| 1 | +name: "Pin: Downstream: 2nd party" |
| 2 | + |
| 3 | +# TODO 3rd party will be based off ActivityPub |
| 4 | +# - References |
| 5 | +# - RFCv5.1: IETF SCITT: Use Case: Attestations of alignment to S2C2F and org Overlays: https://github.com/ietf-scitt/use-cases/blob/a832905e3c428fd54b1c08d4851801383eac91a6/openssf_metrics.md#use-case-attestations-of-alignment-to-s2c2f-and-org-overlays |
| 6 | + |
| 7 | +on: |
| 8 | + pull_request: |
| 9 | + types: |
| 10 | + - opened |
| 11 | + - synchronize |
| 12 | + - reopened |
| 13 | + branches: |
| 14 | + - main |
| 15 | + # TODO |
| 16 | + # push: |
| 17 | + # branches: |
| 18 | + # - main |
| 19 | + |
| 20 | +jobs: |
| 21 | + manifest: |
| 22 | + runs-on: ubuntu-latest |
| 23 | + outputs: |
| 24 | + length: ${{ steps.create-manifest-instance.outputs.length }} |
| 25 | + manifest: ${{ steps.create-manifest-instance.outputs.github_actions_manifest }} |
| 26 | + steps: |
| 27 | + - name: Set up Python |
| 28 | + uses: actions/setup-python@v4 |
| 29 | + with: |
| 30 | + python-version: "3.11" |
| 31 | + - uses: actions/checkout@v3 |
| 32 | + - name: Build manifest from plugins.json |
| 33 | + id: create-manifest-instance |
| 34 | + env: |
| 35 | + PLUGINS_JSON: "dffml/plugins.json" |
| 36 | + SCHEMA: "TODO-dffml-2ndparty-pin" |
| 37 | + JSON_INDENT: " " |
| 38 | + shell: python -u {0} |
| 39 | + run: | |
| 40 | + import os |
| 41 | + import json |
| 42 | +
|
| 43 | + plugins = json.loads(pathlib.Path(os.environ["PLUGINS_JSON"]).read_text()) |
| 44 | + manifest = plugins["plugins"]["parties"]["2nd"] |
| 45 | +
|
| 46 | + github_actions_manifest = { |
| 47 | + "include": manifest, |
| 48 | + } |
| 49 | + json_ld_manifest = { |
| 50 | + "@context": { |
| 51 | + "@vocab": os.environ["SCHEMA"], |
| 52 | + }, |
| 53 | + **github_actions_manifest, |
| 54 | + } |
| 55 | + print(json.dumps(json_ld_manifest, sort_keys=True, indent=os.environ.get("JSON_INDENT", None))) |
| 56 | +
|
| 57 | + if "GITHUB_OUTPUT" in os.environ: |
| 58 | + with open(os.environ["GITHUB_OUTPUT"], "a") as fileobj: |
| 59 | + fileobj.write(f'length={len(manifest)}\n') |
| 60 | + fileobj.write(f"manifest={json.dumps(manifest, sort_keys=True)}\n") |
| 61 | + fileobj.write(f'github_actions_manifest={json.dumps(github_actions_manifest, sort_keys=True)}\n') |
| 62 | + fileobj.write(f'json_ld_manifest={json.dumps(json_ld_manifest, sort_keys=True)}\n') |
| 63 | +
|
| 64 | + |
| 65 | + pin_downstream_pep_440: |
| 66 | + name: "Pin downstream to latest commit" |
| 67 | + runs-on: ubuntu-latest |
| 68 | + env: |
| 69 | + PIN_PULL_REQUEST_EMAIL: '[email protected]' |
| 70 | + PIN_PULL_REQUEST_NAME: 'Alice Alchemy' |
| 71 | + GH_ACCESS_TOKEN: ${{ secrets.PIN_DOWNSTREAM_2ND_PARTY_GH_ACCESS_TOKEN }} |
| 72 | + PIN_TO_COMMIT: ${{ github.event.after || github.event.pull_request.head.sha }} |
| 73 | + BUMP_DEP: "dffml @ https://github.com/intel/dffml/archive/" |
| 74 | + needs: |
| 75 | + - manifest |
| 76 | + strategy: |
| 77 | + fail-fast: false |
| 78 | + max-parallel: 100 |
| 79 | + matrix: ${{ fromJSON(needs.manifest.outputs.manifest) }} |
| 80 | + steps: |
| 81 | + - name: Checkout |
| 82 | + env: |
| 83 | + # TODO Pull requests on pull requests, probably from renovate/dependabot |
| 84 | + # https://github.com/intel/dffml/pull/1061#pullrequestreview-1281885921 |
| 85 | + TARGET_REPO_URL: ${{ matrix.source_url }} |
| 86 | + TARGET_BRANCH: ${{ matrix.branch }} |
| 87 | + TARGET_COMMIT: ${{ matrix.branch }} |
| 88 | + run: | |
| 89 | + set -x |
| 90 | + git init |
| 91 | + git remote add origin "${TARGET_REPO_URL}" |
| 92 | + git fetch origin "${TARGET_BRANCH}" --depth 1 |
| 93 | + git fetch origin "${TARGET_COMMIT}" --depth 1 |
| 94 | + git reset --hard "${TARGET_COMMIT}" |
| 95 | + - name: Find repo local dependent files |
| 96 | + id: repo-local-downstream |
| 97 | + run: | |
| 98 | + set -x |
| 99 | + get_files() { |
| 100 | + git grep "${BUMP_DEP}" | sed -e 's/:.*//g' | sort | uniq |
| 101 | + } |
| 102 | + echo files_length=$(get_files | wc -l) >> $GITHUB_OUTPUT |
| 103 | + echo files=$(get_files | jq -R | jq -s -c) >> $GITHUB_OUTPUT |
| 104 | + - name: Update pinning of upstream within downstream |
| 105 | + if: ${{ fromJSON(steps.repo-local-downstream.outputs.files_length) > 0 }} |
| 106 | + id: create-pull-request |
| 107 | + env: |
| 108 | + NEW_HASH: ${{ env.PIN_TO_COMMIT }} |
| 109 | + COMMIT_MESSAGE: "setup: Pin ${{ env.UPSTREAM_PACKAGE_NAME }} to ${{ env.PIN_TO_COMMIT }}\n${{ github.event.pull_request.html_url }}\n${{ github.server_url }}/${{ github.repository }}/commit/${{ env.PIN_TO_COMMIT }}\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" |
| 110 | + NEW_BRANCH_WITH_PIN: "pin/pep_440/${{ github.repository }}/${{ env.PIN_TO_COMMIT }}" |
| 111 | + FILES: ${{ toJSON(steps.repo-local-downstream.outputs.files) }} |
| 112 | + BASE: ${{ matrix.branch }} |
| 113 | + run: | |
| 114 | + set -x |
| 115 | + # https://github.com/dffml/dffml-model-transformers/blob/898af4a51d9b5d70d58ce80ba2c508f3afa82400/setup.cfg#L6 |
| 116 | + sed -i -r -e "s#${BUMP_DEP}[A-Fa-f0-9]{40}#${BUMP_DEP}${NEW_HASH}#g" $(echo "${FILES}" | jq -r '.[]') |
| 117 | + git checkout -b "${NEW_BRANCH_WITH_PIN}" |
| 118 | + git config user.email "${PIN_PULL_REQUEST_EMAIL}" |
| 119 | + git config user.name "${PIN_PULL_REQUEST_NAME}" |
| 120 | + git commit -sam "${COMMIT_MESSAGE}" |
| 121 | + echo "${GH_ACCESS_TOKEN}" | gh auth login --with-token |
| 122 | + git push -u origin -f "${NEW_BRANCH_WITH_PIN}" |
| 123 | + gh pr create --base "${BASE}" --head "${NEW_BRANCH_WITH_PIN}" --title "${COMMIT_MESSAGE}" --body "" | tee pull-request-url |
| 124 | + PULL_REQUEST_URL="$(cat pull-request-url)" |
| 125 | + if [[ "x${PULL_REQUEST_URL}" == "x" ]]; then |
| 126 | + echo "No pull request URL" 1>&2 |
| 127 | + exit 1 |
| 128 | + fi |
| 129 | + echo "url=${PULL_REQUEST_URL}" | tee -a $GITHUB_OUTPUT |
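Review bot: `pathlib.Path(...)` on new line 43 of the manifest step is used without `import pathlib` (only `os` and `json` are imported on lines 40–41), so the job dies with NameError before the manifest is built; add `import pathlib` beside the other two imports. In the create-pull-request step, `set -x` (line 114) is still active when `echo "${GH_ACCESS_TOKEN}" | gh auth login --with-token` runs on line 121, so the expanded token lands in the trace and only GitHub's secret masking keeps it out of the log; since `gh` reads a `GH_TOKEN` environment variable directly, renaming the job-level env var to `GH_TOKEN` and dropping the login line avoids echoing the secret at all, and the `git push` to the https `TARGET_REPO_URL` on line 122 looks like it has no credentials unless `gh auth setup-git` (or a credential helper) is configured first. `COMMIT_MESSAGE` on line 109 interpolates `env.UPSTREAM_PACKAGE_NAME`, which is defined nowhere in this workflow, so the commit message and PR title will read "setup: Pin  to <sha>"; define it under the job `env` (e.g. next to `BUMP_DEP`) or use `github.repository`. `TARGET_COMMIT: ${{ matrix.branch }}` on line 87 duplicates the branch rather than naming a commit, and `git reset --hard "${TARGET_COMMIT}"` after a depth-1 fetch of a bare branch name will presumably fail to resolve it unless `matrix.branch` is already a SHA; `git reset --hard FETCH_HEAD` or a separate `matrix.commit` would make the intent explicit. Given that the file itself cites the SCITT/S2C2F alignment use case, `actions/setup-python@v4` and `actions/checkout@v3` should be pinned to full-length commit SHAs with the tag in a trailing comment rather than to mutable major tags.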