-
Notifications
You must be signed in to change notification settings - Fork 20
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'main' into ROCKS-973/allow-expired-eol-values
- Loading branch information
Showing
13 changed files
with
237 additions
and
17 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
name: Validate Access | ||
description: 'Check if the workflow is triggered by an admin user' | ||
|
||
# This callable workflow checks if the workflow is triggered by | ||
# a code owner or an image maintainer by testing the github.actor | ||
# variable against the CODEOWNERS file and the contacts.yaml file | ||
# under oci/* path | ||
|
||
inputs: | ||
admin-only: | ||
description: 'The protected workflow should only be triggered as a code owner or an image maintainer' | ||
required: true | ||
default: 'false' | ||
image-path: | ||
description: 'The path to the image to be built' | ||
required: true | ||
github-token: | ||
description: 'The GITHUB_TOKEN for the GitHub CLI' | ||
required: true | ||
|
||
runs: | ||
using: "composite" | ||
steps: | ||
- name: Check if the workflow is triggered by an admin user | ||
id: check-if-permitted | ||
shell: bash | ||
env: | ||
GITHUB_TOKEN: ${{ inputs.github-token }} | ||
run: ./.github/actions/validate-actor/validate-actor.sh ${{ github.actor }} ${{ inputs.admin-only }} ${{ github.workspace }} ${{ inputs.image-path }} | ||
|
||
- name: Cancel the remaining workflow if the actor is not permitted | ||
if: ${{ !cancelled() && steps.check-if-permitted.outcome == 'failure' }} | ||
shell: bash | ||
env: | ||
GITHUB_TOKEN: ${{ github.token }} | ||
run: | | ||
echo "The workflow is not triggered by a permitted user. Cancelling the workflow." | ||
gh run cancel ${{ github.run_id }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
#!/usr/bin/env bats | ||
|
||
SOURCE_DIR=$(dirname -- "${BASH_SOURCE[0]}") | ||
|
||
setup() { | ||
workdir=$(mktemp -d) | ||
mkdir -p $workdir/img | ||
echo -n "* @code-owner" > $workdir/CODEOWNERS | ||
echo -e "maintainers:\n - maintainer" > $workdir/img/contacts.yaml | ||
} | ||
|
||
@test "blocks non-code-owner-non-maintainer user" { | ||
{ | ||
output=$(${BATS_TEST_DIRNAME}/validate-actor.sh "random" "true" $workdir "img" 2>&1) | ||
exit_status=$? | ||
} || true | ||
[[ $exit_status -eq 1 ]] | ||
[[ $(echo "${output}"| tail -n 1) = "The workflow is triggered by a user neither as a code owner nor a maintainer of the image img" ]] | ||
} | ||
|
||
@test "allows code owner" { | ||
output=$(${BATS_TEST_DIRNAME}/validate-actor.sh "code-owner" "true" $workdir "img" 2>&1) | ||
[[ $(echo "${output}"| tail -n 1) = "The workflow is triggered by code-owner as the code owner" ]] | ||
} | ||
|
||
@test "allows image maintainer" { | ||
output=$(${BATS_TEST_DIRNAME}/validate-actor.sh "maintainer" "true" $workdir "img") | ||
[[ $(echo "${output}"| tail -n 1) = "The workflow is triggered by maintainer as a maintainer of the image img" ]] | ||
} | ||
|
||
@test "allows non-code-owner-non-maintainer user" { | ||
output=$(${BATS_TEST_DIRNAME}/validate-actor.sh "random" "false" $workdir "img") | ||
[[ $(echo "${output}"| tail -n 1) = "The workflow is not restricted to non-code-owner or non-maintainer users" ]] | ||
} | ||
|
||
@test "user as both code-owner and maintainer is triggered as code owner" { | ||
echo -n " @maintainer" >> $workdir/CODEOWNERS | ||
output=$(${BATS_TEST_DIRNAME}/validate-actor.sh "maintainer" "true" $workdir "img") | ||
[[ $(echo "${output}"| tail -n 1) = "The workflow is triggered by maintainer as the code owner" ]] | ||
} | ||
|
||
@test "teams are expanded to team members" { | ||
echo -n "@canonical/rocks" >> $workdir/CODEOWNERS | ||
output=$(${BATS_TEST_DIRNAME}/validate-actor.sh "ROCKsBot" "true" $workdir "img") | ||
[[ $(echo "${output}"| tail -n 1) = "The workflow is triggered by ROCKsBot as the code owner" ]] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
#!/bin/bash -e | ||
|
||
actor=$1 | ||
admin_only=$2 | ||
workspace=$3 | ||
image_path=$4 | ||
|
||
echo "github.actor: ${actor}" | ||
echo "admin-only: ${admin_only}" | ||
if [[ ${admin_only} == true ]]; then | ||
exit_status=0 | ||
echo "Expanding team mentions in the CODEOWNERS file" | ||
cp ${workspace}/CODEOWNERS ${workspace}/CODEOWNERS.bak | ||
teams=$(grep -oE '@[[:alnum:]_.-]+\/[[:alnum:]_.-]+' ${workspace}/CODEOWNERS || true | sort | uniq) | ||
|
||
for team in ${teams}; do | ||
org=$(echo ${team} | cut -d'/' -f1 | sed 's/@//') | ||
team_name=$(echo ${team} | cut -d'/' -f2) | ||
members=$(gh api "/orgs/${org}/teams/${team_name}/members" | jq -r '.[].login') | ||
replacement=$(echo "${members}" | xargs -I {} echo -n "@{} " | awk '{$1=$1};1') | ||
sed -i "s|${team}|${replacement}|g" ${workspace}/CODEOWNERS | ||
done | ||
|
||
if grep -wq "@${actor}" ${workspace}/CODEOWNERS; then | ||
echo "The workflow is triggered by ${actor} as the code owner" | ||
elif cat ${workspace}/${image_path}/contacts.yaml | yq ".maintainers" | grep "\- " | grep -wq "${actor}"; then | ||
echo "The workflow is triggered by ${actor} as a maintainer of the image ${image_path}" | ||
else | ||
echo "The workflow is triggered by a user neither as a code owner nor a maintainer of the image ${image_path}" | ||
exit_status=1 | ||
fi | ||
mv ${workspace}/CODEOWNERS.bak ${workspace}/CODEOWNERS | ||
exit ${exit_status} | ||
else | ||
echo "The workflow is not restricted to non-code-owner or non-maintainer users" | ||
fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Validating CODEOWNERS rules …
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
* @canonical/rocks |
Oops, something went wrong.