From e20f3beb8e0a0200278a801add9175d18fb8da04 Mon Sep 17 00:00:00 2001 From: Suhong Qin Date: Mon, 28 Aug 2023 11:56:41 -0700 Subject: [PATCH] test cleanup --- .github/workflows/cleanup.yml | 180 ++++++++++++++++++++++++++-------- 1 file changed, 139 insertions(+), 41 deletions(-) diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml index a95bd95..477b969 100644 --- a/.github/workflows/cleanup.yml +++ b/.github/workflows/cleanup.yml @@ -12,16 +12,20 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Reusable workflow that handles CLI request cleanup. +# Reusable workflow that handles AOD request cleanup. name: 'aod-cleanup' -# Support below trigger: -# pull_request: -# types: 'closed' -# paths: 'tool.yaml' on: workflow_call: inputs: + workload_identity_provider: + description: 'The full identifier of the Workload Identity Provider, including the project number, pool name, and provider name.' + type: 'string' + required: true + service_account: + description: 'Email address or unique identifier of the Google Cloud service account for which to generate credentials.' + type: 'string' + required: true aod_cli_version: description: 'The version of AOD CLI.' type: 'string' 
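Review bot: The removed header comment (`# Support below trigger: pull_request: types: 'closed' paths: 'tool.yaml'`) was the only place documenting what the calling workflow is expected to trigger on, and since the workflow now also acts on `iam.yaml` the comment should be updated rather than dropped, e.g. `# Expected caller trigger: pull_request with types: 'closed' and paths: ['tool.yaml', 'iam.yaml']`. The two new required inputs are described, but a sentence in the `service_account` description stating that this account is the identity under which the cleanup commands run would help callers scope its permissions. The `inputs:` mapping continues past the end of this hunk.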
@@ -30,49 +34,53 @@ on: go_version: description: 'The version of Golang.' type: 'string' - default: '1.20' + default: '1.21' required: false + env: + IAM_ERROR_FILENAME: '/tmp/iam_error.txt' + IAM_OUT_FILENAME: '/tmp/iam_output.txt' TOOL_ERROR_FILENAME: '/tmp/tool_error.txt' + TOOL_OUT_FILENAME: '/tmp/tool_output.txt' jobs: # Check the current status of this pull request with respect to code review. - review_status: - runs-on: 'ubuntu-latest' - permissions: - pull-requests: 'read' - outputs: - REVIEW_DECISION: '${{ steps.get_review_decision.outputs.REVIEW_DECISION }}' - steps: - - id: 'get_review_decision' - env: - # Set the GH_TOKEN environment variable to use GitHub CLI in a GitHub Actions workflow. - # See ref: https://docs.github.com/en/actions/using-workflows/using-github-cli-in-workflows - GH_TOKEN: '${{ github.token }}' - run: | - repo=${{ github.repository }} - reviewDecision="$(gh api graphql -F owner=${{ github.repository_owner }} -F name=${repo##*/} -F pr_number=${{ github.event.pull_request.number }} -f query=' - query($name: String!, $owner: String!, $pr_number: Int!) { - repository(owner: $owner, name: $name) { - pullRequest(number: $pr_number) { - reviewDecision - } - } - } - ' --jq '.data.repository.pullRequest.reviewDecision')" + # review_status: + # runs-on: 'ubuntu-latest' + # permissions: + # pull-requests: 'read' + # outputs: + # REVIEW_DECISION: '${{ steps.get_review_decision.outputs.REVIEW_DECISION }}' + # steps: + # - id: 'get_review_decision' + # env: + # # Set the GH_TOKEN environment variable to use GitHub CLI in a GitHub Actions workflow. + # # See ref: https://docs.github.com/en/actions/using-workflows/using-github-cli-in-workflows + # GH_TOKEN: '${{ github.token }}' + # run: | + # repo=${{ github.repository }} + # reviewDecision="$(gh api graphql -F owner=${{ github.repository_owner }} -F name=${repo##*/} -F pr_number=${{ github.event.pull_request.number }} -f query=' + # query($name: String!, $owner: String!, $pr_number: Int!) 
{ + # repository(owner: $owner, name: $name) { + # pullRequest(number: $pr_number) { + # reviewDecision + # } + # } + # } + # ' --jq '.data.repository.pullRequest.reviewDecision')" - echo REVIEW_DECISION=$reviewDecision >> $GITHUB_OUTPUT + # echo REVIEW_DECISION=$reviewDecision >> $GITHUB_OUTPUT # Only run Tool request cleanup when the pull request is approved. cleanup: - needs: 'review_status' - if: '${{ needs.review_status.outputs.REVIEW_DECISION == ''APPROVED'' }}' + # needs: 'review_status' + # if: '${{ needs.review_status.outputs.REVIEW_DECISION == ''APPROVED'' }}' runs-on: 'ubuntu-latest' permissions: contents: 'read' id-token: 'write' pull-requests: 'write' - name: 'Handle Tool Request Cleanup' + name: 'Handle AOD Request Cleanup' steps: - name: 'Checkout Triggering Branch' uses: 'actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab' # ratchet:actions/checkout@v3 
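Review bot: Commenting out the `review_status` job together with the `needs: 'review_status'` / `if: '${{ needs.review_status.outputs.REVIEW_DECISION == ''APPROVED'' }}'` lines on `cleanup` removes the approval gate, so the job that holds `id-token: 'write'` and authenticates to Google Cloud now runs for any closed pull request that calls this workflow, regardless of review decision. If this is only for testing, as the subject "test cleanup" suggests, it should not be merged in this form; if the gate is really being dropped, delete the job instead of leaving roughly thirty lines of commented-out YAML. The `cleanup` job's steps continue in the next hunk.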
@@ -82,15 +90,38 @@ jobs: uses: 'actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568' # ratchet:actions/setup-go@v3 with: go-version: '${{ inputs.go_version }}' + - name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033' # ratchet:google-github-actions/auth@v1 + with: + workload_identity_provider: '${{ inputs.workload_identity_provider }}' + service_account: '${{ inputs.service_account }}' + token_format: 'access_token' + # Install gcloud, `setup-gcloud` automatically picks up authentication from `auth`. + - name: 'Set up Cloud SDK for tool request' + if: '${{ hashFiles(''tool.yaml'') != '''' }}' + uses: 'google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b' # ratchet:google-github-actions/setup-gcloud@v1 - name: 'Install AOD CLI' run: 'go install github.com/abcxyz/access-on-demand/cmd/aod@${{ inputs.aod_cli_version }}' - - name: 'Handle cleanup' + - name: 'Handle tool cleanup' + if: '${{ hashFiles(''tool.yaml'') != '''' }}' id: 'cleanup_tool' env: - FILE_PATH: '${{ github.workspace }}/tool.yaml' + TOOL_FILE_PATH: '${{ github.workspace }}/tool.yaml' + run: | + touch ${{ env.TOOL_ERROR_FILENAME }} ${{ env.TOOL_OUT_FILENAME }} + aod tool cleanup -path ${{ env.TOOL_FILE_PATH }} \ + 2> ${{ env.TOOL_ERROR_FILENAME }} \ + > ${{ env.TOOL_OUT_FILENAME }} + - name: 'Handle IAM cleanup' + if: '${{ hashFiles(''iam.yaml'') != '''' }}' + id: 'cleanup_iam' + env: + IAM_FILE_PATH: '${{ github.workspace }}/iam.yaml' run: | - touch ${{ env.TOOL_ERROR_FILENAME }} - aod tool cleanup -path ${{ env.FILE_PATH }} 2> ${{ env.TOOL_ERROR_FILENAME }} + touch ${{ env.IAM_ERROR_FILENAME }} ${{ env.IAM_OUT_FILENAME }} + aod iam cleanup -path ${{ env.IAM_FILE_PATH }} \ + 2> ${{ env.IAM_ERROR_FILENAME }} \ + > ${{ env.IAM_OUT_FILENAME }} - name: 'Tool Request Cleanup Comment' if: '${{ always() }}' uses: 'actions/github-script@98814c53be79b1d30f795b907e553d8679345975' # ratchet:actions/github-script@v6 
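Review bot: The `Handle IAM cleanup` step's condition `if: '${{ hashFiles(''iam.yaml'') != '''' }}'` carries the implicit `success()` check, so when `Handle tool cleanup` fails the IAM step is skipped (inferred from GitHub Actions status-check semantics) and the IAM comment step later reports the request as not found, which is misleading. Change it to `if: '${{ always() && hashFiles(''iam.yaml'') != '''' }}'` so a tool failure does not suppress the IAM cleanup. Separately, `Authenticate to Google Cloud` requests an access token unconditionally while `Set up Cloud SDK` is gated on tool.yaml only; gating the auth step on either request file, `if: '${{ hashFiles(''tool.yaml'', ''iam.yaml'') != '''' }}'`, avoids minting credentials on pull requests with nothing to clean up. The step list continues past the end of this hunk.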
@@ -104,7 +135,7 @@ jobs: switch (outcome) { case 'success': req = fs.readFileSync( - `tool.yaml`, + `${{ env.TOOL_OUT_FILENAME }}`, { encoding: "utf8" } ); @@ -112,7 +143,7 @@ jobs:
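Review bot: The output file path is spliced into the github-script source through `${{ env.TOOL_OUT_FILENAME }}` inside a template literal; the script runs in the step's Node process where workflow `env` is available as `process.env`, so `fs.readFileSync(process.env.TOOL_OUT_FILENAME, { encoding: "utf8" })` reads the same file without expanding an expression into JavaScript source. The identical change in the `@@ -121,7 +152,7 @@` hunk should be treated the same way. The tool's stdout is then placed inside a fenced block of the comment, so output containing three backticks would break out of the fence; a comment such as `// assumes aod output never contains a ``` fence` would record that assumption. The enclosing `switch` starts and ends outside this hunk.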
Details - Executed "cleanup" commands in the request below. + Executed "cleanup" commands in the request below, or skipped if "cleanup" commands not found. \`\`\` ${req} @@ -121,7 +152,7 @@ jobs: break; case 'failure': req = fs.readFileSync( - `tool.yaml`, + `${{ env.TOOL_OUT_FILENAME }}`, { encoding: "utf8" } ); const error = fs.readFileSync( @@ -146,7 +177,74 @@ jobs: break; // step cancelled/skipped, should not happen if the triggering event is correct. default: - // Do nothing. + body = `**\`Access on Demand\`** - 🟦 **\`Tool\`** request not found, skip cleanup.` + break; + } + + if (typeof body !== "undefined") { + await github.rest.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: ${{ github.event.pull_request.number }}, + body: body, + }); + } + - name: 'IAM Request Cleanup Comment' + if: '${{ always() }}' + uses: 'actions/github-script@98814c53be79b1d30f795b907e553d8679345975' # ratchet:actions/github-script@v6 + with: + github-token: '${{ github.token }}' + retries: '3' + script: |+ + var body, req; + const fs = require("fs"); + const outcome = '${{ steps.cleanup_iam.outcome }}'; + switch (outcome) { + case 'success': + req = fs.readFileSync( + `${{ env.IAM_OUT_FILENAME }}`, + { encoding: "utf8" } + ); + + body = `**\`Access on Demand\`** - 🟩 **\`IAM\`** request cleanup succeeded. + +
+ Details + Removed bindings in the request below. + + \`\`\` + ${req} + \`\`\` +
`; + break; + case 'failure': + req = fs.readFileSync( + `${{ env.IAM_OUT_FILENAME }}`, + { encoding: "utf8" } + ); + const error = fs.readFileSync( + `${{ env.IAM_ERROR_FILENAME }}`, + { encoding: "utf8" } + ); + body = `**\`Access on Demand\`** - 🟥 **\`IAM\`** request cleanup failed. + +
+ Details + Failed to cleanup IAM polices of the resources in the request below. + + \`\`\` + ${req} + \`\`\` + + Error: + \`\`\` + ${error} + \`\`\` +
`; + break; + // step cancelled/skipped. + default: + body = `**\`Access on Demand\`** - 🟦 **\`IAM\`** request not found, skip cleanup.` break; }