.github/workflows/build.yml

name: CI

on:
  pull_request_target:
    types: [opened, synchronize, reopened, edited, ready_for_review, labeled]

jobs:
  chart-certification:
    name: Chart Certification
    runs-on: ubuntu-22.04
    if: |
      github.event.pull_request.draft == false &&
      (github.event.action != 'labeled' || github.event.label.name == 'force-publish') &&
      github.actor != 'redhat-mercury-bot'
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Set up Python 3.x Part 1
        uses: actions/setup-python@v2
        with:
          python-version: "3.9"

      - name: Set up Python 3.x Part 2
        run: |
          # set up python
          python3 -m venv ve1
          cd scripts && ../ve1/bin/pip3 install -r requirements.txt && cd ..
          cd scripts && ../ve1/bin/python3 setup.py install && cd ..

      - name: Check for CI changes
        id: check_ci_changes
        env:
          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
        run: |
          # check if workflow testing should run.
          echo "[INFO] check if PR contains only workflow changes and user is authorized"
          ve1/bin/check-pr-for-ci --verify-user=${{ github.event.pull_request.user.login }} --api-url=${{ github.event.pull_request._links.self.href }}

      - name: Check if PR created as part of release process
        id: check_created_release_pr
        if: ${{ steps.check_ci_changes.outputs.run-tests != true }}
        env:
          BOT_NAME: ${{ secrets.BOT_NAME }}
          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
        run: |
          # check if PR was created as part of release processing
          ./ve1/bin/release-checker --api-url=${{ github.event.pull_request._links.self.href }} \
                                    --sender='${{ github.event.sender.login }}' \
                                    --pr_branch='${{ github.event.pull_request.head.ref }}' \
                                    --pr_body="${{ github.event.pull_request.body }}" \
                                    --pr_base_repo='${{ github.event.pull_request.base.repo.full_name }}' \
                                    --pr_head_repo='${{ github.event.pull_request.head.repo.full_name }}'

      - name: Exit if build not required
        id: check_build_required
        env:
          RUN_TESTS: ${{ steps.check_ci_changes.outputs.run-tests }}
          NOT_CI_AUTHORIZED: ${{ steps.check_ci_changes.outputs.workflow-only-but-not-authorized }}
          NO_CODE_TO_BUILD: ${{ steps.check_ci_changes.outputs.do-not-build }}
          DEV_PR_FOR_RELEASE: ${{ steps.check_created_release_pr.outputs.dev_release_branch }}
          CHARTS_PR_FOR_RELEASE: ${{ steps.check_created_release_pr.outputs.charts_release_branch }}
        run: |
          # exit if build not required
          if [ "${RUN_TESTS}" == "true" ] || [ "${NOT_CI_AUTHORIZED}" == "true" ]; then
            echo "The PR is workflow changes only - do not continue."
            exit 0
          elif [ "${NO_CODE_TO_BUILD}" == "true" ]; then
            echo "The PR does not contain changes which need build or test."
            exit 0
          elif [ "${DEV_PR_FOR_RELEASE}" == "true" ]; then
            echo "The PR is part of release processing for the development repository - do not continue."
          elif [ "${CHART_PR_FOR_RELEASE}" == "true" ]; then
            echo "The PR is part of release processing for the charts repository - do not continue."
          else
            echo "run-build=true" >> $GITHUB_OUTPUT
          fi

      - name: Set Environment
        id: set-env
        run: |
          #set environment based on repository
          if [ $GITHUB_REPOSITORY == "openshift-helm-charts/charts" ]; then
            echo "Use latest verifier image"
            echo "verifier-action-image=latest" >> $GITHUB_OUTPUT
          else
            echo "Use dev verifier image"
            echo "verifier-action-image=0.1.0" >> $GITHUB_OUTPUT
          fi
          echo "insecure_skip_tls_verify=true" >> $GITHUB_OUTPUT

      - name: Checkout
        if: ${{ steps.check_build_required.outputs.run-build == 'true' }}
        uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          path: "pr-branch"

      - name: Check PR Content
        id: check_pr_content
        if: ${{ steps.check_build_required.outputs.run-build == 'true' }}
        continue-on-error: true
        env:
          GITHUB_REF: ${{ github.ref }}
          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
        run: |
          INDEX_BRANCH=$(if [ "${GITHUB_REF}" = "refs/heads/main" ]; then echo "refs/heads/gh-pages"; else echo "${GITHUB_REF}-gh-pages"; fi)
           ./ve1/bin/check-pr-content --index-branch=${INDEX_BRANCH} --repository=${{ github.repository }} --api-url=${{ github.event.pull_request._links.self.href }}

      - name: Add 'content-ok' label
        uses: actions/github-script@v3
        if: ${{ steps.check_pr_content.outcome == 'success'}}
        continue-on-error: true
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          script: |
            github.issues.addLabels({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              labels: ['content-ok']
            })

      - name: Remove 'content-ok' label
        uses: actions/github-script@v3
        if: ${{ steps.check_pr_content.outcome == 'failure' && contains( github.event.pull_request.labels.*.name, 'content-ok') }}
        continue-on-error: true
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          script: |
            github.issues.removeLabel({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              name: 'content-ok'
            })

      - name: Reflect on PR Content check
        if: ${{ steps.check_pr_content.outcome == 'failure'}}
        run: |
          echo "The 'PR Content check' step has failed."
          exit 1

      - name: Remove 'authorized-request' label from PR
        uses: actions/github-script@v3
        if: ${{ steps.check_build_required.outputs.run-build == 'true' && contains( github.event.pull_request.labels.*.name, 'authorized-request') }}
        continue-on-error: true
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            var issue_number = ${{ github.event.number }};
            github.issues.removeLabel({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: Number(issue_number),
              name: 'authorized-request'
            })

      - name: install chart verifier for action
        uses: redhat-actions/openshift-tools-installer@v1
        with:
          source: github
          skip_cache: true
          chart-verifier: ${{ steps.set-env.outputs.verifier-action-image }}

      - name: determine verify requirements
        if: ${{ steps.check_build_required.outputs.run-build == 'true' }}
        id: verify_requires
        env:
          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
        working-directory: ./pr-branch
        run: |
          ../ve1/bin/get-verify-params --directory=pr --api-url=${{ github.event.pull_request._links.self.href }}

      - name: Install oc
        if: ${{ steps.verify_requires.outputs.cluster_needed == 'true' }}
        uses: redhat-actions/openshift-tools-installer@v1
        with:
          oc: latest

      - name: Set cluster login params
        id: login-params
        if: ${{ steps.verify_requires.outputs.cluster_needed == 'true' }}
        run: |
          #calculate cluster params
          API_SERVER=$( echo -n ${{ secrets.API_SERVER }} | base64 -d)
          echo "API_SERVER=${API_SERVER}" >> $GITHUB_OUTPUT

      - uses: redhat-actions/oc-login@v1
        id: oc_login
        if: ${{ steps.verify_requires.outputs.cluster_needed == 'true' }}
        with:
          openshift_server_url: ${{ steps.login-params.outputs.API_SERVER }}
          openshift_token: ${{ secrets.CLUSTER_TOKEN }}
          insecure_skip_tls_verify: ${{ steps.set-env.outputs.insecure_skip_tls_verify }}

      - name: create service account
        id: create_service_account
        if: ${{ steps.verify_requires.outputs.cluster_needed == 'true' }}
        env:
          API_SERVER: ${{ steps.login-params.outputs.API_SERVER }}
          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
        run: |
          ve1/bin/sa-for-chart-testing --create charts-${{ github.event.number }} --token token.txt --server ${API_SERVER}
          echo "delete_namespace=true" >> $GITHUB_OUTPUT
          echo $KUBECONFIG

      - uses: redhat-actions/chart-verifier@v1.1
        id: run-verifier
        if: ${{ steps.verify_requires.outputs.report_needed == 'true' }}
        with:
            chart_uri: ${{ steps.verify_requires.outputs.verify_uri }}
            verify_args: ${{ steps.verify_requires.outputs.verify_args }}
            report_type: all
            fail: false

      - name: check-verifier-result
        id: check-verifier-result
        if: ${{ always() && steps.run-verifier.outcome == 'failure' }}
        run: |
          error_message="The chart verifier returned an error when trying to obtain a verification report for the chart."
          echo "verifier_error_message=$error_message" >> $GITHUB_OUTPUT

      - name: Check Report
        id: check_report
        if: ${{ steps.check_build_required.outputs.run-build == 'true' }}
        env:
          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
          VENDOR_TYPE: ${{ steps.check_pr_content.outputs.category }}
          WEB_CATALOG_ONLY: ${{ steps.check_pr_content.outputs.webCatalogOnly }}
          REPORT_GENERATED: ${{ steps.verify_requires.outputs.report_needed }}
          GENERATED_REPORT_PATH: ${{ steps.run-verifier.outputs.report_file }}
          REPORT_SUMMARY_PATH: ${{ steps.run-verifier.outputs.report_info_file }}
          WORKFLOW_WORKING_DIRECTORY: "../pr"
        run: |
          cd pr-branch
          ../ve1/bin/chart-pr-review --directory=../pr --verify-user=${{ github.event.pull_request.user.login }} --api-url=${{ github.event.pull_request._links.self.href }}
          cd ..

      - name: Delete Namespace
        if: ${{ always() && steps.oc_login.conclusion == 'success' }}
        env:
          KUBECONFIG: /tmp/ci-kubeconfig
        run: |
          API_SERVER=$( echo -n ${{ secrets.API_SERVER }} | base64 -d)
          oc login --token=${{ secrets.CLUSTER_TOKEN }} --server=${API_SERVER} --insecure-skip-tls-verify=${{ steps.set-env.outputs.insecure_skip_tls_verify }}
          ve1/bin/sa-for-chart-testing --delete charts-${{ github.event.number }}

      - name: Save PR artifact
        env:
          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
        if: ${{ always() && steps.check_build_required.outputs.run-build == 'true' }}
        run: |
          ve1/bin/pr-artifact --directory=./pr --pr-number=${{ github.event.number }} --api-url=${{ github.event.pull_request._links.self.href }}

      - name: Prepare PR comment
        id: pr_comment
        if: ${{ always() && steps.check_build_required.outputs.run-build == 'true' }}
        env:
          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
          PR_CONTENT_ERROR_MESSAGE: ${{ steps.check_pr_content.outputs.pr-content-error-message }}
          OWNERS_ERROR_MESSAGE: ${{ steps.check_pr_content.outputs.owners-error-message }}
          COMMUNITY_MANUAL_REVIEW: ${{ steps.check_report.outputs.community_manual_review_required }}
          OC_INSTALL_RESULT: ${{ steps.install-oc.conclusion }}
          VERIFIER_ERROR_MESSAGE: ${{ steps.check-verifier-result.outputs.verifier_error_message }}
        run: |
          ve1/bin/pr-comment ${{ steps.check_pr_content.outcome }} ${{ steps.run-verifier.outcome }} ${{ steps.check_report.conclusion }}

      - name: Comment on PR
        if: ${{ always() && steps.check_build_required.outputs.run-build == 'true' }}
        uses: actions/github-script@v3
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            var fs = require('fs');
            var issue_number = ${{ github.event.number }};
            var comment = fs.readFileSync('./pr/comment', {encoding:'utf8', flag:'r'});
            github.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: Number(issue_number),
              body: comment
            });

      - name: Add 'authorized-request' label to PR
        if: ${{ always() && steps.check_pr_content.outcome == 'success' && steps.run-verifier.outcome != 'failure' && steps.check_build_required.outputs.run-build == 'true' }}
        uses: actions/github-script@v3
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            var fs = require('fs');
            var issue_number = ${{ github.event.number }};
            var vendor_label = fs.readFileSync('./pr/vendor');
            var chart_name = fs.readFileSync('./pr/chart');
            if (vendor_label.toString() !== "" && chart_name.toString() !== "") {
              github.issues.addLabels({
                issue_number: Number(issue_number),
                owner: context.repo.owner,
                repo: context.repo.repo,
                labels: ['authorized-request']
            })};

      - name: Approve PR
        id: approve_pr
        if: ${{ steps.check_report.conclusion == 'success' }}
        uses: hmarr/auto-approve-action@v2
        with:
          github-token: ${{ secrets.BOT_TOKEN }}

      - name: Merge PR
        id: merge_pr
        if: ${{ steps.approve_pr.conclusion == 'success' }}
        uses: pascalgn/automerge-action@v0.13.1
        env:
          GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}
          MERGE_METHOD: squash
          MERGE_LABELS: ""

      - name: Check for PR merge
        if: ${{ steps.check_build_required.outputs.run-build == 'true' }}
        env:
          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
        run: |
          ./ve1/bin/check-auto-merge --api-url=${{ github.event.pull_request._links.self.href }}

      - name: Block until there is no running workflow
        if: ${{ steps.check_build_required.outputs.run-build == 'true' }}
        uses: softprops/turnstyle@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Configure Git
        if: ${{ steps.check_build_required.outputs.run-build == 'true' }}
        run: |
          git config --global user.name "github-actions[bot]"
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"

      - name: Release Charts
        if: ${{ steps.check_build_required.outputs.run-build == 'true' }}
        env:
          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITHUB_REF: ${{ github.ref }}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
          REPORT_CONTENT: ${{steps.check_report.outputs.report_content}}
          CHART_ENTRY_NAME: ${{ steps.check_pr_content.outputs.chart-entry-name }}
          CHART_NAME_WITH_VERSION: ${{ steps.check_pr_content.outputs.chart-name-with-version }}
          REDHAT_TO_COMMUNITY: ${{ steps.check_report.outputs.redhat_to_community }}
          WEB_CATALOG_ONLY: ${{ steps.check_pr_content.outputs.webCatalogOnly }}
        id: release-charts
        run: |
          tar zxvf ./scripts/dependencies/helm-chart-releaser/chart-releaser_1.2.0_linux_amd64.tar.gz
          sudo cp -f cr /usr/local/bin/cr
          INDEX_BRANCH=$(if [ "${GITHUB_REF}" = "refs/heads/main" ]; then echo "refs/heads/gh-pages"; else echo "${GITHUB_REF}-gh-pages"; fi)
          CWD=`pwd`
          cd pr-branch
          ../ve1/bin/chart-repo-manager --repository=${{ github.repository }} --index-branch=${INDEX_BRANCH} --api-url=${{ github.event.pull_request._links.self.href }} --pr-number=${{ github.event.number }}
          cd ${CWD}

      - name: Release
        if: ${{ steps.release-charts.outputs.tag != '' }}
        uses: softprops/action-gh-release@v0.1.12
        continue-on-error: true
        with:
          tag_name: ${{ steps.release-charts.outputs.tag }}
          files: |
              ${{ steps.release-charts.outputs.report_file }}
              ${{ steps.release-charts.outputs.public_key_file }}
          fail_on_unmatched_files: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Add metrics
        if: ${{ always() && steps.check_build_required.outputs.run-build == 'true' && env.GITHUB_REPOSITORY != 'openshift-helm-charts/sandbox' }}
        env:
          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
        run: |
          if [ $GITHUB_REPOSITORY == "openshift-helm-charts/charts" ]; then
              WRITE_KEY=${{ secrets.SEGMENT_WRITE_KEY }}
              ID_PREFIX="helm-metric-pr"
              echo "Use segment production write key"
          else
              WRITE_KEY=${{ secrets.SEGMENT_TEST_WRITE_KEY }}
              ID_PREFIX="helm-test-metric-pr"
              echo "Use segment test write key"
          fi

          if [ "${WRITE_KEY}" != "" ]; then
              echo "add PR run metric"
              ve1/bin/metrics --write-key="${WRITE_KEY}" \
                              --metric-type="pull_request" \
                              --message-file="${{ steps.pr_comment.outputs.message-file }}" \
                              --pr-number="${{ github.event.number }}" \
                              --pr-action="${{ github.event.action }}" \
                              --repository="${GITHUB_REPOSITORY}" \
                              --prefix="${ID_PREFIX}" \
                              --pr_dir="./pr-branch"
          else
              echo "Do not collect metrics, required segment write key is not set"
          fi