Use App Token (#9)

Frc5572 · Jan 12, 2025 · f128459 · f128459
1 parent f0b6c83
commit f128459
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 24 deletions.
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
@@ -14,28 +14,44 @@ on:
 
 permissions:
   packages: read
-  contents: write
-  pull-requests: write
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   vendor-update-check:
     name: Check for Vendor Updates
     runs-on: ubuntu-latest
     container: ghcr.io/frc5572/workflows/vendor-update:${{ inputs.version }}
-    steps:
+    steps:      
       - name: Update Git
         run: |
           apk update && apk add git --update-cache
+      - name: Generate a token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ vars.VENDOR_UPDATE_APP_ID }}
+          private-key: ${{ secrets.VENDOR_UPDATE_PRIVATE_KEY }}
       - name: Checkout
         uses: actions/checkout@v4
-      - name: Run Update check
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: false
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+      - name: Setup GIT
         run: |
           git config --system --add safe.directory "*"
-          git config --system user.name "Vendor Updater"
-          git config --system user.email "[email protected]"
-          git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/$GITHUB_REPOSITORY
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
+          git remote set-url origin https://x-access-token:${{ env.GITHUB_TOKEN }}@github.com/$GITHUB_REPOSITORY
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+      - name: Run Update check
+        run: |
           python /app/vendor-update.py
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           BASE_BRANCH: ${{ inputs.base_branch }}
           REPO_PATH: ${{ github.repository }}
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -1,8 +1,11 @@
 {
-    "editor.codeActionsOnSave": {
-      "source.organizeImports": "explicit"
-    },
-    "editor.formatOnSave": true,
-    "editor.formatOnPaste": true,
-    "terminal.integrated.defaultProfile.windows": "Git Bash"
+  "editor.codeActionsOnSave": {
+    "source.organizeImports": "explicit"
+  },
+  "editor.formatOnSave": true,
+  "editor.formatOnPaste": true,
+  "terminal.integrated.defaultProfile.windows": "Git Bash",
+  "[python]": {
+    "editor.defaultFormatter": "ms-python.black-formatter"
+  }
 }
diff --git a/vendor-update/pr-template.j2 b/vendor-update/pr-template.j2
@@ -1,8 +1,9 @@
-# SUMMARY
 The following vendor dependencies have been updated.
 
 | Vendor | Change |
 |---|---|
 {% for item in deps -%}
 | {{ item.name }} | {{ item.old_version }} -> {{ item.new_version }} |
-{% endfor %}
+{% endfor %}
+
+- [ ] This PR has been deployed and tested to the robot to confirm functionality?
diff --git a/vendor-update/vendor-update.py b/vendor-update/vendor-update.py
@@ -19,17 +19,34 @@
 GITHUB_TOKEN = os.getenv("GITHUB_TOKEN", None)
 BASE_BRANCH = os.getenv("BASE_BRANCH", "main")
 REPO_PATH = os.getenv("REPO_PATH", None)
+PR_TITLE = []
+
 
 if __name__ == "__main__":
     auth = Auth.Token(GITHUB_TOKEN)
     g = Github(auth=auth)
     repo = Repo(Path.cwd())
     try:
-        repo.delete_head(BRANCH_NAME)
+        repo.git.checkout(BRANCH_NAME)
+        current_branch = repo.active_branch
+        target_branch = repo.heads[BASE_BRANCH]
+        rebase_branch = repo.create_head("temp_rebase_branch", target_branch)
+        repo.head.reference = rebase_branch
+        repo.head.reset(index=True, working_tree=True)
+        try:
+            repo.git.rebase(current_branch)
+        except exc.GitCommandError as e:
+            # Handle rebase conflicts if any
+            print("Rebase conflicts occurred. Resolve them manually.")
+            print(e)
+        else:
+            # Delete the original branch
+            repo.delete_head(current_branch)
+            # Rename the rebased branch to the original branch name
+            rebase_branch.rename(current_branch)
+            # Update the remote branch (if needed)
     except exc.GitCommandError:
-        pass
-    new_branch = repo.create_head(BRANCH_NAME)
-    new_branch.checkout(force=True)
+        repo.git.checkout("-b", BRANCH_NAME)
 
     print("Checking for WPILIB Updates")
     update_wpilib = False
@@ -46,7 +63,9 @@
     if parse(wpilib_latest_version) > parse(wpilib_version):
         print(f"New WPILIB Version: {wpilib_latest_version}. Updating build.gradle.")
         with build_gradle.open(mode="w", encoding="utf-8") as f:
-            new_build = re.sub(WPILIB_REGEX, rf'\1"{wpilib_latest_version}"', build_file)
+            new_build = re.sub(
+                WPILIB_REGEX, rf'\1"{wpilib_latest_version}"', build_file
+            )
             f.write(new_build)
         update_wpilib = True
         repo.git.add("build.gradle")
@@ -57,6 +76,7 @@
                 "new_version": wpilib_latest_version,
             }
         )
+        PR_TITLE.append("WPILib")
     else:
         print("No new version of WPILIB.")
     print("Checking for Vendor Dep Updates")
@@ -94,12 +114,13 @@
     modified_deps = [x for x in untracked + diffs if x.startswith("vendordeps")]
     if len(modified_deps) > 0:
         repo.git.add("vendordeps/*")
+        PR_TITLE.append("Vendor Dependency")
     else:
         print("No vendor updates")
     if len(modified_deps) == 0 and not update_wpilib:
         sys.exit(0)
 
-    repo.index.commit("Updating Vendor Dependencies and WPILIB")
+    repo.index.commit(f"Updating {', '.join([x.get('name') for x in UPDATED_DEPS])}")
     repo.git.push("--force", "--set-upstream", "origin", repo.head.ref)
 
     gh_repo = g.get_repo(REPO_PATH)
@@ -108,8 +129,11 @@
     )
     with open(SCRIPT_PATH.joinpath("pr-template.j2")) as f:
         body = Template(f.read()).render(deps=UPDATED_DEPS)
+    title = f"{" and ".join(PR_TITLE)} Updates"
     if pulls.totalCount == 0:
-        gh_repo.create_pull(base=BASE_BRANCH, head=BRANCH_NAME, title="Vendor Dependency Updates", body=body, draft=True)
+        gh_repo.create_pull(
+            base=BASE_BRANCH, head=BRANCH_NAME, title=title, body=body, draft=True
+        )
     elif pulls.totalCount == 1:
         pull: PullRequest = pulls[0]
-        pull.edit(body=body)
+        pull.edit(body=body, title=title)