-
Notifications
You must be signed in to change notification settings - Fork 296
180 lines (161 loc) · 7.12 KB
/
dry-run.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
# This workflow executes a dry-run of the sync-team tool after a push to any pull request.
# This allows us to see which changes would be applied to live services after the PR
# would be merged.
#
# The workflow uses the `workflow_run` trigger, which should always run in the default branch of
# this repository. This is required so that the workflow has permissions to post PR comments.
# We should not check out any code from the PR, as it could present a security hazard.
# Instead, we simply download a GitHub artifact with a directory of JSON files and use that as
# input for sync-team.
# This artifact is created and uploaded on PR pushes using the CI workflow in `main.yml`.
# Details about `workflow_run`:
# https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow_run:
name: sync-team dry-run
on:
workflow_run:
workflows: [ CI ]
types:
- completed
jobs:
dry-run:
runs-on: ubuntu-latest
if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request' }}
concurrency:
# Only run this once at a time on any given PR
group: dry-run-${{ github.event.workflow_run.head_branch }}
cancel-in-progress: true
permissions:
pull-requests: write
steps:
- uses: actions/checkout@v4
with:
repository: rust-lang/sync-team
persist-credentials: false
- name: Install Rust Stable
run: |
rustc -vV
rustup update stable
rustup default stable
rustc -vV
# Pinning a specific version to avoid surprises
- uses: Swatinem/rust-cache@27b8ea9368cf428f0bfe41b0876b1a7e809d9844
- name: Download built JSON API
uses: actions/download-artifact@v4
with:
name: team-api-output
path: team-api
run-id: ${{ github.event.workflow_run.id }}
github-token: ${{ secrets.GITHUB_TOKEN }}
# GitHub tokens generated from GitHub Apps can access resources from one organization,
# so we need to generate a token for each organization.
- name: Generate GitHub token (rust-lang)
uses: actions/create-github-app-token@v1
id: rust-lang-token
with:
# GitHub App ID secret name
app-id: ${{ secrets.SYNC_TEAM_GH_APP_ID }}
# GitHub App private key secret name
private-key: ${{ secrets.SYNC_TEAM_GH_APP_PRIVATE_KEY }}
# Set the owner, so the token can be used in all repositories
owner: rust-lang
- name: Generate GitHub token (rust-lang-ci)
uses: actions/create-github-app-token@v1
id: rust-lang-ci-token
with:
app-id: ${{ secrets.SYNC_TEAM_GH_APP_ID }}
private-key: ${{ secrets.SYNC_TEAM_GH_APP_PRIVATE_KEY }}
owner: rust-lang-ci
- name: Generate GitHub token (rust-lang-deprecated)
uses: actions/create-github-app-token@v1
id: rust-lang-deprecated-token
with:
app-id: ${{ secrets.SYNC_TEAM_GH_APP_ID }}
private-key: ${{ secrets.SYNC_TEAM_GH_APP_PRIVATE_KEY }}
owner: rust-lang-deprecated
- name: Generate GitHub token (rust-lang-nursery)
uses: actions/create-github-app-token@v1
id: rust-lang-nursery-token
with:
app-id: ${{ secrets.SYNC_TEAM_GH_APP_ID }}
private-key: ${{ secrets.SYNC_TEAM_GH_APP_PRIVATE_KEY }}
owner: rust-lang-nursery
- name: Generate GitHub token (bors-rs)
uses: actions/create-github-app-token@v1
id: bors-rs-token
with:
app-id: ${{ secrets.SYNC_TEAM_GH_APP_ID }}
private-key: ${{ secrets.SYNC_TEAM_GH_APP_PRIVATE_KEY }}
owner: bors-rs
- name: Generate GitHub token (rust-analyzer)
uses: actions/create-github-app-token@v1
id: rust-analyzer-token
with:
app-id: ${{ secrets.SYNC_TEAM_GH_APP_ID }}
private-key: ${{ secrets.SYNC_TEAM_GH_APP_PRIVATE_KEY }}
owner: rust-analyzer
- name: Generate GitHub token (rust-embedded)
uses: actions/create-github-app-token@v1
id: rust-embedded-token
with:
app-id: ${{ secrets.SYNC_TEAM_GH_APP_ID }}
private-key: ${{ secrets.SYNC_TEAM_GH_APP_PRIVATE_KEY }}
owner: rust-embedded
- name: Generate GitHub token (rust-dev-tools)
uses: actions/create-github-app-token@v1
id: rust-dev-tools-token
with:
app-id: ${{ secrets.SYNC_TEAM_GH_APP_ID }}
private-key: ${{ secrets.SYNC_TEAM_GH_APP_PRIVATE_KEY }}
owner: rust-dev-tools
- name: Run sync-team dry-run check
env:
GITHUB_TOKEN_RUST_LANG: ${{ steps.rust-lang-token.outputs.token }}
GITHUB_TOKEN_RUST_LANG_CI: ${{ steps.rust-lang-ci-token.outputs.token }}
GITHUB_TOKEN_RUST_LANG_DEPRECATED: ${{ steps.rust-lang-deprecated-token.outputs.token }}
GITHUB_TOKEN_RUST_LANG_NURSERY: ${{ steps.rust-lang-nursery-token.outputs.token }}
GITHUB_TOKEN_BORS_RS: ${{ steps.bors-rs-token.outputs.token }}
GITHUB_TOKEN_RUST_ANALYZER: ${{ steps.rust-analyzer-token.outputs.token }}
GITHUB_TOKEN_RUST_EMBEDDED: ${{ steps.rust-embedded-token.outputs.token }}
GITHUB_TOKEN_RUST_DEV_TOOLS: ${{ steps.rust-dev-tools-token.outputs.token }}
run: |
# Perform build and execution separately to avoid any potential output from
# cargo leaking into the output file.
cargo build --release
./target/release/sync-team print-plan --services github --team-json team-api 2>&1 | tee -a output.txt
- name: Prepare comment
run: |
cat > comment.txt << EOL
<details>
<summary>Dry-run check results</summary>
<pre><code>
EOL
cat output.txt >> comment.txt
printf "</pre></code>\n</details>\n" >> comment.txt
cat comment.txt
- name: Extract PR number
run: |
# We read the PR number that is stored in the uploaded archive
# and check that it is an integer (as the workflow could upload whatever it wants).
UNSANITIZED_PR=`cat team-api/pr.txt`
if [[ ${UNSANITIZED_PR} =~ ^[0-9]+$ ]]; then
echo "PR_NUMBER=${UNSANITIZED_PR}" >> $GITHUB_ENV
else
echo "Invalid PR number passed: ${UNSANITIZED_PR}"
exit 1
fi
- name: Send comment
env:
GH_TOKEN: ${{ github.token }}
run: |
PR=${PR_NUMBER}
echo "Pull request ${PR}"
# --edit-last doesn't work if there is no previous comment, so we have to figure out
# if we should create a comment or not
if gh issue view ${PR} --repo rust-lang/team --json comments \
--jq '.comments.[].author.login' | grep --quiet --fixed-strings "github-actions"; then
echo "Editing comment"
gh pr comment ${PR} --repo rust-lang/team --body-file comment.txt --edit-last
else
echo "Creating new comment"
gh pr comment ${PR} --repo rust-lang/team --body-file comment.txt
fi