Skip to content

grept

grept #147

Workflow file for this run

---
name: grept
on:
schedule:
- cron: '43 0 * * 0'
workflow_dispatch:
inputs:
query:
description: '(Optional) GitHub search query for repos in the Azure organization'
type: string
required: false
default: null
permissions:
issues: write
jobs:
getrepos:
name: get repos
runs-on: ubuntu-latest
env:
query: "terraform-azurerm-avm-"
outputs:
repoarray: ${{ steps.graphql.outputs.repoarray }}
steps:
- name: query GitHub graphql API
id: graphql # TODO replace with CSV output when ready
run: |
RESULT=$(gh api graphql --paginate -f query='query {
search(query: "${{ inputs.query || env.query }} user:azure", type: REPOSITORY, first: 100) {
repositoryCount
edges {
node {
... on Repository {
name
}
}
}
}
}')
NUMREPOS=$(echo $RESULT | jq '.data.search.repositoryCount')
echo "Number of repos found: $NUMREPOS"
REPOARRAY=$(echo $RESULT | jq -c '.data.search.edges | [.[].node.name]')
echo repoarray="$REPOARRAY"
echo repoarray="$REPOARRAY" >> "$GITHUB_OUTPUT"
env:
GH_TOKEN: ${{ secrets.USER_PAT }}
governance:
name: governance
runs-on: ubuntu-latest
needs: getrepos
env:
GITHUB_USER: matt-FFFFFF
GREPT_CONFIG: "git::https://github.com/Azure/Azure-Verified-Modules-Grept.git//terraform"
outputs:
result: ${{ steps.set-output.outputs.result }}
strategy:
max-parallel: 2
matrix:
repo: ${{ fromJson(needs.getrepos.outputs.repoarray) }}
exclude:
- repo: "terraform-azurerm-avm-template"
fail-fast: false
steps:
- name: set env result=success
run: |
echo 'result=success' >> "$GITHUB_ENV"
- name: checkout remote
id: checkout
run: |
git clone "https://${{ env.GITHUB_USER }}:${{ secrets.USER_PAT }}@github.com/Azure/${{ matrix.repo }}.git"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: grept apply and auto remediate
run: |
echo "==> Checking code repository with grept against ${{ env.GREPT_CONFIG }}..."
docker run --pull always --rm -v "$(pwd)":/src -w /src -e OVERRIDE_GITHUB_REPOSITORY="$OVERRIDE_GITHUB_REPOSITORY" -e OVERRIDE_GITHUB_REPOSITORY_OWNER="$OVERRIDE_GITHUB_REPOSITORY_OWNER" mcr.microsoft.com/azterraform:latest /usr/local/go/bin/grept apply --auto "${{ env.GREPT_CONFIG }}"
working-directory: ${{ matrix.repo }}
env:
OVERRIDE_GITHUB_REPOSITORY: Azure/${{ matrix.repo }}
OVERRIDE_GITHUB_REPOSITORY_OWNER: Azure
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: avm pre-commit
run: |
./avm pre-commit
working-directory: ${{ matrix.repo }}
continue-on-error: true
env:
OVERRIDE_GITHUB_REPOSITORY: Azure/${{ matrix.repo }}
OVERRIDE_GITHUB_REPOSITORY_OWNER: Azure
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: detect changes
id: changes
run: |
if [[ -z $(git status -s) ]]; then
echo "No changes detected"
echo 'detected=false' >> "$GITHUB_OUTPUT"
exit 0
fi
echo "Changes detected"
echo 'detected=true' >> "$GITHUB_OUTPUT"
working-directory: ${{ matrix.repo }}
- name: commit changes to branch and push to origin
if: steps.changes.outputs.detected == 'true'
run: |
git config --global user.email "github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"
BRANCH="grept-apply-$(date +%s)"
echo "branch=$BRANCH" >> "$GITHUB_ENV"
git checkout -b "$BRANCH"
git add .
git commit -m "fix: grept apply"
git push --set-upstream origin "$BRANCH"
working-directory: ${{ matrix.repo }}
- name: create PR body
if: steps.changes.outputs.detected == 'true'
id: prbody
run: |
tee prbody.md <<EOF
## Repository governance update
This PR was automatically created by the AVM Team hive-mind using the [grept](https://github.com/Azure/grept) governance tool.
We have detected that some files need updating to meet the AVM governance standards.
Please review and merge with alacrity.
Grept config source: \`${{ env.GREPT_CONFIG }}\`
Thanks! The AVM team :heart:
EOF
working-directory: ${{ matrix.repo }}
- name: show body
if: steps.changes.outputs.detected == 'true'
run: |
echo "Displaying PR body:"
cat prbody.md
working-directory: ${{ matrix.repo }}
- name: create pull request
if: steps.changes.outputs.detected == 'true'
id: pr
run: |
PR_URL=$(gh pr create --title "chore: repository governance" --body-file prbody.md)
echo pull-request-number=$(gh pr view $PR_URL --json number | jq -r '.number') >> "$GITHUB_OUTPUT"
env:
GH_TOKEN: ${{ secrets.USER_PAT }}
working-directory: ${{ matrix.repo }}
- name: close and comment out of date prs
if: steps.changes.outputs.detected == 'true'
run: |
PULL_REQUESTS=$(gh pr list --search "chore: repository governance" --json number,headRefName)
echo "$PULL_REQUESTS" | jq -r '.[] | select(.number != ${{ steps.pr.outputs.pull-request-number }}) | .number' | xargs -I {} gh pr close {} --delete-branch --comment "Supersceeded by #${{ steps.pr.outputs.pull-request-number }}"
env:
GH_TOKEN: ${{ secrets.USER_PAT }}
working-directory: ${{ matrix.repo }}
- name: set env result=failure
if: ${{ failure() }}
run: |
echo 'result=failed' >> "$GITHUB_ENV"
if [ ! -z "${{ env.branch }}" ]; then
git push origin --delete "${{ env.branch }}"
fi
working-directory: ${{ matrix.repo }}
- name: set output
if: ${{ always() }}
id: set-output
run: |
echo "result=${{ env.result }}" >> "$GITHUB_OUTPUT"
- name: sleep for rate limit
if: ${{ always() }}
id: sleep
run: sleep 30
report:
name: report
runs-on: ubuntu-latest
needs: governance
if: ${{ failure() }}
steps:
- name: raise issue
run: |
## BLOCKED on matrix outputs: https://github.com/actions/runner/pull/2477
## gh issue create --repo ${{ github.repository }} --title "Repository governance failure" --body "The following repositories failed governance checks:\n\n```json\n${{ toJSON(join(needs.governance.outputs)) }}\n```\n"
gh issue create --repo ${{ github.repository }} --assignee matt-FFFFFF --title "Repository governance failure" --body "The following repositories failed governance checks: <${{ github.server_url}}/${{ github.repository }}/actions/runs/${{ github.run_id}}>"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}