From f503c5d38456a99ab3864ddd065ffb9743cccefa Mon Sep 17 00:00:00 2001
From: Robert Schumacher
Date: Mon, 26 Jul 2021 14:26:28 -0700
Subject: [vcpkg-ci] Add GitHub Actions precheck and reporting (#19115)

---
 .github/workflows/trustedPR.yml   | 58 +++++++++++++++++++++++
 .github/workflows/untrustedPR.yml | 98 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 156 insertions(+)
 create mode 100644 .github/workflows/trustedPR.yml
 create mode 100644 .github/workflows/untrustedPR.yml

diff --git a/.github/workflows/trustedPR.yml b/.github/workflows/trustedPR.yml
new file mode 100644
index 000000000..d45bfeb11
--- /dev/null
+++ b/.github/workflows/trustedPR.yml
@@ -0,0 +1,58 @@
+# Modelled after https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
+name: Post PR Suggestions
+
+on:
+  workflow_run:
+    workflows: ["PR Suggestions"]
+    types:
+      - completed
+
+jobs:
+  comment:
+    runs-on: ubuntu-latest
+    if: >
+      ${{ github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success' }}
+
+    steps:
+      - name: 'Download artifact'
+        uses: actions/github-script@v3.1.0
+        with:
+          script: |
+            var artifacts = await github.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: ${{github.event.workflow_run.id }},
+            });
+            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "pr"
+            })[0];
+            var download = await github.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            var fs = require('fs');
+            fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
+      - run: unzip pr.zip
+
+      - uses: actions/github-script@v4
+        with:
+          script: |
+            const { promises: fs } = require('fs')
+            const event = (await fs.readFile('event', 'utf8')).trim()
+            const body = (await fs.readFile('body', 'utf8')).trim()
+            const issue_number = Number(await fs.readFile('./NR'));
+
+            var req = {
+              owner: context.repo.owner,
+              pull_number: issue_number,
+              repo: context.repo.repo,
+              event: event
+            };
+            if (body !== "") {
+              req.body = body;
+            }
+            await github.pulls.createReview(req);
diff --git a/.github/workflows/untrustedPR.yml b/.github/workflows/untrustedPR.yml
new file mode 100644
index 000000000..77e7df1eb
--- /dev/null
+++ b/.github/workflows/untrustedPR.yml
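Review bot: The PR number, review event and body read from the `pr` artifact are produced by the untrusted `pull_request` run and are never checked against the run that triggered this workflow, so a fork that edits untrustedPR.yml can make this write-capable job post an `APPROVE` review with arbitrary markdown on any PR number it chooses. Before `createReview`, bind `issue_number` to the triggering run by fetching the PR and comparing its head SHA with `context.payload.workflow_run.head_sha` (`workflow_run.pull_requests` is, as far as I know, empty for fork PRs, so it cannot be relied on alone), and restrict `event` to the values the upstream workflow legitimately emits. The same step should also fail loudly when no `pr` artifact exists instead of dereferencing an undefined `matchArtifact`, and since this job runs with write permissions both `actions/github-script` uses should be pinned to one version, ideally a commit SHA, rather than the mixed `v3.1.0`/`v4` tags.
```javascript
const issue_number = Number(await fs.readFile('./NR'));
// NR, event and body come from an untrusted pull_request run: bind the PR
// number to the run that produced the artifact before posting with the
// write-capable token.
const run = context.payload.workflow_run;
const pr = await github.pulls.get({
  owner: context.repo.owner,
  repo: context.repo.repo,
  pull_number: issue_number,
});
if (pr.data.head.sha !== run.head_sha) {
  throw new Error(`PR #${issue_number} head ${pr.data.head.sha} does not match workflow_run head ${run.head_sha}`);
}
if (!['APPROVE', 'REQUEST_CHANGES', 'COMMENT'].includes(event)) {
  throw new Error(`unexpected review event: ${event}`);
}
// … unchanged: build req and await github.pulls.createReview(req) …
```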
@@ -0,0 +1,98 @@
+# Modelled after https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
+# These "checks" are also performed as part of our critical-path azure-pipelines review,
+# however here they are better able to post back to the original PR
+name: PR Suggestions
+
+on:
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          # fetch-depth 2 ensures we capture both parents of the merge commit
+          fetch-depth: 2
+
+      - uses: actions/cache@v2
+        id: cache
+        with:
+          path: |
+            ./vcpkg
+          key: ${{ runner.os }}-${{ hashFiles('scripts/bootstrap*') }}
+
+      - name: bootstrap
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: ./bootstrap-vcpkg.sh
+
+      - name: Save PR number
+        run: |
+          mkdir -p ./pr
+          echo ${{ github.event.number }} > ./pr/NR
+
+      - name: Formatting
+        run: |
+          git config user.email github-actions
+          git config user.name github-actions@github.com
+
+          ./vcpkg format-manifest ports/*/vcpkg.json
+          git diff > .github-pr.format-manifest
+          git add -u
+          git commit -m "tmp" --allow-empty
+          # HEAD^^ refers to the "main" commit that was merged into
+          git checkout HEAD^^ -- versions
+          git restore --staged versions
+          ./vcpkg x-add-version --all --skip-formatting-check > .github-pr.x-add-version.out
+          git diff > .github-pr.x-add-version.diff
+          git reset HEAD~ --mixed
+
+      - uses: actions/github-script@v4
+        with:
+          script: |
+            const { promises: fs } = require('fs')
+            const add_version = (await fs.readFile('.github-pr.x-add-version.diff', 'utf8')).trim()
+            const add_version_out = (await fs.readFile('.github-pr.x-add-version.out', 'utf8')).trim()
+            const format = (await fs.readFile('.github-pr.format-manifest', 'utf8')).trim()
+
+            var output = ''
+            if (format !== "") {
+              output += "
 All manifest files must be formatted\n\n"
+              output += "`./vcpkg format-manifest ports/*/vcpkg.json`\n"
+              output += "
 Diff\n\n"
+              output += "```diff\n" + format + "\n```\n"
+              output += "
 \n\n"
+            }
+            if (add_version_out !== "") {
+              output += "
 PRs must add only one version and must not modify any published versions\n\n"
+              output += "When making any changes to a library, the version or port-version in `vcpkg.json` or `CONTROL` must be modified.\n"
+              output += "```\n" + add_version_out + "\n```\n
 \n"
+            }
+            if (add_version !== "") {
+              output += "
 After committing all other changes, the version database must be updated\n\n"
+              output += "```sh\n"
+              output += "git add -u && git commit\n"
+              output += "git checkout ${{ github.event.pull_request.base.sha }} -- versions\n"
+              output += "./vcpkg x-add-version --all\n"
+              output += "```\n"
+              output += "
 Diff\n\n"
+              output += "```diff\n" + add_version + "\n```\n"
+              output += "
 \n\n"
+            }
+
+            if (output === "") {
+              await fs.writeFile("pr/event", "APPROVE")
+            } else {
+              output = "_This is a new experimental fast check for PR issues. Please let us know if this bot is helpful!_\n\n" + output
+              await fs.writeFile("pr/event", "REQUEST_CHANGES")
+            }
+            await fs.writeFile("pr/body", output)
+
+            console.log(output);
+
+      - uses: actions/upload-artifact@v2
+        with:
+          name: pr
+          path: pr/
-- cgit v1.2.3
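Review bot: The two `git config` lines in the Formatting step have their values swapped — `user.email` is set to `github-actions` and `user.name` to `github-actions@github.com`; they should read `git config user.email github-actions@github.com` and `git config user.name github-actions`. Because this workflow triggers on `pull_request`, the copy of this file that runs for a fork PR is the one in the PR itself, so everything it writes under `pr/` (NR, event, body) has to be treated as attacker-controlled by whichever workflow consumes the artifact; I would say so next to the "Modelled after" comment: `# For fork PRs this runs the PR's own copy of this file, so nothing in the pr/ artifact may be trusted downstream.` The `${{ github.event.number }}` and `${{ github.event.pull_request.base.sha }}` expansions into shell and JavaScript are safe as written since both are numeric/hex values, but any further expression added to these scripts should be passed via `env:` rather than interpolated into the step body.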