PSCE-408 feat: adds flags to set git provider information when interacting with the API (RedHatProductSecurity#217)

* feat: adds GitProviderFactory class

The GitProviderFactory class manages the creation
of the GitProvider based on input and default logic.

Signed-off-by: Jennifer Power <[email protected]>

* refactor: organizes arguments by groups

As the arguments list grows, grouping will make
understanding how to use and when to set much
clearer

Signed-off-by: Jennifer Power <[email protected]>

* feat: adds arguments for providing git provider type and url

Using flag option to add to logic Git provider group for
useful help messages

Signed-off-by: Jennifer Power <[email protected]>

* docs: updates README.md with supported Git provider information

Signed-off-by: Jennifer Power <[email protected]>

* fix: updates logic to throw error when no with-token flag is set

The logic was checking if with_token is None or empty which is
never true. This change updates the with-token flag to set to
true to evaluate if standard input should be read.

Signed-off-by: Jennifer Power <[email protected]>

* feat: adds an environment variable option for token

To simplify running locally in headless mode, an environment
variable would be suitable over piping to standard input. This
also simplifies the action entrypoint scripts.

Signed-off-by: Jennifer Power <[email protected]>

* docs: adds guidance in action files around the "github_token" input

Signed-off-by: Jennifer Power <[email protected]>

* fix: updates with-token flag to use const parameter

This returns the with-token flag to its original implementation
to avoid breaking changes, but uses the const instead of default parameter.
This will make sure sys.stdin is only set if the flag is present.

Signed-off-by: Jennifer Power <[email protected]>

* fix: updates entrypoint base to ignore empty target branch

Signed-off-by: Jennifer Power <[email protected]>

* docs: updates token input descriptions in actions files

Signed-off-by: Jennifer Power <[email protected]>

* docs: updates "update-actions-readmes" to handle newlines

Newlines in descriptions caused issues in table formatting

Signed-off-by: Jennifer Power <[email protected]>

* refactor: moves auto-detect logic to entrypoint base

All reusable input/output logic should be defined in
entrypoint_base.py for easier management and readability

Signed-off-by: Jennifer Power <[email protected]>

* docs: minor docstring grammar fixes

Signed-off-by: Jennifer Power <[email protected]>

* fix: updates load_provider_from_environment to use configured logger

Signed-off-by: Jennifer Power <[email protected]>

---------

Signed-off-by: Jennifer Power <[email protected]>
jpower432 authored May 9, 2024
1 parent 87242b9 commit 357937c
Showing 20 changed files with 354 additions and 180 deletions.
2 changes: 1 addition & 1 deletion CONTRIBUTING.md
Expand Up @@ -192,5 +192,5 @@ cat my-token.txt | podman secret create repo-secret -
4. Run the container

```bash
podman run --entrypoint /entrypoint.sh --secret repo-secret,type=env,target=GITHUB_TOKEN --env-file=envfile -v my-trestle-space:/data -w /data localhost:5000/trestlebot:latest
podman run --entrypoint /entrypoint.sh --secret repo-secret,type=env,target=TRESTLEBOT_REPO_ACCESS_TOKEN --env-file=envfile -v my-trestle-space:/data -w /data localhost:5000/trestlebot:latest
```
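
Review bot: The secret target in the `podman run` line changes from `GITHUB_TOKEN` to `TRESTLEBOT_REPO_ACCESS_TOKEN`, with no note on whether the old name is still honoured. Add a sentence under step 4 that names the old variable and states either that it is no longer read or that it remains a fallback, so contributors who followed the previous instructions know to recreate their command.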
7 changes: 5 additions & 2 deletions README.md
Expand Up @@ -37,9 +37,12 @@ Below is a table of the available commands and their current availability as a G

For detailed documentation on how to use each action, see the README.md in each folder under [actions](./actions/).

### Supported Continuous Integration Systems
### Supported Git Providers

- GitHub Actions
> Note: Only applicable if using `trestle-bot` to create pull requests. Automatically detecting the git
provider information is supported for GitHub Actions (GitHub) and GitLab CI (GitLab).

- GitHub
- GitLab

### Run as a Container
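
Review bot: The note under `### Supported Git Providers` says auto-detection works for GitHub Actions and GitLab CI but does not say what to do outside those two environments. Name the provider type and URL flags this commit adds (or link to their help text) in the note so a reader running elsewhere knows how to supply the provider. The second line of the note also lacks the leading `>`; it renders through lazy continuation, but prefixing it keeps the quote intact if the text is later rewrapped.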
2 changes: 1 addition & 1 deletion actions/autosync/README.md
Expand Up @@ -26,7 +26,7 @@ name: Example Workflow
| markdown_path | Path relative to the repository path where the Trestle markdown files are located. See action README.md for more information. | None | True |
| oscal_model | OSCAL Model type to assemble. Values can be catalog, profile, compdef, or ssp. | None | True |
| dry_run | Runs tasks without pushing changes to the repository. | false | False |
| github_token | GitHub token used to make authenticated API requests | None | False |
| github_token | "GitHub token used to make authenticated API requests. Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do not hardcode the token." | None | False |
| version | Version of the OSCAL model to set during assembly into JSON. | None | False |
| skip_assemble | Skip assembly task. Defaults to false | false | False |
| skip_regenerate | Skip regenerate task. Defaults to false. | false | False |
6 changes: 4 additions & 2 deletions actions/autosync/action.yml
Expand Up @@ -14,7 +14,9 @@ inputs:
required: false
default: "false"
github_token:
description: "GitHub token used to make authenticated API requests"
description: |
"GitHub token used to make authenticated API requests.
Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do not hardcode the token."
required: false
version:
description: "Version of the OSCAL model to set during assembly into JSON."
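
Review bot: In the `github_token` description, switching to a `description: |` block scalar makes the surrounding double quotes part of the string, which is why the regenerated README row now shows a quoted cell with `"secrets.GITHUB_TOKEN"` nested inside it. Drop the outer quotes under `|` and put the secret reference in backticks. The same description text appears in the create-cd, rules-transform and sync-upstreams action files.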
Expand Down Expand Up @@ -91,7 +93,7 @@ runs:
image: "../../Dockerfile"
entrypoint: "/auto-sync-entrypoint.sh"
env:
GITHUB_TOKEN: ${{ inputs.github_token }}
TRESTLEBOT_REPO_ACCESS_TOKEN: ${{ inputs.github_token }}

branding:
icon: "check"
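
Review bot: `TRESTLEBOT_REPO_ACCESS_TOKEN: ${{ inputs.github_token }}` is set unconditionally while the input is declared `required: false`, so the container receives an empty variable when no token is passed. The shell check that caught the empty case is removed elsewhere in this commit, so the code reading this variable should treat an empty string the same as unset and fail with a clear message when a pull request is requested.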
10 changes: 0 additions & 10 deletions actions/autosync/auto-sync-entrypoint.sh
Expand Up @@ -42,14 +42,4 @@ if [[ ${INPUT_VERBOSE} == true ]]; then
command+=" --verbose"
fi

# Only set the token value when is a target branch so pull requests can be created
if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
if [[ -z ${GITHUB_TOKEN} ]]; then
echo "Set the GITHUB_TOKEN env variable."
exit 1
fi

command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
fi

eval "${command}"
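
Review bot: Removing the `-z ${GITHUB_TOKEN}` guard drops the early exit for a target branch without a token, and nothing in this script replaces it. Dropping the `--with-token - <<<"${GITHUB_TOKEN}"` append is a good change, since the token value no longer ends up inside the string passed to `eval`; confirm the Python entrypoint now reports the missing token before any git work starts, and cover that path with a test.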
2 changes: 1 addition & 1 deletion actions/create-cd/README.md
Expand Up @@ -33,7 +33,7 @@ name: Example Workflow
| component_description | Description of the component to create | None | True |
| filter_by_profile | Name of the profile in the workspace to filter controls by | None | False |
| dry_run | Runs tasks without pushing changes to the repository. | false | False |
| github_token | GitHub token used to make authenticated API requests | None | False |
| github_token | "GitHub token used to make authenticated API requests. Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do not hardcode the token." | None | False |
| commit_message | Commit message | Sync automatic updates | False |
| pull_request_title | Custom pull request title | Automatic updates from trestlebot | False |
| branch | Name of the Git branch to which modifications should be pushed. Required if Action is used on the `pull_request` event. | ${{ github.ref_name }} | False |
6 changes: 4 additions & 2 deletions actions/create-cd/action.yml
Expand Up @@ -30,7 +30,9 @@ inputs:
required: false
default: "false"
github_token:
description: "GitHub token used to make authenticated API requests"
description: |
"GitHub token used to make authenticated API requests.
Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do not hardcode the token."
required: false
commit_message:
description: Commit message
Expand Down Expand Up @@ -89,7 +91,7 @@ runs:
image: "../../Dockerfile"
entrypoint: "/create-cd-entrypoint.sh"
env:
GITHUB_TOKEN: ${{ inputs.github_token }}
TRESTLEBOT_REPO_ACCESS_TOKEN: ${{ inputs.github_token }}

branding:
icon: "check"
10 changes: 0 additions & 10 deletions actions/create-cd/create-cd-entrypoint.sh
Expand Up @@ -36,14 +36,4 @@ if [[ ${INPUT_DRY_RUN} == true ]]; then
command+=" --dry-run"
fi

# Only set the token value when is a target branch so pull requests can be created
if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
if [[ -z ${GITHUB_TOKEN} ]]; then
echo "Set the GITHUB_TOKEN env variable."
exit 1
fi

command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
fi

eval "${command}"
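
Review bot: The last line still runs `eval "${command}"` on a string assembled with `command+=`, so any input value appended earlier in the script is parsed by the shell a second time. With the token no longer spliced in, this is a good moment to build `command` as a bash array and run `"${command[@]}"` instead; the same applies to the other three entrypoint scripts.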
2 changes: 1 addition & 1 deletion actions/rules-transform/README.md
Expand Up @@ -34,7 +34,7 @@ With custom rules directory:
| --- | --- | --- | --- |
| rules_view_path | Path relative to the repository path where the Trestle rules view files are located. Defaults to `rules/`. | rules/ | False |
| dry_run | Runs tasks without pushing changes to the repository. | false | False |
| github_token | GitHub token used to make authenticated API requests | None | False |
| github_token | "GitHub token used to make authenticated API requests. Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do not hardcode the token." | None | False |
| skip_items | Comma-separated glob patterns list of content by Trestle name to skip during task execution. For example `compdef_x,compdef_y*,`. | None | False |
| commit_message | Commit message | Sync automatic updates | False |
| pull_request_title | Custom pull request title | Automatic updates from trestlebot | False |
6 changes: 4 additions & 2 deletions actions/rules-transform/action.yml
Expand Up @@ -12,7 +12,9 @@ inputs:
required: false
default: "false"
github_token:
description: "GitHub token used to make authenticated API requests"
description: |
"GitHub token used to make authenticated API requests.
Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do not hardcode the token."
required: false
skip_items:
description: "Comma-separated glob patterns list of content by Trestle name to skip during task execution. For example `compdef_x,compdef_y*,`."
Expand Down Expand Up @@ -74,7 +76,7 @@ runs:
image: "../../Dockerfile"
entrypoint: "/rules-transform-entrypoint.sh"
env:
GITHUB_TOKEN: ${{ inputs.github_token }}
TRESTLEBOT_REPO_ACCESS_TOKEN: ${{ inputs.github_token }}

branding:
icon: "check"
11 changes: 0 additions & 11 deletions actions/rules-transform/rules-transform-entrypoint.sh
Expand Up @@ -31,15 +31,4 @@ if [[ ${INPUT_DRY_RUN} == true ]]; then
command+=" --dry-run"
fi


# Only set the token value when is a target branch so pull requests can be created
if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
if [[ -z ${GITHUB_TOKEN} ]]; then
echo "Set the GITHUB_TOKEN env variable."
exit 1
fi

command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
fi

eval "${command}"
2 changes: 1 addition & 1 deletion actions/sync-upstreams/README.md
Expand Up @@ -24,7 +24,7 @@ name: Example Workflow
| --- | --- | --- | --- |
| sources | A newline separated list of upstream sources to sync with a repo@branch format. For example, `https://github.com/myorg/myprofiles@main` | None | True |
| dry_run | Runs tasks without pushing changes to the repository. | false | False |
| github_token | GitHub token used to make authenticated API requests | None | False |
| github_token | "GitHub token used to make authenticated API requests. Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do not hardcode the token." | None | False |
| include_model_names | Comma-separated glob pattern list of model names (i.e. trestle directory name) to include in the sync. For example, `*framework-v2`. Defaults to include all model names. | None | False |
| exclude_model_names | Comma-separated glob pattern of model names (i.e. trestle directory name) to exclude from the sync. For example, `*framework-v1`. Defaults to skip no model names. | None | False |
| skip_validation | Skip validation of the upstream OSCAL content. Defaults to false | false | False |
6 changes: 4 additions & 2 deletions actions/sync-upstreams/action.yml
Expand Up @@ -11,7 +11,9 @@ inputs:
required: false
default: "false"
github_token:
description: "GitHub token used to make authenticated API requests"
description: |
"GitHub token used to make authenticated API requests.
Note: You should use a defined secret like "secrets.GITHUB_TOKEN" in your workflow file, do not hardcode the token."
required: false
include_model_names:
description: "Comma-separated glob pattern list of model names (i.e. trestle directory name) to include in the sync. For example, `*framework-v2`. Defaults to include all model names."
Expand Down Expand Up @@ -80,7 +82,7 @@ runs:
image: "../../Dockerfile"
entrypoint: "/sync-upstreams-entrypoint.sh"
env:
GITHUB_TOKEN: ${{ inputs.github_token }}
TRESTLEBOT_REPO_ACCESS_TOKEN: ${{ inputs.github_token }}

branding:
icon: "check"
10 changes: 0 additions & 10 deletions actions/sync-upstreams/sync-upstreams-entrypoint.sh
Expand Up @@ -39,14 +39,4 @@ if [[ ${INPUT_SKIP_VALIDATION} == true ]]; then
command+=" --skip-validation"
fi

# Only set the token value when is a target branch so pull requests can be created
if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
if [[ -z ${GITHUB_TOKEN} ]]; then
echo "Set the GITHUB_TOKEN env variable."
exit 1
fi

command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
fi

eval "${command}"
13 changes: 11 additions & 2 deletions scripts/update_action_readmes.py
Expand Up @@ -48,18 +48,27 @@ def generate_inputs_markdown_table(inputs: Dict[str, Any]) -> str:
"""Generate the Action Inputs markdown table"""
table = "| Name | Description | Default | Required |\n| --- | --- | --- | --- |\n"
for name, input in inputs.items():
table += f"| {name} | {input.get('description', None)} | {input.get('default', None)} | {input.get('required', None)} |\n" # noqa E501
if input_description := input.get('description', None):
input_description = format_descriptions(input_description)
table += f"| {name} | {input_description} | {input.get('default', None)} | {input.get('required', None)} |\n" # noqa E501
return table


def generate_outputs_markdown_table(outputs: Dict[str, Any]) -> str:
"""Generate the Action Outputs markdown table"""
table = "| Name | Description |\n| --- | --- |\n"
for name, output in outputs.items():
table += f"| {name} | {output.get('description', None)} |\n"
if output_description := output.get('description', None):
output_description = format_descriptions(output_description)
table += f"| {name} | {output_description} |\n"
return table


def format_descriptions(description: str) -> str:
"""Ensure descriptions are a single line."""
return " ".join(description.splitlines())


def replace(all_content: str, start: str, end: str, new_content: str) -> str:
"""Replace the content between start (plus a new line) and end with new_content"""
start_line = all_content.find(start)
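
Review bot: `format_descriptions` only folds newlines, so a `|` character inside a description would still split the table cell in both `generate_inputs_markdown_table` and `generate_outputs_markdown_table`. Escape it as `\|` in the same helper, and add a unit test that feeds a multi-line description through `generate_inputs_markdown_table` to pin the single-line output.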
34 changes: 0 additions & 34 deletions tests/trestlebot/entrypoints/test_autosync.py
Expand Up @@ -136,37 +136,3 @@ def test_invalid_working_dir(valid_args_dict: Dict[str, str], caplog: Any) -> No
and "Root path . is not a valid trestle project root" in record.message
for record in caplog.records
)


@patch(
"trestlebot.entrypoints.log.configure_logger",
Mock(side_effect=configure_test_logger),
)
def test_with_target_branch(
tmp_trestle_dir: str, valid_args_dict: Dict[str, str], caplog: Any
) -> None:
"""Test with target branch set an an unsupported Git provider"""
args_dict = valid_args_dict

args_dict["target-branch"] = "main"
args_dict["working-dir"] = tmp_trestle_dir

# Patch is_github_actions since these tests will be running in
# GitHub Actions
with patch(
"trestlebot.entrypoints.entrypoint_base.is_github_actions"
) as mock_check, patch("sys.argv", ["trestlebot", *args_dict_to_list(args_dict)]):
mock_check.return_value = False

with pytest.raises(SystemExit, match="2"):
cli_main()

assert any(
record.levelno == logging.ERROR
and "Invalid args --target-branch: target-branch flag is set with an "
"unset git provider. To test locally, set the GITHUB_ACTIONS or GITLAB_CI environment variable."
in record.message
for record in caplog.records
)

mock_check.assert_called_once()
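
Review bot: `test_with_target_branch` is deleted with no replacement in this file, which removes the only visible assertion that `--target-branch` with an undetected git provider exits with code 2 and logs an error. Since the commit message says the auto-detect logic moved to `entrypoint_base.py`, add or point to an equivalent test there that covers the unset-provider path and the new explicit provider flags.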