Skip to content

Implement secret in log #9771

Implement secret in log

Implement secret in log #9771

name: accept-pull-request
on:
issue_comment:
types:
- created
concurrency: accept-pull-request-${{ github.event.issue.number }}
jobs:
accept-pull-request:
if: ${{ github.event.issue.pull_request && (github.event.comment.body == '/accept' || github.event.comment.body == '/accept --force' || github.event.comment.body == '/rebase') }}
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
GITHUB_TOKEN: ${{ secrets.HURL_BOT_TOKEN }}
OWNER: ${{ github.repository_owner }}
REPO: ${{ github.event.repository.name }}
PR_NUMBER: ${{ github.event.issue.number }}
COMMENT_USER_LOGIN: ${{ github.event.comment.user.login }}
PR_COMMENT: ${{ github.event.comment.body }}
outputs:
base_ref: ${{ steps.init-all-internal-env-vars.outputs.base_ref }}
new_version_master_snapshot_version: ${{ steps.check-github-release.outputs.new_version_master_snapshot_version }}
is_a_github_release_pr: ${{ steps.check-github-release.outputs.is_a_github_release_pr }}
name: accept-pull-request
runs-on: ubuntu-latest
steps:
- name: Check user permission
run: |
comment_user_permission=$(gh api repos/"${OWNER}"/"${REPO}"/collaborators/"${COMMENT_USER_LOGIN}"/permission -q .permission)
if [ "${comment_user_permission}" = "admin" ] ; then
echo " - βœ… You have the ${comment_user_permission} permission then you are allowed to merge pull request nΒ°${PR_NUMBER}"
else
comment="❌ Sorry \`${COMMENT_USER_LOGIN}\`, you are not allowed to merge this pull request because you do not have admin permission (actual permission=${comment_user_permission})."
echo " - ${comment}"
gh pr comment "${PR_NUMBER}" --body "${comment}"
exit 1
fi
- name: Init all internal env vars
id: init-all-internal-env-vars
env:
TITLE: ${{ github.event.issue.title }}
run: |
pr_detail_file="pr_detail.json"
gh api repos/"${OWNER}"/"${REPO}"/pulls/"${PR_NUMBER}" > "${pr_detail_file}"
jq . "${pr_detail_file}"
echo "github.event.issue.title: $TITLE"
HEAD_REPO_FULL_NAME=$(jq -rc .head.repo.full_name ${pr_detail_file})
BASE_REPO_FULL_NAME=$(jq -rc .base.repo.full_name ${pr_detail_file})
if [ "${HEAD_REPO_FULL_NAME}" = "${BASE_REPO_FULL_NAME}" ] ; then
HEAD_TYPE=origin
else
HEAD_TYPE=fork
fi
echo "HEAD_REPO_FULL_NAME=${HEAD_REPO_FULL_NAME}" | tee -a "${GITHUB_ENV}"
echo "BASE_REPO_FULL_NAME=${BASE_REPO_FULL_NAME}" | tee -a "${GITHUB_ENV}"
echo "HEAD_TYPE=${HEAD_TYPE}" | tee -a "${GITHUB_ENV}"
echo "HEAD_REF=$(jq -rc .head.ref ${pr_detail_file})" | tee -a "${GITHUB_ENV}"
echo "BASE_REF=$(jq -rc .base.ref ${pr_detail_file})" | tee -a "${GITHUB_ENV}"
echo "PR_STATE=$(jq -rc .state ${pr_detail_file})" | tee -a "${GITHUB_ENV}"
echo "PR_DRAFT=$(jq -rc .draft ${pr_detail_file})" | tee -a "${GITHUB_ENV}"
echo "PR_MERGEABLE=$(jq -rc .mergeable ${pr_detail_file})" | tee -a "${GITHUB_ENV}"
echo "REMAINING_COMMITS_FILE=remaining_commits.txt" | tee -a "${GITHUB_ENV}"
echo "NEW_COMMITS_FILE=new_commits.txt" | tee -a "${GITHUB_ENV}"
echo "base_ref=$(jq -rc .base.ref ${pr_detail_file})" | tee -a "${GITHUB_OUTPUT}"
- name: Checkout repository
uses: actions/[email protected]
with:
ref: ${{ env.BASE_REF }}
token: ${{ secrets.HURL_BOT_TOKEN }}
fetch-depth: 0
- name: Notify user
run: |
if [[ "${PR_COMMENT}" == "/accept" ]] ; then
order="/accept"
elif [[ "${PR_COMMENT}" == "/accept --force" ]] ; then
order="/accept --force"
elif [[ "${PR_COMMENT}" == "/rebase" ]] ; then
order="/rebase"
fi
comment="πŸ•— [${order}](${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}) is running, please wait for completion."
gh pr comment "${PR_NUMBER}" --body "${comment}"
echo "ORDER=${order}" | tee -a "${GITHUB_ENV}"
- name: Init git bot context
uses: crazy-max/[email protected]
with:
gpg_private_key: ${{ secrets.HURL_BOT_GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.HURL_BOT_GPG_PRIVATE_KEY_PASSPHRASE }}
git_committer_name: ${{ secrets.HURL_BOT_USER }}
git_committer_email: ${{ secrets.HURL_BOT_EMAIL }}
git_user_signingkey: true
git_commit_gpgsign: true
- name: Add fork source branch
if: env.HEAD_TYPE == 'fork'
run: |
git remote add fork https://${{ secrets.HURL_BOT_USER }}:${{ secrets.HURL_BOT_TOKEN }}@github.com/${{ env.HEAD_REPO_FULL_NAME}}
git remote --verbose
git fetch --all
git remote -v
git fetch fork
git branch -va
- name: Check if PR source branch is not master
if: env.HEAD_REF == 'master'
run: |
comment="❌ Can not ${{ env.ORDER }} this pull request because your working branch is master, please create a new branch as requested in [CONTRIBUTING.md](https://github.com/Orange-OpenSource/hurl/blob/master/CONTRIBUTING.md)."
echo " - ${comment}"
gh pr comment "${PR_NUMBER}" --body "${comment}"
exit 1
- name: Check if pull request state is open
run: |
if [ "${{ env.PR_STATE }}" = "open" ] ; then
echo " - βœ… Pull request is ${{ env.PR_STATE }}."
else
comment="❌ Can not ${{ env.ORDER }} this pull request because it is not open (actual state=${{ env.PR_STATE }})."
echo " - ${comment}"
gh pr comment "${PR_NUMBER}" --body "${comment}"
exit 1
fi
- name: Check if pull request is ready
if: ${{ github.event.comment.body == '/accept' || github.event.comment.body == '/accept --force' }}
run: |
if [ "${{ env.PR_DRAFT }}" = "false" ] ; then
echo " - βœ… Pull request draft state is ${{ env.PR_DRAFT }}."
else
comment="❌ Can not ${{ env.ORDER }} this pull request because it is still in draft."
echo " - ${comment}"
gh pr comment "${PR_NUMBER}" --body "${comment}"
exit 1
fi
- name: Check if pull request is mergeable
if: ${{ github.event.comment.body == '/accept' || github.event.comment.body == '/accept --force' }}
run: |
if [ "${{ env.PR_MERGEABLE }}" = "true" ] ; then
echo " - βœ… Pull request mergeable state is ${{ env.PR_MERGEABLE }}."
else
comment="❌ Pull request is not mergeable, please check unresolved discussions and pull request messages."
echo " - ${comment}"
gh pr comment "${PR_NUMBER}" --body "${comment}"
exit 1
fi
- name: Check GitHub release
if: ${{ github.event.comment.body == '/accept' || github.event.comment.body == '/accept --force' }}
id: check-github-release
run: |
if [ $(echo ${{ env.HEAD_REF }} | grep -Ec '^release/') -eq 0 ] ; then
echo " - βœ… Pull request is not about a pending GitHub release."
else
echo "is_a_github_release_pr=true" | tee -a "${GITHUB_OUTPUT}"
tag_version="$(echo ${{ env.HEAD_REF }} | cut --delimiter '/' --field 2)"
major=$(echo "${tag_version}" | cut --delimiter "." --field 1)
minor=$(echo "${tag_version}" | cut --delimiter "." --field 2)
new_minor="$((minor + 1))"
echo "major=${major}, minor=${minor}, new_minor=${new_minor}"
new_version_master_snapshot_version="${major}.${new_minor}.0-SNAPSHOT"
echo "new_version_master_snapshot_version=${new_version_master_snapshot_version}" | tee -a "${GITHUB_OUTPUT}"
gh_result=$(gh api repos/"${OWNER}"/"${REPO}"/releases/tags/"${tag_version}" | tr ":" "=" | tr -d '"' | tr -d " ")
echo "gh_result=${gh_result}"
if [ $(echo "${gh_result}" | grep -Ec "message=NotFound|prerelease=true") -eq 0 ] ; then
comment="βœ… GitHub release ${tag_version} is published."
echo " - ${comment}"
else
comment="πŸ‘β€πŸ—¨ GitHub release ${tag_version} is still in draft/prerelease. Please don't forget to publish it after merging this release PR."
echo " - ${comment}"
gh pr comment "${PR_NUMBER}" --body "${comment}"
fi
fi
- name: Check if source branch is rebased from target branch
if: ${{ github.event.comment.body == '/accept' || github.event.comment.body == '/accept --force' || github.event.comment.body == '/rebase' }}
run: |
git log --oneline --cherry ${{ env.HEAD_TYPE }}/${{ env.HEAD_REF }}...origin/${{ env.BASE_REF }} > "${{ env.REMAINING_COMMITS_FILE }}" && exit_code=0 || exit_code=1
if [ ${exit_code} -eq 1 ] ; then
comment="❌ Rebase check fails. Please refer to ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID} logs."
echo " - ${comment}"
gh pr comment "${PR_NUMBER}" --body "${comment}"
exit 1
fi
diff_count=$(grep -c ^+ ${{ env.REMAINING_COMMITS_FILE }} || true)
if [ ${diff_count} -eq 0 ] ; then
comment="πŸ‘Œ No needs to auto rebase, \`${{ env.HEAD_REPO_FULL_NAME}}/${{ env.HEAD_REF }}\` is already rebased from \`${{ env.BASE_REPO_FULL_NAME}}/${{ env.BASE_REF }}\`."
echo "${comment}"
if [ "${{ env.ORDER }}" == "/rebase" ] ; then
gh pr comment "${PR_NUMBER}" --body "${comment}"
fi
else
git fetch --all
git switch ${{ env.HEAD_REF }}
git pull
git rebase origin/${{ env.BASE_REF }} && exit_code=0 || exit_code=1
git log --oneline -n 20
if [ ${exit_code} -eq 1 ] ; then
comment="❌ Auto rebase from \`${{ env.BASE_REPO_FULL_NAME}}/${{ env.BASE_REF }}\` fails due to conflicts. Sorry but you have to manage this manually. Please refer to ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID} logs."
echo " - ${comment}"
gh pr comment "${PR_NUMBER}" --body "${comment}"
exit 1
fi
if [ ${{ env.HEAD_TYPE }} == "fork" ] ; then
git push fork ${{ env.HEAD_REF }} --force && exit_code=0 || exit_code=1
else
git push --force && exit_code=0 || exit_code=1
fi
if [ ${exit_code} -eq 0 ] ; then
comment="πŸ”¨ Auto rebase from \`${{ env.BASE_REPO_FULL_NAME}}/${{ env.BASE_REF }}\` succeeds, \`${{ env.HEAD_REPO_FULL_NAME}}/${{ env.HEAD_REF }}\` now embeds these commits:<br>$(echo ; sed "s/+/ -/g" ${{ env.REMAINING_COMMITS_FILE }})"
echo " - ${comment}"
gh pr comment "${PR_NUMBER}" --body "${comment}"
if [ "${{ env.ORDER }}" == "/accept" ] || [ "${{ env.ORDER }}" == "/accept --force" ] ; then
comment="πŸ•— [${{ env.ORDER }}](${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}) is still running, please wait for completion."
gh pr comment "${PR_NUMBER}" --body "${comment}"
sleep 15
fi
else
comment="❌ Auto rebase from \`${{ env.BASE_REPO_FULL_NAME}}/${{ env.BASE_REF }}\` fails on `git push --force`. Please refer to ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID} logs."
echo " - ${comment}"
gh pr comment "${PR_NUMBER}" --body "${comment}"
fi
git switch ${{ env.BASE_REF }}
fi
- name: Check if pull request checks are successful
if: ${{ github.event.comment.body == '/accept' }}
run: |
gh pr checks "${PR_NUMBER}" --watch --interval 30 && exit_code=0 || exit_code=$?
if [ "${exit_code}" -eq 0 ] ; then
echo " - βœ… Pull request checks are successful."
else
comment="❌ Some checks are still failing, please fix them before trying to merge this pull request."
echo " - ${comment}"
gh pr comment "${PR_NUMBER}" --body "${comment}"
exit 1
fi
- name: Check if source branch is rebased from target branch
if: ${{ github.event.comment.body == '/accept' || github.event.comment.body == '/accept --force' }}
run: |
git pull
git log --oneline --cherry ${{ env.HEAD_TYPE }}/${{ env.HEAD_REF }}...origin/${{ env.BASE_REF }} > "${{ env.REMAINING_COMMITS_FILE }}" && exit_code=0 || exit_code=1
if [ ${exit_code} -eq 1 ] ; then
comment="❌ Rebase check fails. Please refer to ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID} logs."
echo " - ${comment}"
gh pr comment "${PR_NUMBER}" --body "${comment}"
exit 1
fi
diff_count=$(grep -c ^+ ${{ env.REMAINING_COMMITS_FILE }} || true)
if [ ${diff_count} -eq 0 ] ; then
echo " - βœ… ${{ env.HEAD_REPO_FULL_NAME}}/${{ env.HEAD_REF }} is already rebased from ${{ env.BASE_REPO_FULL_NAME}}/${{ env.BASE_REF }}."
else
comment="❌ New commits have been pushed to \`${{ env.BASE_REPO_FULL_NAME}}/${{ env.BASE_REF }}\` since you accept this PR. You can rebase it by yourself or simply re-accept this PR to execute an auto rebase.<br>Pending commits:<br>$(echo ; sed "s/+/-/g" ${{ env.REMAINING_COMMITS_FILE }})"
echo " - ${comment}"
gh pr comment "${PR_NUMBER}" --body "${comment}"
exit 1
fi
- name: Get new commits list
if: ${{ github.event.comment.body == '/accept' || github.event.comment.body == '/accept --force' }}
run: |
git log --oneline --cherry origin/${{ env.BASE_REF }}...${{ env.HEAD_TYPE }}/${{ env.HEAD_REF }} | tee ${{ env.NEW_COMMITS_FILE }}
- name: Merge fast forward head ref to base ref
if: ${{ github.event.comment.body == '/accept' || github.event.comment.body == '/accept --force' }}
run: |
git merge ${{ env.HEAD_TYPE }}/${{ env.HEAD_REF }} --ff-only && exit_code=0 || exit_code=1
if [ ${exit_code} -eq 0 ] ; then
echo " - βœ… Merge fast forward succeeds."
else
comment="❌ Merge fast forward fails. Please refer to ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID} logs."
echo " - ${comment}"
gh pr comment "${PR_NUMBER}" --body "${comment}"
exit 1
fi
git push && exit_code=0 || exit_code=1
if [ ${exit_code} -eq 0 ] ; then
echo " - βœ… Push merge fast forward succeeds."
else
comment="❌ Push merge fast forward fails. Please refer to ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID} logs."
echo " - ${comment}"
gh pr comment "${PR_NUMBER}" --body "${comment}"
exit 1
fi
- name: Final comment
if: ${{ github.event.comment.body == '/accept' || github.event.comment.body == '/accept --force' }}
run: |
if [[ "${PR_COMMENT}" =~ "--force" ]] ; then
comment="βœ… Pull request merged with fast forward by \`${COMMENT_USER_LOGIN}\` without waiting for checks."
else
comment="βœ… Pull request merged with fast forward by \`${COMMENT_USER_LOGIN}\`."
fi
gh pr comment "${PR_NUMBER}" --body "${comment}.<br><br>\# List of commits merged from \`${{ env.HEAD_REPO_FULL_NAME}}/${{ env.HEAD_REF }}\` branch into \`${{ env.BASE_REPO_FULL_NAME}}/${{ env.BASE_REF }}\` branch:<br>$(echo ; sed 's/+/-/g' ${{ env.NEW_COMMITS_FILE }})"