-
Notifications
You must be signed in to change notification settings - Fork 17
202 lines (181 loc) · 8.46 KB
/
mercury_bot.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
name: OWNERS PR Check
# Checks OWNERS file additions and modifications submitted by mercury-bot on a
# partner's behalf, typically in response to a partner updating their project
# metadata.
#
# Automatically approves modifications mercury-bot makes. Sanity checks
# net-new OWNERS files to ensure their addition does not conflict with
# existing locks.
on:
pull_request_target:
types: [opened, synchronize, reopened, edited, ready_for_review, labeled]
paths:
- charts/partners/**/OWNERS
jobs:
owners-file-check:
name: OWNERS file PR checker
runs-on: ubuntu-20.04
if: github.event.pull_request.draft == false && github.actor == 'redhat-mercury-bot'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Python 3.x Part 1
uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: Set up Python 3.x Part 2
run: |
# set up python
python3 -m venv ve1
cd scripts
../ve1/bin/pip3 install -r requirements.txt
../ve1/bin/pip3 install .
cd ..
- name: get files changed
id: get_files_changed
env:
BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
run: |
# get files in PR
./ve1/bin/pr-artifact --api-url=${{ github.event.pull_request._links.self.href }} \
--get-files
- name: check if only an OWNERS file is pushed
id: check_for_owners
env:
pr_files_py: "${{ steps.get_files_changed.outputs.pr_files }}"
run: |
# check if PR contains just one partner OWNERS file
pr_files=($(echo "$pr_files_py" | tr -d '[],'))
echo "Files in PR: ${pr_files[@]}"
eval first_file=${pr_files[0]}
if [ ${#pr_files[@]} == 1 ]; then
eval first_file=${pr_files[0]}
if [[ $first_file == "charts/partners/"*/*"/OWNERS" ]] ; then
echo "An OWNERS file has been modified or added"
echo "merge_pr=true" | tee -a $GITHUB_OUTPUT
else
echo "The file in the PR is not a partner OWNERS file"
echo "merge_pr=false" | tee -a $GITHUB_OUTPUT
echo "msg=ERROR: PR does not include a partner OWNERS file." >> $GITHUB_OUTPUT
fi
else
echo "The PR contains multiple files."
echo "msg=ERROR: PR contains multiple files." >> $GITHUB_OUTPUT
echo "merge_pr=false" | tee -a $GITHUB_OUTPUT
fi
# We know that only one file was modified at this point, and it seems
# mergeable. Determine if that file was created or modified here.
#
# This step only checks the first file for its modification type!
- name: Determine if net-new OWNERS file
id: populate-file-mod-type
if: ${{ steps.check_for_owners.outputs.merge_pr == 'true' }}
uses: actions/github-script@v6
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const resp = await github.rest.pulls.listFiles({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number,
});
const ownersFile = resp.data[0];
console.log(`Modified file "${ownersFile.filename} has a status of ${ownersFile.status}`);
console.log(`setting output: net-new-owners-file=${ownersFile.status == 'added'}`);
core.setOutput('net-new-owners-file', ownersFile.status == 'added');
- name: Add category/organization/chart-name from modified file to GITHUB_OUTPUT
id: gather-metadata
env:
API_URL: ${{ github.event.pull_request._links.self.href }}
BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
run: |
./ve1/bin/extract-metadata-from-pr \
--emit-to-github-output \
${{ env.API_URL }}
# Only used to assert content of the OWNERS file.
- name: Checkout Pull Request
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
token: ${{ secrets.BOT_TOKEN }}
fetch-depth: 0
path: "pr-branch"
# TODO: Implemented as a shell script temporarily. Future enhancement
# would re-use some existing logic that we have for the Red Hat OWNERS
# check, and build something similar for general use.
- name: Ensure OWNERS content and path content align
working-directory: "pr-branch"
id: fact-check
run: |
file=$(echo ${{ steps.get_files_changed.outputs.pr_files }} | yq .0)
owner_contents_chart_name=$(yq '.chart.name' ${file})
owner_contents_vendor_label=$(yq '.vendor.label' ${file})
echo "Chart Name Comparison: ${owner_contents_chart_name} = ${{ steps.gather-metadata.outputs.chart-name }}"
echo "Vendor Label Comparison: ${owner_contents_vendor_label} = ${{ steps.gather-metadata.outputs.organization }}"
test "${owner_contents_chart_name}" = "${{ steps.gather-metadata.outputs.chart-name }}"
test "${owner_contents_vendor_label}" = "${{ steps.gather-metadata.outputs.organization }}"
- name: Comment on PR if facts are mismatched
id: comment-if-fact-check-failure
if: failure() && steps.fact-check.outcome == 'failure'
run: |
gh pr comment ${{ github.event.number }} --body "${{ env.COMMENT_BODY }}"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COMMENT_BODY: |
### Submission Facts Mismatch
The content of the OWNERS file and your submission path do not seem to match. Double check that
your vendor label and chart name values in your OWNERS file match with your submission path.
_This comment was auto-generated by [GitHub Actions](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})._
- name: Check if chart name is locked
id: determine-lock-status
uses: ./.github/actions/check-chart-locks
with:
chart-name: ${{ steps.gather-metadata.outputs.chart-name }}
fail-workflow-if-locked: 'false'
# Do not merge net-new OWNERS files for locked chart names. Allow a
# modification to an existing file. The mercury-bot periodically updates
# this file as users make changes to their project settings.
- name: Determine if should merge and is safe to merge
id: safe-to-merge
run: |
echo "OWNERS file is net new: ${{ steps.populate-file-mod-type.outputs.net-new-owners-file }}"
echo "Chart name is already locked: ${{ steps.determine-lock-status.outputs.chart-is-locked }}"
echo "merge_pr=${{ steps.populate-file-mod-type.outputs.net-new-owners-file == 'false' || (steps.populate-file-mod-type.outputs.net-new-owners-file == 'true' && steps.determine-lock-status.outputs.chart-is-locked == 'false') }}" | tee -a $GITHUB_OUTPUT
- name: Comment on PR
if: ${{ steps.check_for_owners.outputs.merge_pr == 'false' }}
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
var issue_number = ${{ github.event.number }};
var comment = "${{ steps.check_for_owners.outputs.msg }}";
github.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: Number(issue_number),
body: comment
});
- name: Reflect on check for OWNERS file result
if: |
steps.check_for_owners.outputs.merge_pr == 'false'
|| steps.safe-to-merge.outputs.merge_pr == 'false'
run: |
echo "::error: The PR was not for a single partner OWNERS file, or was for a chart name locked to another contributor"
exit 1
- name: Approve PR
id: approve_pr
if: |
steps.check_for_owners.outputs.merge_pr == 'true'
&& steps.safe-to-merge.outputs.merge_pr == 'true'
uses: hmarr/auto-approve-action@v3
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Merge PR
id: merge_pr
if: ${{ steps.approve_pr.conclusion == 'success' }}
uses: pascalgn/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
MERGE_METHOD: squash
MERGE_LABELS: ""