simp-beaker-helpers 1.20.1 → 1.23.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.fips_fixtures +1 -0
- data/.github/workflows.local.json +6 -0
- data/.github/workflows/pr_glci.yml +190 -0
- data/.github/workflows/pr_glci_cleanup.yml +105 -0
- data/.github/workflows/pr_glci_manual.yml +143 -0
- data/.github/workflows/tag_deploy_rubygem.yml +192 -0
- data/.gitlab-ci.yml +24 -37
- data/CHANGELOG.md +56 -0
- data/Gemfile +1 -1
- data/README.md +63 -5
- data/lib/simp/beaker_helpers.rb +441 -250
- data/lib/simp/beaker_helpers/ssg.rb +22 -4
- data/lib/simp/beaker_helpers/version.rb +1 -1
- data/lib/simp/rake/beaker.rb +6 -0
- data/simp-beaker-helpers.gemspec +5 -1
- data/spec/acceptance/nodesets/docker.yml +60 -0
- data/spec/acceptance/suites/default/check_puppet_version_spec.rb +1 -1
- data/spec/acceptance/suites/default/fixture_modules_spec.rb +6 -0
- data/spec/acceptance/suites/default/install_simp_deps_repo_spec.rb +17 -5
- data/spec/acceptance/suites/default/nodesets +1 -1
- data/spec/acceptance/suites/fips_from_fixtures/00_default_spec.rb +1 -0
- data/spec/acceptance/suites/fips_from_fixtures/nodesets +1 -1
- data/spec/acceptance/suites/snapshot/nodesets +1 -1
- metadata +45 -42
- data/.travis.yml +0 -42
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 77288902c91655a0e3f5c7db8d5573375e3c341638a8bfc3be82b76f7753f3f6
|
4
|
+
data.tar.gz: ec02b6c05c5b1b69615b83b7ed5682d1e2ba9619d72752c4adfa5d48e3e3ec61
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 6c006e7df61eaeb23dce36101ae518d88f99f34778821402973cf5c9358226572beab46c319fafee6487bbf325dbe07f72f7343c49d023e3d9949dd695092b57
|
7
|
+
data.tar.gz: f0535c393d9a6b6b8e3e9484fcf52e78adc4892bd0eca8255479eb06185e9865ddad9af2c6c5f3cd67d55c537632f88e178c39e6ad4a48757e2b61d7b229b826
|
data/.fips_fixtures
CHANGED
@@ -1,6 +1,7 @@
|
|
1
1
|
---
|
2
2
|
fixtures:
|
3
3
|
repositories:
|
4
|
+
crypto_policy: https://github.com/simp/pupmod-simp-crypto_policy
|
4
5
|
fips: https://github.com/simp/pupmod-simp-fips
|
5
6
|
augeasproviders_core: https://github.com/simp/augeasproviders_core
|
6
7
|
augeasproviders_grub: https://github.com/simp/augeasproviders_grub
|
@@ -0,0 +1,190 @@
|
|
1
|
+
# Push/Trigger a GitLab CI pipeline for the PR HEAD, **ONLY IF:**
|
2
|
+
#
|
3
|
+
# 1. The .gitlab-ci.yaml file exists and validates
|
4
|
+
# 2. The PR submitter has write access to the target repository.
|
5
|
+
#
|
6
|
+
# ------------------------------------------------------------------------------
|
7
|
+
#
|
8
|
+
# NOTICE: **This file is maintained with puppetsync**
|
9
|
+
#
|
10
|
+
# This file is updated automatically as part of a puppet module baseline.
|
11
|
+
#
|
12
|
+
# The next baseline sync will overwrite any local changes to this file!
|
13
|
+
#
|
14
|
+
# ==============================================================================
|
15
|
+
#
|
16
|
+
# GitHub Action Secrets variables available for this pipeline:
|
17
|
+
#
|
18
|
+
# GitHub Secret variable Type Notes
|
19
|
+
# ------------------------ -------- ----------------------------------------
|
20
|
+
# GITLAB_API_PRIVATE_TOKEN Secure Should have `api` scope
|
21
|
+
# GITLAB_API_URL Optional
|
22
|
+
#
|
23
|
+
# The secure vars will be filtered in GitHub Actions log output, and aren't
|
24
|
+
# provided to untrusted builds (i.e, triggered by PR from another repository)
|
25
|
+
#
|
26
|
+
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
27
|
+
# WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
|
28
|
+
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!V!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
29
|
+
#
|
30
|
+
# DO NOT MODIFY this workflow, unless you **REALLY** know what you are doing.
|
31
|
+
#
|
32
|
+
# This workflow bypasses some of the built-in protections of the
|
33
|
+
# `pull_request_target` event by explicitly checking out the PR's **HEAD**.
|
34
|
+
# Without being VERY CAREFUL, this could easily allow a malcious PR
|
35
|
+
# contributor the chance to access secrets or a GITHUB_TOKEN with write scope!!
|
36
|
+
#
|
37
|
+
# The jobs in this workflow are designed to handle this safely -- but DO NOT
|
38
|
+
# assume any alterations will also be safe.
|
39
|
+
#
|
40
|
+
# For general information, see:
|
41
|
+
#
|
42
|
+
# https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target
|
43
|
+
#
|
44
|
+
# For further information, or if ANY of this seems confusing or unecessary:
|
45
|
+
#
|
46
|
+
# ASK FOR ASSISTANCE **BEFORE** ATTEMPTING TO MODIFY THIS WORKFLOW.
|
47
|
+
#
|
48
|
+
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
49
|
+
# WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
|
50
|
+
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!V!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
51
|
+
#
|
52
|
+
# https://docs.github.com/en/actions/reference/events-that-trigger-workflows
|
53
|
+
#
|
54
|
+
---
|
55
|
+
name: PR GLCI
|
56
|
+
on:
|
57
|
+
pull_request_target:
|
58
|
+
types: [opened, reopened, synchronize]
|
59
|
+
|
60
|
+
jobs:
|
61
|
+
|
62
|
+
# The ONLY reason we can validate the PR HEAD's content safely here is that
|
63
|
+
# we restrict ourselves to sending data elsewhere.
|
64
|
+
glci-syntax:
|
65
|
+
name: '.gitlab-ci.yml Syntax'
|
66
|
+
runs-on: ubuntu-16.04
|
67
|
+
outputs:
|
68
|
+
valid: ${{ steps.validate-glci-file.outputs.valid }}
|
69
|
+
steps:
|
70
|
+
- uses: actions/checkout@v2
|
71
|
+
with:
|
72
|
+
repository: ${{ github.event.pull_request.head.repo.full_name }}
|
73
|
+
ref: ${{ github.event.pull_request.head.ref }}
|
74
|
+
- name: 'Validate GLCI file syntax'
|
75
|
+
id: validate-glci-file
|
76
|
+
uses: simp/github-action-gitlab-ci-syntax-check@main
|
77
|
+
with:
|
78
|
+
gitlab_api_private_token: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
|
79
|
+
gitlab_api_url: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
|
80
|
+
|
81
|
+
contributor-permissions:
|
82
|
+
name: 'PR contributor check'
|
83
|
+
runs-on: ubuntu-18.04
|
84
|
+
outputs:
|
85
|
+
permitted: ${{ steps.user-repo-permissions.outputs.permitted }}
|
86
|
+
steps:
|
87
|
+
- uses: actions/github-script@v3
|
88
|
+
id: user-repo-permissions
|
89
|
+
with:
|
90
|
+
github-token: ${{secrets.GITHUB_TOKEN}}
|
91
|
+
# See:
|
92
|
+
# - https://octokit.github.io/rest.js/
|
93
|
+
# - https://docs.github.com/en/free-pro-team@latest/rest/reference/repos#get-repository-permissions-for-a-user
|
94
|
+
script: |
|
95
|
+
const project_permission = await github.request('GET /repos/{owner}/{repo}/collaborators/{username}/permission', {
|
96
|
+
headers: {
|
97
|
+
accept: 'application/vnd.github.v3+json'
|
98
|
+
},
|
99
|
+
owner: context.repo.owner,
|
100
|
+
repo: context.repo.repo,
|
101
|
+
username: context.payload.sender.login,
|
102
|
+
})
|
103
|
+
const has_write_access = perm_lvl => (perm_lvl == "admin" || perm_lvl == "write" )
|
104
|
+
const write_access_desc = perm_bool => (perm_bool ? "PERMISSION OK" : "PERMISSION DENIED" )
|
105
|
+
if( has_write_access(project_permission.data.permission )){
|
106
|
+
core.setOutput( 'permitted', 'true' )
|
107
|
+
} else {
|
108
|
+
core.setOutput( 'permitted', 'false' )
|
109
|
+
console.log(`::error ::payload user '${context.payload.sender.login}' does not have CI trigger permission for '${context.repository}; not triggering external CI'`)
|
110
|
+
}
|
111
|
+
console.log(`== payload user '${context.payload.sender.login}' CI trigger permission for '${context.repo.owner}': ${write_access_desc(has_write_access(project_permission.data.permission))}`)
|
112
|
+
|
113
|
+
|
114
|
+
trigger-when-user-has-repo-permissions:
|
115
|
+
name: 'Trigger CI [trusted users only]'
|
116
|
+
needs: [ glci-syntax, contributor-permissions ]
|
117
|
+
# This conditional provides an extra safety control, in case the workflow's
|
118
|
+
# `on` section is inadventently modified without considering the security
|
119
|
+
# implications.
|
120
|
+
#
|
121
|
+
# This job will ONLY trigger on:
|
122
|
+
#
|
123
|
+
# - [x] pull_request_target event: github.event_name == 'pull_request_target'
|
124
|
+
# AND:
|
125
|
+
# - [x] Newly-opened PRs: github.event.action == 'opened'
|
126
|
+
# - [x] Re-opened PRs: github.event.action == 'reopened'
|
127
|
+
# - [x] Commits are added to PR: github.event.action == 'synchronize'
|
128
|
+
# AND:
|
129
|
+
# - [x] .gitlab-ci.yml exists/ok: needs.glci-syntax.outputs.valid == 'true'
|
130
|
+
#
|
131
|
+
# [Not implemented] It should NEVER trigger on:
|
132
|
+
#
|
133
|
+
# - [ ] Merged PRs: github.event.pull_request.merged == 'false'
|
134
|
+
# - (the downstream GitLab mirror will take care of that)
|
135
|
+
# - Not implemented: For some reason, this conditional always fails
|
136
|
+
# - Unnecessary if on>pull_request_target>types doesn't include 'closed'
|
137
|
+
if: github.event_name == 'pull_request_target' && ( github.event.action == 'opened' || github.event.action == 'reopened' || github.event.action == 'synchronize' ) && github.event.pull_request.merged != 'true' && needs.glci-syntax.outputs.valid == 'true' && needs.contributor-permissions.outputs.permitted == 'true'
|
138
|
+
runs-on: ubuntu-18.04
|
139
|
+
steps:
|
140
|
+
# Things we'd like to do:
|
141
|
+
# - [ ] if there's no GitLab mirror, make one
|
142
|
+
# - [ ] if there's no GitLab <-> GitHub integration, make one
|
143
|
+
# - [ ] if there's no PR check on the main GitHub branch, make one (?)
|
144
|
+
# - [x] Cancel any GLCI pipelines already pending/running for this branch
|
145
|
+
# - "created|waiting_for_resource|preparing|pending|running"
|
146
|
+
# - Exception: don't cancel existing pipeline for our own commit
|
147
|
+
# - [x] if PR: force-push branch to GitLab
|
148
|
+
- uses: actions/checkout@v2
|
149
|
+
if: needs.contributor-permissions.outputs.permitted == 'true'
|
150
|
+
with:
|
151
|
+
clean: true
|
152
|
+
fetch-depth: 0 # Need full checkout to push to gitlab mirror
|
153
|
+
repository: ${{ github.event.pull_request.head.repo.full_name }}
|
154
|
+
ref: ${{ github.event.pull_request.head.ref }}
|
155
|
+
|
156
|
+
- name: Trigger CI when user has Repo Permissions
|
157
|
+
if: needs.contributor-permissions.outputs.permitted == 'true'
|
158
|
+
uses: simp/github-action-gitlab-ci-pipeline-trigger@v1
|
159
|
+
with:
|
160
|
+
git_branch: ${{ github.event.pull_request.head.ref }} # TODO check for/avoid protected branches?
|
161
|
+
git_hashref: ${{ github.event.pull_request.head.sha }}
|
162
|
+
gitlab_api_private_token: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
|
163
|
+
gitlab_group: ${{ github.event.organization.login }}
|
164
|
+
github_repository: ${{ github.repository }}
|
165
|
+
github_repository_owner: ${{ github.repository_owner }}
|
166
|
+
|
167
|
+
- name: When user does NOT have Repo Permissions
|
168
|
+
if: needs.contributor-permissions.outputs.permitted == 'false'
|
169
|
+
continue-on-error: true
|
170
|
+
run: |
|
171
|
+
echo "Ending gracefully; Contributor $GITHUB_ACTOR does not have permission to trigger CI"
|
172
|
+
false
|
173
|
+
|
174
|
+
### examine_contexts:
|
175
|
+
### name: 'Examine Context contents'
|
176
|
+
### if: always()
|
177
|
+
### runs-on: ubuntu-16.04
|
178
|
+
### needs: [ glci-syntax, contributor-permissions ]
|
179
|
+
### steps:
|
180
|
+
### - name: Dump contexts
|
181
|
+
### env:
|
182
|
+
### GITHUB_CONTEXT: ${{ toJson(github) }}
|
183
|
+
### run: echo "$GITHUB_CONTEXT"
|
184
|
+
### - name: Dump needs context
|
185
|
+
### env:
|
186
|
+
### ENV_CONTEXT: ${{ toJson(needs) }}
|
187
|
+
### run: echo "$ENV_CONTEXT"
|
188
|
+
### - name: Dump env vars
|
189
|
+
### run: env | sort
|
190
|
+
|
@@ -0,0 +1,105 @@
|
|
1
|
+
# When a PR is closed, clean up any associated GitLab CI pipelines & branch
|
2
|
+
#
|
3
|
+
# * Cancels all GLCI pipelines associated with the PR HEAD ref (branch)
|
4
|
+
# * Removes the PR HEAD branch from the corresponding gitlab.com/org/ project
|
5
|
+
#
|
6
|
+
# ------------------------------------------------------------------------------
|
7
|
+
#
|
8
|
+
# NOTICE: **This file is maintained with puppetsync**
|
9
|
+
#
|
10
|
+
# This file is updated automatically as part of a standardized asset baseline.
|
11
|
+
#
|
12
|
+
# The next baseline sync will overwrite any local changes to this file!
|
13
|
+
#
|
14
|
+
# ==============================================================================
|
15
|
+
#
|
16
|
+
# GitHub Action Secrets variables available for this pipeline:
|
17
|
+
#
|
18
|
+
# GitHub Secret variable Type Notes
|
19
|
+
# ------------------------ -------- ----------------------------------------
|
20
|
+
# GITLAB_API_PRIVATE_TOKEN Secure Should have `api` scope
|
21
|
+
# GITLAB_API_URL Optional
|
22
|
+
#
|
23
|
+
# The secure vars will be filtered in GitHub Actions log output, and aren't
|
24
|
+
# provided to untrusted builds (i.e, triggered by PR from another repository)
|
25
|
+
#
|
26
|
+
# ------------------------------------------------------------------------------
|
27
|
+
#
|
28
|
+
# https://docs.github.com/en/actions/reference/events-that-trigger-workflows
|
29
|
+
#
|
30
|
+
---
|
31
|
+
name: PR GLCI Cleanup
|
32
|
+
on:
|
33
|
+
pull_request_target:
|
34
|
+
types: [closed]
|
35
|
+
|
36
|
+
jobs:
|
37
|
+
cleanup-glci-branch:
|
38
|
+
name: 'Clean up GLCI'
|
39
|
+
# This conditional provides an extra safety control, in case the workflow's
|
40
|
+
# `on` section is inadventently modified without considering the security
|
41
|
+
# implications.
|
42
|
+
if: github.event_name == 'pull_request_target' && github.event.action == 'closed'
|
43
|
+
runs-on: ubuntu-18.04
|
44
|
+
steps:
|
45
|
+
- uses: actions/checkout@v2
|
46
|
+
with:
|
47
|
+
repository: ${{ github.event.pull_request.head.repo.full_name }}
|
48
|
+
ref: ${{ github.event.pull_request.head.ref }}
|
49
|
+
- name: Trigger CI when user has Repo Permissions
|
50
|
+
env:
|
51
|
+
GITLAB_SERVER_URL: ${{ secrets.GITLAB_SERVER_URL }} # https://gitlab.com
|
52
|
+
GITLAB_API_URL: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
|
53
|
+
GITLAB_ORG: ${{ github.event.organization.login }}
|
54
|
+
GITLAB_API_PRIVATE_TOKEN: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
|
55
|
+
GIT_BRANCH: ${{ github.event.pull_request.head.ref }}
|
56
|
+
run: |
|
57
|
+
GITLAB_SERVER_URL="${GITLAB_SERVER_URL:-https://gitlab.com}"
|
58
|
+
GITLAB_API_URL="${GITLAB_API_URL:-${GITLAB_SERVER_URL}/api/v4}"
|
59
|
+
GIT_BRANCH="${GIT_BRANCH:-GITHUB_HEAD_REF}"
|
60
|
+
GITXXB_REPO_NAME="${GITHUB_REPOSITORY/$GITHUB_REPOSITORY_OWNER\//}"
|
61
|
+
GITLAB_PROJECT_ID="${GITLAB_ORG}%2F${GITXXB_REPO_NAME}"
|
62
|
+
# --http1.0 avoids an HTTP/2 load balancing issue when run from GA
|
63
|
+
CURL_CMD=(curl --http1.0 --fail --silent --show-error \
|
64
|
+
--header "Authorization: Bearer $GITLAB_API_PRIVATE_TOKEN" \
|
65
|
+
--header "Content-Type: application/json" \
|
66
|
+
--header "Accept: application/json" \
|
67
|
+
)
|
68
|
+
|
69
|
+
# Cancel any active/pending GitLab CI pipelines for the same project+branch
|
70
|
+
active_pipeline_ids=()
|
71
|
+
for pipe_status in created waiting_for_resource preparing pending running; do
|
72
|
+
echo " ---- checking for CI pipelines with status '$pipe_status' for project '$GITLAB_PROJECT_ID', branch '$GIT_BRANCH'"
|
73
|
+
url="${GITLAB_API_URL}/projects/${GITLAB_PROJECT_ID}/pipelines?ref=${GIT_BRANCH}&status=${pipe_status}"
|
74
|
+
active_pipelines="$("${CURL_CMD[@]}" "$url" | jq -r '.[] | .id , .web_url')"
|
75
|
+
active_pipeline_ids+=($(echo "$active_pipelines" | grep -E '^[0-9]*$'))
|
76
|
+
printf "$active_pipelines\n\n"
|
77
|
+
done
|
78
|
+
if [ "${#active_pipeline_ids[@]}" -gt 0 ]; then
|
79
|
+
printf "\nFound %s active pipeline ids:\n" "${#active_pipeline_ids[@]}"
|
80
|
+
echo "${active_pipeline_ids[@]}"
|
81
|
+
for pipe_id in "${active_pipeline_ids[@]}"; do
|
82
|
+
printf "\n ------ Cancelling pipeline ID %s...\n" "$pipe_id"
|
83
|
+
"${CURL_CMD[@]}" --request POST "${GITLAB_API_URL}/projects/${GITLAB_PROJECT_ID}/pipelines/${pipe_id}/cancel"
|
84
|
+
done
|
85
|
+
else
|
86
|
+
echo No active pipelines found
|
87
|
+
fi
|
88
|
+
|
89
|
+
echo "== Removing $GIT_BRANCH from gitlab"
|
90
|
+
git remote add gitlab "https://oauth2:${GITLAB_API_PRIVATE_TOKEN}@${GITLAB_SERVER_URL#*://}/${GITLAB_ORG}/${GITXXB_REPO_NAME}.git"
|
91
|
+
git push gitlab ":${GIT_BRANCH}" -f || : # attempt to un-weird GLCI's `changed` tracking
|
92
|
+
|
93
|
+
### examine_contexts:
|
94
|
+
### name: 'Examine Context contents'
|
95
|
+
### if: always()
|
96
|
+
### runs-on: ubuntu-16.04
|
97
|
+
### steps:
|
98
|
+
### - name: Dump contexts
|
99
|
+
### env:
|
100
|
+
### GITHUB_CONTEXT: ${{ toJson(github) }}
|
101
|
+
### run: echo "$GITHUB_CONTEXT"
|
102
|
+
### run: echo "$ENV_CONTEXT"
|
103
|
+
### - name: Dump env vars
|
104
|
+
### run: env | sort
|
105
|
+
|
@@ -0,0 +1,143 @@
|
|
1
|
+
# Manually trigger GLCI pipelines for a PR
|
2
|
+
# ------------------------------------------------------------------------------
|
3
|
+
#
|
4
|
+
# NOTICE: **This file is maintained with puppetsync**
|
5
|
+
#
|
6
|
+
# This file is updated automatically as part of a standardized asset baseline.
|
7
|
+
#
|
8
|
+
# The next baseline sync will overwrite any local changes to this file!
|
9
|
+
#
|
10
|
+
# ==============================================================================
|
11
|
+
#
|
12
|
+
# This pipeline uses the following GitHub Action Secrets:
|
13
|
+
#
|
14
|
+
# GitHub Secret variable Type Notes
|
15
|
+
# ------------------------ -------- ----------------------------------------
|
16
|
+
# GITLAB_API_PRIVATE_TOKEN Required GitLab token (should have `api` scope)
|
17
|
+
# NO_SCOPE_GITHUB_TOKEN Required GitHub token (should have no scopes)
|
18
|
+
# GITLAB_SERVER_URL Optional Specify a GL server other than gitlab.com
|
19
|
+
# The secure vars will be filtered in GitHub Actions log output, and aren't
|
20
|
+
# provided to untrusted builds (i.e, triggered by PR from another repository)
|
21
|
+
#
|
22
|
+
# ------------------------------------------------------------------------------
|
23
|
+
#
|
24
|
+
# NOTES:
|
25
|
+
# It is necessary to provide NO_SCOPE_GITHUB_TOKEN because $secrets.GITHUB_AUTO
|
26
|
+
# is NOT provide to manually-triggered (`workflow_dispatch`) events, in order
|
27
|
+
# to prevent recursive triggers between workflows
|
28
|
+
#
|
29
|
+
# Reference:
|
30
|
+
#
|
31
|
+
# https://docs.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token
|
32
|
+
---
|
33
|
+
name: 'Manual: PR GLCI'
|
34
|
+
|
35
|
+
on:
|
36
|
+
workflow_dispatch:
|
37
|
+
inputs:
|
38
|
+
pr_number:
|
39
|
+
description: "PR number to trigger GLCI"
|
40
|
+
required: true
|
41
|
+
|
42
|
+
jobs:
|
43
|
+
glci-syntax:
|
44
|
+
name: '.gitlab-ci.yml Syntax'
|
45
|
+
runs-on: ubuntu-18.04
|
46
|
+
outputs:
|
47
|
+
valid: ${{ steps.validate-glci-file.outputs.valid }}
|
48
|
+
pr_head_ref: ${{ steps.get-pr.outputs.pr_head_ref }}
|
49
|
+
pr_head_sha: ${{ steps.get-pr.outputs.pr_head_sha }}
|
50
|
+
pr_head_label: ${{ steps.get-pr.outputs.pr_head_label }}
|
51
|
+
pr_head_full_name: ${{ steps.get-pr.outputs.pr_full_name }}
|
52
|
+
steps:
|
53
|
+
- uses: actions/github-script@v3
|
54
|
+
id: get-pr
|
55
|
+
with:
|
56
|
+
github-token: ${{secrets.NO_SCOPE_GITHUB_TOKEN}}
|
57
|
+
# See:
|
58
|
+
# - https://octokit.github.io/rest.js/
|
59
|
+
script: |
|
60
|
+
console.log(`== pr number: ${context.payload.inputs.pr_number}`)
|
61
|
+
const pr = await github.request('get /repos/{owner}/{repo}/pulls/{pull_number}', {
|
62
|
+
headers: {
|
63
|
+
accept: 'application/vnd.github.v3+json'
|
64
|
+
},
|
65
|
+
owner: context.repo.owner,
|
66
|
+
repo: context.repo.repo,
|
67
|
+
pull_number: context.payload.inputs.pr_number
|
68
|
+
});
|
69
|
+
|
70
|
+
console.log("\n\n== pr\n");
|
71
|
+
console.log(pr);
|
72
|
+
console.log("\n\n== pr.data.head\n");
|
73
|
+
console.log(pr.data.head);
|
74
|
+
console.log(pr.status);
|
75
|
+
|
76
|
+
// PR must have been returned
|
77
|
+
if ( pr.status != 200 ) {
|
78
|
+
//#console.log(`::error ::Error looking up PR \#${context.payload.inputs.pr_number}: HTTP Response ${pr.status}`)
|
79
|
+
return(false)
|
80
|
+
}
|
81
|
+
|
82
|
+
// TODO: should either of these conditions really prevent a GLCI trigger?
|
83
|
+
if ( pr.data.state != 'open' ) {
|
84
|
+
console.log(`::error ::PR# ${context.payload.inputs.pr_number} is not open`)
|
85
|
+
}
|
86
|
+
if ( pr.data.merged ) {
|
87
|
+
console.log(`::error ::PR# ${context.payload.inputs.pr_number} is already merged`)
|
88
|
+
}
|
89
|
+
core.setOutput( 'pr_head_sha', pr.data.head.sha )
|
90
|
+
core.setOutput( 'pr_head_ref', pr.data.head.ref )
|
91
|
+
core.setOutput( 'pr_head_label', pr.data.head.label )
|
92
|
+
core.setOutput( 'pr_head_full_name', pr.data.head.full_name )
|
93
|
+
- uses: actions/checkout@v2
|
94
|
+
with:
|
95
|
+
repository: ${{ steps.get-pr.outputs.pr_head_full_name }}
|
96
|
+
ref: ${{ steps.get-pr.outputs.pr_head_sha }}
|
97
|
+
token: ${{secrets.NO_SCOPE_GITHUB_TOKEN}}
|
98
|
+
clean: true
|
99
|
+
- name: 'Validate GLCI file syntax'
|
100
|
+
id: validate-glci-file
|
101
|
+
uses: simp/github-action-gitlab-ci-syntax-check@main
|
102
|
+
with:
|
103
|
+
gitlab_api_private_token: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
|
104
|
+
gitlab_api_url: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
|
105
|
+
|
106
|
+
trigger-when-user-has-repo-permissions:
|
107
|
+
name: 'Trigger CI'
|
108
|
+
needs: [ glci-syntax ]
|
109
|
+
runs-on: ubuntu-18.04
|
110
|
+
steps:
|
111
|
+
- uses: actions/checkout@v2
|
112
|
+
with:
|
113
|
+
repository: ${{ needs.glci-syntax.outputs.pr_head_full_name }}
|
114
|
+
ref: ${{ needs.glci-syntax.outputs.pr_head_sha }}
|
115
|
+
token: ${{secrets.NO_SCOPE_GITHUB_TOKEN}}
|
116
|
+
fetch-depth: 0 # Need full checkout to push to gitlab mirror
|
117
|
+
clean: true
|
118
|
+
- name: Trigger CI when user has Repo Permissions
|
119
|
+
uses: simp/github-action-gitlab-ci-pipeline-trigger@v1
|
120
|
+
with:
|
121
|
+
git_hashref: ${{ needs.glci-syntax.outputs.pr_head_sha }}
|
122
|
+
git_branch: ${{ needs.glci-syntax.outputs.pr_head_ref }}
|
123
|
+
gitlab_api_private_token: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
|
124
|
+
gitlab_group: ${{ github.event.organization.login }}
|
125
|
+
github_repository: ${{ github.repository }}
|
126
|
+
github_repository_owner: ${{ github.repository_owner }}
|
127
|
+
|
128
|
+
### examine_contexts:
|
129
|
+
### needs: [ glci-syntax ]
|
130
|
+
### name: 'Examine Context contents'
|
131
|
+
### if: always()
|
132
|
+
### runs-on: ubuntu-18.04
|
133
|
+
### steps:
|
134
|
+
### - name: Dump contexts
|
135
|
+
### env:
|
136
|
+
### GITHUB_CONTEXT: ${{ toJson(github) }}
|
137
|
+
### run: echo "$GITHUB_CONTEXT"
|
138
|
+
### - name: Dump 'needs' context
|
139
|
+
### env:
|
140
|
+
### ENV_CONTEXT: ${{ toJson(needs) }}
|
141
|
+
### run: echo "$ENV_CONTEXT"
|
142
|
+
### - name: Dump env vars
|
143
|
+
### run: env | sort
|