
       octokit (~> 4.0)
       tzinfo (~> 2.0)
       tzinfo-data (~> 1.0)
@@ -11,15 +11,16 @@ GEM
   specs:
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
-    concurrent-ruby (1.1.5)
+    concurrent-ruby (1.1.6)
     diff-lcs (1.3)
-    faraday (0.17.0)
+    faraday (1.0.1)
       multipart-post (>= 1.2, < 3)
     multipart-post (2.1.1)
-    octokit (4.14.0)
+    octokit (4.18.0)
+      faraday (>= 0.9)
       sawyer (~> 0.8.0, >= 0.5.3)
-    public_suffix (4.0.1)
-    rake (10.5.0)
+    public_suffix (4.0.5)
+    rake (13.0.1)
     rspec (3.9.0)
       rspec-core (~> 3.9.0)
       rspec-expectations (~> 3.9.0)
@@ -37,9 +38,9 @@ GEM
       addressable (>= 2.3.5)
       faraday (> 0.8, < 2.0)
     timecop (0.9.1)
-    tzinfo (2.0.0)
+    tzinfo (2.0.2)
       concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2019.3)
+    tzinfo-data (1.2020.1)
       tzinfo (>= 1.0.0)
 
 PLATFORMS
@@ -48,7 +49,7 @@ PLATFORMS
 DEPENDENCIES
   bundler (~> 1.0)
   fa-harness-tools!
-  rake (~> 10.0)
+  rake (~> 13.0)
   rspec (~> 3.8)
   timecop (~> 0.9)
 

data/README.md

@@ -22,6 +22,8 @@ Or install it yourself as:
 
 Examples below use [variables defined by Harness](https://docs.harness.io/article/9dvxcegm90-variables) so should be suitable to use directly in Harness scripts.
 
+Full scripts that can be used in Harness are available in the [examples/](examples/) directory.
+
 ### Required environment variables
 
 * `GITHUB_OAUTH_TOKEN` must be exported, containing a valid [personal access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) for GitHub

data/examples/create-deployment-tag/README.md

@@ -0,0 +1,17 @@
+# Create deployment Git tags
+
+## Purpose
+
+Can be added to a Harness pipeline to add a Git tag on every deployment. The tags can then be used by the other pre-flight checks.
+
+## Requirements
+
+1. Add a GitHub OAuth token to the Harness secrets manager, named `github-oauth-token`
+2. Assumes the artifact build number is the commit ID
+3. fa-harness-tools is installed on the Harness delegates (`gem install -v $VERSION fa-harness-tools`)
+
+## Installation
+
+Add the script to the Harness template library and then add to the last phase of the deployment workflow.
+
+Define the `ONLY_ENVIRONMENT` variable input on the template, defaulting to `false`.

data/examples/create-deployment-tag/create-deployment-tag.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+#
+# Creates a Git tag to mark successful deployment with fa-harness-tools
+#
+# Optionally set ONLY_ENVIRONMENT to only tag when running a deployment in
+# that Harness environment.
+
+set -e
+
+export GITHUB_OAUTH_TOKEN="${secrets.getValue("github-oauth-token")}"
+
+if [ -z "${ONLY_ENVIRONMENT}" -o "${ONLY_ENVIRONMENT}" = "${env.name}" ]; then
+  create-deployment-tag \
+    --build-no "${artifact.buildNo}" \
+    --environment "${env.name}" \
+    --repository "${artifact.source.repositoryName}" \
+    --tagger-email "noreply@example.com" \
+    --tagger-name "Harness"
+fi

data/examples/production-preflight-checks/README.md

@@ -0,0 +1,20 @@
+# Production pre-flight checks
+
+## Purpose
+
+Can be added to a Harness pipeline to enforce a set of strict requirements for production deployments:
+
+1. Only deploy within the daily deployment window/schedule
+2. Only deploy builds from the master branch
+3. Automated (triggered) deployments may only deploy forwards
+4. Manual deployments may only deploy forwards or roll back three deployments
+
+## Requirements
+
+1. Add a GitHub OAuth token to the Harness secrets manager, named `github-oauth-token`
+2. Assumes the artifact build number is the commit ID
+3. fa-harness-tools is installed on the Harness delegates (`gem install -v $VERSION fa-harness-tools`)
+
+## Installation
+
+Add the script to the Harness template library and then add to an early phase of the deployment workflow.

data/examples/production-preflight-checks/production-preflight-checks.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+#
+# Runs production deployment checks from fa-harness-tools
+
+set -e
+
+export GITHUB_OAUTH_TOKEN="${secrets.getValue("github-oauth-token")}"
+
+run() {
+  CMD=$1
+  shift
+  $CMD \
+    --build-no "${artifact.buildNo}" \
+    --environment "${env.name}" \
+    --repository "${artifact.source.repositoryName}" \
+    "$@"
+}
+
+# 1. Check we're within the daily deployment schedule
+check-schedule
+
+# 2. Check the commit is on the master branch
+run check-branch-protection
+
+if [[ "${deploymentTriggeredBy}" =~ "Deployment Trigger" ]]; then
+  # 3. For automated deployments (trigger from CI), check deployment is fast-forward
+  run check-forward-deploy
+else
+  # 3. For user deployments, check deployment is fast-forward or within last three deployments for rollbacks
+  run check-recent-deploy --allowed-rollback-count 3
+fi
+
+exit 0

data/fa-harness-tools.gemspec

@@ -31,7 +31,7 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency "tzinfo-data", "~> 1.0"
 
   spec.add_development_dependency "bundler", "~> 1.0"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.8"
   spec.add_development_dependency "timecop", "~> 0.9"
 end

data/lib/fa-harness-tools/check_recent_deploy.rb

@@ -42,7 +42,7 @@ module FaHarnessTools
         return true, "first deploy"
       end
 
-      latest_allowed_rev = latest_allowed_tag[:commit][:sha]
+      latest_allowed_rev = @client.get_commit_sha_from_tag(latest_allowed_tag)
       rev = @context.new_commit_sha
 
       if @client.is_ancestor_of?(latest_allowed_rev, rev)

data/lib/fa-harness-tools/github_client.rb

@@ -17,17 +17,24 @@ module FaHarnessTools
 
     # Return all tags starting "harness-deploy-ENV-"
     #
-    # Used to find deployments in an environment. The commit SHA of the tag is
-    # in [:commit][:sha] in the returned hash.
+    # Used to find deployments in an environment. Provides only the tag name
+    # and object, though that may be an annotated tag or a commit.
+    #
+    # Use #get_commit_sha_from_tag to reliably find the commit that a tag
+    # points to.
     #
     # @return [Array[Hash]] Array of tag data hash, or [] if none
     def all_deploy_tags(prefix:, environment:)
-      @octokit.auto_paginate = true
-      @octokit.tags(owner_repo).find_all do |tag|
-        tag[:name].start_with?("#{prefix}-#{environment}-")
+      # #refs is a much quicker way than #tags to pull back all tag names, so
+      # we prefer this and then fetch commit information only when we need it
+      @octokit.refs(owner_repo, "tags/#{prefix}-#{environment}-").map do |ref|
+        {
+          name: ref[:ref][10..-1], # remove refs/tags/ prefix
+          object: ref[:object],
+        }
       end
-    ensure
-      @octokit.auto_paginate = false
+    rescue Octokit::NotFound
+      []
     end
 
     # Return the last (when sorted) tag starting "harness-deploy-ENV-"
@@ -39,7 +46,11 @@ module FaHarnessTools
     def last_deploy_tag(prefix:, environment:)
       last_tag = all_deploy_tags(prefix: prefix, environment: environment).
         sort_by { |tag| tag[:name] }.last
-      last_tag ? last_tag : nil
+      return nil unless last_tag
+
+      last_tag.merge(
+        commit: { sha: get_commit_sha_from_tag(last_tag) },
+      )
     end
 
     # Return a full commit SHA from a short SHA
@@ -52,6 +63,28 @@ module FaHarnessTools
       commit[:sha]
     end
 
+    # Return a full commit SHA from a tag
+    #
+    # The `tag` argument should be a Hash of tag data with an :object that can
+    # either be an annotated tag or a commit object.
+    #
+    # @return [String] Full commit SHA
+    # @raise [LookupError] If tag cannot be found
+    def get_commit_sha_from_tag(tag)
+      case tag[:object][:type]
+      when "commit"
+        tag[:object][:sha]
+      when "tag"
+        # When a tag points to a tag, recurse into it until we find a commit object
+        refed_tag = @octokit.tag(owner_repo, tag[:object][:sha])
+        get_commit_sha_from_tag(refed_tag.to_h.merge(tag.slice(:name)))
+      else
+        raise LookupError, "Tag #{tag[:name]} points to a non-commit object (#{tag[:object].inspect})"
+      end
+    rescue Octokit::NotFound
+      raise LookupError, "Unable to find tag #{tag.inspect} in Git repo"
+    end
+
     # Checks if <ancestor> is an ancestor of <commit>
     #
     # i.e. commit and ancestor are directly related

data/lib/fa-harness-tools/version.rb

@@ -1,3 +1,3 @@
 module FaHarnessTools
-  VERSION = "1.0.4"
+  VERSION = "1.0.5"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fa-harness-tools
 version: !ruby/object:Gem::Version
-  version: 1.0.4
+  version: 1.0.5
 platform: ruby
 authors:
 - FreeAgent
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-11-26 00:00:00.000000000 Z
+date: 2020-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: octokit
@@ -72,14 +72,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -133,6 +133,10 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- examples/create-deployment-tag/README.md
+- examples/create-deployment-tag/create-deployment-tag.sh
+- examples/production-preflight-checks/README.md
+- examples/production-preflight-checks/production-preflight-checks.sh
 - exe/check-branch-protection
 - exe/check-forward-deploy
 - exe/check-recent-deploy