PI-2302 Switch to GitHub app for bootstrap workflow #4164

Merged: 1 commit, Aug 9, 2024
115 changes: 71 additions & 44 deletions .github/actions/create-signed-pull-request/action.yml
@@ -1,36 +1,25 @@
name: Create a signed pull request
description: Set up GPG commit verification, then create a pull request
description: Create a pull request with signed commits, using a GitHub app

inputs:
add-paths:
description: >
A comma or newline-separated list of file paths to commit.
Paths should follow git's pathspec syntax.
Defaults to adding all new and modified files.
description: A newline-separated list of file paths to commit. Paths should follow git's pathspec syntax.
body:
description: 'The body of the pull request.'
default: 'Automated changes by GitHub Actions workflow'
description: The body of the pull request. Defaults to "Automated changes by a GitHub Actions workflow.", with a link to the current run.
branch:
description: 'The pull request branch name.'
committer:
description: >
The committer name and email address in the format `Display Name <[email protected]>`.
Defaults to the GitHub Actions bot user.
default: 'probation-integration-bot <[email protected]>'
description: The pull request target branch name.
commit-message:
description: 'The message to use when committing changes.'
description: The message to use when committing changes.
labels:
description: 'A comma or newline separated list of labels.'
description: A comma or newline separated list of labels.
path:
description: >
Relative path under $GITHUB_WORKSPACE to the repository.
Defaults to $GITHUB_WORKSPACE.
private-key:
description: 'GPG private key exported as an ASCII armored version or its base64 encoding'
passphrase:
description: 'Passphrase of the GPG private key'
description: Relative path under $GITHUB_WORKSPACE to the repository. Defaults to $GITHUB_WORKSPACE.
token:
description: 'GITHUB_TOKEN or a `repo` scoped Personal Access Token (PAT)'
description: A GitHub app token
owner:
description: GitHub repository owner, defaults to current repository
repository:
description: GitHub repository name, defaults to current repository

outputs:
pull-request-number:
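Review bot: the new `branch` description ("The pull request target branch name") does not match how the input is used: in the run step it is the branch that is committed to, fetched and checked out before `gh pr create`, i.e. the head branch, while the base is left to the repository default. Suggest "The pull request head branch name." Also, dropping the `committer` input and the old "defaults to adding all new and modified files" behaviour for `add-paths` is a breaking change for callers: the new add loop stages only the listed paths, so with an empty `add-paths` nothing is committed, the branch is never pushed, and the later `git fetch origin "$branch"` fails. Consider marking `add-paths` `required: true` or restoring the default.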
@@ -39,36 +28,74 @@ outputs:
pull-request-url:
description: 'The URL of the pull request.'
value: ${{ steps.pr.outputs.pull-request-url }}
pull-request-operation:
description: 'The pull request operation performed by the action, `created`, `updated` or `closed`.'
value: ${{ steps.pr.outputs.pull-request-operation }}
pull-request-head-sha:
description: 'The commit SHA of the pull request branch.'
value: ${{ steps.pr.outputs.pull-request-head-sha }}

runs:
using: composite
steps:
- name: Setup GPG commit verification
uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
- name: Get working directory or default
run: echo "path=${path:-$GITHUB_WORKSPACE}" | tee -a "$GITHUB_ENV"
shell: bash
env:
path: ${{ inputs.path }}

- name: Get pull request body or default
run: echo "body=${body:-"Automated changes by a [GitHub Actions workflow]($url)."}" | tee -a "$GITHUB_ENV"
shell: bash
env:
body: ${{ inputs.body }}
url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}

- name: Get repository info
run: |
echo "owner=$(gh repo view "$(git remote get-url origin)" --json owner --jq .owner.login)" | tee -a "$GITHUB_ENV"
echo "repository=$(gh repo view "$(git remote get-url origin)" --json name --jq .name)" | tee -a "$GITHUB_ENV"
shell: bash
working-directory: ${{ env.path }}
env:
GITHUB_TOKEN: ${{ inputs.token }}

- name: Git add
run: |
while IFS= read -r add_path; do
if [ -n "$add_path" ]; then
echo Adding "$add_path"
git add "$add_path"
fi
done <<< "$add_paths"
git status
shell: bash
working-directory: ${{ env.path }}
env:
add_paths: ${{ inputs.add-paths }}

- name: Commit and push
uses: marcus-bcl/github-app-commit-action@main # using fork until PR is merged: https://github.com/dsanders11/github-app-commit-action/pull/23
with:
gpg_private_key: ${{ inputs.private-key }}
passphrase: ${{ inputs.passphrase }}
git_user_signingkey: true
git_commit_gpgsign: true
workdir: ${{ inputs.path }}
owner: ${{ env.owner }}
repository: ${{ env.repository }}
working-directory: ${{ env.path }}
ref: ${{ inputs.branch }}
fail-on-no-changes: false
message: ${{ inputs.commit-message }}
token: ${{ inputs.token }}

- name: Create pull request
id: pr
uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c #v6.1.0
with:
add-paths: ${{ inputs.add-paths }}
author: ${{ inputs.committer }}
base: main
body: ${{ inputs.body }}
run: |
git fetch origin "$branch"
git checkout "$branch"
url=$(gh pr create --title "$commit_message" --body "$body" --label "$labels")
echo "pull-request-url=$url" | tee -a "$GITHUB_OUTPUT"
echo "pull-request-number=$(gh pr view "$url" --json number --jq .number)" | tee -a "$GITHUB_OUTPUT"
echo "pull-request-head-sha=$(gh pr view "$url" --json headRefOid --jq .headRefOid)" | tee -a "$GITHUB_OUTPUT"
shell: bash
working-directory: ${{ env.path }}
env:
branch: ${{ inputs.branch }}
committer: ${{ inputs.committer }}
commit-message: ${{ inputs.commit-message }}
path: ${{ inputs.path }}
title: ${{ inputs.commit-message }}
token: ${{ inputs.token }}
body: ${{ env.body }}
commit_message: ${{ inputs.commit-message }}
labels: ${{ inputs.labels }}
GITHUB_TOKEN: ${{ inputs.token }}
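Review bot: `uses: marcus-bcl/github-app-commit-action@main` is a mutable ref on a fork, and this action runs with an app token that can write to several repositories; pin it to a full commit SHA (with a version comment, as the other `uses` lines in this PR do) until the upstream PR is merged, then move back to `dsanders11/github-app-commit-action` at a pinned release. Two logic points: the `owner` and `repository` inputs declared above are never read, because the "Get repository info" step always derives them from `git remote get-url origin` and the commit step reads `env.owner`/`env.repository`; either drop the inputs or use `${owner:-$(gh repo view ...)}` so a caller-supplied value wins. And `gh pr create` is called without `--base`, whereas the replaced step set `base: main`, so the base now defaults to the repository default branch; pass `--base` explicitly if `main` was intended. Minor: `--label "$labels"` accepts a comma-separated list but not the newline-separated form the `labels` description still permits, and writing `body` to `$GITHUB_ENV` with a single `echo` produces an invalid entry if a caller passes a multi-line body (use the `<<EOF` delimiter form).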
2 changes: 1 addition & 1 deletion .github/actions/format-code/action.yml
@@ -93,7 +93,7 @@ runs:

- name: Commit and push
if: inputs.dry == 'false'
uses: dsanders11/github-app-commit-action@48d2ff8c1a855eb15d16afa97ae12616456d7cbc # v1.4.0
uses: dsanders11/github-app-commit-action@5c7daabae956f8143277417996b26a173439e1b7 # v1.4.1
with:
fail-on-no-changes: false
message: ${{ inputs.commit_message }}
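Review bot: pinning to an upstream commit rather than a tag is the right choice; please confirm that `5c7daabae956f8143277417996b26a173439e1b7` is the commit the v1.4.1 tag points at in dsanders11/github-app-commit-action, since the trailing comment is the only thing a reader can check and a stale comment next to a pinned SHA is a common source of confusion later.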
80 changes: 39 additions & 41 deletions .github/workflows/bootstrap.yml
@@ -34,11 +34,6 @@ on:
default: true
required: true
type: boolean
create_ingress:
description: Will the service provide a HTTP API?
default: false
required: true
type: boolean
create_queue:
description: Will the service consume HMPPS domain event messages?
default: true
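Review bot: removing the `create_ingress` workflow input is fine in isolation, but any remaining `inputs.create_ingress` reference further down this workflow (not shown in the diff) will not fail: in Actions expressions an unknown input evaluates to an empty string, so a guard such as `if: inputs.create_ingress == 'true'` would silently become always-false. Please grep the workflow for the old input name before merging.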
@@ -71,9 +66,17 @@ jobs:
if: ${{ inputs.project_template != 'No template - I want to create the project from scratch' }}
runs-on: ubuntu-latest
steps:
- uses: actions/create-github-app-token@v1
id: app-token
with:
repositories: hmpps-probation-integration-services,hmpps-probation-integration-e2e-tests
app-id: ${{ secrets.BOT_APP_ID }}
private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}

- uses: actions/checkout@v4
with:
token: ${{ secrets.BOT_GITHUB_TOKEN }}
ref: main
token: ${{ steps.app-token.outputs.token }}

- name: Render project template
uses: ./.github/actions/render-project-template
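Review bot: `actions/create-github-app-token@v1` is referenced by a mutable major tag while the other actions touched in this PR are pinned to commit SHAs; pin this one too, since it is the step that handles the app private key. Scoping the installation token with `repositories:` to the two repositories the job writes to is good least-privilege practice; if the action version in use supports the `permission-*` inputs, restricting the token to `contents` and `pull-requests` write would narrow it further. Note also that installation tokens expire after one hour, which is fine for this job but worth keeping in mind if the step list grows.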
@@ -93,15 +96,14 @@ jobs:
projects/${{ inputs.project_name }}
branch: bootstrap/${{ inputs.project_name }}
commit-message: ${{ inputs.issue_number }} Create initial project for ${{ inputs.project_name }}
private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}
token: ${{ secrets.BOT_GITHUB_TOKEN }} # TODO replace these usages with app token signing, once https://github.com/peter-evans/create-pull-request/pull/3057 is released
token: ${{ steps.app-token.outputs.token }}

- uses: actions/checkout@v4
with:
ref: main
path: hmpps-probation-integration-e2e-tests
repository: ministryofjustice/hmpps-probation-integration-e2e-tests
token: ${{ secrets.BOT_GITHUB_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- name: Update e2e test repo
run: sed -i '/add new projects here/i \ - '"'"'["${{ inputs.project_name }}"]'"'"'' hmpps-probation-integration-e2e-tests/.github/workflows/test-single-project.yml
@@ -114,9 +116,7 @@ jobs:
add-paths: .github/workflows
branch: ${{ inputs.issue_number }}-create-${{ inputs.project_name }}-project
commit-message: ${{ inputs.issue_number }} Add option to run tests for ${{ inputs.project_name }}
private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}
token: ${{ secrets.BOT_GITHUB_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- name: Create issue for manual steps
run: |
@@ -254,27 +254,32 @@ jobs:
- id: project_name
run: echo "with_underscores_uppercase=$(echo '${{ inputs.project_name }}' | sed 's/-/_/g' | tr '[:lower:]' '[:upper:]')" | tee -a "$GITHUB_OUTPUT"

- uses: actions/checkout@v4
- uses: actions/create-github-app-token@v1
id: app-token
with:
token: ${{ secrets.BOT_GITHUB_TOKEN }}
repositories: cloud-platform-environments
app-id: ${{ secrets.BOT_EXTERNAL_REPOS_APP_ID }}
private-key: ${{ secrets.BOT_EXTERNAL_REPOS_APP_PRIVATE_KEY }}

- uses: actions/checkout@v4

- uses: actions/checkout@v4
with:
path: cloud-platform-environments-dev
repository: ministryofjustice/cloud-platform-environments
token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- uses: actions/checkout@v4
with:
path: cloud-platform-environments-preprod
repository: ministryofjustice/cloud-platform-environments
token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- uses: actions/checkout@v4
with:
path: cloud-platform-environments-prod
repository: ministryofjustice/cloud-platform-environments
token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- name: Render Terraform queue template
run: |
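Review bot: the current-repository checkout at the top of this hunk now runs with the default `GITHUB_TOKEN` (its `token:` line was removed) while only the cloud-platform-environments checkouts use the external-repos app token; that is the right split, just confirm that no later step in this job pushes to this repository with that checkout, since the default token may be read-only depending on the workflow's `permissions`. The app-token step is duplicated verbatim in the queue and infra jobs; that duplication is acceptable because an installation token should not be passed between jobs via outputs, but a short comment saying so would stop someone "tidying" it into a shared job later.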
@@ -299,9 +304,7 @@ jobs:
add-paths: namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-probation-integration-services-dev
branch: ${{ inputs.issue_number }}-create-${{ inputs.project_name }}-queue-dev
commit-message: ${{ inputs.issue_number }} Create SQS queues for ${{ inputs.project_name }} (dev)
private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}
token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- name: Create preprod pull request
id: preprod-pr
@@ -311,9 +314,7 @@ jobs:
add-paths: namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-probation-integration-services-preprod
branch: ${{ inputs.issue_number }}-create-${{ inputs.project_name }}-queue-preprod
commit-message: ${{ inputs.issue_number }} Create SQS queues for ${{ inputs.project_name }} (preprod)
private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}
token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- name: Create prod pull request
id: prod-pr
@@ -323,9 +324,7 @@ jobs:
add-paths: namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-probation-integration-services-prod
branch: ${{ inputs.issue_number }}-create-${{ inputs.project_name }}-queue-prod
commit-message: ${{ inputs.issue_number }} Create SQS queues for ${{ inputs.project_name }} (prod)
private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}
token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- name: Create issue for manual steps
run: |
@@ -351,27 +350,32 @@ jobs:
- id: project_name
run: echo "hash=$(echo -n '${{ inputs.project_name }}' | sha1sum | head -c 8)" | tee -a "$GITHUB_OUTPUT"

- uses: actions/checkout@v4
- uses: actions/create-github-app-token@v1
id: app-token
with:
token: ${{ secrets.BOT_GITHUB_TOKEN }}
repositories: cloud-platform-environments
app-id: ${{ secrets.BOT_EXTERNAL_REPOS_APP_ID }}
private-key: ${{ secrets.BOT_EXTERNAL_REPOS_APP_PRIVATE_KEY }}

- uses: actions/checkout@v4

- uses: actions/checkout@v4
with:
path: cloud-platform-environments-dev
repository: ministryofjustice/cloud-platform-environments
token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- uses: actions/checkout@v4
with:
path: cloud-platform-environments-preprod
repository: ministryofjustice/cloud-platform-environments
token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- uses: actions/checkout@v4
with:
path: cloud-platform-environments-prod
repository: ministryofjustice/cloud-platform-environments
token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- name: Add Pingdom check
run: sed -i '/add new projects here/i \ "${{ inputs.project_name }}",' 'cloud-platform-environments-prod/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-probation-integration-services-prod/resources/pingdom.tf'
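Review bot: pre-existing rather than introduced here, but `${{ inputs.project_name }}` is interpolated directly into `run:` shell commands in this hunk (the `sha1sum` step and the Pingdom `sed`), and the same pattern appears in the e2e and queue jobs. `workflow_dispatch` inputs are supplied by collaborators, so the exposure is limited, but the safe form is to pass the value through `env:` (for example `PROJECT_NAME: ${{ inputs.project_name }}`) and reference `"$PROJECT_NAME"` in the script, which is exactly what the new create-signed-pull-request action does for its own inputs. Worth fixing while the workflow is being reworked.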
@@ -390,9 +394,7 @@ jobs:
add-paths: namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-probation-integration-services-dev
branch: ${{ inputs.issue_number }}-create-${{ inputs.project_name }}-infra-dev
commit-message: ${{ inputs.issue_number }} Create certificate for ${{ inputs.project_name }} (dev)
private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}
token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- name: Create preprod pull request
id: preprod-pr
@@ -402,9 +404,7 @@ jobs:
add-paths: namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-probation-integration-services-preprod
branch: ${{ inputs.issue_number }}-create-${{ inputs.project_name }}-infra-preprod
commit-message: ${{ inputs.issue_number }} Create certificate for ${{ inputs.project_name }} (preprod)
private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}
token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- name: Create prod pull request
id: prod-pr
@@ -414,9 +414,7 @@ jobs:
add-paths: namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-probation-integration-services-prod
branch: ${{ inputs.issue_number }}-create-${{ inputs.project_name }}-infra-prod
commit-message: ${{ inputs.issue_number }} Create Pingdom check and certificate for ${{ inputs.project_name }} (prod)
private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}
token: ${{ secrets.BOT_GITHUB_EXTERNAL_REPOS_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- name: Create issue for manual steps
run: |
2 changes: 1 addition & 1 deletion .github/workflows/gradle.yml
@@ -50,7 +50,7 @@ jobs:
fi

- name: Commit and push
uses: marcus-bcl/github-app-commit-action@main # using fork while waiting for merge of https://github.com/dsanders11/github-app-commit-action/pull/20
uses: dsanders11/github-app-commit-action@5c7daabae956f8143277417996b26a173439e1b7 # v1.4.1
with:
fail-on-no-changes: false
force: true
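Review bot: moving from the fork's mutable `main` to an upstream commit SHA is the right direction; after this PR the only remaining `@main` reference is the same fork in `.github/actions/create-signed-pull-request/action.yml`, so the mutable-ref exposure is reduced but not removed. `force: true` is retained here, so the pinned upstream version must still support that input; the same v1.4.1 commit is pinned in format-code/action.yml, so behaviour should be consistent between the two callers.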