This repository has been archived by the owner on Aug 25, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 138
164 lines (150 loc) · 6.59 KB
/
pin_downstream.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
name: "Pin: Downstream: 2nd party"
# TODO 3rd party will be based off ActivityPub
# - References
# - RFCv5.1: IETF SCITT: Use Case: Attestations of alignment to S2C2F and org Overlays: https://github.com/ietf-scitt/use-cases/blob/a832905e3c428fd54b1c08d4851801383eac91a6/openssf_metrics.md#use-case-attestations-of-alignment-to-s2c2f-and-org-overlays
on:
pull_request_target:
types:
- opened
- synchronize
- reopened
branches:
- main
push:
branches:
- main
permissions:
contents: read
jobs:
manifest:
runs-on: ubuntu-latest
# Disabled currently
if: false
outputs:
length: ${{ steps.create-manifest-instance.outputs.length }}
manifest: ${{ steps.create-manifest-instance.outputs.github_actions_manifest }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
egress-policy: audit
- name: Set up Python
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: "3.11"
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Build manifest from plugins.json from pull request
id: create-manifest-instance
env:
PLUGINS_JSON: "dffml/plugins.json"
SCHEMA: "TODO-dffml-2ndparty-pin"
JSON_INDENT: " "
shell: python -u {0}
run: |
import os
import json
import pathlib
plugins = json.loads(pathlib.Path(os.environ["PLUGINS_JSON"]).read_text())
manifest = plugins["plugins"]["parties"]["2nd"]
# SECURITY Allowlist of 2nd party orgs to pin
for downstream in manifest:
if not downstream["source_url"].startswith("https://github.com/dffml/"):
raise ValueError(f"source_url not in allowed org: {downstream!r}")
github_actions_manifest = {
"include": manifest,
}
json_ld_manifest = {
"@context": {
"@vocab": os.environ["SCHEMA"],
},
**github_actions_manifest,
}
print(json.dumps(json_ld_manifest, sort_keys=True, indent=os.environ.get("JSON_INDENT", None)))
if "GITHUB_OUTPUT" in os.environ:
with open(os.environ["GITHUB_OUTPUT"], "a") as fileobj:
fileobj.write(f'length={len(manifest)}\n')
fileobj.write(f"manifest={json.dumps(manifest, sort_keys=True)}\n")
fileobj.write(f'github_actions_manifest={json.dumps(github_actions_manifest, sort_keys=True)}\n')
fileobj.write(f'json_ld_manifest={json.dumps(json_ld_manifest, sort_keys=True)}\n')
pin_downstream_pep_440:
permissions:
contents: write # for Git to git push
name: "Pin downstream to latest commit"
runs-on: ubuntu-latest
# Disabled currently
if: false
env:
PIN_PULL_REQUEST_EMAIL: '[email protected]'
PIN_PULL_REQUEST_NAME: 'Alice Alchemy'
GH_ACCESS_TOKEN: ${{ secrets.PIN_DOWNSTREAM_2ND_PARTY_GH_ACCESS_TOKEN }}
PIN_TO_COMMIT: ${{ github.event.after || github.event.pull_request.head.sha }}
UPSTREAM_PACKAGE_NAME: 'dffml'
BUMP_DEP: "dffml @ https://github.com/intel/dffml/archive/"
needs:
- manifest
strategy:
fail-fast: false
max-parallel: 100
matrix: ${{ fromJSON(needs.manifest.outputs.manifest) }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
egress-policy: audit
- name: Checkout downstream
env:
# TODO Pull requests on pull requests, probably from renovate/dependabot
# https://github.com/intel/dffml/pull/1061#pullrequestreview-1281885921
TARGET_REPO_URL: ${{ matrix.source_url }}
TARGET_BRANCH: ${{ matrix.branch }}
TARGET_COMMIT: ${{ matrix.branch }}
run: |
set -x
git init
git remote add origin "${TARGET_REPO_URL}"
git fetch origin "${TARGET_BRANCH}" --depth 1
git fetch origin "${TARGET_COMMIT}" --depth 1
git reset --hard "origin/${TARGET_COMMIT}"
- name: Find repo local dependent files
id: repo-local-downstream
run: |
set -x
get_files() {
git grep "${BUMP_DEP}" | sed -e 's/:.*//g' | sort | uniq
}
echo files_length=$(get_files | wc -l) >> $GITHUB_OUTPUT
- name: Update pinning of upstream within downstream
if: ${{ fromJSON(steps.repo-local-downstream.outputs.files_length) > 0 }}
id: create-pull-request
env:
NEW_HASH: ${{ env.PIN_TO_COMMIT }}
COMMIT_MESSAGE: "setup: Pin ${{ env.UPSTREAM_PACKAGE_NAME }} to ${{ env.PIN_TO_COMMIT }}\n${{ github.event.pull_request.html_url }}\n${{ github.server_url }}/${{ github.repository }}/commit/${{ env.PIN_TO_COMMIT }}\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
NEW_BRANCH_WITH_PIN: "pin/pep_440/${{ github.repository }}/${{ env.PIN_TO_COMMIT }}"
FILES: ${{ toJSON(steps.repo-local-downstream.outputs.files) }}
BASE: ${{ matrix.branch }}
run: |
set -x
get_files() {
git grep "${BUMP_DEP}" | sed -e 's/:.*//g' | sort | uniq
}
# https://github.com/dffml/dffml-model-transformers/blob/898af4a51d9b5d70d58ce80ba2c508f3afa82400/setup.cfg#L6
sed -i -r -e "s#${BUMP_DEP}[A-Fa-f0-9]{40}#${BUMP_DEP}${NEW_HASH}#g" $(get_files)
git checkout -b "${NEW_BRANCH_WITH_PIN}"
git config user.email "${PIN_PULL_REQUEST_EMAIL}"
git config user.name "${PIN_PULL_REQUEST_NAME}"
git commit -sam "${COMMIT_MESSAGE}"
git log -n 1 -p
mkdir -p ~/.config/gh/
echo "github.com:" > ~/.config/gh/hosts.yml
echo " oauth_token: ${GH_ACCESS_TOKEN}" >> ~/.config/gh/hosts.yml
echo " user: token" >> ~/.config/gh/hosts.yml
echo " git_protocol: https" >> ~/.config/gh/hosts.yml
gh auth setup-git
git push -u origin -f "${NEW_BRANCH_WITH_PIN}"
gh pr create --base "${BASE}" --head "${NEW_BRANCH_WITH_PIN}" --title "${COMMIT_MESSAGE}" --body "" | tee pull-request-url
PULL_REQUEST_URL="$(cat pull-request-url)"
if [[ "x${PULL_REQUEST_URL}" == "x" ]]; then
echo "No pull request URL" 1>&2
exit 1
fi
echo "url=${PULL_REQUEST_URL}" | tee -a $GITHUB_OUTPUT