simp-beaker-helpers 1.21.4 → 1.23.3

Files changed (35) hide show
  1. checksums.yaml +4 -4
  2. data/.fips_fixtures +1 -0
  3. data/.fixtures.yml +6 -1
  4. data/.github/workflows.local.json +6 -0
  5. data/.github/workflows/pr_acceptance.yml +55 -0
  6. data/.github/workflows/pr_glci.yml +190 -0
  7. data/.github/workflows/pr_glci_cleanup.yml +105 -0
  8. data/.github/workflows/pr_glci_manual.yml +143 -0
  9. data/.github/workflows/pr_tests.yml +90 -0
  10. data/.github/workflows/tag_deploy_rubygem.yml +192 -0
  11. data/.gitlab-ci.yml +37 -37
  12. data/CHANGELOG.md +55 -0
  13. data/Gemfile +1 -1
  14. data/README.md +63 -5
  15. data/lib/simp/beaker_helpers.rb +165 -68
  16. data/lib/simp/beaker_helpers/inspec.rb +16 -12
  17. data/lib/simp/beaker_helpers/ssg.rb +48 -13
  18. data/lib/simp/beaker_helpers/version.rb +1 -1
  19. data/lib/simp/rake/beaker.rb +14 -2
  20. data/simp-beaker-helpers.gemspec +2 -1
  21. data/spec/acceptance/nodesets/default.yml +1 -1
  22. data/spec/acceptance/nodesets/docker.yml +12 -10
  23. data/spec/acceptance/suites/default/enable_fips_spec.rb +6 -4
  24. data/spec/acceptance/suites/default/install_simp_deps_repo_spec.rb +17 -5
  25. data/spec/acceptance/suites/fips_from_fixtures/00_default_spec.rb +11 -3
  26. data/spec/acceptance/suites/inspec/00_default_spec.rb +54 -0
  27. data/spec/acceptance/suites/inspec/metadata.yml +2 -0
  28. data/spec/acceptance/suites/inspec/nodesets +1 -0
  29. data/spec/acceptance/suites/puppet_collections/00_default_spec.rb +1 -1
  30. data/spec/acceptance/suites/ssg/00_default_spec.rb +40 -0
  31. data/spec/acceptance/suites/ssg/metadata.yml +2 -0
  32. data/spec/acceptance/suites/ssg/nodesets +1 -0
  33. data/spec/lib/simp/beaker_helpers_spec.rb +1 -3
  34. metadata +53 -39
  35. data/.travis.yml +0 -42
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 843c00fb877d83ee9cd76a342b122923764e67452b3e8974de7232193d31d387
4
- data.tar.gz: 195e83133f422f09bf168870c7acafbea8c59ed22c0bae7aea87126c4248349a
3
+ metadata.gz: 88ab91d8bd2eef77e691c0d864999426ba1321f866decc3a867075535fe23c7b
4
+ data.tar.gz: 1bf21a9614c1b814ebf80059e60b00c80defd6cc4733bbd421ce6a2620d9e744
5
5
  SHA512:
6
- metadata.gz: 3ba248b4786e0950a8f6df44e6f697e7d4f83603334e101dc49c3096403d5ded68aaf3c98845cd6b1046706021c2957556b80d792f6588e9f6a6eee9184ba4f9
7
- data.tar.gz: 40d7e4f4a8ea7ab2b6d3d841be12b95a85006093f290030c91958dd6215ac8f5cabd064af1773e94a5b2cb4c9beb86c47958b09a17fd56d4017372d4297d6cdd
6
+ metadata.gz: 3ebba34024934a95b6e2b343bbdc0bb56859a686d20c9a7053d3ffdeedd528260379a7ba82a5b5dd1914d661f46eb1e64b48aef4ee84e88e5181754a5fc151b9
7
+ data.tar.gz: 5a69d66af5c521f0ec19c52dc1501ab5731f54155b9b23ff64b6d145dff18f05e8bfbb154410c2b2e3282da6c639f05a61b4d42f515d55b36166094d8dfecac3
data/.fips_fixtures CHANGED
@@ -1,6 +1,7 @@
1
1
  ---
2
2
  fixtures:
3
3
  repositories:
4
+ crypto_policy: https://github.com/simp/pupmod-simp-crypto_policy
4
5
  fips: https://github.com/simp/pupmod-simp-fips
5
6
  augeasproviders_core: https://github.com/simp/augeasproviders_core
6
7
  augeasproviders_grub: https://github.com/simp/augeasproviders_grub
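Review bot: The new `crypto_policy` fixture, like the `disa_stig-el7-baseline` / `disa_stig-el8-baseline` entries added in data/.fixtures.yml, names only a repository and no `ref:`, so each acceptance run fetches whatever the default branch of that repository holds at that moment; results then differ between runs, and an upstream change (for the mitre STIG baselines, a third party) enters the test fixtures without review. puppetlabs_spec_helper fixtures accept `ref:` next to `repo:`, and assuming .fips_fixtures is read by the same loader, pinning each new entry, e.g. `crypto_policy:` / `repo: https://github.com/simp/pupmod-simp-crypto_policy` / `ref: <pinned tag or commit>`, and bumping it deliberately keeps the fixture set auditable. The existing entries share the same unpinned shape, but they are outside this change.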
data/.fixtures.yml CHANGED
@@ -4,4 +4,9 @@ fixtures:
4
4
  stdlib: https://github.com/simp/puppetlabs-stdlib
5
5
  simplib: https://github.com/simp/pupmod-simp-simplib
6
6
  compliance_markup: https://github.com/simp/pupmod-simp-compliance_markup
7
-
7
+ disa_stig-el7-baseline:
8
+ repo: https://github.com/mitre/redhat-enterprise-linux-7-stig-baseline
9
+ target: spec/fixtures/inspec_deps/inspec_profiles/profiles
10
+ disa_stig-el8-baseline:
11
+ repo: https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline
12
+ target: spec/fixtures/inspec_deps/inspec_profiles/profiles
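--- a/data/.github/workflows.local.json
+++ b/data/.github/workflows.local.json
@@ -0,0 +1,6 @@
+{
+"gem_build_command": "bundle exec rake pkg:gem",
+"gem_release_command": "gem push dist/*.gem",
+"gem_pkg_dir": "dist"
+}
+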
@@ -0,0 +1,55 @@
1
+ # Run all tests as GitHub Actions
2
+ name: Unit Tests
3
+ on:
4
+ push:
5
+ branches:
6
+ # A test branch for seeing if your tests will pass in your personal fork
7
+ - test_me_github
8
+ pull_request:
9
+ types: [opened, reopened, synchronize]
10
+
11
+ jobs:
12
+ acceptance:
13
+ runs-on:
14
+ - ubuntu-latest
15
+ strategy:
16
+ matrix:
17
+ ruby:
18
+ - 2.6
19
+ fail-fast: false
20
+ steps:
21
+ - name: checkout repo
22
+ uses: actions/checkout@v2
23
+ - name: setup ruby
24
+ uses: ruby/setup-ruby@v1
25
+ with:
26
+ ruby-version: ${{ matrix.ruby }}
27
+ - name: ensure entropy
28
+ run: |
29
+ sudo apt-get update -y
30
+ sudo apt-get install -y rng-tools
31
+ sudo systemctl start rng-tools
32
+ - name: install docker
33
+ run: |
34
+ set -x
35
+ sudo apt-get remove -y podman ||:
36
+ sudo apt-get install -y docker-ce docker docker-engine docker.io containerd runc ||:
37
+ sudo apt-get update
38
+ sudo apt autoremove -y
39
+ sudo systemctl start docker
40
+ - name: install bundler
41
+ run: |
42
+ gem install bundler
43
+ bundle update
44
+ - name: beaker
45
+ run: |
46
+ bundle exec rake beaker:suites[default,docker]
47
+ - name: beaker puppet_collections
48
+ run: |
49
+ bundle exec rake beaker:suites[puppet_collections,docker]
50
+ - name: beaker ssg
51
+ run: |
52
+ bundle exec rake beaker:suites[ssg,docker]
53
+ - name: beaker inspec
54
+ run: |
55
+ bundle exec rake beaker:suites[inspec,docker]
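Review bot: In the `install docker` step, `sudo apt-get update` comes after `sudo apt-get install -y docker-ce docker docker-engine docker.io containerd runc ||:`, so the install runs against the package index baked into the runner image, and the `||:` on that line means a failed install is only discovered when `bundle exec rake beaker:suites[default,docker]` fails later with a less direct error; move `sudo apt-get update` ahead of the install and — presumably the `||:` exists because not every name in that list resolves on the runner — install only the packages expected to exist so a real failure stops the step. The matrix value `- 2.6` is an unquoted float; writing `- "2.6"` now avoids the `3.10` → `3.1` trap when the matrix grows. The workflow declares no `permissions:` block and references `actions/checkout@v2` / `ruby/setup-ruby@v1` by mutable tags; a top-level `permissions:` / `contents: read` and pinning to full commit SHAs are the usual least-privilege measures for a PR-triggered workflow. Lastly, `name: Unit Tests` describes beaker acceptance suites, which is confusing next to pr_tests.yml.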
@@ -0,0 +1,190 @@
1
+ # Push/Trigger a GitLab CI pipeline for the PR HEAD, **ONLY IF:**
2
+ #
3
+ # 1. The .gitlab-ci.yaml file exists and validates
4
+ # 2. The PR submitter has write access to the target repository.
5
+ #
6
+ # ------------------------------------------------------------------------------
7
+ #
8
+ # NOTICE: **This file is maintained with puppetsync**
9
+ #
10
+ # This file is updated automatically as part of a puppet module baseline.
11
+ #
12
+ # The next baseline sync will overwrite any local changes to this file!
13
+ #
14
+ # ==============================================================================
15
+ #
16
+ # GitHub Action Secrets variables available for this pipeline:
17
+ #
18
+ # GitHub Secret variable Type Notes
19
+ # ------------------------ -------- ----------------------------------------
20
+ # GITLAB_API_PRIVATE_TOKEN Secure Should have `api` scope
21
+ # GITLAB_API_URL Optional
22
+ #
23
+ # The secure vars will be filtered in GitHub Actions log output, and aren't
24
+ # provided to untrusted builds (i.e, triggered by PR from another repository)
25
+ #
26
+ # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27
+ # WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
28
+ # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!V!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
29
+ #
30
+ # DO NOT MODIFY this workflow, unless you **REALLY** know what you are doing.
31
+ #
32
+ # This workflow bypasses some of the built-in protections of the
33
+ # `pull_request_target` event by explicitly checking out the PR's **HEAD**.
34
+ # Without being VERY CAREFUL, this could easily allow a malcious PR
35
+ # contributor the chance to access secrets or a GITHUB_TOKEN with write scope!!
36
+ #
37
+ # The jobs in this workflow are designed to handle this safely -- but DO NOT
38
+ # assume any alterations will also be safe.
39
+ #
40
+ # For general information, see:
41
+ #
42
+ # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target
43
+ #
44
+ # For further information, or if ANY of this seems confusing or unecessary:
45
+ #
46
+ # ASK FOR ASSISTANCE **BEFORE** ATTEMPTING TO MODIFY THIS WORKFLOW.
47
+ #
48
+ # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
49
+ # WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
50
+ # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!V!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
51
+ #
52
+ # https://docs.github.com/en/actions/reference/events-that-trigger-workflows
53
+ #
54
+ ---
55
+ name: PR GLCI
56
+ on:
57
+ pull_request_target:
58
+ types: [opened, reopened, synchronize]
59
+
60
+ jobs:
61
+
62
+ # The ONLY reason we can validate the PR HEAD's content safely here is that
63
+ # we restrict ourselves to sending data elsewhere.
64
+ glci-syntax:
65
+ name: '.gitlab-ci.yml Syntax'
66
+ runs-on: ubuntu-16.04
67
+ outputs:
68
+ valid: ${{ steps.validate-glci-file.outputs.valid }}
69
+ steps:
70
+ - uses: actions/checkout@v2
71
+ with:
72
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
73
+ ref: ${{ github.event.pull_request.head.ref }}
74
+ - name: 'Validate GLCI file syntax'
75
+ id: validate-glci-file
76
+ uses: simp/github-action-gitlab-ci-syntax-check@main
77
+ with:
78
+ gitlab_api_private_token: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
79
+ gitlab_api_url: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
80
+
81
+ contributor-permissions:
82
+ name: 'PR contributor check'
83
+ runs-on: ubuntu-18.04
84
+ outputs:
85
+ permitted: ${{ steps.user-repo-permissions.outputs.permitted }}
86
+ steps:
87
+ - uses: actions/github-script@v3
88
+ id: user-repo-permissions
89
+ with:
90
+ github-token: ${{secrets.GITHUB_TOKEN}}
91
+ # See:
92
+ # - https://octokit.github.io/rest.js/
93
+ # - https://docs.github.com/en/free-pro-team@latest/rest/reference/repos#get-repository-permissions-for-a-user
94
+ script: |
95
+ const project_permission = await github.request('GET /repos/{owner}/{repo}/collaborators/{username}/permission', {
96
+ headers: {
97
+ accept: 'application/vnd.github.v3+json'
98
+ },
99
+ owner: context.repo.owner,
100
+ repo: context.repo.repo,
101
+ username: context.payload.sender.login,
102
+ })
103
+ const has_write_access = perm_lvl => (perm_lvl == "admin" || perm_lvl == "write" )
104
+ const write_access_desc = perm_bool => (perm_bool ? "PERMISSION OK" : "PERMISSION DENIED" )
105
+ if( has_write_access(project_permission.data.permission )){
106
+ core.setOutput( 'permitted', 'true' )
107
+ } else {
108
+ core.setOutput( 'permitted', 'false' )
109
+ console.log(`::error ::payload user '${context.payload.sender.login}' does not have CI trigger permission for '${context.repository}; not triggering external CI'`)
110
+ }
111
+ console.log(`== payload user '${context.payload.sender.login}' CI trigger permission for '${context.repo.owner}': ${write_access_desc(has_write_access(project_permission.data.permission))}`)
112
+
113
+
114
+ trigger-when-user-has-repo-permissions:
115
+ name: 'Trigger CI [trusted users only]'
116
+ needs: [ glci-syntax, contributor-permissions ]
117
+ # This conditional provides an extra safety control, in case the workflow's
118
+ # `on` section is inadventently modified without considering the security
119
+ # implications.
120
+ #
121
+ # This job will ONLY trigger on:
122
+ #
123
+ # - [x] pull_request_target event: github.event_name == 'pull_request_target'
124
+ # AND:
125
+ # - [x] Newly-opened PRs: github.event.action == 'opened'
126
+ # - [x] Re-opened PRs: github.event.action == 'reopened'
127
+ # - [x] Commits are added to PR: github.event.action == 'synchronize'
128
+ # AND:
129
+ # - [x] .gitlab-ci.yml exists/ok: needs.glci-syntax.outputs.valid == 'true'
130
+ #
131
+ # [Not implemented] It should NEVER trigger on:
132
+ #
133
+ # - [ ] Merged PRs: github.event.pull_request.merged == 'false'
134
+ # - (the downstream GitLab mirror will take care of that)
135
+ # - Not implemented: For some reason, this conditional always fails
136
+ # - Unnecessary if on>pull_request_target>types doesn't include 'closed'
137
+ if: github.event_name == 'pull_request_target' && ( github.event.action == 'opened' || github.event.action == 'reopened' || github.event.action == 'synchronize' ) && github.event.pull_request.merged != 'true' && needs.glci-syntax.outputs.valid == 'true' && needs.contributor-permissions.outputs.permitted == 'true'
138
+ runs-on: ubuntu-18.04
139
+ steps:
140
+ # Things we'd like to do:
141
+ # - [ ] if there's no GitLab mirror, make one
142
+ # - [ ] if there's no GitLab <-> GitHub integration, make one
143
+ # - [ ] if there's no PR check on the main GitHub branch, make one (?)
144
+ # - [x] Cancel any GLCI pipelines already pending/running for this branch
145
+ # - "created|waiting_for_resource|preparing|pending|running"
146
+ # - Exception: don't cancel existing pipeline for our own commit
147
+ # - [x] if PR: force-push branch to GitLab
148
+ - uses: actions/checkout@v2
149
+ if: needs.contributor-permissions.outputs.permitted == 'true'
150
+ with:
151
+ clean: true
152
+ fetch-depth: 0 # Need full checkout to push to gitlab mirror
153
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
154
+ ref: ${{ github.event.pull_request.head.ref }}
155
+
156
+ - name: Trigger CI when user has Repo Permissions
157
+ if: needs.contributor-permissions.outputs.permitted == 'true'
158
+ uses: simp/github-action-gitlab-ci-pipeline-trigger@v1
159
+ with:
160
+ git_branch: ${{ github.event.pull_request.head.ref }} # TODO check for/avoid protected branches?
161
+ git_hashref: ${{ github.event.pull_request.head.sha }}
162
+ gitlab_api_private_token: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
163
+ gitlab_group: ${{ github.event.organization.login }}
164
+ github_repository: ${{ github.repository }}
165
+ github_repository_owner: ${{ github.repository_owner }}
166
+
167
+ - name: When user does NOT have Repo Permissions
168
+ if: needs.contributor-permissions.outputs.permitted == 'false'
169
+ continue-on-error: true
170
+ run: |
171
+ echo "Ending gracefully; Contributor $GITHUB_ACTOR does not have permission to trigger CI"
172
+ false
173
+
174
+ ### examine_contexts:
175
+ ### name: 'Examine Context contents'
176
+ ### if: always()
177
+ ### runs-on: ubuntu-16.04
178
+ ### needs: [ glci-syntax, contributor-permissions ]
179
+ ### steps:
180
+ ### - name: Dump contexts
181
+ ### env:
182
+ ### GITHUB_CONTEXT: ${{ toJson(github) }}
183
+ ### run: echo "$GITHUB_CONTEXT"
184
+ ### - name: Dump needs context
185
+ ### env:
186
+ ### ENV_CONTEXT: ${{ toJson(needs) }}
187
+ ### run: echo "$ENV_CONTEXT"
188
+ ### - name: Dump env vars
189
+ ### run: env | sort
190
+
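Review bot: The `if:` on `trigger-when-user-has-repo-permissions` compares the boolean `github.event.pull_request.merged` against the string `'true'`; GitHub's expression engine coerces mismatched operand types to numbers before comparing, so `merged != 'true'` is always true and that part of the guard does nothing (the same coercion is why the `merged == 'false'` form described in the comment "always fails"), and if the check is wanted it should read `!github.event.pull_request.merged`. The header comment saying the secure vars "aren't provided to untrusted builds (i.e, triggered by PR from another repository)" holds for `pull_request` only; under `pull_request_target` the run executes in the base repository's context with secrets available precisely so fork PRs can use them, and the same sentence appears in pr_glci_cleanup.yml, so both should state that the token is present and that safety rests on never executing PR-controlled content. Given that, `simp/github-action-gitlab-ci-syntax-check@main` and `simp/github-action-gitlab-ci-pipeline-trigger@v1` receive `GITLAB_API_PRIVATE_TOKEN` while referenced by mutable refs; pinning both to a full commit SHA keeps a later change in those action repositories from silently gaining the token. The gate in `contributor-permissions` looks up `context.payload.sender.login`, so a maintainer who reopens a fork PR becomes the "permitted" sender while the content pushed to GitLab is still the fork's HEAD — presumably accepted, but worth stating in the comment block next to the `sender` lookup.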
@@ -0,0 +1,105 @@
1
+ # When a PR is closed, clean up any associated GitLab CI pipelines & branch
2
+ #
3
+ # * Cancels all GLCI pipelines associated with the PR HEAD ref (branch)
4
+ # * Removes the PR HEAD branch from the corresponding gitlab.com/org/ project
5
+ #
6
+ # ------------------------------------------------------------------------------
7
+ #
8
+ # NOTICE: **This file is maintained with puppetsync**
9
+ #
10
+ # This file is updated automatically as part of a standardized asset baseline.
11
+ #
12
+ # The next baseline sync will overwrite any local changes to this file!
13
+ #
14
+ # ==============================================================================
15
+ #
16
+ # GitHub Action Secrets variables available for this pipeline:
17
+ #
18
+ # GitHub Secret variable Type Notes
19
+ # ------------------------ -------- ----------------------------------------
20
+ # GITLAB_API_PRIVATE_TOKEN Secure Should have `api` scope
21
+ # GITLAB_API_URL Optional
22
+ #
23
+ # The secure vars will be filtered in GitHub Actions log output, and aren't
24
+ # provided to untrusted builds (i.e, triggered by PR from another repository)
25
+ #
26
+ # ------------------------------------------------------------------------------
27
+ #
28
+ # https://docs.github.com/en/actions/reference/events-that-trigger-workflows
29
+ #
30
+ ---
31
+ name: PR GLCI Cleanup
32
+ on:
33
+ pull_request_target:
34
+ types: [closed]
35
+
36
+ jobs:
37
+ cleanup-glci-branch:
38
+ name: 'Clean up GLCI'
39
+ # This conditional provides an extra safety control, in case the workflow's
40
+ # `on` section is inadventently modified without considering the security
41
+ # implications.
42
+ if: github.event_name == 'pull_request_target' && github.event.action == 'closed'
43
+ runs-on: ubuntu-18.04
44
+ steps:
45
+ - uses: actions/checkout@v2
46
+ with:
47
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
48
+ ref: ${{ github.event.pull_request.head.ref }}
49
+ - name: Trigger CI when user has Repo Permissions
50
+ env:
51
+ GITLAB_SERVER_URL: ${{ secrets.GITLAB_SERVER_URL }} # https://gitlab.com
52
+ GITLAB_API_URL: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
53
+ GITLAB_ORG: ${{ github.event.organization.login }}
54
+ GITLAB_API_PRIVATE_TOKEN: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
55
+ GIT_BRANCH: ${{ github.event.pull_request.head.ref }}
56
+ run: |
57
+ GITLAB_SERVER_URL="${GITLAB_SERVER_URL:-https://gitlab.com}"
58
+ GITLAB_API_URL="${GITLAB_API_URL:-${GITLAB_SERVER_URL}/api/v4}"
59
+ GIT_BRANCH="${GIT_BRANCH:-GITHUB_HEAD_REF}"
60
+ GITXXB_REPO_NAME="${GITHUB_REPOSITORY/$GITHUB_REPOSITORY_OWNER\//}"
61
+ GITLAB_PROJECT_ID="${GITLAB_ORG}%2F${GITXXB_REPO_NAME}"
62
+ # --http1.0 avoids an HTTP/2 load balancing issue when run from GA
63
+ CURL_CMD=(curl --http1.0 --fail --silent --show-error \
64
+ --header "Authorization: Bearer $GITLAB_API_PRIVATE_TOKEN" \
65
+ --header "Content-Type: application/json" \
66
+ --header "Accept: application/json" \
67
+ )
68
+
69
+ # Cancel any active/pending GitLab CI pipelines for the same project+branch
70
+ active_pipeline_ids=()
71
+ for pipe_status in created waiting_for_resource preparing pending running; do
72
+ echo " ---- checking for CI pipelines with status '$pipe_status' for project '$GITLAB_PROJECT_ID', branch '$GIT_BRANCH'"
73
+ url="${GITLAB_API_URL}/projects/${GITLAB_PROJECT_ID}/pipelines?ref=${GIT_BRANCH}&status=${pipe_status}"
74
+ active_pipelines="$("${CURL_CMD[@]}" "$url" | jq -r '.[] | .id , .web_url')"
75
+ active_pipeline_ids+=($(echo "$active_pipelines" | grep -E '^[0-9]*$'))
76
+ printf "$active_pipelines\n\n"
77
+ done
78
+ if [ "${#active_pipeline_ids[@]}" -gt 0 ]; then
79
+ printf "\nFound %s active pipeline ids:\n" "${#active_pipeline_ids[@]}"
80
+ echo "${active_pipeline_ids[@]}"
81
+ for pipe_id in "${active_pipeline_ids[@]}"; do
82
+ printf "\n ------ Cancelling pipeline ID %s...\n" "$pipe_id"
83
+ "${CURL_CMD[@]}" --request POST "${GITLAB_API_URL}/projects/${GITLAB_PROJECT_ID}/pipelines/${pipe_id}/cancel"
84
+ done
85
+ else
86
+ echo No active pipelines found
87
+ fi
88
+
89
+ echo "== Removing $GIT_BRANCH from gitlab"
90
+ git remote add gitlab "https://oauth2:${GITLAB_API_PRIVATE_TOKEN}@${GITLAB_SERVER_URL#*://}/${GITLAB_ORG}/${GITXXB_REPO_NAME}.git"
91
+ git push gitlab ":${GIT_BRANCH}" -f || : # attempt to un-weird GLCI's `changed` tracking
92
+
93
+ ### examine_contexts:
94
+ ### name: 'Examine Context contents'
95
+ ### if: always()
96
+ ### runs-on: ubuntu-16.04
97
+ ### steps:
98
+ ### - name: Dump contexts
99
+ ### env:
100
+ ### GITHUB_CONTEXT: ${{ toJson(github) }}
101
+ ### run: echo "$GITHUB_CONTEXT"
102
+ ### run: echo "$ENV_CONTEXT"
103
+ ### - name: Dump env vars
104
+ ### run: env | sort
105
+
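Review bot: The `cleanup-glci-branch` job force-pushes `:${GIT_BRANCH}` to the GitLab mirror and cancels that branch's pipelines with no contributor-permissions gate, unlike pr_glci.yml, and `GIT_BRANCH` is the PR head ref, a name chosen by whoever opened the PR; on a mirror whose default or release branches are not protected, closing a PR whose ref carries such a name would remove that branch. Gate the job on the same write-permission check the trigger workflow uses, and refuse the push when `GIT_BRANCH` equals `github.event.repository.default_branch` (passed in via `env:`, then `if [ "$GIT_BRANCH" = "$DEFAULT_BRANCH" ]; then exit 1; fi` before the `git push`). `GIT_BRANCH="${GIT_BRANCH:-GITHUB_HEAD_REF}"` is missing the `$`, so the fallback is the literal string `GITHUB_HEAD_REF`; it should read `GIT_BRANCH="${GIT_BRANCH:-$GITHUB_HEAD_REF}"`. `printf "$active_pipelines\n\n"` uses API output as the format string, so a `%` in a pipeline URL would be interpreted; use `printf '%s\n\n' "$active_pipelines"`. The step is named `Trigger CI when user has Repo Permissions` but cancels pipelines and deletes a branch — rename it to say so.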
@@ -0,0 +1,143 @@
1
+ # Manually trigger GLCI pipelines for a PR
2
+ # ------------------------------------------------------------------------------
3
+ #
4
+ # NOTICE: **This file is maintained with puppetsync**
5
+ #
6
+ # This file is updated automatically as part of a standardized asset baseline.
7
+ #
8
+ # The next baseline sync will overwrite any local changes to this file!
9
+ #
10
+ # ==============================================================================
11
+ #
12
+ # This pipeline uses the following GitHub Action Secrets:
13
+ #
14
+ # GitHub Secret variable Type Notes
15
+ # ------------------------ -------- ----------------------------------------
16
+ # GITLAB_API_PRIVATE_TOKEN Required GitLab token (should have `api` scope)
17
+ # NO_SCOPE_GITHUB_TOKEN Required GitHub token (should have no scopes)
18
+ # GITLAB_SERVER_URL Optional Specify a GL server other than gitlab.com
19
+ # The secure vars will be filtered in GitHub Actions log output, and aren't
20
+ # provided to untrusted builds (i.e, triggered by PR from another repository)
21
+ #
22
+ # ------------------------------------------------------------------------------
23
+ #
24
+ # NOTES:
25
+ # It is necessary to provide NO_SCOPE_GITHUB_TOKEN because $secrets.GITHUB_AUTO
26
+ # is NOT provide to manually-triggered (`workflow_dispatch`) events, in order
27
+ # to prevent recursive triggers between workflows
28
+ #
29
+ # Reference:
30
+ #
31
+ # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token
32
+ ---
33
+ name: 'Manual: PR GLCI'
34
+
35
+ on:
36
+ workflow_dispatch:
37
+ inputs:
38
+ pr_number:
39
+ description: "PR number to trigger GLCI"
40
+ required: true
41
+
42
+ jobs:
43
+ glci-syntax:
44
+ name: '.gitlab-ci.yml Syntax'
45
+ runs-on: ubuntu-18.04
46
+ outputs:
47
+ valid: ${{ steps.validate-glci-file.outputs.valid }}
48
+ pr_head_ref: ${{ steps.get-pr.outputs.pr_head_ref }}
49
+ pr_head_sha: ${{ steps.get-pr.outputs.pr_head_sha }}
50
+ pr_head_label: ${{ steps.get-pr.outputs.pr_head_label }}
51
+ pr_head_full_name: ${{ steps.get-pr.outputs.pr_full_name }}
52
+ steps:
53
+ - uses: actions/github-script@v3
54
+ id: get-pr
55
+ with:
56
+ github-token: ${{secrets.NO_SCOPE_GITHUB_TOKEN}}
57
+ # See:
58
+ # - https://octokit.github.io/rest.js/
59
+ script: |
60
+ console.log(`== pr number: ${context.payload.inputs.pr_number}`)
61
+ const pr = await github.request('get /repos/{owner}/{repo}/pulls/{pull_number}', {
62
+ headers: {
63
+ accept: 'application/vnd.github.v3+json'
64
+ },
65
+ owner: context.repo.owner,
66
+ repo: context.repo.repo,
67
+ pull_number: context.payload.inputs.pr_number
68
+ });
69
+
70
+ console.log("\n\n== pr\n");
71
+ console.log(pr);
72
+ console.log("\n\n== pr.data.head\n");
73
+ console.log(pr.data.head);
74
+ console.log(pr.status);
75
+
76
+ // PR must have been returned
77
+ if ( pr.status != 200 ) {
78
+ //#console.log(`::error ::Error looking up PR \#${context.payload.inputs.pr_number}: HTTP Response ${pr.status}`)
79
+ return(false)
80
+ }
81
+
82
+ // TODO: should either of these conditions really prevent a GLCI trigger?
83
+ if ( pr.data.state != 'open' ) {
84
+ console.log(`::error ::PR# ${context.payload.inputs.pr_number} is not open`)
85
+ }
86
+ if ( pr.data.merged ) {
87
+ console.log(`::error ::PR# ${context.payload.inputs.pr_number} is already merged`)
88
+ }
89
+ core.setOutput( 'pr_head_sha', pr.data.head.sha )
90
+ core.setOutput( 'pr_head_ref', pr.data.head.ref )
91
+ core.setOutput( 'pr_head_label', pr.data.head.label )
92
+ core.setOutput( 'pr_head_full_name', pr.data.head.full_name )
93
+ - uses: actions/checkout@v2
94
+ with:
95
+ repository: ${{ steps.get-pr.outputs.pr_head_full_name }}
96
+ ref: ${{ steps.get-pr.outputs.pr_head_sha }}
97
+ token: ${{secrets.NO_SCOPE_GITHUB_TOKEN}}
98
+ clean: true
99
+ - name: 'Validate GLCI file syntax'
100
+ id: validate-glci-file
101
+ uses: simp/github-action-gitlab-ci-syntax-check@main
102
+ with:
103
+ gitlab_api_private_token: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
104
+ gitlab_api_url: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
105
+
106
+ trigger-when-user-has-repo-permissions:
107
+ name: 'Trigger CI'
108
+ needs: [ glci-syntax ]
109
+ runs-on: ubuntu-18.04
110
+ steps:
111
+ - uses: actions/checkout@v2
112
+ with:
113
+ repository: ${{ needs.glci-syntax.outputs.pr_head_full_name }}
114
+ ref: ${{ needs.glci-syntax.outputs.pr_head_sha }}
115
+ token: ${{secrets.NO_SCOPE_GITHUB_TOKEN}}
116
+ fetch-depth: 0 # Need full checkout to push to gitlab mirror
117
+ clean: true
118
+ - name: Trigger CI when user has Repo Permissions
119
+ uses: simp/github-action-gitlab-ci-pipeline-trigger@v1
120
+ with:
121
+ git_hashref: ${{ needs.glci-syntax.outputs.pr_head_sha }}
122
+ git_branch: ${{ needs.glci-syntax.outputs.pr_head_ref }}
123
+ gitlab_api_private_token: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
124
+ gitlab_group: ${{ github.event.organization.login }}
125
+ github_repository: ${{ github.repository }}
126
+ github_repository_owner: ${{ github.repository_owner }}
127
+
128
+ ### examine_contexts:
129
+ ### needs: [ glci-syntax ]
130
+ ### name: 'Examine Context contents'
131
+ ### if: always()
132
+ ### runs-on: ubuntu-18.04
133
+ ### steps:
134
+ ### - name: Dump contexts
135
+ ### env:
136
+ ### GITHUB_CONTEXT: ${{ toJson(github) }}
137
+ ### run: echo "$GITHUB_CONTEXT"
138
+ ### - name: Dump 'needs' context
139
+ ### env:
140
+ ### ENV_CONTEXT: ${{ toJson(needs) }}
141
+ ### run: echo "$ENV_CONTEXT"
142
+ ### - name: Dump env vars
143
+ ### run: env | sort
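Review bot: The `trigger-when-user-has-repo-permissions` job checks out `needs.glci-syntax.outputs.pr_head_full_name`, but that output is never populated: the job's `outputs:` map reads `steps.get-pr.outputs.pr_full_name` while the script sets `pr_head_full_name`, and the value it sets, `pr.data.head.full_name`, is not a field of the pulls API response — the repository name lives at `head.repo.full_name`. Change the two lines to `pr_head_full_name: ${{ steps.get-pr.outputs.pr_head_full_name }}` and `core.setOutput( 'pr_head_full_name', pr.data.head.repo.full_name )`; as written, both checkouts presumably fall back to the base repository (actions/checkout's behaviour for an empty `repository`, to be confirmed), so a fork PR would have the wrong tree validated and pushed. In the same script, `if ( pr.status != 200 ) { return(false) }` leaves the script without failing the step, so the remaining outputs are simply empty and the downstream job proceeds; use `core.setFailed(...)` there, and arguably for the `not open` / `already merged` cases, which currently only log an `::error`. The NOTES comment refers to `$secrets.GITHUB_AUTO`, which matches no secret used here, and `GITHUB_TOKEN` is in fact available to `workflow_dispatch` runs; the documented restriction is that events created with it do not start new workflow runs, so the reason for `NO_SCOPE_GITHUB_TOKEN` should be restated in those terms.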