

Revert "check author association"
This reverts commit f8c8372.
sqin2019 committed Aug 24, 2023
1 parent f8c8372 commit d8e9590
Showing 1 changed file with 31 additions and 243 deletions.
274 changes: 31 additions & 243 deletions .github/workflows/handle.yml
Expand Up @@ -13,9 +13,7 @@
# limitations under the License.

name: 'aod-handle'
# Current workflow requires the triggering event must be pull_request_review as
# it relies on this event to get the approval submit time as IAM permission
# expiration start time.
# Support merge event
on:
workflow_call:
inputs:
Expand All @@ -35,275 +33,65 @@ on:
go_version:
description: 'The version of Golang.'
type: 'string'
default: '1.21'
default: '1.20'
required: false

env:
DEFAULT_DURATION: '2h'
IAM_ERROR_FILENAME: '/tmp/iam_error.txt'
IAM_OUT_FILENAME: '/tmp/iam_output.txt'
TOOL_ERROR_FILENAME: '/tmp/tool_error.txt'
TOOL_OUT_FILENAME: '/tmp/tool_output.txt'

jobs:
review_status:
runs-on: 'ubuntu-latest'
permissions:
pull-requests: 'read'
outputs:
REVIEW_DECISION: '${{ steps.get_review_decision.outputs.REVIEW_DECISION }}'
steps:
- id: 'get_review_decision'
env:
# Set the GH_TOKEN environment variable to use GitHub CLI in a GitHub Actions workflow.
# See ref: https://docs.github.com/en/actions/using-workflows/using-github-cli-in-workflows
GH_TOKEN: '${{ github.token }}'
run: |
repo=${{ github.repository }}
reviewDecision="$(gh api graphql -F owner=${{ github.repository_owner }} -F name=${repo##*/} -F pr_number=${{ github.event.pull_request.number }} -f query='
query($name: String!, $owner: String!, $pr_number: Int!) {
repository(owner: $owner, name: $name) {
pullRequest(number: $pr_number) {
reviewDecision
}
}
}
' --jq '.data.repository.pullRequest.reviewDecision')"
echo REVIEW_DECISION=$reviewDecision >> $GITHUB_OUTPUT
testJob:
runs-on: 'ubuntu-latest'
steps:
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: |
echo "$GITHUB_CONTEXT"
handle:
if: '${{ github.event.review.state == ''approved'' && github.event.review.author_association == ''OWNER''}}'
# if: '${{ github.event.review.state == ''approved'' }}'
# Handle on merge
runs-on: 'ubuntu-latest'
permissions:
contents: 'read'
id-token: 'write'
pull-requests: 'write'
name: 'Handle Request'
steps:
- name: 'Checkout Triggering Branch'
uses: 'actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab' # ratchet:actions/checkout@v3
- uses: 'actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab' # ratchet:actions/checkout@v3
with:
ref: '${{ github.event.pull_request.head.ref }}'
# Steps will be skipped starting from here when iam.yaml file does not
# exist in the case of a pull_request_review event.
fetch-depth: 0
- name: 'Get added yaml files'
id: 'added-yaml-files'
uses: 'tj-actions/changed-files@fb20f4d24890fadc539505b1746d260504b213d0' # ratchet:tj-actions/changed-files@v36
with:
files: 'requests/*.{yml,yaml}'
- name: 'Setup Go'
if: '${{ hashFiles(''iam.yaml'', ''tool.yaml'') != '''' }}'
if: '${{ steps.added-yaml-files.outputs.added_files != '''' }}'
uses: 'actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568' # ratchet:actions/setup-go@v3
with:
go-version: '${{ inputs.go_version }}'
- name: 'Authenticate to Google Cloud'
if: '${{ hashFiles(''iam.yaml'', ''tool.yaml'') != '''' }}'
if: '${{ steps.added-yaml-files.outputs.added_files != '''' }}'
uses: 'google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033' # ratchet:google-github-actions/auth@v1
with:
workload_identity_provider: '${{ inputs.workload_identity_provider }}'
service_account: '${{ inputs.service_account }}'
token_format: 'access_token'
# Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`.
- name: 'Set up Cloud SDK'
if: '${{ hashFiles(''tool.yaml'') != '''' }}'
uses: 'google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b' # ratchet:google-github-actions/setup-gcloud@v1
- name: 'Install AOD CLI'
if: '${{ hashFiles(''iam.yaml'', ''tool.yaml'') != '''' }}'
run: 'go install github.com/abcxyz/access-on-demand/cmd/aod@${{ inputs.aod_cli_version }}'
# Duration labels need to be prefixed with "duration-", an example is "duration-2h".
- name: 'Get Duration From Label'
if: '${{ hashFiles(''iam.yaml'') != '''' }}'
run: |
names='${{ toJson(github.event.pull_request.labels.*.name) }}'
for name in $(echo "$names" | jq -r '.[]'); do
if [[ $name == duration-* ]]; then
IFS='-' read -r part1 part2 <<< "$name"
echo "LABELED_DURATION=$part2" >> $GITHUB_ENV
break
fi
done
# Request will not be handled when iam.yaml file is not found.
if: '${{ steps.added-yaml-files.outputs.added_files != '''' }}'
run: 'go install github.com/sqin2019/access-on-demand-fork/cmd/aod@${{ inputs.aod_cli_version }}'
# Request will not be handled when iam.yaml file does not exist in the
# case of a pull_request_review event, instead it prints out a notice.
- name: 'Handle IAM Request'
if: '${{ hashFiles(''iam.yaml'') != '''' }}'
id: 'handle_iam'
if: '${{ steps.added-yaml-files.outputs.added_files != '''' }}'
env:
DURATION: '${{ env.LABELED_DURATION || env.DEFAULT_DURATION }}'
IAM_FILE_PATH: '${{ github.workspace }}/iam.yaml'
START_TIME: '${{ github.event.review.submitted_at }}'
# DURATION: '${{ env.DEFAULT_DURATION }}'
# Assume there is only one file
IAM_FILE_PATH: '${{ steps.added-yaml-files.outputs.added_files }}'
START_TIME: '${{ github.event.head_commit.timestamp }}'
run: |
touch ${{ env.IAM_ERROR_FILENAME }} ${{ env.IAM_OUT_FILENAME }}
aod iam handle \
-path ${{ env.IAM_FILE_PATH }} \
-duration ${{ env.DURATION }} \
-start-time ${{ env.START_TIME }} \
2> ${{ env.IAM_ERROR_FILENAME }} \
> ${{ env.IAM_OUT_FILENAME }}
DURATION=$(awk -F_ '{print $2}' <<< $IAM_FILE_PATH)
aod iam handle -path $IAM_FILE_PATH -duration $DURATION -start-time $START_TIME
# Request will not be handled when tool.yaml file does not exist in the
# case of a pull_request_review event, instead it prints out a notice.
- name: 'Handle Tool Request'
if: '${{ hashFiles(''tool.yaml'') != '''' }}'
id: 'handle_tool'
- name: 'Handle CLI Request'
env:
TOOL_FILE_PATH: '${{ github.workspace }}/tool.yaml'
CLI_FILE_PATH: '${{ github.workspace }}/tool.yaml'
run: |
touch ${{ env.TOOL_ERROR_FILENAME }} ${{ env.TOOL_OUT_FILENAME }}
aod tool do -path ${{ env.TOOL_FILE_PATH }} \
2> ${{ env.TOOL_ERROR_FILENAME }} \
> ${{ env.TOOL_OUT_FILENAME }}
- name: 'IAM Request Comment'
if: '${{ always() && hashFiles(''iam.yaml'') != '''' }}'
uses: 'actions/github-script@98814c53be79b1d30f795b907e553d8679345975' # ratchet:actions/github-script@v6
with:
github-token: '${{ github.token }}'
retries: '3'
script: |+
var body, req;
const fs = require("fs");
const outcome = '${{ steps.handle_iam.outcome }}';
switch (outcome) {
case 'success':
req = fs.readFileSync(
`${{ env.IAM_OUT_FILENAME }}`,
{ encoding: "utf8" }
);
body = `**\`Access on Demand\`** - 🟩 **\`IAM\`** request succeeded.
<details>
<summary>Details</summary>
Added below IAM permissions, and they will be expired in ${{ env.LABELED_DURATION || env.DEFAULT_DURATION }}.
\`\`\`
${req}
\`\`\`
</details>`;
break;
case 'failure':
req = fs.readFileSync(
`${{ env.IAM_OUT_FILENAME }}`,
{ encoding: "utf8" }
);
const error = fs.readFileSync(
`${{ env.IAM_ERROR_FILENAME }}`,
{ encoding: "utf8" }
);
body = `**\`Access on Demand\`** - 🟥 **\`IAM\`** request failed.
<details>
<summary>Details</summary>
Failed to added below IAM permissions.
\`\`\`
${req}
\`\`\`
Error:
\`\`\`
${error}
\`\`\`
</details>`;
break;
// step cancelled.
default:
// Do nothing.
break;
}
if (typeof body !== "undefined") {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: ${{ github.event.pull_request.number }},
body: body,
});
}
- name: 'Tool Request Comment'
if: '${{ always() && hashFiles(''tool.yaml'') != '''' }}'
uses: 'actions/github-script@98814c53be79b1d30f795b907e553d8679345975' # ratchet:actions/github-script@v6
with:
github-token: '${{ github.token }}'
retries: '3'
script: |+
var body, req;
const fs = require("fs");
const outcome = '${{ steps.handle_tool.outcome }}';
switch (outcome) {
case 'success':
req = fs.readFileSync(
`${{ env.TOOL_OUT_FILENAME }}`,
{ encoding: "utf8" }
);
body = `**\`Access on Demand\`** - 🟩 **\`Tool\`** request succeeded.
<details>
<summary>Details</summary>
Executed "do" commands in the request below.
\`\`\`
${req}
\`\`\`
</details>`;
break;
case 'failure':
req = fs.readFileSync(
`${{ env.TOOL_OUT_FILENAME }}`,
{ encoding: "utf8" }
);
const error = fs.readFileSync(
`${{ env.TOOL_ERROR_FILENAME }}`,
{ encoding: "utf8" }
);
body = `**\`Access on Demand\`** - 🟥 **\`Tool\`** request failed.
<details>
<summary>Details</summary>
Failed to execute "do" commands in the request below.
\`\`\`
${req}
\`\`\`
Error:
\`\`\`
${error}
\`\`\`
</details>`;
break;
// step cancelled.
default:
// Do nothing.
break;
}
if (typeof body !== "undefined") {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: ${{ github.event.pull_request.number }},
body: body,
});
}
- name: 'Request Not Found Comment'
if: '${{ always() && hashFiles(''iam.yaml'', ''tool.yaml'') == '''' }}'
uses: 'actions/github-script@98814c53be79b1d30f795b907e553d8679345975' # ratchet:actions/github-script@v6
with:
github-token: '${{ github.token }}'
retries: '3'
script: |+
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: ${{ github.event.pull_request.number }},
body: `**\`Access on Demand\`** - 🟦 request not found.
- To require IAM permission on demand, add an **\`iam.yaml\`** file at repo root.
- To run tool commands on demand, add an **\`tool.yaml\`** file at repo root.`,
});
if [ -f "tool.yaml" ]; then
aod tool do -path $CLI_FILE_PATH
else
echo "::notice title=CLI Request Handle::Skip because tool.yaml is not found"
fi
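Review bot: In the `Handle IAM Request` step the restored `run:` block expands `$IAM_FILE_PATH`, `$DURATION` and `$START_TIME` unquoted and takes the duration from the file name with `awk -F_ '{print $2}'` without checking the result, so a request file with no underscore passes an empty `-duration`, and if `steps.added-yaml-files.outputs.added_files` ever carries more than one path (the neighbouring comment only assumes one) the value word-splits into extra arguments to `aod`; the +/- markers are lost in this rendering, so I am assuming the `steps.added-yaml-files` lines are the side this commit keeps. I would write `DURATION="$(awk -F_ '{print $2}' <<< "$IAM_FILE_PATH")"`, `[[ -n "$DURATION" ]] || { echo "::error::no duration found in ${IAM_FILE_PATH}"; exit 1; }` and `aod iam handle -path "$IAM_FILE_PATH" -duration "$DURATION" -start-time "$START_TIME"`, and gate the step on exactly one added file rather than on a non-empty list. The `on:` comment now says "Support merge event" but `START_TIME` reads `github.event.head_commit.timestamp`, which only exists on some event payloads, so the workflow should state which event it expects, e.g. `# Expects a push event: START_TIME is taken from github.event.head_commit.timestamp`. The `testJob` that echoes the full `toJson(github)` context looks like a debugging leftover worth dropping before this lands.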

