grept #172
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: grept | |
| on: | |
| schedule: | |
| - cron: '43 0 * * 0' | |
| workflow_dispatch: | |
| inputs: | |
| query: | |
| description: '(Optional) GitHub search query for repos in the Azure organization' | |
| type: string | |
| required: false | |
| default: null | |
| permissions: | |
| issues: write | |
| jobs: | |
| getrepos: | |
| name: get repos | |
| runs-on: ubuntu-latest | |
| env: | |
| query: "terraform-azurerm-avm-" | |
| outputs: | |
| repoarray: ${{ steps.graphql.outputs.repoarray }} | |
| steps: | |
| - name: query GitHub graphql API | |
| id: graphql # TODO replace with CSV output when ready | |
| run: | | |
| RESULT=$(gh api graphql --paginate -f query='query { | |
| search(query: "${{ inputs.query || env.query }} user:azure", type: REPOSITORY, first: 100) { | |
| repositoryCount | |
| edges { | |
| node { | |
| ... on Repository { | |
| name | |
| } | |
| } | |
| } | |
| } | |
| }') | |
| NUMREPOS=$(echo $RESULT | jq '.data.search.repositoryCount') | |
| echo "Number of repos found: $NUMREPOS" | |
| REPOARRAY=$(echo $RESULT | jq -c '.data.search.edges | [.[].node.name]') | |
| echo repoarray="$REPOARRAY" | |
| echo repoarray="$REPOARRAY" >> "$GITHUB_OUTPUT" | |
| env: | |
| GH_TOKEN: ${{ secrets.USER_PAT }} | |
| governance: | |
| name: governance | |
| runs-on: ubuntu-latest | |
| needs: getrepos | |
| env: | |
| GITHUB_USER: matt-FFFFFF | |
| GREPT_CONFIG: "git::https://github.com/Azure/Azure-Verified-Modules-Grept.git//terraform" | |
| outputs: | |
| result: ${{ steps.set-output.outputs.result }} | |
| strategy: | |
| max-parallel: 2 | |
| matrix: | |
| repo: ${{ fromJson(needs.getrepos.outputs.repoarray) }} | |
| exclude: | |
| - repo: "terraform-azurerm-avm-template" | |
| fail-fast: false | |
| steps: | |
| - name: set env result=success | |
| run: | | |
| echo 'result=success' >> "$GITHUB_ENV" | |
| - name: checkout remote | |
| id: checkout | |
| run: | | |
| git clone "https://${{ env.GITHUB_USER }}:${{ secrets.USER_PAT }}@github.com/Azure/${{ matrix.repo }}.git" | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: grept apply and auto remediate | |
| run: | | |
| echo "==> Checking code repository with grept against ${{ env.GREPT_CONFIG }}..." | |
| docker run --pull always --rm -v "$(pwd)":/src -w /src -e OVERRIDE_GITHUB_REPOSITORY="$OVERRIDE_GITHUB_REPOSITORY" -e OVERRIDE_GITHUB_REPOSITORY_OWNER="$OVERRIDE_GITHUB_REPOSITORY_OWNER" mcr.microsoft.com/azterraform:latest /usr/local/go/bin/grept apply --auto "${{ env.GREPT_CONFIG }}" | |
| working-directory: ${{ matrix.repo }} | |
| env: | |
| OVERRIDE_GITHUB_REPOSITORY: Azure/${{ matrix.repo }} | |
| OVERRIDE_GITHUB_REPOSITORY_OWNER: Azure | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: avm pre-commit | |
| run: | | |
| ./avm pre-commit | |
| working-directory: ${{ matrix.repo }} | |
| continue-on-error: true | |
| env: | |
| OVERRIDE_GITHUB_REPOSITORY: Azure/${{ matrix.repo }} | |
| OVERRIDE_GITHUB_REPOSITORY_OWNER: Azure | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: detect changes | |
| id: changes | |
| run: | | |
| if [[ -z $(git status -s) ]]; then | |
| echo "No changes detected" | |
| echo 'detected=false' >> "$GITHUB_OUTPUT" | |
| exit 0 | |
| fi | |
| echo "Changes detected" | |
| echo 'detected=true' >> "$GITHUB_OUTPUT" | |
| working-directory: ${{ matrix.repo }} | |
| - name: commit changes to branch and push to origin | |
| if: steps.changes.outputs.detected == 'true' | |
| run: | | |
| git config --global user.email "github-actions[bot]@users.noreply.github.com" | |
| git config --global user.name "github-actions[bot]" | |
| BRANCH="grept-apply-$(date +%s)" | |
| echo "branch=$BRANCH" >> "$GITHUB_ENV" | |
| git checkout -b "$BRANCH" | |
| git add . | |
| git commit -m "fix: grept apply" | |
| git push --set-upstream origin "$BRANCH" | |
| working-directory: ${{ matrix.repo }} | |
| - name: create PR body | |
| if: steps.changes.outputs.detected == 'true' | |
| id: prbody | |
| run: | | |
| tee prbody.md <<EOF | |
| ## Repository governance update | |
| This PR was automatically created by the AVM Team hive-mind using the [grept](https://github.com/Azure/grept) governance tool. | |
| We have detected that some files need updating to meet the AVM governance standards. | |
| Please review and merge with alacrity. | |
| Grept config source: \`${{ env.GREPT_CONFIG }}\` | |
| Thanks! The AVM team :heart: | |
| EOF | |
| working-directory: ${{ matrix.repo }} | |
| - name: show body | |
| if: steps.changes.outputs.detected == 'true' | |
| run: | | |
| echo "Displaying PR body:" | |
| cat prbody.md | |
| working-directory: ${{ matrix.repo }} | |
| - name: create pull request | |
| if: steps.changes.outputs.detected == 'true' | |
| id: pr | |
| run: | | |
| PR_URL=$(gh pr create --title "chore: repository governance" --body-file prbody.md) | |
| echo pull-request-number=$(gh pr view $PR_URL --json number | jq -r '.number') >> "$GITHUB_OUTPUT" | |
| env: | |
| GH_TOKEN: ${{ secrets.USER_PAT }} | |
| working-directory: ${{ matrix.repo }} | |
| - name: close and comment out of date prs | |
| if: steps.changes.outputs.detected == 'true' | |
| run: | | |
| PULL_REQUESTS=$(gh pr list --search "chore: repository governance" --json number,headRefName) | |
| echo "$PULL_REQUESTS" | jq -r '.[] | select(.number != ${{ steps.pr.outputs.pull-request-number }}) | .number' | xargs -I {} gh pr close {} --delete-branch --comment "Supersceeded by #${{ steps.pr.outputs.pull-request-number }}" | |
| env: | |
| GH_TOKEN: ${{ secrets.USER_PAT }} | |
| working-directory: ${{ matrix.repo }} | |
| - name: set env result=failure | |
| if: ${{ failure() }} | |
| run: | | |
| echo 'result=failed' >> "$GITHUB_ENV" | |
| if [ ! -z "${{ env.branch }}" ]; then | |
| git push origin --delete "${{ env.branch }}" | |
| fi | |
| working-directory: ${{ matrix.repo }} | |
| - name: set output | |
| if: ${{ always() }} | |
| id: set-output | |
| run: | | |
| echo "result=${{ env.result }}" >> "$GITHUB_OUTPUT" | |
| - name: sleep for rate limit | |
| if: ${{ always() }} | |
| id: sleep | |
| run: sleep 30 | |
| report: | |
| name: report | |
| runs-on: ubuntu-latest | |
| needs: governance | |
| if: ${{ failure() }} | |
| steps: | |
| - name: raise issue | |
| run: | | |
| ## BLOCKED on matrix outputs: https://github.com/actions/runner/pull/2477 | |
| ## gh issue create --repo ${{ github.repository }} --title "Repository governance failure" --body "The following repositories failed governance checks:\n\n```json\n${{ toJSON(join(needs.governance.outputs)) }}\n```\n" | |
| gh issue create --repo ${{ github.repository }} --assignee matt-FFFFFF --title "Repository governance failure" --body "The following repositories failed governance checks: <${{ github.server_url}}/${{ github.repository }}/actions/runs/${{ github.run_id}}>" | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |