From b40299cb4ce5d82ec468c50bacf41d91af802102 Mon Sep 17 00:00:00 2001 From: Zhijie Yang Date: Wed, 7 Aug 2024 15:58:05 +0200 Subject: [PATCH 01/34] feat(ci): add access checker --- .github/workflows/Documentation.yaml | 12 ++++++ .github/workflows/Image.yaml | 13 +++++- .github/workflows/Release.yaml | 8 ++++ .github/workflows/Tests.yaml | 8 ++++ .github/workflows/_Test-OCI-Factory.yaml | 8 ++++ .github/workflows/_Validate-access.yaml | 54 ++++++++++++++++++++++++ CODEOWNERS | 1 + 7 files changed, 102 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/_Validate-access.yaml create mode 100644 CODEOWNERS diff --git a/.github/workflows/Documentation.yaml b/.github/workflows/Documentation.yaml index 0febb6c5..aa54391c 100644 --- a/.github/workflows/Documentation.yaml +++ b/.github/workflows/Documentation.yaml @@ -5,6 +5,8 @@ on: push: paths: - "oci/*/documentation.y*ml" + branches: + - main workflow_dispatch: inputs: oci-image-name: @@ -27,9 +29,19 @@ on: type: string jobs: + # TODO add access-check here exceeds workflow max call depth + # access-check: + # uses: ./.github/workflows/_Validate-access.yaml + # with: + # admin-only: true + # image-path: "oci/${{ github.event.inputs.oci-image-name }}" + # secrets: inherit + + validate-documentation-request: runs-on: ubuntu-22.04 name: Validate documentation request + # needs: [access-check] outputs: oci-img-path: ${{ steps.validate-image.outputs.img-path }} oci-img-name: ${{ steps.validate-image.outputs.img-name }} diff --git a/.github/workflows/Image.yaml b/.github/workflows/Image.yaml index 79bd6ed9..097bb8db 100644 --- a/.github/workflows/Image.yaml +++ b/.github/workflows/Image.yaml 
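Review bot: Documentation.yaml leaves this commit with no access gate at all — the `access-check` job and its `needs: [access-check]` edge are both commented out, so `validate-documentation-request` still runs for any actor able to trigger the workflow, although the commit is titled "add access checker". The TODO gives the reusable-workflow call-depth limit as the reason but not the consequence; a comment such as `# No access check yet (nested workflow_call depth limit): documentation updates from non-owners are currently accepted` would make the gap visible to the next reader. A composite action invoked as a step, rather than another nested reusable workflow, would not count against the call depth and would close the gap.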
@@ -113,10 +113,19 @@ jobs: ./src/image/prepare_single_image_build_matrix.py \ --oci-path ${{ steps.validate-image.outputs.img-path }} \ - --revision-data-dir ${{ env.DATA_DIR }} \ + --revision-data-dir ${{ env.DATA_DIR }} - run-build: + access-check: needs: [prepare-build] + uses: ./.github/workflows/_Validate-access.yaml + # The if statement is useless since this workflow is listed in the needs of run-build + with: + admin-only: true + image-path: ${{ needs.prepare-build.outputs.oci-img-path }} + secrets: inherit + + run-build: + needs: [access-check, prepare-build] strategy: fail-fast: true matrix: ${{ fromJSON(needs.prepare-build.outputs.build-matrix) }} diff --git a/.github/workflows/Release.yaml b/.github/workflows/Release.yaml index 5a99718c..c6918159 100644 --- a/.github/workflows/Release.yaml +++ b/.github/workflows/Release.yaml @@ -28,9 +28,17 @@ on: type: string jobs: + access-check: + uses: ./.github/workflows/_Validate-access.yaml + with: + admin-only: true + image-path: "oci/${{ github.event.inputs.oci-image-name }}" + secrets: inherit + validate-push-release-request: runs-on: ubuntu-22.04 name: Validate push release request + needs: [access-check] outputs: oci-image-name: ${{ steps.get-image-name.outputs.img-name }} steps: diff --git a/.github/workflows/Tests.yaml b/.github/workflows/Tests.yaml index e2a3fce0..394d79bf 100644 --- a/.github/workflows/Tests.yaml +++ b/.github/workflows/Tests.yaml @@ -66,9 +66,17 @@ env: DIVE_IMAGE: 'wagoodman/dive:v0.12' jobs: + access-check: + uses: ./.github/workflows/_Validate-access.yaml + with: + admin-only: true + image-path: "${{ github.event.inputs.oci-image-path }}" + secrets: inherit + fetch-oci-image: runs-on: ubuntu-22.04 name: Fetch OCI image for testing + needs: [access-check] outputs: test-cache-key: ${{ steps.cache.outputs.key }} steps: diff --git a/.github/workflows/_Test-OCI-Factory.yaml b/.github/workflows/_Test-OCI-Factory.yaml index 87f601a4..34c56fe8 100644 
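Review bot: The new `access-check` job is ordered after `prepare-build` (`needs: [prepare-build]`), so the authorization decision is taken only after `prepare-build` has already checked out the repository and run `prepare_single_image_build_matrix.py` for the requested image; a gate is cheaper and safer placed before any caller-controlled input is processed, i.e. `access-check` first and `prepare-build` with `needs: [access-check]`, deriving `image-path` from `inputs` the way the `Release.yaml` hunk of this commit does. The comment `# The if statement is useless since this workflow is listed in the needs of run-build` refers to an `if:` that does not exist in the hunk; either drop it or say what was decided, e.g. `# No if: guard on purpose — run-build needs this job, so skipping it would skip the build`. `prepare-build` itself begins outside the hunk.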
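Review bot: `image-path: "oci/${{ github.event.inputs.oci-image-name }}"` reads the dispatch payload rather than the `inputs` context; if `Release.yaml` is also reachable through `workflow_call` (later commits in this series treat it that way), `github.event` is the caller's event and `oci-image-name` may be absent, so the path collapses to `oci/` and the maintainer lookup in `_Validate-access.yaml` ends up at `oci//contacts.yaml`. `${{ inputs.oci-image-name }}` resolves for both `workflow_dispatch` and `workflow_call`, and the called workflow should fail closed on an empty `image-path` instead of depending on a file-not-found. The `Tests.yaml` hunk of this commit uses the same pattern (`github.event.inputs.oci-image-path`).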
--- a/.github/workflows/_Test-OCI-Factory.yaml +++ b/.github/workflows/_Test-OCI-Factory.yaml @@ -16,8 +16,16 @@ on: - "!src/cli-client/**" jobs: + access-check: + uses: ./.github/workflows/_Validate-access.yaml + with: + admin-only: true + image-path: "oci/mock-rock" + secrets: inherit + test-workflows: name: Trigger internal tests for mock-rock + needs: [access-check] uses: ./.github/workflows/Image.yaml with: oci-image-name: "mock-rock" diff --git a/.github/workflows/_Validate-access.yaml b/.github/workflows/_Validate-access.yaml new file mode 100644 index 00000000..bb510fa7 --- /dev/null +++ b/.github/workflows/_Validate-access.yaml 
@@ -0,0 +1,54 @@ +name: Validate user access + +# This callable workflow checks if the workflow is triggered by +# a code owner or an image maintainer by testing the github.actor +# variable against the CODEOWNERS file and the contacts.yaml file +# under oci/* path + +on: + workflow_call: + inputs: + admin-only: + description: 'The protected workflow should only be triggered as a code owner or an image maintainer' + required: true + default: false + type: boolean + image-path: + description: 'The path to the image to be built' + required: true + type: string + +jobs: + validate-access: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Check if the workflow is triggered by an admin user + env: + GH_TOKEN: ${{ secrets.ROCKSBOT_TOKEN }} + run: | + echo "github.actor: ${{ github.actor }}" + echo "admin-only: ${{ inputs.admin-only }}" + if [[ ${{ inputs.admin-only }} == true ]]; then + echo "Expanding team mentions in the CODEOWNERS file" + teams=$(grep -oE '@[[:alnum:]_.-]+\/[[:alnum:]_.-]+' ${{ github.workspace }}/CODEOWNERS | sort | uniq) + + for team in $teams; do + org=$(echo $team | cut -d'/' -f1 | sed 's/@//') + team_name=$(echo $team | cut -d'/' -f2) + members=$(gh api "/orgs/$org/teams/$team_name/members" | jq -r '.[].login') + replacement=$(echo "$members" | xargs -I {} echo -n "@{} " | awk '{$1=$1};1') + sed -i "s|$team|$replacement|g" ${{ github.workspace }}/CODEOWNERS + done + + if grep -wq "@${{ github.actor }}" ${{ github.workspace }}/CODEOWNERS; then + echo "The workflow is triggered by ${{ github.actor }} as the code owner" + elif cat ${{ github.workspace }}/${{ inputs.image-path }}/contacts.yaml | yq ".maintainers" | grep "\- " | grep -wq "${{ github.actor }}"; then + echo "The workflow is triggered by ${{ github.actor }} as a maintainer of the image ${{ inputs.image-path }}" + else + echo "The workflow is triggered by a user neither as a code owner nor a maintainer of the image ${{ inputs.image-path }}" + exit 1 + fi + else + 
echo "The workflow is not restricted to non-code-owner or non-maintainer users" + fi diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 00000000..0afe0e53 --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1 @@ +* @canonical/rocks From 0051543f36e5f22102897586c6550d402b3ffd72 Mon Sep 17 00:00:00 2001 From: zhijie-yang Date: Wed, 7 Aug 2024 14:45:07 +0000 Subject: [PATCH 02/34] ci: automatically update oci/mock-rock/_releases.json, from https://github.com/canonical/oci-factory/actions/runs/10286163891 --- oci/mock-rock/_releases.json | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/oci/mock-rock/_releases.json b/oci/mock-rock/_releases.json index cfcfff8d..84fca748 100644 --- a/oci/mock-rock/_releases.json +++ b/oci/mock-rock/_releases.json @@ -13,13 +13,13 @@ }, "1.0-22.04": { "candidate": { - "target": "397" + "target": "400" }, "beta": { - "target": "397" + "target": "400" }, "edge": { - "target": "397" + "target": "400" }, "end-of-life": "2025-05-01T00:00:00Z" }, @@ -35,34 +35,34 @@ "1.1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "398" + "target": "401" }, "beta": { - "target": "398" + "target": "401" }, "edge": { - "target": "398" + "target": "401" } }, "1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "398" + "target": "401" }, "beta": { - "target": "398" + "target": "401" }, "edge": { - "target": "398" + "target": "401" } }, "1.2-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "beta": { - "target": "399" + "target": "402" }, "edge": { "target": "1.2-22.04_beta" } } -} \ No newline at end of file +} From 2a09f582557563f68ad668c6e6eaae3ca72b9560 Mon Sep 17 00:00:00 2001 From: Zhijie Yang Date: Wed, 7 Aug 2024 17:04:54 +0200 Subject: [PATCH 03/34] chore(ci): update comments and retrigger wf --- .github/workflows/_Validate-access.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
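Review bot: The membership test is looser than it looks: `grep -wq "@${{ github.actor }}"` treats `-` as a word boundary, so an actor `foo` is accepted when CODEOWNERS lists `@foo-bar`, and the same applies to the `grep -wq` against the `contacts.yaml` maintainers lines; compare whole tokens instead (`grep -Fxq`). Two further points in the same step: `gh api "/orgs/$org/teams/$team_name/members"` returns only the first page, so members of larger teams are silently dropped and denied — add `--paginate`; and `${{ github.actor }}` / `${{ inputs.image-path }}` are expanded into the script text, which GitHub's own hardening guidance advises against — pass them through `env:` and reference `$ACTOR` / `$IMAGE_PATH`. `default: false` together with `required: true` on `admin-only` is contradictory; keep one. The same script is copied verbatim into `.github/actions/validate-access/action.yaml` in PATCH 05, where the identical changes apply.
```yaml
      - name: Check if the workflow is triggered by an admin user
        env:
          GH_TOKEN: ${{ secrets.ROCKSBOT_TOKEN }}
          ACTOR: ${{ github.actor }}
          IMAGE_PATH: ${{ inputs.image-path }}
        run: |
          # … unchanged: echo of actor / admin-only and the admin-only guard …
          codeowners="$GITHUB_WORKSPACE/CODEOWNERS"
          # … unchanged: team extraction and loop header …
            members=$(gh api --paginate "/orgs/$org/teams/$team_name/members" | jq -r '.[].login')
          # … unchanged: replacement and sed …
          if grep -oE '@[[:alnum:]_.-]+' "$codeowners" | grep -Fxq "@$ACTOR"; then
            echo "The workflow is triggered by $ACTOR as the code owner"
          elif yq '.maintainers' "$GITHUB_WORKSPACE/$IMAGE_PATH/contacts.yaml" | sed -n 's/^- *//p' | grep -Fxq "$ACTOR"; then
            echo "The workflow is triggered by $ACTOR as a maintainer of the image $IMAGE_PATH"
          else
            echo "The workflow is triggered by a user neither as a code owner nor a maintainer of the image $IMAGE_PATH"
            exit 1
          fi
          # … unchanged: else branch …
```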
diff --git a/.github/workflows/_Validate-access.yaml b/.github/workflows/_Validate-access.yaml index bb510fa7..e721f60b 100644 --- a/.github/workflows/_Validate-access.yaml +++ b/.github/workflows/_Validate-access.yaml @@ -3,7 +3,7 @@ name: Validate user access # This callable workflow checks if the workflow is triggered by # a code owner or an image maintainer by testing the github.actor # variable against the CODEOWNERS file and the contacts.yaml file -# under oci/* path +# under the oci/* directory on: workflow_call: From 906339a38c0488e26d5f045ca7a6dee0c10215cd Mon Sep 17 00:00:00 2001 From: zhijie-yang Date: Wed, 7 Aug 2024 15:33:09 +0000 Subject: [PATCH 04/34] ci: automatically update oci/mock-rock/_releases.json, from https://github.com/canonical/oci-factory/actions/runs/10286861493 --- oci/mock-rock/_releases.json | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/oci/mock-rock/_releases.json b/oci/mock-rock/_releases.json index 84fca748..78b44de6 100644 --- a/oci/mock-rock/_releases.json +++ b/oci/mock-rock/_releases.json @@ -13,13 +13,13 @@ }, "1.0-22.04": { "candidate": { - "target": "400" + "target": "409" }, "beta": { - "target": "400" + "target": "409" }, "edge": { - "target": "400" + "target": "409" }, "end-of-life": "2025-05-01T00:00:00Z" }, @@ -35,34 +35,34 @@ "1.1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "401" + "target": "410" }, "beta": { - "target": "401" + "target": "410" }, "edge": { - "target": "401" + "target": "410" } }, "1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "401" + "target": "410" }, "beta": { - "target": "401" + "target": "410" }, "edge": { - "target": "401" + "target": "410" } }, "1.2-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "beta": { - "target": "402" + "target": "411" }, "edge": { "target": "1.2-22.04_beta" } } -} +} \ No newline at end of file 
From 56e8647b0852314ce61df41a1ef6fd2cb56c3b04 Mon Sep 17 00:00:00 2001 From: Zhijie Yang Date: Thu, 8 Aug 2024 11:54:02 +0200 Subject: [PATCH 05/34] feat(ci): use custom action to validate access --- .github/actions/validate-access/action.yaml | 53 ++++++++++++++++++++ .github/workflows/Documentation.yaml | 17 +++---- .github/workflows/Image.yaml | 19 ++++---- .github/workflows/Release.yaml | 16 +++--- .github/workflows/Tests.yaml | 16 ++++-- .github/workflows/_Test-OCI-Factory.yaml | 14 ++++-- .github/workflows/_Validate-access.yaml | 54 --------------------- 7 files changed, 98 insertions(+), 91 deletions(-) create mode 100644 .github/actions/validate-access/action.yaml delete mode 100644 .github/workflows/_Validate-access.yaml diff --git a/.github/actions/validate-access/action.yaml b/.github/actions/validate-access/action.yaml new file mode 100644 index 00000000..e85d15c9 --- /dev/null +++ b/.github/actions/validate-access/action.yaml 
@@ -0,0 +1,53 @@ +name: Validate Access +description: 'Check if the workflow is triggered by an admin user' + +# This callable workflow checks if the workflow is triggered by +# a code owner or an image maintainer by testing the github.actor +# variable against the CODEOWNERS file and the contacts.yaml file +# under oci/* path + +inputs: + admin-only: + description: 'The protected workflow should only be triggered as a code owner or an image maintainer' + required: true + default: 'false' + image-path: + description: 'The path to the image to be built' + required: true + github-token: + description: 'The GH_TOKEN for the GitHub CLI' + required: true + +runs: + using: "composite" + steps: + - name: Check if the workflow is triggered by an admin user + shell: bash + env: + GH_TOKEN: ${{ inputs.github-token }} + run: | + echo "github.actor: ${{ github.actor }}" + echo "admin-only: ${{ inputs.admin-only }}" + if [[ ${{ inputs.admin-only }} == true ]]; then + echo "Expanding team mentions in the CODEOWNERS file" + teams=$(grep -oE '@[[:alnum:]_.-]+\/[[:alnum:]_.-]+' ${{ github.workspace }}/CODEOWNERS | sort | uniq) + + for team in $teams; do + org=$(echo $team | cut -d'/' -f1 | sed 's/@//') + team_name=$(echo $team | cut -d'/' -f2) + members=$(gh api "/orgs/$org/teams/$team_name/members" | jq -r '.[].login') + replacement=$(echo "$members" | xargs -I {} echo -n "@{} " | awk '{$1=$1};1') + sed -i "s|$team|$replacement|g" ${{ github.workspace }}/CODEOWNERS + done + + if grep -wq "@${{ github.actor }}" ${{ github.workspace }}/CODEOWNERS; then + echo "The workflow is triggered by ${{ github.actor }} as the code owner" + elif cat ${{ github.workspace }}/${{ inputs.image-path }}/contacts.yaml | yq ".maintainers" | grep "\- " | grep -wq "${{ github.actor }}"; then + echo "The workflow is triggered by ${{ github.actor }} as a maintainer of the image ${{ inputs.image-path }}" + else + echo "The workflow is triggered by a user neither as a code owner nor a maintainer of the image 
${{ inputs.image-path }}" + exit 1 + fi + else + echo "The workflow is not restricted to non-code-owner or non-maintainer users" + fi diff --git a/.github/workflows/Documentation.yaml b/.github/workflows/Documentation.yaml index aa54391c..99c934c9 100644 --- a/.github/workflows/Documentation.yaml +++ b/.github/workflows/Documentation.yaml @@ -29,15 +29,6 @@ on: type: string jobs: - # TODO add access-check here exceeds workflow max call depth - # access-check: - # uses: ./.github/workflows/_Validate-access.yaml - # with: - # admin-only: true - # image-path: "oci/${{ github.event.inputs.oci-image-name }}" - # secrets: inherit - - validate-documentation-request: runs-on: ubuntu-22.04 name: Validate documentation request @@ -52,6 +43,14 @@ jobs: - uses: actions/checkout@v4 + - name: Validate access to triggered image + uses: ./.github/actions/validate-access + if: github.event_name != 'workflow_call' + with: + admin-only: true + image-path: "oci/${{ inputs.oci-image-name }}" + github-token: ${{ secrets.ROCKSBOT_TOKEN }} + - name: Infer images to document uses: tj-actions/changed-files@v35 id: changed-files diff --git a/.github/workflows/Image.yaml b/.github/workflows/Image.yaml index 097bb8db..86add765 100644 --- a/.github/workflows/Image.yaml +++ b/.github/workflows/Image.yaml @@ -94,6 +94,14 @@ jobs: echo "img-name=$(basename ${img_path})" >> "$GITHUB_OUTPUT" echo "img-path=${img_path}" >> "$GITHUB_OUTPUT" + - name: Validate access to triggered image + uses: ./.github/actions/validate-access + if: github.event_name != 'workflow_call' + with: + admin-only: true + image-path: ${{ steps.validate-image.outputs.img-path }} + github-token: ${{ secrets.ROCKSBOT_TOKEN }} + - name: Use custom image trigger if: ${{ inputs.b64-image-trigger != '' }} run: echo ${{ inputs.b64-image-trigger }} | base64 -d > ${{ steps.validate-image.outputs.img-path }}/image.yaml 
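Review bot: The action reads `CODEOWNERS` and `contacts.yaml` from whatever ref the calling job checked out, so the data the authorization decision rests on comes from the branch the workflow runs on rather than from the protected default branch; this series itself exercises the check by editing those two files on the feature branch (PATCH 10 and 11). For a gate in front of builds and releases, read both files from `main` (a second `actions/checkout` with `ref: main` into its own `path:`, or the contents API with `?ref=main`) and state that in the header comment. That header still says `This callable workflow`, which no longer fits a composite action; `# This composite action checks whether the triggering actor is a code owner or an image maintainer` would be accurate. The shell body is byte-identical to PATCH 01's `_Validate-access.yaml`, so the token-matching, pagination and `env:` points raised there carry over.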
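Review bot: `if: github.event_name != 'workflow_call'` does not express the intent: inside a reusable workflow the `github` context belongs to the caller, so `github.event_name` is the caller's trigger (`push`, `workflow_dispatch`, …) and is never `workflow_call`; the step therefore runs on every invocation, including when `_Test-OCI-Factory.yaml` calls this workflow with the pusher as `github.actor`. If the check is meant to run only for direct triggers, the caller has to say so through an explicit `workflow_call` input, and a comment should record which side owns the check when it is skipped here. The same condition appears in the `Image.yaml` and `Release.yaml` hunks of this commit and twice in `Tests.yaml`.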
@@ -115,17 +123,8 @@ jobs: --oci-path ${{ steps.validate-image.outputs.img-path }} \ --revision-data-dir ${{ env.DATA_DIR }} - access-check: - needs: [prepare-build] - uses: ./.github/workflows/_Validate-access.yaml - # The if statement is useless since this workflow is listed in the needs of run-build - with: - admin-only: true - image-path: ${{ needs.prepare-build.outputs.oci-img-path }} - secrets: inherit - run-build: - needs: [access-check, prepare-build] + needs: [prepare-build] strategy: fail-fast: true matrix: ${{ fromJSON(needs.prepare-build.outputs.build-matrix) }} diff --git a/.github/workflows/Release.yaml b/.github/workflows/Release.yaml index c6918159..5be5d9d1 100644 --- a/.github/workflows/Release.yaml +++ b/.github/workflows/Release.yaml @@ -28,17 +28,9 @@ on: type: string jobs: - access-check: - uses: ./.github/workflows/_Validate-access.yaml - with: - admin-only: true - image-path: "oci/${{ github.event.inputs.oci-image-name }}" - secrets: inherit - validate-push-release-request: runs-on: ubuntu-22.04 name: Validate push release request - needs: [access-check] outputs: oci-image-name: ${{ steps.get-image-name.outputs.img-name }} steps: @@ -47,6 +39,14 @@ jobs: - uses: actions/checkout@v4 + - name: Validate access to triggered image + uses: ./.github/actions/validate-access + if: github.event_name != 'workflow_call' + with: + admin-only: true + image-path: "oci/${{ inputs.oci-image-name }}" + github-token: ${{ secrets.ROCKSBOT_TOKEN }} + - name: Infer number of image triggers uses: tj-actions/changed-files@v35 id: changed-files diff --git a/.github/workflows/Tests.yaml b/.github/workflows/Tests.yaml index 394d79bf..43041ba2 100644 --- a/.github/workflows/Tests.yaml +++ b/.github/workflows/Tests.yaml 
@@ -67,11 +67,17 @@ env: jobs: access-check: - uses: ./.github/workflows/_Validate-access.yaml - with: - admin-only: true - image-path: "${{ github.event.inputs.oci-image-path }}" - secrets: inherit + runs-on: ubuntu-22.04 + steps: + - uses: actions/checkout@v4 + if: github.event_name != 'workflow_call' + - name: Validate access to triggered image + uses: ./.github/actions/validate-access + if: github.event_name != 'workflow_call' + with: + admin-only: true + image-path: ${{ inputs.oci-image-path }} + github-token: ${{ secrets.ROCKSBOT_TOKEN }} fetch-oci-image: runs-on: ubuntu-22.04 diff --git a/.github/workflows/_Test-OCI-Factory.yaml b/.github/workflows/_Test-OCI-Factory.yaml index 34c56fe8..02b8f8fb 100644 --- a/.github/workflows/_Test-OCI-Factory.yaml +++ b/.github/workflows/_Test-OCI-Factory.yaml @@ -17,11 +17,15 @@ on: jobs: access-check: - uses: ./.github/workflows/_Validate-access.yaml - with: - admin-only: true - image-path: "oci/mock-rock" - secrets: inherit + name: Validate access to mock-rock + runs-on: ubuntu-22.04 + steps: + - uses: actions/checkout@v4 + - uses: ./.github/actions/validate-access + with: + admin-only: true + image-path: "oci/mock-rock" + github-token: ${{ secrets.ROCKSBOT_TOKEN }} test-workflows: name: Trigger internal tests for mock-rock diff --git a/.github/workflows/_Validate-access.yaml b/.github/workflows/_Validate-access.yaml deleted file mode 100644 index e721f60b..00000000 --- a/.github/workflows/_Validate-access.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -name: Validate user access - -# This callable workflow checks if the workflow is triggered by -# a code owner or an image maintainer by testing the github.actor -# variable against the CODEOWNERS file and the contacts.yaml file -# under the oci/* directory - -on: - workflow_call: - inputs: - admin-only: - description: 'The protected workflow should only be triggered as a code owner or an image maintainer' - required: true - default: false - type: boolean - image-path: - description: 'The path to the image to be built' - required: true - type: string - -jobs: - validate-access: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: Check if the workflow is triggered by an admin user - env: - GH_TOKEN: ${{ secrets.ROCKSBOT_TOKEN }} - run: | - echo "github.actor: ${{ github.actor }}" - echo "admin-only: ${{ inputs.admin-only }}" - if [[ ${{ inputs.admin-only }} == true ]]; then - echo "Expanding team mentions in the CODEOWNERS file" - teams=$(grep -oE '@[[:alnum:]_.-]+\/[[:alnum:]_.-]+' ${{ github.workspace }}/CODEOWNERS | sort | uniq) - - for team in $teams; do - org=$(echo $team | cut -d'/' -f1 | sed 's/@//') - team_name=$(echo $team | cut -d'/' -f2) - members=$(gh api "/orgs/$org/teams/$team_name/members" | jq -r '.[].login') - replacement=$(echo "$members" | xargs -I {} echo -n "@{} " | awk '{$1=$1};1') - sed -i "s|$team|$replacement|g" ${{ github.workspace }}/CODEOWNERS - done - - if grep -wq "@${{ github.actor }}" ${{ github.workspace }}/CODEOWNERS; then - echo "The workflow is triggered by ${{ github.actor }} as the code owner" - elif cat ${{ github.workspace }}/${{ inputs.image-path }}/contacts.yaml | yq ".maintainers" | grep "\- " | grep -wq "${{ github.actor }}"; then - echo "The workflow is triggered by ${{ github.actor }} as a maintainer of the image ${{ inputs.image-path }}" - else - echo "The workflow is triggered by a user neither as a code owner nor a maintainer of the image ${{ inputs.image-path }}" - exit 1 - fi - 
else - echo "The workflow is not restricted to non-code-owner or non-maintainer users" - fi From 0163833bf541570fe2d271d02eb980c99573f641 Mon Sep 17 00:00:00 2001 From: zhijie-yang Date: Thu, 8 Aug 2024 10:41:27 +0000 Subject: [PATCH 06/34] ci: automatically update oci/mock-rock/_releases.json, from https://github.com/canonical/oci-factory/actions/runs/10299930758 --- oci/mock-rock/_releases.json | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/oci/mock-rock/_releases.json b/oci/mock-rock/_releases.json index 78b44de6..b7ebc44f 100644 --- a/oci/mock-rock/_releases.json +++ b/oci/mock-rock/_releases.json @@ -13,13 +13,13 @@ }, "1.0-22.04": { "candidate": { - "target": "409" + "target": "412" }, "beta": { - "target": "409" + "target": "412" }, "edge": { - "target": "409" + "target": "412" }, "end-of-life": "2025-05-01T00:00:00Z" }, @@ -35,31 +35,31 @@ "1.1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "410" + "target": "413" }, "beta": { - "target": "410" + "target": "413" }, "edge": { - "target": "410" + "target": "413" } }, "1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "410" + "target": "413" }, "beta": { - "target": "410" + "target": "413" }, "edge": { - "target": "410" + "target": "413" } }, "1.2-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "beta": { - "target": "411" + "target": "414" }, "edge": { "target": "1.2-22.04_beta" From 3ce593b5bd2da6c4fde3a6eca7710b54791d2156 Mon Sep 17 00:00:00 2001 From: Zhijie Yang Date: Thu, 8 Aug 2024 13:15:57 +0200 Subject: [PATCH 07/34] fix: force grep return 0 to avoid pipefail --- .github/actions/validate-access/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/validate-access/action.yaml b/.github/actions/validate-access/action.yaml index e85d15c9..15614e8b 100644 --- a/.github/actions/validate-access/action.yaml +++ b/.github/actions/validate-access/action.yaml 
@@ -30,7 +30,7 @@ runs: echo "admin-only: ${{ inputs.admin-only }}" if [[ ${{ inputs.admin-only }} == true ]]; then echo "Expanding team mentions in the CODEOWNERS file" - teams=$(grep -oE '@[[:alnum:]_.-]+\/[[:alnum:]_.-]+' ${{ github.workspace }}/CODEOWNERS | sort | uniq) + teams=$(grep -oE '@[[:alnum:]_.-]+\/[[:alnum:]_.-]+' ${{ github.workspace }}/CODEOWNERS || true | sort | uniq) for team in $teams; do org=$(echo $team | cut -d'/' -f1 | sed 's/@//') From 35d8bc37ee930cbb015824f6e1be7ede417f6a81 Mon Sep 17 00:00:00 2001 From: Zhijie Yang Date: Thu, 8 Aug 2024 13:31:24 +0200 Subject: [PATCH 08/34] ci: add .github/actions to _test --- .github/workflows/_Test-OCI-Factory.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/_Test-OCI-Factory.yaml b/.github/workflows/_Test-OCI-Factory.yaml index 02b8f8fb..c283a989 100644 --- a/.github/workflows/_Test-OCI-Factory.yaml +++ b/.github/workflows/_Test-OCI-Factory.yaml @@ -4,6 +4,7 @@ on: push: paths: - ".github/workflows/*" + - ".github/actions/*" - "!.github/workflows/CLA-Check.yaml" - "!.github/workflows/PR-Validator.yaml" - "!.github/workflows/_Auto-updates.yaml" From 7c889f79659db1aff4043b60681e6fc368ac0b89 Mon Sep 17 00:00:00 2001 From: zhijie-yang Date: Thu, 8 Aug 2024 11:55:40 +0000 Subject: [PATCH 09/34] ci: automatically update oci/mock-rock/_releases.json, from https://github.com/canonical/oci-factory/actions/runs/10301256506 --- oci/mock-rock/_releases.json | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/oci/mock-rock/_releases.json b/oci/mock-rock/_releases.json index b7ebc44f..d95acd35 100644 --- a/oci/mock-rock/_releases.json +++ b/oci/mock-rock/_releases.json @@ -13,13 +13,13 @@ }, "1.0-22.04": { "candidate": { - "target": "412" + "target": "415" }, "beta": { - "target": "412" + "target": "415" }, "edge": { - "target": "412" + "target": "415" }, "end-of-life": "2025-05-01T00:00:00Z" }, 
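Review bot: `grep … || true | sort | uniq` does not parse as intended — a pipeline binds tighter than `||`, so the line reads `grep … || (true | sort | uniq)`: when grep finds teams its raw output skips `sort | uniq`, and when it finds none the fallback merely sorts the empty output of `true`. Group the fallback so the pipeline applies to both branches: `teams=$({ grep -oE '@[[:alnum:]_.-]+\/[[:alnum:]_.-]+' "$GITHUB_WORKSPACE/CODEOWNERS" || true; } | sort -u)`. The enclosing `run:` block continues outside the hunk.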
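Review bot: `.github/actions/*` will not match the new action: in GitHub's `paths:` filters `*` does not cross `/`, and the action lives at `.github/actions/validate-access/action.yaml`, one directory deeper. Use `- ".github/actions/**"` so that changes to any action (including the `validate-access.sh` that a later commit in this series adds) trigger the self-test. The `paths:` list continues outside the hunk.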
@@ -35,31 +35,31 @@ "1.1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "413" + "target": "416" }, "beta": { - "target": "413" + "target": "416" }, "edge": { - "target": "413" + "target": "416" } }, "1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "413" + "target": "416" }, "beta": { - "target": "413" + "target": "416" }, "edge": { - "target": "413" + "target": "416" } }, "1.2-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "beta": { - "target": "414" + "target": "417" }, "edge": { "target": "1.2-22.04_beta" From 8049c7011235eec1f6f3e44d899ea033428bb0da Mon Sep 17 00:00:00 2001 From: Zhijie Yang Date: Thu, 8 Aug 2024 13:59:08 +0200 Subject: [PATCH 10/34] TEST: SHOULD FAIL: remove zhijie-yang from CODEOWNERS --- CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CODEOWNERS b/CODEOWNERS index 0afe0e53..c61d74ad 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1 +1 @@ -* @canonical/rocks +* @cjdc From dc804d189514cba5f2565013ffff883528558b20 Mon Sep 17 00:00:00 2001 From: Zhijie Yang Date: Thu, 8 Aug 2024 14:04:32 +0200 Subject: [PATCH 11/34] TEST: SHOULD PASS: add zhijie-yang as mock-rock maintainer --- oci/mock-rock/contacts.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/oci/mock-rock/contacts.yaml b/oci/mock-rock/contacts.yaml index a8c48c00..020122eb 100644 --- a/oci/mock-rock/contacts.yaml +++ b/oci/mock-rock/contacts.yaml @@ -8,4 +8,7 @@ notify: # These are channel IDs and not names. # opt, type: List[str] mattermost-channels: - - fbdezwkcxpfofpysjore1wpfoc \ No newline at end of file + - fbdezwkcxpfofpysjore1wpfoc + +maintainers: + - zhijie-yang From 0cc5c766c783614a73c546f40ebab0c6f25e924f Mon Sep 17 00:00:00 2001 
From: Zhijie Yang Date: Thu, 8 Aug 2024 14:09:35 +0200 Subject: [PATCH 12/34] Revert tests: SHOULD PASS Revert "TEST: SHOULD FAIL: remove zhijie-yang from CODEOWNERS" This reverts commit 8049c7011235eec1f6f3e44d899ea033428bb0da. Revert "TEST: SHOULD PASS: add zhijie-yang as mock-rock maintainer" This reverts commit dc804d189514cba5f2565013ffff883528558b20. --- CODEOWNERS | 2 +- oci/mock-rock/contacts.yaml | 5 +---- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index c61d74ad..0afe0e53 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1 +1 @@ -* @cjdc +* @canonical/rocks diff --git a/oci/mock-rock/contacts.yaml b/oci/mock-rock/contacts.yaml index 020122eb..a8c48c00 100644 --- a/oci/mock-rock/contacts.yaml +++ b/oci/mock-rock/contacts.yaml @@ -8,7 +8,4 @@ notify: # These are channel IDs and not names. # opt, type: List[str] mattermost-channels: - - fbdezwkcxpfofpysjore1wpfoc - -maintainers: - - zhijie-yang + - fbdezwkcxpfofpysjore1wpfoc \ No newline at end of file From f885a37652e76f317f0374782576f4625fe92ca2 Mon Sep 17 00:00:00 2001 From: zhijie-yang Date: Thu, 8 Aug 2024 13:04:52 +0000 Subject: [PATCH 13/34] ci: automatically update oci/mock-rock/_releases.json, from https://github.com/canonical/oci-factory/actions/runs/10301820520 --- oci/mock-rock/_releases.json | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/oci/mock-rock/_releases.json b/oci/mock-rock/_releases.json index d95acd35..bd38286e 100644 --- a/oci/mock-rock/_releases.json +++ b/oci/mock-rock/_releases.json @@ -13,13 +13,13 @@ }, "1.0-22.04": { "candidate": { - "target": "415" + "target": "418" }, "beta": { - "target": "415" + "target": "418" }, "edge": { - "target": "415" + "target": "418" }, "end-of-life": "2025-05-01T00:00:00Z" }, 
@@ -35,31 +35,31 @@ "1.1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "416" + "target": "419" }, "beta": { - "target": "416" + "target": "419" }, "edge": { - "target": "416" + "target": "419" } }, "1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "416" + "target": "419" }, "beta": { - "target": "416" + "target": "419" }, "edge": { - "target": "416" + "target": "419" } }, "1.2-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "beta": { - "target": "417" + "target": "420" }, "edge": { "target": "1.2-22.04_beta" From ef5291153bd80c3e1385ef8a7a85484cfb507f17 Mon Sep 17 00:00:00 2001 From: Zhijie Yang Date: Fri, 9 Aug 2024 12:10:27 +0200 Subject: [PATCH 14/34] feat(ci): update access control action condition --- .github/workflows/Documentation.yaml | 6 +++++- .github/workflows/Image.yaml | 6 +++++- .github/workflows/Release.yaml | 6 +++++- .github/workflows/Tests.yaml | 8 ++++++-- 4 files changed, 21 insertions(+), 5 deletions(-) diff --git a/.github/workflows/Documentation.yaml b/.github/workflows/Documentation.yaml index 99c934c9..38833d8a 100644 --- a/.github/workflows/Documentation.yaml +++ b/.github/workflows/Documentation.yaml @@ -27,6 +27,10 @@ on: description: 'Commit SHA containing the updated _releases.json' required: true type: string + is-workflow_call: + description: 'Flag to indicate if this is a workflow call' + type: boolean + default: true jobs: validate-documentation-request: @@ -45,7 +49,7 @@ jobs: - name: Validate access to triggered image uses: ./.github/actions/validate-access - if: github.event_name != 'workflow_call' + if: ${{ !inputs.is-workflow_call }} with: admin-only: true image-path: "oci/${{ inputs.oci-image-name }}" diff --git a/.github/workflows/Image.yaml b/.github/workflows/Image.yaml index 86add765..dd4a86a9 100644 --- a/.github/workflows/Image.yaml +++ b/.github/workflows/Image.yaml 
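Review bot: `is-workflow_call` defaults to `true`, so every `workflow_call` invocation skips the access check unless the caller explicitly passes `is-workflow_call: false`; the gate has become opt-in for callers, and the description does not say that a caller which leaves the default is then responsible for having validated the actor itself. Spell that out — `description: 'Set to false to run the access check here; callers that leave the default are expected to have validated the actor already'` — and consider `required: true` so the bypass is a deliberate choice in each caller. Whether this input sits under `workflow_call` or `workflow_dispatch` is visible only in the `Tests.yaml` hunk; if it is ever declared under `workflow_dispatch` as well, the `true` default would skip the check on manual runs, which deserves a comment next to `if: ${{ !inputs.is-workflow_call }}`. The same input and condition are added to `Image.yaml`, `Release.yaml` and `Tests.yaml` in this commit; the key mixes kebab-case and snake_case (`is-workflow_call`) unlike the surrounding inputs.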
@@ -40,6 +40,10 @@ on: required: true type: boolean default: false + is-workflow_call: + description: 'Flag to indicate if this is a workflow call' + type: boolean + default: true env: VULNERABILITY_REPORT_SUFFIX: ".vulnerability-report.json" @@ -96,7 +100,7 @@ jobs: - name: Validate access to triggered image uses: ./.github/actions/validate-access - if: github.event_name != 'workflow_call' + if: ${{ !inputs.is-workflow_call }} with: admin-only: true image-path: ${{ steps.validate-image.outputs.img-path }} diff --git a/.github/workflows/Release.yaml b/.github/workflows/Release.yaml index 5be5d9d1..14069119 100644 --- a/.github/workflows/Release.yaml +++ b/.github/workflows/Release.yaml @@ -26,6 +26,10 @@ on: description: 'Cache key (to fetch image trigger from cache)' required: false type: string + is-workflow_call: + description: 'Flag to indicate if this is a workflow call' + type: boolean + default: true jobs: validate-push-release-request: @@ -41,7 +45,7 @@ jobs: - name: Validate access to triggered image uses: ./.github/actions/validate-access - if: github.event_name != 'workflow_call' + if: ${{ !inputs.is-workflow_call }} with: admin-only: true image-path: "oci/${{ inputs.oci-image-name }}" diff --git a/.github/workflows/Tests.yaml b/.github/workflows/Tests.yaml index 43041ba2..364e84d1 100644 --- a/.github/workflows/Tests.yaml +++ b/.github/workflows/Tests.yaml @@ -26,6 +26,10 @@ on: required: false type: string default: '.vulnerability-report.json' + is-workflow_call: + description: 'Flag to indicate if this is a workflow call' + type: boolean + default: true workflow_dispatch: inputs: oci-image-name: 
@@ -70,10 +74,10 @@ jobs: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 - if: github.event_name != 'workflow_call' + if: ${{ !inputs.is-workflow_call }} - name: Validate access to triggered image uses: ./.github/actions/validate-access - if: github.event_name != 'workflow_call' + if: ${{ !inputs.is-workflow_call }} with: admin-only: true image-path: ${{ inputs.oci-image-path }} From cc9c627a271e3b371278dd92b402db6416fa62cc Mon Sep 17 00:00:00 2001 From: zhijie-yang Date: Fri, 9 Aug 2024 10:35:35 +0000 Subject: [PATCH 15/34] ci: automatically update oci/mock-rock/_releases.json, from https://github.com/canonical/oci-factory/actions/runs/10317508570 --- oci/mock-rock/_releases.json | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/oci/mock-rock/_releases.json b/oci/mock-rock/_releases.json index bd38286e..476fd668 100644 --- a/oci/mock-rock/_releases.json +++ b/oci/mock-rock/_releases.json @@ -13,13 +13,13 @@ }, "1.0-22.04": { "candidate": { - "target": "418" + "target": "421" }, "beta": { - "target": "418" + "target": "421" }, "edge": { - "target": "418" + "target": "421" }, "end-of-life": "2025-05-01T00:00:00Z" }, @@ -35,31 +35,31 @@ "1.1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "419" + "target": "422" }, "beta": { - "target": "419" + "target": "422" }, "edge": { - "target": "419" + "target": "422" } }, "1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "419" + "target": "422" }, "beta": { - "target": "419" + "target": "422" }, "edge": { - "target": "419" + "target": "422" } }, "1.2-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "beta": { - "target": "420" + "target": "423" }, "edge": { "target": "1.2-22.04_beta" From bb687ad051e3d4f90cb5f7748901d3102599f1bb Mon Sep 17 00:00:00 2001 
From: Zhijie Yang Date: Tue, 13 Aug 2024 16:38:58 +0200 Subject: [PATCH 16/34] feat(ci): move action out as shell script --- .github/actions/validate-access/action.yaml | 27 +--------------- .../validate-access/validate-access.sh | 32 +++++++++++++++++++ 2 files changed, 33 insertions(+), 26 deletions(-) create mode 100755 .github/actions/validate-access/validate-access.sh diff --git a/.github/actions/validate-access/action.yaml b/.github/actions/validate-access/action.yaml index 15614e8b..8c0d801d 100644 --- a/.github/actions/validate-access/action.yaml +++ b/.github/actions/validate-access/action.yaml 
@@ -25,29 +25,4 @@ runs:
 shell: bash
 env:
 GH_TOKEN: ${{ inputs.github-token }}
- run: |
- echo "github.actor: ${{ github.actor }}"
- echo "admin-only: ${{ inputs.admin-only }}"
- if [[ ${{ inputs.admin-only }} == true ]]; then
- echo "Expanding team mentions in the CODEOWNERS file"
- teams=$(grep -oE '@[[:alnum:]_.-]+\/[[:alnum:]_.-]+' ${{ github.workspace }}/CODEOWNERS || true | sort | uniq)
-
- for team in $teams; do
- org=$(echo $team | cut -d'/' -f1 | sed 's/@//')
- team_name=$(echo $team | cut -d'/' -f2)
- members=$(gh api "/orgs/$org/teams/$team_name/members" | jq -r '.[].login')
- replacement=$(echo "$members" | xargs -I {} echo -n "@{} " | awk '{$1=$1};1')
- sed -i "s|$team|$replacement|g" ${{ github.workspace }}/CODEOWNERS
- done
-
- if grep -wq "@${{ github.actor }}" ${{ github.workspace }}/CODEOWNERS; then
- echo "The workflow is triggered by ${{ github.actor }} as the code owner"
- elif cat ${{ github.workspace }}/${{ inputs.image-path }}/contacts.yaml | yq ".maintainers" | grep "\- " | grep -wq "${{ github.actor }}"; then
- echo "The workflow is triggered by ${{ github.actor }} as a maintainer of the image ${{ inputs.image-path }}"
- else
- echo "The workflow is triggered by a user neither as a code owner nor a maintainer of the image ${{ inputs.image-path }}"
- exit 1
- fi
- else
- echo "The workflow is not restricted to non-code-owner or non-maintainer users"
- fi
+ run: ./.github/actions/validate-access/validate-access.sh ${{ github.actor }} ${{ inputs.admin-only }} ${{ github.workspace }} ${{ inputs.image-path }}
diff --git a/.github/actions/validate-access/validate-access.sh b/.github/actions/validate-access/validate-access.sh
new file mode 100755
index 00000000..6a4d093a
--- /dev/null
+++ b/.github/actions/validate-access/validate-access.sh
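Review bot: The new `run:` line splices `${{ inputs.image-path }}` and the other expressions straight into the shell command text, so a value containing whitespace or shell metacharacters is parsed as part of the command instead of being passed as one argument; GitHub's guidance for `run` steps is to hand such values over through `env:` and quote them. Add `IMAGE_PATH: ${{ inputs.image-path }}` and `ADMIN_ONLY: ${{ inputs.admin-only }}` next to the existing `GH_TOKEN` entry and call `run: ./.github/actions/validate-access/validate-access.sh "$GITHUB_ACTOR" "$ADMIN_ONLY" "$GITHUB_WORKSPACE" "$IMAGE_PATH"`. The enclosing `runs:` step list starts outside the hunk.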
@@ -0,0 +1,32 @@
+#!/bin/bash -e
+
+actor=$1
+admin_only=$2
+workspace=$3
+image_path=$4
+
+echo "github.actor: ${actor}"
+echo "admin-only: ${admin_only}"
+if [[ ${admin_only} == true ]]; then
+ echo "Expanding team mentions in the CODEOWNERS file"
+ teams=$(grep -oE '@[[:alnum:]_.-]+\/[[:alnum:]_.-]+' ${workspace}/CODEOWNERS || true | sort | uniq)
+
+ for team in ${teams}; do
+ org=$(echo ${team} | cut -d'/' -f1 | sed 's/@//')
+ team_name=$(echo ${team} | cut -d'/' -f2)
+ members=$(gh api "/orgs/${org}/teams/${team_name}/members" | jq -r '.[].login')
+ replacement=$(echo "${members}" | xargs -I {} echo -n "@{} " | awk '{$1=$1};1')
+ sed -i "s|${team}|${replacement}|g" ${workspace}/CODEOWNERS
+ done
+
+ if grep -wq "@${actor}" ${workspace}/CODEOWNERS; then
+ echo "The workflow is triggered by ${actor} as the code owner"
+ elif cat ${workspace}/${image_path}/contacts.yaml | yq ".maintainers" | grep "\- " | grep -wq "${actor}"; then
+ echo "The workflow is triggered by ${actor} as a maintainer of the image ${image_path}"
+ else
+ echo "The workflow is triggered by a user neither as a code owner nor a maintainer of the image ${image_path}"
+ exit 1
+ fi
+else
+ echo "The workflow is not restricted to non-code-owner or non-maintainer users"
+fi
From 295b95f821ca92a35f2c68a7b0993141e9aabb78 Mon Sep 17 00:00:00 2001
From: Zhijie Yang
Date: Wed, 14 Aug 2024 14:34:55 +0200
Subject: [PATCH 17/34] test(ci): add tests for validate-access action
---
.../validate-access/test-validate-access.bats | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100755 .github/actions/validate-access/test-validate-access.bats
diff --git a/.github/actions/validate-access/test-validate-access.bats b/.github/actions/validate-access/test-validate-access.bats
new file mode 100755
index 00000000..e47b348b
--- /dev/null
+++ b/.github/actions/validate-access/test-validate-access.bats
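Review bot: `grep -wq "@${actor}"` is too permissive for an authorization check: `-w` treats `-` as a word boundary, so an actor whose login is a hyphen-delimited prefix of an owner's login matches — with the bats fixture `* @code-owner`, actor `code` is reported as the code owner — and the same applies to `grep -wq "${actor}"` against the maintainers list, which additionally interprets the login as a regex. Comment lines in CODEOWNERS are searched as well, and `|| true | sort | uniq` binds as `grep ... || (true | sort | uniq)`, so the dedup never touches grep's output (harmless, but misleading). The rewrite below tokenises the owners after team expansion and compares whole tokens with `grep -Fxq`, skips comment lines, quotes the path expansions, and reads maintainers with `yq '.maintainers[]'` (assuming the mikefarah yq v4 the workflows install and a list of plain logins as the fixture shows). Separately, `gh api .../members` returns only the first page of members unless `--paginate` is given, which fails closed for larger teams.
```shell
# … unchanged: argument assignment, echo lines and the admin_only guard …
  teams=$(grep -v '^[[:space:]]*#' "${workspace}/CODEOWNERS" | grep -oE '@[[:alnum:]_.-]+/[[:alnum:]_.-]+' | sort -u || true)
# … unchanged: team expansion loop (add --paginate to the gh api call) …
  owners=$(grep -v '^[[:space:]]*#' "${workspace}/CODEOWNERS" | grep -oE '@[[:alnum:]_.-]+' || true)
  if printf '%s\n' "${owners}" | grep -Fxq -- "@${actor}"; then
    echo "The workflow is triggered by ${actor} as the code owner"
  elif yq '.maintainers[]' "${workspace}/${image_path}/contacts.yaml" | grep -Fxq -- "${actor}"; then
    echo "The workflow is triggered by ${actor} as a maintainer of the image ${image_path}"
# … unchanged: else branch and closing fi …
```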
@@ -0,0 +1,46 @@
+#!/usr/bin/env bats
+
+SOURCE_DIR=$(dirname -- "${BASH_SOURCE[0]}")
+
+setup() {
+ workdir=$(mktemp -d)
+ mkdir -p $workdir/img
+ echo -n "* @code-owner" > $workdir/CODEOWNERS
+ echo -e "maintainers:\n - maintainer" > $workdir/img/contacts.yaml
+}
+
+@test "blocks non-code-owner-non-maintainer user" {
+ {
+ output=$(${BATS_TEST_DIRNAME}/validate-access.sh "random" "true" $workdir "img" 2>&1)
+ exit_status=$?
+ } || true
+ [[ $exit_status -eq 1 ]]
+ [[ $(echo "${output}"| tail -n 1) = "The workflow is triggered by a user neither as a code owner nor a maintainer of the image img" ]]
+}
+
+@test "allows code owner" {
+ output=$(${BATS_TEST_DIRNAME}/validate-access.sh "code-owner" "true" $workdir "img" 2>&1)
+ [[ $(echo "${output}"| tail -n 1) = "The workflow is triggered by code-owner as the code owner" ]]
+}
+
+@test "allows image maintainer" {
+ output=$(${BATS_TEST_DIRNAME}/validate-access.sh "maintainer" "true" $workdir "img")
+ [[ $(echo "${output}"| tail -n 1) = "The workflow is triggered by maintainer as a maintainer of the image img" ]]
+}
+
+@test "allows non-code-owner-non-maintainer user" {
+ output=$(${BATS_TEST_DIRNAME}/validate-access.sh "random" "false" $workdir "img")
+ [[ $(echo "${output}"| tail -n 1) = "The workflow is not restricted to non-code-owner or non-maintainer users" ]]
+}
+
+@test "user as both code-owner and maintainer is triggered as code owner" {
+ echo -n " @maintainer" >> $workdir/CODEOWNERS
+ output=$(${BATS_TEST_DIRNAME}/validate-access.sh "maintainer" "true" $workdir "img")
+ [[ $(echo "${output}"| tail -n 1) = "The workflow is triggered by maintainer as the code owner" ]]
+}
+
+@test "teams are expanded to team members" {
+ echo -n "@canonical/rocks" >> $workdir/CODEOWNERS
+ output=$(${BATS_TEST_DIRNAME}/validate-access.sh "ROCKsBot" "true" $workdir "img")
+ [[ $(echo "${output}"| tail -n 1) = "The workflow is triggered by ROCKsBot as the code owner" ]]
+}
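Review bot: The suite has no case for an actor whose login is a hyphen-delimited prefix of an owner's login, which is exactly where the `grep -w` in validate-access.sh is permissive: with the fixture `* @code-owner`, `${BATS_TEST_DIRNAME}/validate-access.sh "code" "true" $workdir "img"` exits 0 and reports the actor as the code owner, so a test running it via bats' `run` and asserting `[[ $status -eq 1 ]]` would fail today and pin the intended behaviour once the script is tightened. The `teams are expanded to team members` case needs network access and a token for `gh api`, which nothing in the file says; a comment on that test stating the requirement would help anyone running the suite locally. `setup()` creates a fresh temp directory per test but there is no `teardown() { rm -rf "$workdir"; }`, so the directories accumulate.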
From a2e47a7ec8499cd5081d1e2051d32c88466a77f2 Mon Sep 17 00:00:00 2001 From: Zhijie Yang Date: Wed, 14 Aug 2024 14:51:08 +0200 Subject: [PATCH 18/34] chore: update _test workflow trigger path --- .github/workflows/_Test-OCI-Factory.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/_Test-OCI-Factory.yaml b/.github/workflows/_Test-OCI-Factory.yaml index c283a989..ba20ece0 100644 --- a/.github/workflows/_Test-OCI-Factory.yaml +++ b/.github/workflows/_Test-OCI-Factory.yaml @@ -4,7 +4,7 @@ on: push: paths: - ".github/workflows/*" - - ".github/actions/*" + - ".github/actions/**" - "!.github/workflows/CLA-Check.yaml" - "!.github/workflows/PR-Validator.yaml" - "!.github/workflows/_Auto-updates.yaml" From 306278248b5ff814200986cd8d3bcdfc2665d4ea Mon Sep 17 00:00:00 2001 From: zhijie-yang Date: Wed, 14 Aug 2024 13:22:59 +0000 Subject: [PATCH 19/34] ci: automatically update oci/mock-rock/_releases.json, from https://github.com/canonical/oci-factory/actions/runs/10387911018 --- oci/mock-rock/_releases.json | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/oci/mock-rock/_releases.json b/oci/mock-rock/_releases.json index 476fd668..e226d599 100644 --- a/oci/mock-rock/_releases.json +++ b/oci/mock-rock/_releases.json @@ -13,13 +13,13 @@ }, "1.0-22.04": { "candidate": { - "target": "421" + "target": "427" }, "beta": { - "target": "421" + "target": "427" }, "edge": { - "target": "421" + "target": "427" }, "end-of-life": "2025-05-01T00:00:00Z" }, 
@@ -35,31 +35,31 @@ "1.1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "422" + "target": "428" }, "beta": { - "target": "422" + "target": "428" }, "edge": { - "target": "422" + "target": "428" } }, "1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "422" + "target": "428" }, "beta": { - "target": "422" + "target": "428" }, "edge": { - "target": "422" + "target": "428" } }, "1.2-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "beta": { - "target": "423" + "target": "429" }, "edge": { "target": "1.2-22.04_beta" From 1233b66fb99b7801cf78137653667c385aae7032 Mon Sep 17 00:00:00 2001 From: Zhijie Yang Date: Tue, 20 Aug 2024 18:21:33 +0200 Subject: [PATCH 20/34] chore: change to code reviews --- .../{validate-access => validate-actor}/action.yaml | 6 +++--- .../test-validate-actor.bats} | 12 ++++++------ .../validate-actor.sh} | 0 .github/workflows/Documentation.yaml | 3 +-- .github/workflows/Image.yaml | 2 +- .github/workflows/Release.yaml | 2 +- .github/workflows/Tests.yaml | 2 +- .github/workflows/_Test-OCI-Factory.yaml | 2 +- 8 files changed, 14 insertions(+), 15 deletions(-) rename .github/actions/{validate-access => validate-actor}/action.yaml (73%) rename .github/actions/{validate-access/test-validate-access.bats => validate-actor/test-validate-actor.bats} (72%) rename .github/actions/{validate-access/validate-access.sh => validate-actor/validate-actor.sh} (100%) diff --git a/.github/actions/validate-access/action.yaml b/.github/actions/validate-actor/action.yaml similarity index 73% rename from .github/actions/validate-access/action.yaml rename to .github/actions/validate-actor/action.yaml index 8c0d801d..7aed9807 100644 --- a/.github/actions/validate-access/action.yaml +++ b/.github/actions/validate-actor/action.yaml 
@@ -15,7 +15,7 @@ inputs: description: 'The path to the image to be built' required: true github-token: - description: 'The GH_TOKEN for the GitHub CLI' + description: 'The GITHUB_TOKEN for the GitHub CLI' required: true runs: @@ -24,5 +24,5 @@ runs: - name: Check if the workflow is triggered by an admin user shell: bash env: - GH_TOKEN: ${{ inputs.github-token }} - run: ./.github/actions/validate-access/validate-access.sh ${{ github.actor }} ${{ inputs.admin-only }} ${{ github.workspace }} ${{ inputs.image-path }} + GITHUB_TOKEN: ${{ inputs.github-token }} + run: ./.github/actions/validate-actor/validate-actor.sh ${{ github.actor }} ${{ inputs.admin-only }} ${{ github.workspace }} ${{ inputs.image-path }} diff --git a/.github/actions/validate-access/test-validate-access.bats b/.github/actions/validate-actor/test-validate-actor.bats similarity index 72% rename from .github/actions/validate-access/test-validate-access.bats rename to .github/actions/validate-actor/test-validate-actor.bats index e47b348b..d7595609 100755 --- a/.github/actions/validate-access/test-validate-access.bats +++ b/.github/actions/validate-actor/test-validate-actor.bats @@ -11,7 +11,7 @@ setup() { @test "blocks non-code-owner-non-maintainer user" { { - output=$(${BATS_TEST_DIRNAME}/validate-access.sh "random" "true" $workdir "img" 2>&1) + output=$(${BATS_TEST_DIRNAME}/validate-actor.sh "random" "true" $workdir "img" 2>&1) exit_status=$? } || true [[ $exit_status -eq 1 ]] 
@@ -19,28 +19,28 @@ setup() { } @test "allows code owner" { - output=$(${BATS_TEST_DIRNAME}/validate-access.sh "code-owner" "true" $workdir "img" 2>&1) + output=$(${BATS_TEST_DIRNAME}/validate-actor.sh "code-owner" "true" $workdir "img" 2>&1) [[ $(echo "${output}"| tail -n 1) = "The workflow is triggered by code-owner as the code owner" ]] } @test "allows image maintainer" { - output=$(${BATS_TEST_DIRNAME}/validate-access.sh "maintainer" "true" $workdir "img") + output=$(${BATS_TEST_DIRNAME}/validate-actor.sh "maintainer" "true" $workdir "img") [[ $(echo "${output}"| tail -n 1) = "The workflow is triggered by maintainer as a maintainer of the image img" ]] } @test "allows non-code-owner-non-maintainer user" { - output=$(${BATS_TEST_DIRNAME}/validate-access.sh "random" "false" $workdir "img") + output=$(${BATS_TEST_DIRNAME}/validate-actor.sh "random" "false" $workdir "img") [[ $(echo "${output}"| tail -n 1) = "The workflow is not restricted to non-code-owner or non-maintainer users" ]] } @test "user as both code-owner and maintainer is triggered as code owner" { echo -n " @maintainer" >> $workdir/CODEOWNERS - output=$(${BATS_TEST_DIRNAME}/validate-access.sh "maintainer" "true" $workdir "img") + output=$(${BATS_TEST_DIRNAME}/validate-actor.sh "maintainer" "true" $workdir "img") [[ $(echo "${output}"| tail -n 1) = "The workflow is triggered by maintainer as the code owner" ]] } @test "teams are expanded to team members" { echo -n "@canonical/rocks" >> $workdir/CODEOWNERS - output=$(${BATS_TEST_DIRNAME}/validate-access.sh "ROCKsBot" "true" $workdir "img") + output=$(${BATS_TEST_DIRNAME}/validate-actor.sh "ROCKsBot" "true" $workdir "img") [[ $(echo "${output}"| tail -n 1) = "The workflow is triggered by ROCKsBot as the code owner" ]] } 
diff --git a/.github/actions/validate-access/validate-access.sh b/.github/actions/validate-actor/validate-actor.sh similarity index 100% rename from .github/actions/validate-access/validate-access.sh rename to .github/actions/validate-actor/validate-actor.sh diff --git a/.github/workflows/Documentation.yaml b/.github/workflows/Documentation.yaml index 38833d8a..39780cbe 100644 --- a/.github/workflows/Documentation.yaml +++ b/.github/workflows/Documentation.yaml @@ -36,7 +36,6 @@ jobs: validate-documentation-request: runs-on: ubuntu-22.04 name: Validate documentation request - # needs: [access-check] outputs: oci-img-path: ${{ steps.validate-image.outputs.img-path }} oci-img-name: ${{ steps.validate-image.outputs.img-name }} @@ -48,7 +47,7 @@ jobs: - uses: actions/checkout@v4 - name: Validate access to triggered image - uses: ./.github/actions/validate-access + uses: ./.github/actions/validate-actor if: ${{ !inputs.is-workflow_call }} with: admin-only: true diff --git a/.github/workflows/Image.yaml b/.github/workflows/Image.yaml index dd4a86a9..da27f755 100644 --- a/.github/workflows/Image.yaml +++ b/.github/workflows/Image.yaml @@ -99,7 +99,7 @@ jobs: echo "img-path=${img_path}" >> "$GITHUB_OUTPUT" - name: Validate access to triggered image - uses: ./.github/actions/validate-access + uses: ./.github/actions/validate-actor if: ${{ !inputs.is-workflow_call }} with: admin-only: true diff --git a/.github/workflows/Release.yaml b/.github/workflows/Release.yaml index 14069119..dd1ecf81 100644 --- a/.github/workflows/Release.yaml +++ b/.github/workflows/Release.yaml @@ -44,7 +44,7 @@ jobs: - uses: actions/checkout@v4 - name: Validate access to triggered image - uses: ./.github/actions/validate-access + uses: ./.github/actions/validate-actor if: ${{ !inputs.is-workflow_call }} with: admin-only: true diff --git a/.github/workflows/Tests.yaml b/.github/workflows/Tests.yaml index 364e84d1..df9b1b80 100644 --- a/.github/workflows/Tests.yaml +++ b/.github/workflows/Tests.yaml 
@@ -76,7 +76,7 @@ jobs: - uses: actions/checkout@v4 if: ${{ !inputs.is-workflow_call }} - name: Validate access to triggered image - uses: ./.github/actions/validate-access + uses: ./.github/actions/validate-actor if: ${{ !inputs.is-workflow_call }} with: admin-only: true diff --git a/.github/workflows/_Test-OCI-Factory.yaml b/.github/workflows/_Test-OCI-Factory.yaml index ba20ece0..6f362de9 100644 --- a/.github/workflows/_Test-OCI-Factory.yaml +++ b/.github/workflows/_Test-OCI-Factory.yaml @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 - - uses: ./.github/actions/validate-access + - uses: ./.github/actions/validate-actor with: admin-only: true image-path: "oci/mock-rock" From b5493b14fba6120c1cb470aa14e8c3777bd5acd8 Mon Sep 17 00:00:00 2001 From: zhijie-yang Date: Tue, 20 Aug 2024 19:38:41 +0000 Subject: [PATCH 21/34] ci: automatically update oci/mock-rock/_releases.json, from https://github.com/canonical/oci-factory/actions/runs/10475388993 --- oci/mock-rock/_releases.json | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/oci/mock-rock/_releases.json b/oci/mock-rock/_releases.json index e226d599..b5f7a79e 100644 --- a/oci/mock-rock/_releases.json +++ b/oci/mock-rock/_releases.json @@ -13,13 +13,13 @@ }, "1.0-22.04": { "candidate": { - "target": "427" + "target": "430" }, "beta": { - "target": "427" + "target": "430" }, "edge": { - "target": "427" + "target": "430" }, "end-of-life": "2025-05-01T00:00:00Z" }, 
@@ -35,31 +35,31 @@ "1.1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "428" + "target": "431" }, "beta": { - "target": "428" + "target": "431" }, "edge": { - "target": "428" + "target": "431" } }, "1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "428" + "target": "431" }, "beta": { - "target": "428" + "target": "431" }, "edge": { - "target": "428" + "target": "431" } }, "1.2-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "beta": { - "target": "429" + "target": "432" }, "edge": { "target": "1.2-22.04_beta" From 351cf4d74eaa09cc94dd6209c973200af16cbc81 Mon Sep 17 00:00:00 2001 From: Zhijie Yang Date: Wed, 21 Aug 2024 18:28:33 +0200 Subject: [PATCH 22/34] feat: add repository as condition --- .github/workflows/Announcements.yaml | 9 ++++++++- .github/workflows/Build-Rock.yaml | 9 +++++++++ .github/workflows/Documentation.yaml | 6 +----- .github/workflows/Image.yaml | 6 +----- .github/workflows/Release.yaml | 6 +----- .github/workflows/Tests.yaml | 9 ++------- .github/workflows/Vulnerability-Scan.yaml | 8 ++++++++ 7 files changed, 30 insertions(+), 23 deletions(-) diff --git a/.github/workflows/Announcements.yaml b/.github/workflows/Announcements.yaml index 09999dcc..c379700a 100644 --- a/.github/workflows/Announcements.yaml +++ b/.github/workflows/Announcements.yaml @@ -33,6 +33,14 @@ jobs: fi done + - name: Validate access to triggered image + uses: ./.github/actions/validate-actor + if: ${{ github.repository == 'canonical/oci-factory' }} + with: + admin-only: true + image-path: "oci/${{ steps.get-image-name.outputs.img-name }}" + github-token: ${{ secrets.ROCKSBOT_TOKEN }} + - name: Get contacts for ${{ steps.get-image-name.outputs.img-name }} id: get-contacts working-directory: oci/${{ steps.get-image-name.outputs.img-name }} @@ -104,4 +112,3 @@ jobs: do MM_CHANNEL_ID="${channel}" ./src/notifications/send_to_mattermost.sh done - 
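Review bot: The new `if: ${{ github.repository == 'canonical/oci-factory' }}` on the validate-actor step silently turns the actor check off in every fork or renamed copy of the repository, and nothing in the hunk says why that is acceptable; presumably forks lack `ROCKSBOT_TOKEN` and the org team data the action expands, but that reasoning should be recorded. A comment on the step such as `# Actor validation only works in the canonical repo: it needs ROCKSBOT_TOKEN and canonical org team membership` would preserve it. The same condition is introduced in the Build-Rock, Documentation, Image, Release, Tests and Vulnerability-Scan hunks on the following three lines.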
diff --git a/.github/workflows/Build-Rock.yaml b/.github/workflows/Build-Rock.yaml index 495c8650..ea59a31c 100644 --- a/.github/workflows/Build-Rock.yaml +++ b/.github/workflows/Build-Rock.yaml @@ -50,6 +50,15 @@ jobs: run: | git clone ${{ inputs.rock-repo }} . - run: git checkout ${{ inputs.rock-repo-commit }} + + - name: Validate access to triggered image + uses: ./.github/actions/validate-actor + if: ${{ github.repository == 'canonical/oci-factory' }} + with: + admin-only: true + image-path: ${{ inputs.oci-factory-path }} + github-token: ${{ secrets.ROCKSBOT_TOKEN }} + - run: sudo snap install yq --channel=v4/stable - name: Validate image naming and base working-directory: ${{ inputs.rockfile-directory }} diff --git a/.github/workflows/Documentation.yaml b/.github/workflows/Documentation.yaml index 39780cbe..adadc226 100644 --- a/.github/workflows/Documentation.yaml +++ b/.github/workflows/Documentation.yaml @@ -27,10 +27,6 @@ on: description: 'Commit SHA containing the updated _releases.json' required: true type: string - is-workflow_call: - description: 'Flag to indicate if this is a workflow call' - type: boolean - default: true jobs: validate-documentation-request: @@ -48,7 +44,7 @@ jobs: - name: Validate access to triggered image uses: ./.github/actions/validate-actor - if: ${{ !inputs.is-workflow_call }} + if: ${{ github.repository == 'canonical/oci-factory' }} with: admin-only: true image-path: "oci/${{ inputs.oci-image-name }}" diff --git a/.github/workflows/Image.yaml b/.github/workflows/Image.yaml index da27f755..6008f8ec 100644 --- a/.github/workflows/Image.yaml +++ b/.github/workflows/Image.yaml @@ -40,10 +40,6 @@ on: required: true type: boolean default: false - is-workflow_call: - description: 'Flag to indicate if this is a workflow call' - type: boolean - default: true env: VULNERABILITY_REPORT_SUFFIX: ".vulnerability-report.json" 
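Review bot: The validate-actor step is inserted directly after `git clone ${{ inputs.rock-repo }} .`, and validate-actor.sh reads `CODEOWNERS` and `<image-path>/contacts.yaml` relative to `github.workspace`; which checkout occupies the workspace at that point is not visible in the hunk. If it is the cloned rock repository, the authorization data would come from the repository being built rather than from oci-factory, i.e. from the party being checked; if an oci-factory checkout is still in place the step is fine but the ordering constraint is unwritten. A one-line comment above the step naming the tree the script must consult, e.g. `# Must run against the oci-factory checkout: the script reads CODEOWNERS and contacts.yaml from github.workspace`, would make that explicit. The job body continues outside the hunk.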
@@ -100,7 +96,7 @@ jobs: - name: Validate access to triggered image uses: ./.github/actions/validate-actor - if: ${{ !inputs.is-workflow_call }} + if: ${{ github.repository == 'canonical/oci-factory' }} with: admin-only: true image-path: ${{ steps.validate-image.outputs.img-path }} diff --git a/.github/workflows/Release.yaml b/.github/workflows/Release.yaml index dd1ecf81..0cebbe75 100644 --- a/.github/workflows/Release.yaml +++ b/.github/workflows/Release.yaml @@ -26,10 +26,6 @@ on: description: 'Cache key (to fetch image trigger from cache)' required: false type: string - is-workflow_call: - description: 'Flag to indicate if this is a workflow call' - type: boolean - default: true jobs: validate-push-release-request: @@ -45,7 +41,7 @@ jobs: - name: Validate access to triggered image uses: ./.github/actions/validate-actor - if: ${{ !inputs.is-workflow_call }} + if: ${{ github.repository == 'canonical/oci-factory' }} with: admin-only: true image-path: "oci/${{ inputs.oci-image-name }}" diff --git a/.github/workflows/Tests.yaml b/.github/workflows/Tests.yaml index df9b1b80..d71a3f0d 100644 --- a/.github/workflows/Tests.yaml +++ b/.github/workflows/Tests.yaml @@ -26,10 +26,6 @@ on: required: false type: string default: '.vulnerability-report.json' - is-workflow_call: - description: 'Flag to indicate if this is a workflow call' - type: boolean - default: true workflow_dispatch: inputs: oci-image-name: @@ -73,11 +69,10 @@ jobs: access-check: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 - if: ${{ !inputs.is-workflow_call }} + - uses: actions/checkout@v4 - name: Validate access to triggered image uses: ./.github/actions/validate-actor - if: ${{ !inputs.is-workflow_call }} + if: ${{ github.repository == 'canonical/oci-factory' }} with: admin-only: true image-path: ${{ inputs.oci-image-path }} diff --git a/.github/workflows/Vulnerability-Scan.yaml b/.github/workflows/Vulnerability-Scan.yaml index fb94c993..c9eba77f 100644 
--- a/.github/workflows/Vulnerability-Scan.yaml +++ b/.github/workflows/Vulnerability-Scan.yaml @@ -43,6 +43,14 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Validate access to triggered image + uses: ./.github/actions/validate-actor + if: ${{ github.repository == 'canonical/oci-factory' }} + with: + admin-only: true + image-path: ${{ inputs.oci-image-path }} + github-token: ${{ secrets.ROCKSBOT_TOKEN }} + - id: vulnerability-report run: | full_name="${{ inputs.oci-image-name }}${{ inputs.vulnerability-report-suffix }}" From 0df4aa2dbe5ee87138560b9cfceb0cc542f018ab Mon Sep 17 00:00:00 2001 From: Zhijie Yang Date: Wed, 21 Aug 2024 18:34:12 +0200 Subject: [PATCH 23/34] fix: validate for build rock --- .github/workflows/Build-Rock.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/Build-Rock.yaml b/.github/workflows/Build-Rock.yaml index ea59a31c..c2d46ea7 100644 --- a/.github/workflows/Build-Rock.yaml +++ b/.github/workflows/Build-Rock.yaml @@ -49,7 +49,6 @@ jobs: if: ${{ steps.clone-image-repo.outcome == 'failure' }} run: | git clone ${{ inputs.rock-repo }} . - - run: git checkout ${{ inputs.rock-repo-commit }} - name: Validate access to triggered image uses: ./.github/actions/validate-actor @@ -59,6 +58,8 @@ jobs: image-path: ${{ inputs.oci-factory-path }} github-token: ${{ secrets.ROCKSBOT_TOKEN }} + - run: git checkout ${{ inputs.rock-repo-commit }} + - run: sudo snap install yq --channel=v4/stable - name: Validate image naming and base working-directory: ${{ inputs.rockfile-directory }} From a5bb19854bb6423f3790d390839cd0a7597435b4 Mon Sep 17 00:00:00 2001 From: Zhijie Yang Date: Wed, 21 Aug 2024 18:38:19 +0200 Subject: [PATCH 24/34] fix: preserve original CODEOWNER --- .../actions/validate-actor/validate-actor.sh | 21 +++++++++++-------- .github/workflows/Build-Rock.yaml | 2 +- 2 files changed, 13 insertions(+), 10 deletions(-) 
diff --git a/.github/actions/validate-actor/validate-actor.sh b/.github/actions/validate-actor/validate-actor.sh index 6a4d093a..d0b49efa 100755 --- a/.github/actions/validate-actor/validate-actor.sh +++ b/.github/actions/validate-actor/validate-actor.sh 
@@ -9,24 +9,27 @@ echo "github.actor: ${actor}"
 echo "admin-only: ${admin_only}"
 if [[ ${admin_only} == true ]]; then
 echo "Expanding team mentions in the CODEOWNERS file"
+ cp ${workspace}/CODEOWNERS ${workspace}/CODEOWNERS.bak
 teams=$(grep -oE '@[[:alnum:]_.-]+\/[[:alnum:]_.-]+' ${workspace}/CODEOWNERS || true | sort | uniq)
 
 for team in ${teams}; do
- org=$(echo ${team} | cut -d'/' -f1 | sed 's/@//')
- team_name=$(echo ${team} | cut -d'/' -f2)
- members=$(gh api "/orgs/${org}/teams/${team_name}/members" | jq -r '.[].login')
- replacement=$(echo "${members}" | xargs -I {} echo -n "@{} " | awk '{$1=$1};1')
- sed -i "s|${team}|${replacement}|g" ${workspace}/CODEOWNERS
+ org=$(echo ${team} | cut -d'/' -f1 | sed 's/@//')
+ team_name=$(echo ${team} | cut -d'/' -f2)
+ members=$(gh api "/orgs/${org}/teams/${team_name}/members" | jq -r '.[].login')
+ replacement=$(echo "${members}" | xargs -I {} echo -n "@{} " | awk '{$1=$1};1')
+ sed -i "s|${team}|${replacement}|g" ${workspace}/CODEOWNERS
 done
 
 if grep -wq "@${actor}" ${workspace}/CODEOWNERS; then
- echo "The workflow is triggered by ${actor} as the code owner"
+ echo "The workflow is triggered by ${actor} as the code owner"
 elif cat ${workspace}/${image_path}/contacts.yaml | yq ".maintainers" | grep "\- " | grep -wq "${actor}"; then
- echo "The workflow is triggered by ${actor} as a maintainer of the image ${image_path}"
+ echo "The workflow is triggered by ${actor} as a maintainer of the image ${image_path}"
 else
- echo "The workflow is triggered by a user neither as a code owner nor a maintainer of the image ${image_path}"
- exit 1
+ echo "The workflow is triggered by a user neither as a code owner nor a maintainer of the image ${image_path}"
+ exit 1
 fi
 else
 echo "The workflow is not restricted to non-code-owner or non-maintainer users"
 fi
+
+mv ${workspace}/CODEOWNERS.bak ${workspace}/CODEOWNERS
diff --git a/.github/workflows/Build-Rock.yaml b/.github/workflows/Build-Rock.yaml
index c2d46ea7..b53d4086 100644
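Review bot: The restore `mv ${workspace}/CODEOWNERS.bak ${workspace}/CODEOWNERS` at the end runs unconditionally, but the backup is only created inside the `admin_only == true` branch, so on the unrestricted path `mv` fails on a missing file and, under the script's `#!/bin/bash -e`, the script exits nonzero right after printing that it is not restricted. Conversely, the denial path still does `exit 1` before the `mv`, so the expanded CODEOWNERS is left in place in exactly the case where the workflow stops. Registering the restore once, right after the `cp`, with `trap 'mv -f "${workspace}/CODEOWNERS.bak" "${workspace}/CODEOWNERS"' EXIT` and dropping the trailing `mv` covers both paths and any `-e` abort inside the expansion loop.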
--- a/.github/workflows/Build-Rock.yaml +++ b/.github/workflows/Build-Rock.yaml @@ -58,7 +58,7 @@ jobs: image-path: ${{ inputs.oci-factory-path }} github-token: ${{ secrets.ROCKSBOT_TOKEN }} - - run: git checkout ${{ inputs.rock-repo-commit }} + - run: git checkout ${{ inputs.rock-repo-commit }} - run: sudo snap install yq --channel=v4/stable - name: Validate image naming and base From a6f1f39cdcd35a76c8ff28c8900cfc1512ce2bba Mon Sep 17 00:00:00 2001 From: zhijie-yang Date: Wed, 21 Aug 2024 16:55:37 +0000 Subject: [PATCH 25/34] ci: automatically update oci/mock-rock/_releases.json, from https://github.com/canonical/oci-factory/actions/runs/10493882625 --- oci/mock-rock/_releases.json | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/oci/mock-rock/_releases.json b/oci/mock-rock/_releases.json index b5f7a79e..5cf3480a 100644 --- a/oci/mock-rock/_releases.json +++ b/oci/mock-rock/_releases.json @@ -13,13 +13,13 @@ }, "1.0-22.04": { "candidate": { - "target": "430" + "target": "433" }, "beta": { - "target": "430" + "target": "433" }, "edge": { - "target": "430" + "target": "433" }, "end-of-life": "2025-05-01T00:00:00Z" }, @@ -35,31 +35,31 @@ "1.1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "431" + "target": "434" }, "beta": { - "target": "431" + "target": "434" }, "edge": { - "target": "431" + "target": "434" } }, "1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "431" + "target": "434" }, "beta": { - "target": "431" + "target": "434" }, "edge": { - "target": "431" + "target": "434" } }, "1.2-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "beta": { - "target": "432" + "target": "435" }, "edge": { "target": "1.2-22.04_beta" From df28bae4429b1cbeecad7c91649d5c4106593d4c Mon Sep 17 00:00:00 2001 
From: Zhijie Yang Date: Tue, 10 Sep 2024 17:13:29 +0200 Subject: [PATCH 26/34] feat: add bats test --- .../actions/validate-actor/validate-actor.sh | 7 ++++--- .github/workflows/_Test-OCI-Factory.yaml | 20 +++++++++++++++++++ 2 files changed, 24 insertions(+), 3 deletions(-) diff --git a/.github/actions/validate-actor/validate-actor.sh b/.github/actions/validate-actor/validate-actor.sh index d0b49efa..da2401b4 100755 --- a/.github/actions/validate-actor/validate-actor.sh +++ b/.github/actions/validate-actor/validate-actor.sh @@ -8,6 +8,7 @@ image_path=$4 echo "github.actor: ${actor}" echo "admin-only: ${admin_only}" if [[ ${admin_only} == true ]]; then + exit_status=0 echo "Expanding team mentions in the CODEOWNERS file" cp ${workspace}/CODEOWNERS ${workspace}/CODEOWNERS.bak teams=$(grep -oE '@[[:alnum:]_.-]+\/[[:alnum:]_.-]+' ${workspace}/CODEOWNERS || true | sort | uniq) @@ -26,10 +27,10 @@ if [[ ${admin_only} == true ]]; then echo "The workflow is triggered by ${actor} as a maintainer of the image ${image_path}" else echo "The workflow is triggered by a user neither as a code owner nor a maintainer of the image ${image_path}" - exit 1 + exit_status=1 fi + mv ${workspace}/CODEOWNERS.bak ${workspace}/CODEOWNERS + exit ${exit_status} else echo "The workflow is not restricted to non-code-owner or non-maintainer users" fi - -mv ${workspace}/CODEOWNERS.bak ${workspace}/CODEOWNERS diff --git a/.github/workflows/_Test-OCI-Factory.yaml b/.github/workflows/_Test-OCI-Factory.yaml index b415b57b..6ca47ce4 100644 --- a/.github/workflows/_Test-OCI-Factory.yaml +++ b/.github/workflows/_Test-OCI-Factory.yaml 
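Review bot: Moving the `mv` inside the branch and routing the denial through `exit_status` reaches the restore on both the allow and deny paths, but any command failing under `bash -e` between the `cp` and the `mv` — `sed -i` in the expansion loop, for instance — still aborts before CODEOWNERS is put back. A `trap 'mv -f "${workspace}/CODEOWNERS.bak" "${workspace}/CODEOWNERS"' EXIT` placed right after the `cp` makes the restore unconditional and lets the denial go back to a plain `exit 1` without the `exit_status` bookkeeping. The `if` block that the second hunk edits starts outside it.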
@@ -75,6 +75,26 @@ jobs:
 path: ${{ env.PYTEST_RESULT_PATH }}
 if-no-files-found: error
+ bats-test:
+ # Trigger bash unit tests across the repository
+ name: bats
+ runs-on: ubuntu-22.04
+ steps:
+
+ # Job Setup
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+
+ - name: Install bats
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y bats
+
+ - name: Run bats
+ run: |
+ find ${{ github.workspace }} -name 'test-*.bats' | xargs bats
+
 test-workflows:
 name: Trigger internal tests for mock-rock
 needs: [access-check]
From 2a45d7f4aa684968f9c9c9b2c88add76ca74c440 Mon Sep 17 00:00:00 2001
From: zhijie-yang
Date: Tue, 10 Sep 2024 15:36:15 +0000
Subject: [PATCH 27/34] ci: automatically update oci/mock-rock/_releases.json, from https://github.com/canonical/oci-factory/actions/runs/10795657297
---
 oci/mock-rock/_releases.json | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/oci/mock-rock/_releases.json b/oci/mock-rock/_releases.json
index b8cb2068..0a968990 100644
--- a/oci/mock-rock/_releases.json
+++ b/oci/mock-rock/_releases.json
@@ -13,13 +13,13 @@ }, "1.0-22.04": { "candidate": { - "target": "478" + "target": "521" }, "beta": { - "target": "478" + "target": "521" }, "edge": { - "target": "478" + "target": "521" }, "end-of-life": "2025-05-01T00:00:00Z" },
@@ -35,34 +35,34 @@ "1.1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "479" + "target": "522" }, "beta": { - "target": "479" + "target": "522" }, "edge": { - "target": "479" + "target": "522" } }, "1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "479" + "target": "522" }, "beta": { - "target": "479" + "target": "522" }, "edge": { - "target": "479" + "target": "522" } }, "1.2-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "beta": { - "target": "480" + "target": "523" }, "edge": { "target": "1.2-22.04_beta" } } -} +} \ No newline at end of file
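Review bot: The new `bats-test` job has no `needs: [access-check]`, while the neighbouring `test-workflows` job in the same file is gated on it (visible as context at the end of the hunk), so this job starts before the actor has been validated; add `needs: [access-check]` under `runs-on: ubuntu-22.04`, or, if the job is meant to run ungated, say so in the existing `# Trigger bash unit tests across the repository` comment. In the `Run bats` step, `find ... | xargs bats` invokes bats with no test path at all when no `test-*.bats` file exists and splits on whitespace in paths; `find "${{ github.workspace }}" -name 'test-*.bats' -print0 | xargs -0 --no-run-if-empty bats` covers both. `actions/checkout@v4` follows the tag-pinning convention the rest of the file already uses; pinning to a full commit SHA would make this job's supply chain reproducible, but that is a repo-wide decision rather than something to settle in this hunk.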
From 1bf39e1207048b3ee73fb47b52eb1b2f1221cfa0 Mon Sep 17 00:00:00 2001
From: Zhijie Yang
Date: Tue, 10 Sep 2024 17:39:44 +0200
Subject: [PATCH 28/34] fix: pass token to bats test
---
 .github/workflows/_Test-OCI-Factory.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/_Test-OCI-Factory.yaml b/.github/workflows/_Test-OCI-Factory.yaml
index 6ca47ce4..25e1efb9 100644
--- a/.github/workflows/_Test-OCI-Factory.yaml
+++ b/.github/workflows/_Test-OCI-Factory.yaml
@@ -92,6 +92,8 @@ jobs:
 sudo apt-get install -y bats
 - name: Run bats
+ env:
+ GITHUB_TOKEN: ${{ secrets.ROCKSBOT_TOKEN }}
 run: |
 find ${{ github.workspace }} -name 'test-*.bats' | xargs bats
From dba17b397dba90f931ab5dec81f10e6cb14a2903 Mon Sep 17 00:00:00 2001
From: zhijie-yang
Date: Tue, 10 Sep 2024 15:50:50 +0000
Subject: [PATCH 29/34] ci: automatically update oci/mock-rock/_releases.json, from https://github.com/canonical/oci-factory/actions/runs/10795930496
---
 oci/mock-rock/_releases.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/oci/mock-rock/_releases.json b/oci/mock-rock/_releases.json
index 0a968990..acbe3d7f 100644
--- a/oci/mock-rock/_releases.json
+++ b/oci/mock-rock/_releases.json
@@ -13,13 +13,13 @@ }, "1.0-22.04": { "candidate": { - "target": "521" + "target": "524" }, "beta": { - "target": "521" + "target": "524" }, "edge": { - "target": "521" + "target": "524" }, "end-of-life": "2025-05-01T00:00:00Z" },
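Review bot: `ROCKSBOT_TOKEN` is now exported into a step that executes every `test-*.bats` file `find` turns up under the workspace, so whatever that token is authorised to do becomes available to any test file in the checkout; if the tests only need to read the repository or hit unauthenticated API endpoints, `GITHUB_TOKEN: ${{ github.token }}` plus a job-level `permissions:` block bounds the blast radius, and if the bot token is genuinely required the reason belongs next to it, e.g. `# ROCKSBOT_TOKEN is needed by <which test / which API call> — not covered by github.token`. Whether `bats-test` is chained behind `access-check` is not visible in this hunk; the hunk that introduced the job did not gate it, and that matters more now that a privileged credential is in the step environment. The `Run bats` step's enclosing job starts outside the hunk.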
@@ -35,31 +35,31 @@ "1.1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "522" + "target": "525" }, "beta": { - "target": "522" + "target": "525" }, "edge": { - "target": "522" + "target": "525" } }, "1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "522" + "target": "525" }, "beta": { - "target": "522" + "target": "525" }, "edge": { - "target": "522" + "target": "525" } }, "1.2-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "beta": { - "target": "523" + "target": "526" }, "edge": { "target": "1.2-22.04_beta"
From af929aca468ef4526cc23a942493cd1e0e8a2c00 Mon Sep 17 00:00:00 2001
From: Zhijie Yang
Date: Thu, 12 Sep 2024 11:59:59 +0200
Subject: [PATCH 30/34] feat: use cancel to explicit cancel the run when actor is not permitted
---
 .github/actions/validate-actor/action.yaml | 10 ++++++++++
 .github/workflows/Documentation.yaml | 2 +-
 .github/workflows/Image.yaml | 2 +-
 .github/workflows/Vulnerability-Scan.yaml | 8 ++++----
 4 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/.github/actions/validate-actor/action.yaml b/.github/actions/validate-actor/action.yaml
index 7aed9807..dda8ea34 100644
--- a/.github/actions/validate-actor/action.yaml
+++ b/.github/actions/validate-actor/action.yaml
@@ -22,7 +22,17 @@ runs:
 using: "composite"
 steps:
 - name: Check if the workflow is triggered by an admin user
+ id: check-if-permitted
 shell: bash
 env:
 GITHUB_TOKEN: ${{ inputs.github-token }}
 run: ./.github/actions/validate-actor/validate-actor.sh ${{ github.actor }} ${{ inputs.admin-only }} ${{ github.workspace }} ${{ inputs.image-path }}
+
+ - name: Cancel the remaining workflow if the actor is not permitted
+ if: ${{ !cancelled() && steps.check-if-permitted.outcome == 'failure' }}
+ shell: bash
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ run: |
+ echo "The workflow is not triggered by a permitted user. Cancelling the workflow."
+ gh run cancel ${{ github.run_id }}
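Review bot: `gh run cancel` with `${{ github.token }}` needs `actions: write` on the calling job's token; a composite action runs under the caller's `permissions:`, so a job that restricts them leaves this step failing and the run continuing as an ordinary failure — worth a comment on the step, e.g. `# needs actions: write on the caller's GITHUB_TOKEN; with read-only permissions this step fails and the run just fails normally`. Cancelling also changes the run's final state from failure to cancelled, and the companion hunks in Documentation.yaml, Image.yaml and Vulnerability-Scan.yaml switch their notify jobs from `always()` to `!cancelled()`, so a denied actor now produces no notification at all; from a detection standpoint keep a trace of the denial before cancelling, e.g. `echo "::warning::Cancelling run: ${{ github.actor }} is not permitted to trigger this workflow for ${{ inputs.image-path }}"` ahead of the `gh run cancel`. Cancellation is asynchronous, so any job in the caller that is not chained behind this action via `needs` may already be running when it lands; the `needs` gate remains the real control and the cancel is best-effort.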
diff --git a/.github/workflows/Documentation.yaml b/.github/workflows/Documentation.yaml
index c5417899..a1aa61ec 100644
--- a/.github/workflows/Documentation.yaml
+++ b/.github/workflows/Documentation.yaml
@@ -159,7 +159,7 @@ jobs:
 runs-on: ubuntu-22.04
 name: Notify on failure
 needs: [validate-documentation-request, do-documentation]
- if: ${{ always() && contains(needs.*.result, 'failure') && github.event_name != 'workflow_dispatch' }}
+ if: ${{ !cancelled() && contains(needs.*.result, 'failure') && github.event_name != 'workflow_dispatch' }}
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/Image.yaml b/.github/workflows/Image.yaml
index f25b1c35..d0853551 100644
--- a/.github/workflows/Image.yaml
+++ b/.github/workflows/Image.yaml
@@ -576,7 +576,7 @@ jobs:
 runs-on: ubuntu-22.04
 name: Notify
 needs: [prepare-build, run-build, upload, prepare-releases, generate-provenance]
- if: ${{ always() && contains(needs.*.result, 'failure') && github.event_name != 'pull_request' }}
+ if: ${{ !cancelled() && contains(needs.*.result, 'failure') && github.event_name != 'pull_request' }}
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/Vulnerability-Scan.yaml b/.github/workflows/Vulnerability-Scan.yaml
index 8f85e2a7..1a055759 100644
--- a/.github/workflows/Vulnerability-Scan.yaml
+++ b/.github/workflows/Vulnerability-Scan.yaml
@@ -112,7 +112,7 @@ jobs:
 image-ref: '${{ steps.to-docker-daemon.outputs.name }}'
 - name: Process report
- if: ${{ always() }}
+ if: ${{ !cancelled() }}
 id: check-report
 run: |
 report="${{ steps.vulnerability-report.outputs.name }}"
@@ -142,13 +142,13 @@ jobs:
 done
 - uses: actions/cache/save@v4
- if: ${{ always() }}
+ if: ${{ !cancelled() }}
 with:
 path: ${{ steps.vulnerability-report.outputs.name }}
 key: ${{ github.run_id }}-${{ steps.vulnerability-report.outputs.name }}
 - uses: actions/upload-artifact@v4
- if: ${{ always() }}
+ if: ${{ !cancelled() }}
 with:
 name: ${{ steps.vulnerability-report.outputs.name }}
 path: ${{ steps.vulnerability-report.outputs.name }}
@@ -161,7 +161,7 @@ jobs:
 name: Notify on failure
 needs:
 - test-vulnerabilities
- if: ${{ always() && needs.test-vulnerabilities.outputs.notify == 'true' }}
+ if: ${{ !cancelled() && needs.test-vulnerabilities.outputs.notify == 'true' }}
 steps:
 - uses: actions/checkout@v4
From f9992610c59823db41ab5651c5bf9ceff114cf04 Mon Sep 17 00:00:00 2001
From: Zhijie Yang
Date: Thu, 12 Sep 2024 12:06:00 +0200
Subject: [PATCH 31/34] TEST: SHOULD CANCEL: remove zhijie-yang from CODEOWNERS
---
 CODEOWNERS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CODEOWNERS b/CODEOWNERS
index 0afe0e53..c61d74ad 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1 +1 @@
-* @canonical/rocks
+* @cjdc
From defb7515cc4f45fbc833894e9cdcd9f63e81bda3 Mon Sep 17 00:00:00 2001
From: zhijie-yang
Date: Thu, 12 Sep 2024 10:10:53 +0000
Subject: [PATCH 32/34] ci: automatically update oci/mock-rock/_releases.json, from https://github.com/canonical/oci-factory/actions/runs/10828557574
---
 oci/mock-rock/_releases.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/oci/mock-rock/_releases.json b/oci/mock-rock/_releases.json
index acbe3d7f..f1987709 100644
--- a/oci/mock-rock/_releases.json
+++ b/oci/mock-rock/_releases.json
@@ -13,13 +13,13 @@ }, "1.0-22.04": { "candidate": { - "target": "524" + "target": "527" }, "beta": { - "target": "524" + "target": "527" }, "edge": { - "target": "524" + "target": "527" }, "end-of-life": "2025-05-01T00:00:00Z" },
@@ -35,31 +35,31 @@ "1.1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "525" + "target": "528" }, "beta": { - "target": "525" + "target": "528" }, "edge": { - "target": "525" + "target": "528" } }, "1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "525" + "target": "528" }, "beta": { - "target": "525" + "target": "528" }, "edge": { - "target": "525" + "target": "528" } }, "1.2-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "beta": { - "target": "526" + "target": "529" }, "edge": { "target": "1.2-22.04_beta"
From 953262abaebf1e81d2c27c8ef0a73d4178da549d Mon Sep 17 00:00:00 2001
From: Zhijie Yang
Date: Thu, 12 Sep 2024 12:09:43 +0200
Subject: [PATCH 33/34] Revert test: SHOULD PASS
This reverts commit f9992610c59823db41ab5651c5bf9ceff114cf04.
---
 CODEOWNERS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CODEOWNERS b/CODEOWNERS
index c61d74ad..0afe0e53 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1 +1 @@
-* @cjdc
+* @canonical/rocks
From 7f05d9b37daa4a238f67d635cf565abc54b748d1 Mon Sep 17 00:00:00 2001
From: zhijie-yang
Date: Thu, 12 Sep 2024 10:30:55 +0000
Subject: [PATCH 34/34] ci: automatically update oci/mock-rock/_releases.json, from https://github.com/canonical/oci-factory/actions/runs/10828858187
---
 oci/mock-rock/_releases.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/oci/mock-rock/_releases.json b/oci/mock-rock/_releases.json
index f1987709..252e5782 100644
--- a/oci/mock-rock/_releases.json
+++ b/oci/mock-rock/_releases.json
@@ -13,13 +13,13 @@ }, "1.0-22.04": { "candidate": { - "target": "527" + "target": "530" }, "beta": { - "target": "527" + "target": "530" }, "edge": { - "target": "527" + "target": "530" }, "end-of-life": "2025-05-01T00:00:00Z" },
@@ -35,31 +35,31 @@ "1.1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "528" + "target": "531" }, "beta": { - "target": "528" + "target": "531" }, "edge": { - "target": "528" + "target": "531" } }, "1-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "candidate": { - "target": "528" + "target": "531" }, "beta": { - "target": "528" + "target": "531" }, "edge": { - "target": "528" + "target": "531" } }, "1.2-22.04": { "end-of-life": "2025-05-01T00:00:00Z", "beta": { - "target": "529" + "target": "532" }, "edge": { "target": "1.2-22.04_beta"