test cleanup
sqin2019 committed Aug 28, 2023
1 parent 6536464 commit e20f3be
Showing 1 changed file with 139 additions and 41 deletions.
180 changes: 139 additions & 41 deletions .github/workflows/cleanup.yml
Expand Up @@ -12,16 +12,20 @@
# See the License for the specific language governing permissions and
# limitations under the License.

# Reusable workflow that handles CLI request cleanup.
# Reusable workflow that handles AOD request cleanup.
name: 'aod-cleanup'

# Support below trigger:
# pull_request:
# types: 'closed'
# paths: 'tool.yaml'
on:
workflow_call:
inputs:
workload_identity_provider:
description: 'The full identifier of the Workload Identity Provider, including the project number, pool name, and provider name.'
type: 'string'
required: true
service_account:
description: 'Email address or unique identifier of the Google Cloud service account for which to generate credentials.'
type: 'string'
required: true
aod_cli_version:
description: 'The version of AOD CLI.'
type: 'string'
Expand All @@ -30,49 +34,53 @@ on:
go_version:
description: 'The version of Golang.'
type: 'string'
default: '1.20'
default: '1.21'
required: false

env:
IAM_ERROR_FILENAME: '/tmp/iam_error.txt'
IAM_OUT_FILENAME: '/tmp/iam_output.txt'
TOOL_ERROR_FILENAME: '/tmp/tool_error.txt'
TOOL_OUT_FILENAME: '/tmp/tool_output.txt'

jobs:
# Check the current status of this pull request with respect to code review.
review_status:
runs-on: 'ubuntu-latest'
permissions:
pull-requests: 'read'
outputs:
REVIEW_DECISION: '${{ steps.get_review_decision.outputs.REVIEW_DECISION }}'
steps:
- id: 'get_review_decision'
env:
# Set the GH_TOKEN environment variable to use GitHub CLI in a GitHub Actions workflow.
# See ref: https://docs.github.com/en/actions/using-workflows/using-github-cli-in-workflows
GH_TOKEN: '${{ github.token }}'
run: |
repo=${{ github.repository }}
reviewDecision="$(gh api graphql -F owner=${{ github.repository_owner }} -F name=${repo##*/} -F pr_number=${{ github.event.pull_request.number }} -f query='
query($name: String!, $owner: String!, $pr_number: Int!) {
repository(owner: $owner, name: $name) {
pullRequest(number: $pr_number) {
reviewDecision
}
}
}
' --jq '.data.repository.pullRequest.reviewDecision')"
# review_status:
# runs-on: 'ubuntu-latest'
# permissions:
# pull-requests: 'read'
# outputs:
# REVIEW_DECISION: '${{ steps.get_review_decision.outputs.REVIEW_DECISION }}'
# steps:
# - id: 'get_review_decision'
# env:
# # Set the GH_TOKEN environment variable to use GitHub CLI in a GitHub Actions workflow.
# # See ref: https://docs.github.com/en/actions/using-workflows/using-github-cli-in-workflows
# GH_TOKEN: '${{ github.token }}'
# run: |
# repo=${{ github.repository }}
# reviewDecision="$(gh api graphql -F owner=${{ github.repository_owner }} -F name=${repo##*/} -F pr_number=${{ github.event.pull_request.number }} -f query='
# query($name: String!, $owner: String!, $pr_number: Int!) {
# repository(owner: $owner, name: $name) {
# pullRequest(number: $pr_number) {
# reviewDecision
# }
# }
# }
# ' --jq '.data.repository.pullRequest.reviewDecision')"

echo REVIEW_DECISION=$reviewDecision >> $GITHUB_OUTPUT
# echo REVIEW_DECISION=$reviewDecision >> $GITHUB_OUTPUT

# Only run Tool request cleanup when the pull request is approved.
cleanup:
needs: 'review_status'
if: '${{ needs.review_status.outputs.REVIEW_DECISION == ''APPROVED'' }}'
# needs: 'review_status'
# if: '${{ needs.review_status.outputs.REVIEW_DECISION == ''APPROVED'' }}'
runs-on: 'ubuntu-latest'
permissions:
contents: 'read'
id-token: 'write'
pull-requests: 'write'
name: 'Handle Tool Request Cleanup'
name: 'Handle AOD Request Cleanup'
steps:
- name: 'Checkout Triggering Branch'
uses: 'actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab' # ratchet:actions/checkout@v3
Expand All @@ -82,15 +90,38 @@ jobs:
uses: 'actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568' # ratchet:actions/setup-go@v3
with:
go-version: '${{ inputs.go_version }}'
- name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033' # ratchet:google-github-actions/auth@v1
with:
workload_identity_provider: '${{ inputs.workload_identity_provider }}'
service_account: '${{ inputs.service_account }}'
token_format: 'access_token'
# Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`.
- name: 'Set up Cloud SDK for tool request'
if: '${{ hashFiles(''tool.yaml'') != '''' }}'
uses: 'google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b' # ratchet:google-github-actions/setup-gcloud@v1
- name: 'Install AOD CLI'
run: 'go install github.com/abcxyz/access-on-demand/cmd/aod@${{ inputs.aod_cli_version }}'
- name: 'Handle cleanup'
- name: 'Handle tool cleanup'
if: '${{ hashFiles(''tool.yaml'') != '''' }}'
id: 'cleanup_tool'
env:
FILE_PATH: '${{ github.workspace }}/tool.yaml'
TOOL_FILE_PATH: '${{ github.workspace }}/tool.yaml'
run: |
touch ${{ env.TOOL_ERROR_FILENAME }} ${{ env.TOOL_OUT_FILENAME }}
aod tool cleanup -path ${{ env.TOOL_FILE_PATH }} \
2> ${{ env.TOOL_ERROR_FILENAME }} \
> ${{ env.TOOL_OUT_FILENAME }}
- name: 'Handle IAM cleanup'
if: '${{ hashFiles(''iam.yaml'') != '''' }}'
id: 'cleanup_iam'
env:
IAM_FILE_PATH: '${{ github.workspace }}/iam.yaml'
run: |
touch ${{ env.TOOL_ERROR_FILENAME }}
aod tool cleanup -path ${{ env.FILE_PATH }} 2> ${{ env.TOOL_ERROR_FILENAME }}
touch ${{ env.IAM_ERROR_FILENAME }} ${{ env.IAM_OUT_FILENAME }}
aod iam cleanup -path ${{ env.IAM_FILE_PATH }} \
2> ${{ env.IAM_ERROR_FILENAME }} \
> ${{ env.IAM_OUT_FILENAME }}
- name: 'Tool Request Cleanup Comment'
if: '${{ always() }}'
uses: 'actions/github-script@98814c53be79b1d30f795b907e553d8679345975' # ratchet:actions/github-script@v6
Expand All @@ -104,15 +135,15 @@ jobs:
switch (outcome) {
case 'success':
req = fs.readFileSync(
`tool.yaml`,
`${{ env.TOOL_OUT_FILENAME }}`,
{ encoding: "utf8" }
);
body = `**\`Access on Demand\`** - 🟩 **\`Tool\`** request succeeded.
<details>
<summary>Details</summary>
Executed "cleanup" commands in the request below.
Executed "cleanup" commands in the request below, or skipped if "cleanup" commands not found.
\`\`\`
${req}
Expand All @@ -121,7 +152,7 @@ jobs:
break;
case 'failure':
req = fs.readFileSync(
`tool.yaml`,
`${{ env.TOOL_OUT_FILENAME }}`,
{ encoding: "utf8" }
);
const error = fs.readFileSync(
Expand All @@ -146,7 +177,74 @@ jobs:
break;
// step cancelled/skipped, should not happen if the triggering event is correct.
default:
// Do nothing.
body = `**\`Access on Demand\`** - 🟦 **\`Tool\`** request not found, skip cleanup.`
break;
}
if (typeof body !== "undefined") {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: ${{ github.event.pull_request.number }},
body: body,
});
}
- name: 'IAM Request Cleanup Comment'
if: '${{ always() }}'
uses: 'actions/github-script@98814c53be79b1d30f795b907e553d8679345975' # ratchet:actions/github-script@v6
with:
github-token: '${{ github.token }}'
retries: '3'
script: |+
var body, req;
const fs = require("fs");
const outcome = '${{ steps.cleanup_iam.outcome }}';
switch (outcome) {
case 'success':
req = fs.readFileSync(
`${{ env.IAM_OUT_FILENAME }}`,
{ encoding: "utf8" }
);
body = `**\`Access on Demand\`** - 🟩 **\`IAM\`** request cleanup succeeded.
<details>
<summary>Details</summary>
Removed bindings in the request below.
\`\`\`
${req}
\`\`\`
</details>`;
break;
case 'failure':
req = fs.readFileSync(
`${{ env.IAM_OUT_FILENAME }}`,
{ encoding: "utf8" }
);
const error = fs.readFileSync(
`${{ env.IAM_ERROR_FILENAME }}`,
{ encoding: "utf8" }
);
body = `**\`Access on Demand\`** - 🟥 **\`IAM\`** request cleanup failed.
<details>
<summary>Details</summary>
Failed to cleanup IAM polices of the resources in the request below.
\`\`\`
${req}
\`\`\`
Error:
\`\`\`
${error}
\`\`\`
</details>`;
break;
// step cancelled/skipped.
default:
body = `**\`Access on Demand\`** - 🟦 **\`IAM\`** request not found, skip cleanup.`
break;
}
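Review bot: Commenting out `review_status` together with the `needs:`/`if:` lines on `cleanup` removes the approval gate in the first hunk, so the job now obtains a Google Cloud token via `id-token: 'write'` and runs `aod tool cleanup` / `aod iam cleanup` on any closed pull request, while the comment `# Only run Tool request cleanup when the pull request is approved.` left above `cleanup:` still describes the old behaviour. If this is a temporary test, as the commit title suggests, it should not land where real callers consume the reusable workflow; if the gate is meant to go, delete the commented-out block and rewrite that comment to say the job runs for every closed pull request. Separately, `Handle IAM cleanup` is conditioned only on `hashFiles('iam.yaml')`, so a failure in `Handle tool cleanup` skips it and the IAM comment step then posts "request not found, skip cleanup" even though iam.yaml exists; `if: '${{ always() && hashFiles(''iam.yaml'') != '''' }}'` keeps the two cleanups independent. The IAM failure message also misspells "polices"; it should read `Failed to cleanup IAM policies of the resources in the request below.`.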
