simp-beaker-helpers 1.32.0 → 1.33.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/pr_acceptance.yml +4 -4
- data/.github/workflows/pr_tests.yml +1 -1
- data/.github/workflows/tag_deploy_rubygem.yml +2 -2
- data/.rspec +0 -1
- data/.rubocop.yml +166 -165
- data/CHANGELOG.md +8 -0
- data/Gemfile +16 -20
- data/README.md +7 -0
- data/lib/simp/beaker_helpers/version.rb +3 -1
- data/lib/simp/beaker_helpers.rb +9 -4
- data/simp-beaker-helpers.gemspec +17 -16
- metadata +44 -39
- data/.github/workflows/pr_glci.yml +0 -190
- data/.github/workflows/pr_glci_cleanup.yml +0 -105
- data/.github/workflows/pr_glci_manual.yml +0 -143
data/Gemfile
CHANGED
@@ -1,7 +1,6 @@
|
|
1
|
-
#
|
2
|
-
|
3
|
-
|
4
|
-
gem_sources = ENV.fetch('GEM_SERVERS','https://rubygems.org').split(/[, ]+/)
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
gem_sources = ENV.fetch('GEM_SERVERS', 'https://rubygems.org').split(%r{[, ]+})
|
5
4
|
|
6
5
|
gem_sources.each { |gem_source| source gem_source }
|
7
6
|
|
@@ -9,13 +8,12 @@ gem_sources.each { |gem_source| source gem_source }
|
|
9
8
|
gemspec
|
10
9
|
|
11
10
|
# mandatory gems
|
12
|
-
gem 'bundler'
|
13
11
|
gem 'rake'
|
14
12
|
|
15
13
|
group :system_tests do
|
16
|
-
beaker_gem_options = ENV.fetch('BEAKER_GEM_OPTIONS', ['>= 4.28.1', '<
|
14
|
+
beaker_gem_options = ENV.fetch('BEAKER_GEM_OPTIONS', ['>= 4.28.1', '< 7.0.0'])
|
17
15
|
|
18
|
-
if
|
16
|
+
if beaker_gem_options.to_s.include?(':')
|
19
17
|
# Just pass in BEAKER_GEM_OPTIONS as a string that would represent the usual
|
20
18
|
# hash of options.
|
21
19
|
#
|
@@ -24,28 +22,26 @@ group :system_tests do
|
|
24
22
|
# No, this isn't robust, but it's not really an 'every day' sort of thing
|
25
23
|
# and safer than an `eval`
|
26
24
|
begin
|
27
|
-
|
28
|
-
beaker_gem_options.split(',').
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
k.delete(':').to_sym, # Convert all keys to symbols
|
33
|
-
v.strip
|
34
|
-
]
|
35
|
-
end
|
25
|
+
beaker_gem_options = Hash[
|
26
|
+
beaker_gem_options.split(',').
|
27
|
+
# Split passed options on k/v pairs
|
28
|
+
map { |x| x.gsub('"', '').strip.split(%r{:\s|\s+=>\s+}) }. # Allow for either format hash keys
|
29
|
+
map { |k, v| [k.delete(':').to_sym, v.strip] } # Convert all keys to symbols
|
36
30
|
] # Convert the whole thing to a valid Hash
|
37
|
-
rescue => e
|
31
|
+
rescue StandardError => e
|
38
32
|
raise "Invalid BEAKER_GEM_OPTIONS: '#{beaker_gem_options}' => '#{e}'"
|
39
33
|
end
|
40
|
-
else
|
41
|
-
gem 'beaker', beaker_gem_options
|
42
34
|
end
|
43
35
|
|
36
|
+
gem 'beaker', beaker_gem_options
|
37
|
+
|
38
|
+
gem 'bcrypt_pbkdf'
|
44
39
|
gem 'beaker-rspec'
|
45
40
|
gem 'beaker-windows'
|
41
|
+
gem 'ed25519'
|
46
42
|
gem 'net-ssh'
|
47
43
|
gem 'puppet', ENV.fetch('PUPPET_VERSION', ['>= 7.0.0', '< 9.0.0'])
|
44
|
+
gem 'puppetlabs_spec_helper', '>= 4.0.0', '< 8.0.0'
|
48
45
|
gem 'rubocop'
|
49
46
|
gem 'rubocop-rspec'
|
50
|
-
gem 'puppetlabs_spec_helper', '>= 4.0.0', '< 7.0.0'
|
51
47
|
end
|
data/README.md
CHANGED
@@ -47,6 +47,7 @@ Methods to assist beaker acceptance tests for SIMP.
|
|
47
47
|
* [BEAKER_RHSM_USER](#beaker_rhsm_user)
|
48
48
|
* [BEAKER_RHSM_PASS](#beaker_rhsm_pass)
|
49
49
|
* [BEAKER_inspec_version](#beaker_inspec_version)
|
50
|
+
* [BEAKER_RHSM_UNSUBSCRIBE](#beaker_rhsm_unsubscribe)
|
50
51
|
* [Examples](#examples)
|
51
52
|
* [Prep OS, Generate and copy PKI certs to each SUT](#prep-os-generate-and-copy-pki-certs-to-each-sut)
|
52
53
|
* [Specify the version of Puppet to run in the SUTs](#specify-the-version-of-puppet-to-run-in-the-suts)
|
@@ -466,6 +467,12 @@ The version of InSpec to use when running inspec tests. Currently hard-coded to
|
|
466
467
|
|
467
468
|
Set to 'latest' to use the latest available in the upstream repos.
|
468
469
|
|
470
|
+
#### BEAKER_RHSM_UNSUBSCRIBE
|
471
|
+
|
472
|
+
By default the system is unsubscribed from RHSM.
|
473
|
+
|
474
|
+
Set to 'False' to disable this behavior.
|
475
|
+
|
469
476
|
## Examples
|
470
477
|
|
471
478
|
### Prep OS, Generate and copy PKI certs to each SUT
|
data/lib/simp/beaker_helpers.rb
CHANGED
@@ -259,7 +259,8 @@ module Simp::BeakerHelpers
|
|
259
259
|
end
|
260
260
|
|
261
261
|
# Ensure that Hashes return as Hash objects
|
262
|
-
|
262
|
+
# OpenStruct objects have a marshal_dump method
|
263
|
+
found_fact.respond_to?(:marshal_dump) ? found_fact.marshal_dump : found_fact
|
263
264
|
end
|
264
265
|
|
265
266
|
# Returns the modulepath on the SUT, as an Array
|
@@ -676,7 +677,6 @@ module Simp::BeakerHelpers
|
|
676
677
|
|
677
678
|
if os_info['name'] == 'RedHat' && ENV['BEAKER_RHSM_USER'] && ENV['BEAKER_RHSM_PASS']
|
678
679
|
if os_maj_rel == '7'
|
679
|
-
on sut, %{subscription-manager repos --enable "rhel-*-optional-rpms"}
|
680
680
|
on sut, %{subscription-manager repos --enable "rhel-*-extras-rpms"}
|
681
681
|
on sut, %{subscription-manager repos --enable "rhel-ha-for-rhel-*-server-rpms"}
|
682
682
|
end
|
@@ -800,7 +800,9 @@ module Simp::BeakerHelpers
|
|
800
800
|
|
801
801
|
RSpec.configure do |c|
|
802
802
|
c.after(:all) do
|
803
|
-
|
803
|
+
unless ENV['BEAKER_RHSM_UNSUBSCRIBE'] == 'false'
|
804
|
+
rhel_rhsm_unsubscribe(sut)
|
805
|
+
end
|
804
806
|
end
|
805
807
|
end
|
806
808
|
end
|
@@ -846,7 +848,6 @@ module Simp::BeakerHelpers
|
|
846
848
|
:repo_list => {
|
847
849
|
'7' => [
|
848
850
|
'rhel-7-server-extras-rpms',
|
849
|
-
'rhel-7-server-optional-rpms',
|
850
851
|
'rhel-7-server-rh-common-rpms',
|
851
852
|
'rhel-7-server-rpms',
|
852
853
|
'rhel-7-server-supplementary-rpms'
|
@@ -854,6 +855,10 @@ module Simp::BeakerHelpers
|
|
854
855
|
'8' => [
|
855
856
|
'rhel-8-for-x86_64-baseos-rpms',
|
856
857
|
'rhel-8-for-x86_64-supplementary-rpms'
|
858
|
+
],
|
859
|
+
'9' => [
|
860
|
+
'rhel-9-for-x86_64-appstream-rpms',
|
861
|
+
'rhel-9-for-x86_64-baseos-rpms'
|
857
862
|
]
|
858
863
|
}
|
859
864
|
}
|
data/simp-beaker-helpers.gemspec
CHANGED
@@ -1,5 +1,6 @@
|
|
1
|
-
#
|
2
|
-
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
$LOAD_PATH.unshift File.expand_path('lib', __dir__)
|
3
4
|
require 'simp/beaker_helpers/version'
|
4
5
|
require 'date'
|
5
6
|
|
@@ -7,31 +8,31 @@ Gem::Specification.new do |s|
|
|
7
8
|
s.name = 'simp-beaker-helpers'
|
8
9
|
s.date = Date.today.to_s
|
9
10
|
s.summary = 'beaker helper methods for SIMP'
|
10
|
-
s.description =
|
11
|
+
s.description = <<~END_DESCRIPTION
|
11
12
|
Beaker helper methods to help scaffold SIMP acceptance tests
|
12
|
-
|
13
|
+
END_DESCRIPTION
|
13
14
|
s.version = Simp::BeakerHelpers::VERSION
|
14
15
|
s.license = 'Apache-2.0'
|
15
|
-
s.authors = ['Chris Tessmer','Trevor Vaughan']
|
16
|
+
s.authors = ['Chris Tessmer', 'Trevor Vaughan']
|
16
17
|
s.email = 'simp@simp-project.org'
|
17
18
|
s.homepage = 'https://github.com/simp/rubygem-simp-beaker-helpers'
|
18
19
|
s.metadata = {
|
19
|
-
|
20
|
-
|
20
|
+
'issue_tracker' => 'https://github.com/simp/rubygem-simp-beaker-helpers/issues'
|
21
|
+
}
|
21
22
|
|
22
|
-
s.required_ruby_version = '>= 2.
|
23
|
+
s.required_ruby_version = '>= 2.7.0'
|
23
24
|
|
24
|
-
s.add_runtime_dependency 'beaker', ['>= 4.17.0', '<
|
25
|
-
s.add_runtime_dependency 'beaker-rspec', '~> 8.0'
|
26
|
-
s.add_runtime_dependency 'beaker-puppet', ['>= 1.18.14', '< 3.0.0']
|
25
|
+
s.add_runtime_dependency 'beaker', ['>= 4.17.0', '< 7.0.0']
|
27
26
|
s.add_runtime_dependency 'beaker-docker', ['>= 0.8.3', '< 3.0.0']
|
28
|
-
s.add_runtime_dependency '
|
27
|
+
s.add_runtime_dependency 'beaker-puppet', ['>= 1.18.14', '< 5.0.0']
|
28
|
+
s.add_runtime_dependency 'beaker-rspec', '~> 8.0'
|
29
29
|
s.add_runtime_dependency 'beaker-vagrant', ['>= 0.6.4', '< 2.0.0']
|
30
|
-
s.add_runtime_dependency '
|
30
|
+
s.add_runtime_dependency 'docker-api', ['>= 2.1.0', '< 3.0.0']
|
31
|
+
s.add_runtime_dependency 'highline', ['>= 2.0', '< 4.0.0']
|
31
32
|
s.add_runtime_dependency 'nokogiri', '~> 1.8'
|
32
33
|
|
33
34
|
### s.files = Dir['Rakefile', '{bin,lib,spec}/**/*', 'README*', 'LICENSE*'] & `git ls-files -z .`.split("\0")
|
34
|
-
s.files =
|
35
|
-
s.test_files =
|
36
|
-
s.executables =
|
35
|
+
s.files = %x(git ls-files).split("\n")
|
36
|
+
s.test_files = %x(git ls-files -- {test,spec,features}/*).split("\n")
|
37
|
+
s.executables = %x(git ls-files -- bin/*).split("\n").map { |f| File.basename(f) }
|
37
38
|
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: simp-beaker-helpers
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.33.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Chris Tessmer
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date:
|
12
|
+
date: 2024-06-06 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: beaker
|
@@ -20,7 +20,7 @@ dependencies:
|
|
20
20
|
version: 4.17.0
|
21
21
|
- - "<"
|
22
22
|
- !ruby/object:Gem::Version
|
23
|
-
version:
|
23
|
+
version: 7.0.0
|
24
24
|
type: :runtime
|
25
25
|
prerelease: false
|
26
26
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -30,21 +30,27 @@ dependencies:
|
|
30
30
|
version: 4.17.0
|
31
31
|
- - "<"
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version:
|
33
|
+
version: 7.0.0
|
34
34
|
- !ruby/object:Gem::Dependency
|
35
|
-
name: beaker-
|
35
|
+
name: beaker-docker
|
36
36
|
requirement: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
|
-
- - "
|
38
|
+
- - ">="
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version:
|
40
|
+
version: 0.8.3
|
41
|
+
- - "<"
|
42
|
+
- !ruby/object:Gem::Version
|
43
|
+
version: 3.0.0
|
41
44
|
type: :runtime
|
42
45
|
prerelease: false
|
43
46
|
version_requirements: !ruby/object:Gem::Requirement
|
44
47
|
requirements:
|
45
|
-
- - "
|
48
|
+
- - ">="
|
46
49
|
- !ruby/object:Gem::Version
|
47
|
-
version:
|
50
|
+
version: 0.8.3
|
51
|
+
- - "<"
|
52
|
+
- !ruby/object:Gem::Version
|
53
|
+
version: 3.0.0
|
48
54
|
- !ruby/object:Gem::Dependency
|
49
55
|
name: beaker-puppet
|
50
56
|
requirement: !ruby/object:Gem::Requirement
|
@@ -54,7 +60,7 @@ dependencies:
|
|
54
60
|
version: 1.18.14
|
55
61
|
- - "<"
|
56
62
|
- !ruby/object:Gem::Version
|
57
|
-
version:
|
63
|
+
version: 5.0.0
|
58
64
|
type: :runtime
|
59
65
|
prerelease: false
|
60
66
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -64,81 +70,81 @@ dependencies:
|
|
64
70
|
version: 1.18.14
|
65
71
|
- - "<"
|
66
72
|
- !ruby/object:Gem::Version
|
67
|
-
version:
|
73
|
+
version: 5.0.0
|
68
74
|
- !ruby/object:Gem::Dependency
|
69
|
-
name: beaker-
|
75
|
+
name: beaker-rspec
|
70
76
|
requirement: !ruby/object:Gem::Requirement
|
71
77
|
requirements:
|
72
|
-
- - "
|
73
|
-
- !ruby/object:Gem::Version
|
74
|
-
version: 0.8.3
|
75
|
-
- - "<"
|
78
|
+
- - "~>"
|
76
79
|
- !ruby/object:Gem::Version
|
77
|
-
version:
|
80
|
+
version: '8.0'
|
78
81
|
type: :runtime
|
79
82
|
prerelease: false
|
80
83
|
version_requirements: !ruby/object:Gem::Requirement
|
81
84
|
requirements:
|
82
|
-
- - "
|
83
|
-
- !ruby/object:Gem::Version
|
84
|
-
version: 0.8.3
|
85
|
-
- - "<"
|
85
|
+
- - "~>"
|
86
86
|
- !ruby/object:Gem::Version
|
87
|
-
version:
|
87
|
+
version: '8.0'
|
88
88
|
- !ruby/object:Gem::Dependency
|
89
|
-
name:
|
89
|
+
name: beaker-vagrant
|
90
90
|
requirement: !ruby/object:Gem::Requirement
|
91
91
|
requirements:
|
92
92
|
- - ">="
|
93
93
|
- !ruby/object:Gem::Version
|
94
|
-
version:
|
94
|
+
version: 0.6.4
|
95
95
|
- - "<"
|
96
96
|
- !ruby/object:Gem::Version
|
97
|
-
version:
|
97
|
+
version: 2.0.0
|
98
98
|
type: :runtime
|
99
99
|
prerelease: false
|
100
100
|
version_requirements: !ruby/object:Gem::Requirement
|
101
101
|
requirements:
|
102
102
|
- - ">="
|
103
103
|
- !ruby/object:Gem::Version
|
104
|
-
version:
|
104
|
+
version: 0.6.4
|
105
105
|
- - "<"
|
106
106
|
- !ruby/object:Gem::Version
|
107
|
-
version:
|
107
|
+
version: 2.0.0
|
108
108
|
- !ruby/object:Gem::Dependency
|
109
|
-
name:
|
109
|
+
name: docker-api
|
110
110
|
requirement: !ruby/object:Gem::Requirement
|
111
111
|
requirements:
|
112
112
|
- - ">="
|
113
113
|
- !ruby/object:Gem::Version
|
114
|
-
version:
|
114
|
+
version: 2.1.0
|
115
115
|
- - "<"
|
116
116
|
- !ruby/object:Gem::Version
|
117
|
-
version:
|
117
|
+
version: 3.0.0
|
118
118
|
type: :runtime
|
119
119
|
prerelease: false
|
120
120
|
version_requirements: !ruby/object:Gem::Requirement
|
121
121
|
requirements:
|
122
122
|
- - ">="
|
123
123
|
- !ruby/object:Gem::Version
|
124
|
-
version:
|
124
|
+
version: 2.1.0
|
125
125
|
- - "<"
|
126
126
|
- !ruby/object:Gem::Version
|
127
|
-
version:
|
127
|
+
version: 3.0.0
|
128
128
|
- !ruby/object:Gem::Dependency
|
129
129
|
name: highline
|
130
130
|
requirement: !ruby/object:Gem::Requirement
|
131
131
|
requirements:
|
132
|
-
- - "
|
132
|
+
- - ">="
|
133
133
|
- !ruby/object:Gem::Version
|
134
134
|
version: '2.0'
|
135
|
+
- - "<"
|
136
|
+
- !ruby/object:Gem::Version
|
137
|
+
version: 4.0.0
|
135
138
|
type: :runtime
|
136
139
|
prerelease: false
|
137
140
|
version_requirements: !ruby/object:Gem::Requirement
|
138
141
|
requirements:
|
139
|
-
- - "
|
142
|
+
- - ">="
|
140
143
|
- !ruby/object:Gem::Version
|
141
144
|
version: '2.0'
|
145
|
+
- - "<"
|
146
|
+
- !ruby/object:Gem::Version
|
147
|
+
version: 4.0.0
|
142
148
|
- !ruby/object:Gem::Dependency
|
143
149
|
name: nokogiri
|
144
150
|
requirement: !ruby/object:Gem::Requirement
|
@@ -153,7 +159,9 @@ dependencies:
|
|
153
159
|
- - "~>"
|
154
160
|
- !ruby/object:Gem::Version
|
155
161
|
version: '1.8'
|
156
|
-
description:
|
162
|
+
description: 'Beaker helper methods to help scaffold SIMP acceptance tests
|
163
|
+
|
164
|
+
'
|
157
165
|
email: simp@simp-project.org
|
158
166
|
executables: []
|
159
167
|
extensions: []
|
@@ -164,9 +172,6 @@ files:
|
|
164
172
|
- ".github/workflows.local.json"
|
165
173
|
- ".github/workflows/add_new_issue_to_triage_project.yml"
|
166
174
|
- ".github/workflows/pr_acceptance.yml"
|
167
|
-
- ".github/workflows/pr_glci.yml"
|
168
|
-
- ".github/workflows/pr_glci_cleanup.yml"
|
169
|
-
- ".github/workflows/pr_glci_manual.yml"
|
170
175
|
- ".github/workflows/pr_tests.yml"
|
171
176
|
- ".github/workflows/tag_deploy_rubygem.yml"
|
172
177
|
- ".gitignore"
|
@@ -247,7 +252,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
247
252
|
requirements:
|
248
253
|
- - ">="
|
249
254
|
- !ruby/object:Gem::Version
|
250
|
-
version: 2.
|
255
|
+
version: 2.7.0
|
251
256
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
252
257
|
requirements:
|
253
258
|
- - ">="
|
@@ -1,190 +0,0 @@
|
|
1
|
-
# Push/Trigger a GitLab CI pipeline for the PR HEAD, **ONLY IF:**
|
2
|
-
#
|
3
|
-
# 1. The .gitlab-ci.yaml file exists and validates
|
4
|
-
# 2. The PR submitter has write access to the target repository.
|
5
|
-
#
|
6
|
-
# ------------------------------------------------------------------------------
|
7
|
-
#
|
8
|
-
# NOTICE: **This file is maintained with puppetsync**
|
9
|
-
#
|
10
|
-
# This file is updated automatically as part of a puppet module baseline.
|
11
|
-
#
|
12
|
-
# The next baseline sync will overwrite any local changes to this file!
|
13
|
-
#
|
14
|
-
# ==============================================================================
|
15
|
-
#
|
16
|
-
# GitHub Action Secrets variables available for this pipeline:
|
17
|
-
#
|
18
|
-
# GitHub Secret variable Type Notes
|
19
|
-
# ------------------------ -------- ----------------------------------------
|
20
|
-
# GITLAB_API_PRIVATE_TOKEN Secure Should have `api` scope
|
21
|
-
# GITLAB_API_URL Optional
|
22
|
-
#
|
23
|
-
# The secure vars will be filtered in GitHub Actions log output, and aren't
|
24
|
-
# provided to untrusted builds (i.e, triggered by PR from another repository)
|
25
|
-
#
|
26
|
-
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
27
|
-
# WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
|
28
|
-
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!V!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
29
|
-
#
|
30
|
-
# DO NOT MODIFY this workflow, unless you **REALLY** know what you are doing.
|
31
|
-
#
|
32
|
-
# This workflow bypasses some of the built-in protections of the
|
33
|
-
# `pull_request_target` event by explicitly checking out the PR's **HEAD**.
|
34
|
-
# Without being VERY CAREFUL, this could easily allow a malcious PR
|
35
|
-
# contributor the chance to access secrets or a GITHUB_TOKEN with write scope!!
|
36
|
-
#
|
37
|
-
# The jobs in this workflow are designed to handle this safely -- but DO NOT
|
38
|
-
# assume any alterations will also be safe.
|
39
|
-
#
|
40
|
-
# For general information, see:
|
41
|
-
#
|
42
|
-
# https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target
|
43
|
-
#
|
44
|
-
# For further information, or if ANY of this seems confusing or unecessary:
|
45
|
-
#
|
46
|
-
# ASK FOR ASSISTANCE **BEFORE** ATTEMPTING TO MODIFY THIS WORKFLOW.
|
47
|
-
#
|
48
|
-
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
49
|
-
# WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
|
50
|
-
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!V!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
51
|
-
#
|
52
|
-
# https://docs.github.com/en/actions/reference/events-that-trigger-workflows
|
53
|
-
#
|
54
|
-
---
|
55
|
-
name: PR GLCI
|
56
|
-
on:
|
57
|
-
pull_request_target:
|
58
|
-
types: [opened, reopened, synchronize]
|
59
|
-
|
60
|
-
jobs:
|
61
|
-
|
62
|
-
# The ONLY reason we can validate the PR HEAD's content safely here is that
|
63
|
-
# we restrict ourselves to sending data elsewhere.
|
64
|
-
glci-syntax:
|
65
|
-
name: '.gitlab-ci.yml Syntax'
|
66
|
-
runs-on: ubuntu-latest
|
67
|
-
outputs:
|
68
|
-
valid: ${{ steps.validate-glci-file.outputs.valid }}
|
69
|
-
steps:
|
70
|
-
- uses: actions/checkout@v3
|
71
|
-
with:
|
72
|
-
repository: ${{ github.event.pull_request.head.repo.full_name }}
|
73
|
-
ref: ${{ github.event.pull_request.head.ref }}
|
74
|
-
- name: 'Validate GLCI file syntax'
|
75
|
-
id: validate-glci-file
|
76
|
-
uses: simp/github-action-gitlab-ci-syntax-check@main
|
77
|
-
with:
|
78
|
-
gitlab_api_private_token: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
|
79
|
-
gitlab_api_url: ${{ secrets.GITLAB_API_URL }} # https://gitlab.com/api/v4
|
80
|
-
|
81
|
-
contributor-permissions:
|
82
|
-
name: 'PR contributor check'
|
83
|
-
runs-on: ubuntu-latest
|
84
|
-
outputs:
|
85
|
-
permitted: ${{ steps.user-repo-permissions.outputs.permitted }}
|
86
|
-
steps:
|
87
|
-
- uses: actions/github-script@v6
|
88
|
-
id: user-repo-permissions
|
89
|
-
with:
|
90
|
-
github-token: ${{secrets.GITHUB_TOKEN}}
|
91
|
-
# See:
|
92
|
-
# - https://octokit.github.io/rest.js/
|
93
|
-
# - https://docs.github.com/en/free-pro-team@latest/rest/reference/repos#get-repository-permissions-for-a-user
|
94
|
-
script: |
|
95
|
-
const project_permission = await github.request('GET /repos/{owner}/{repo}/collaborators/{username}/permission', {
|
96
|
-
headers: {
|
97
|
-
accept: 'application/vnd.github.v3+json'
|
98
|
-
},
|
99
|
-
owner: context.repo.owner,
|
100
|
-
repo: context.repo.repo,
|
101
|
-
username: context.payload.sender.login,
|
102
|
-
})
|
103
|
-
const has_write_access = perm_lvl => (perm_lvl == "admin" || perm_lvl == "write" )
|
104
|
-
const write_access_desc = perm_bool => (perm_bool ? "PERMISSION OK" : "PERMISSION DENIED" )
|
105
|
-
if( has_write_access(project_permission.data.permission )){
|
106
|
-
core.setOutput( 'permitted', 'true' )
|
107
|
-
} else {
|
108
|
-
core.setOutput( 'permitted', 'false' )
|
109
|
-
console.log(`::error ::payload user '${context.payload.sender.login}' does not have CI trigger permission for '${context.repository}; not triggering external CI'`)
|
110
|
-
}
|
111
|
-
console.log(`== payload user '${context.payload.sender.login}' CI trigger permission for '${context.repo.owner}': ${write_access_desc(has_write_access(project_permission.data.permission))}`)
|
112
|
-
|
113
|
-
|
114
|
-
trigger-when-user-has-repo-permissions:
|
115
|
-
name: 'Trigger CI [trusted users only]'
|
116
|
-
needs: [ glci-syntax, contributor-permissions ]
|
117
|
-
# This conditional provides an extra safety control, in case the workflow's
|
118
|
-
# `on` section is inadventently modified without considering the security
|
119
|
-
# implications.
|
120
|
-
#
|
121
|
-
# This job will ONLY trigger on:
|
122
|
-
#
|
123
|
-
# - [x] pull_request_target event: github.event_name == 'pull_request_target'
|
124
|
-
# AND:
|
125
|
-
# - [x] Newly-opened PRs: github.event.action == 'opened'
|
126
|
-
# - [x] Re-opened PRs: github.event.action == 'reopened'
|
127
|
-
# - [x] Commits are added to PR: github.event.action == 'synchronize'
|
128
|
-
# AND:
|
129
|
-
# - [x] .gitlab-ci.yml exists/ok: needs.glci-syntax.outputs.valid == 'true'
|
130
|
-
#
|
131
|
-
# [Not implemented] It should NEVER trigger on:
|
132
|
-
#
|
133
|
-
# - [ ] Merged PRs: github.event.pull_request.merged == 'false'
|
134
|
-
# - (the downstream GitLab mirror will take care of that)
|
135
|
-
# - Not implemented: For some reason, this conditional always fails
|
136
|
-
# - Unnecessary if on>pull_request_target>types doesn't include 'closed'
|
137
|
-
if: github.event_name == 'pull_request_target' && ( github.event.action == 'opened' || github.event.action == 'reopened' || github.event.action == 'synchronize' ) && github.event.pull_request.merged != 'true' && needs.glci-syntax.outputs.valid == 'true' && needs.contributor-permissions.outputs.permitted == 'true'
|
138
|
-
runs-on: ubuntu-latest
|
139
|
-
steps:
|
140
|
-
# Things we'd like to do:
|
141
|
-
# - [ ] if there's no GitLab mirror, make one
|
142
|
-
# - [ ] if there's no GitLab <-> GitHub integration, make one
|
143
|
-
# - [ ] if there's no PR check on the main GitHub branch, make one (?)
|
144
|
-
# - [x] Cancel any GLCI pipelines already pending/running for this branch
|
145
|
-
# - "created|waiting_for_resource|preparing|pending|running"
|
146
|
-
# - Exception: don't cancel existing pipeline for our own commit
|
147
|
-
# - [x] if PR: force-push branch to GitLab
|
148
|
-
- uses: actions/checkout@v3
|
149
|
-
if: needs.contributor-permissions.outputs.permitted == 'true'
|
150
|
-
with:
|
151
|
-
clean: true
|
152
|
-
fetch-depth: 0 # Need full checkout to push to gitlab mirror
|
153
|
-
repository: ${{ github.event.pull_request.head.repo.full_name }}
|
154
|
-
ref: ${{ github.event.pull_request.head.ref }}
|
155
|
-
|
156
|
-
- name: Trigger CI when user has Repo Permissions
|
157
|
-
if: needs.contributor-permissions.outputs.permitted == 'true'
|
158
|
-
uses: simp/github-action-gitlab-ci-pipeline-trigger@v1
|
159
|
-
with:
|
160
|
-
git_branch: ${{ github.event.pull_request.head.ref }} # TODO check for/avoid protected branches?
|
161
|
-
git_hashref: ${{ github.event.pull_request.head.sha }}
|
162
|
-
gitlab_api_private_token: ${{ secrets.GITLAB_API_PRIVATE_TOKEN }}
|
163
|
-
gitlab_group: ${{ github.event.organization.login }}
|
164
|
-
github_repository: ${{ github.repository }}
|
165
|
-
github_repository_owner: ${{ github.repository_owner }}
|
166
|
-
|
167
|
-
- name: When user does NOT have Repo Permissions
|
168
|
-
if: needs.contributor-permissions.outputs.permitted == 'false'
|
169
|
-
continue-on-error: true
|
170
|
-
run: |
|
171
|
-
echo "Ending gracefully; Contributor $GITHUB_ACTOR does not have permission to trigger CI"
|
172
|
-
false
|
173
|
-
|
174
|
-
### examine_contexts:
|
175
|
-
### name: 'Examine Context contents'
|
176
|
-
### if: always()
|
177
|
-
### runs-on: ubuntu-latest
|
178
|
-
### needs: [ glci-syntax, contributor-permissions ]
|
179
|
-
### steps:
|
180
|
-
### - name: Dump contexts
|
181
|
-
### env:
|
182
|
-
### GITHUB_CONTEXT: ${{ toJson(github) }}
|
183
|
-
### run: echo "$GITHUB_CONTEXT"
|
184
|
-
### - name: Dump needs context
|
185
|
-
### env:
|
186
|
-
### ENV_CONTEXT: ${{ toJson(needs) }}
|
187
|
-
### run: echo "$ENV_CONTEXT"
|
188
|
-
### - name: Dump env vars
|
189
|
-
### run: env | sort
|
190
|
-
|