Add workflows for PR validation tasks and labeling (cloudera-labs#84)

wmudge · web-flow · commit c1a444c2b29e · 2023-01-31T20:55:22.000Z
Signed-off-by: Webster Mudge &lt;wmudge@cloudera.com&gt;
diff --git a/.github/workflows/label_pr.yml b/.github/workflows/label_pr.yml
@@ -0,0 +1,54 @@
+---
+# See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+
+name: Label validated Pull Request
+
+on:
+  workflow_run:
+    workflows: ["Validate Pull Request"]
+    types:
+      - completed
+
+jobs:
+  label:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success'
+    steps:
+      - name: Download the PR number artifact
+        uses: actions/github-script@v6
+        with:
+          script: |
+            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: context.payload.workflow_run.id,
+            });
+            let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "pr_number"
+            })[0];
+            let download = await github.rest.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            let fs = require('fs');
+            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/pr_number.zip`, Buffer.from(download.data));
+
+      - name: 'Unzip artifact'
+        run: unzip pr_number.zip
+
+      - name: Read the PR number
+        id: read
+        run: echo "pr_number=$(cat pr_number)" >> $GITHUB_OUTPUT
+
+      - name: Label the PR
+        uses: actions-ecosystem/action-add-labels@v1
+        with:
+          labels: validated
+          number: ${{ steps.read.outputs.pr_number }}
diff --git a/.github/workflows/reset_pr.yml b/.github/workflows/reset_pr.yml
@@ -0,0 +1,26 @@
+---
+
+name: Reset Pull Request validation label
+
+on:
+  pull_request_target:
+    types:
+      - reopened
+      - synchronize
+      - ready_for_review
+    branches:
+      - 'release/**'
+      - 'devel'
+      - 'devel-pvc-base'
+
+jobs:
+  reset:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Reset the PR label
+        uses: actions-ecosystem/action-remove-labels@v1
+        with:
+          labels: validated
diff --git a/.github/workflows/validate_pr.yml b/.github/workflows/validate_pr.yml
@@ -0,0 +1,70 @@
+---
+
+name: Validate Pull Request
+
+on:
+  pull_request:
+    branches:
+      - 'release/**'
+      - 'devel'
+      - 'devel-pvc-base'
+    
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Setup Python and caching
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.9'
+          cache: 'pip'
+      
+      - name: Set up Ansible collections
+        run: |
+          sudo update-alternatives --install /usr/bin/python python $(which python3) 1
+          pip install ansible-core==2.12 ansible-builder pycodestyle voluptuous pylint pyyaml ansible-lint
+          ansible-galaxy collection install -r builder/requirements.yml -p /usr/share/ansible/collections
+          #ansible-galaxy role install -r builder/requirements.yml -p /usr/share/ansible/roles
+
+      - name: Report Ansible version, collections, and roles
+        run: |
+          ansible --version
+          ansible-galaxy collection list
+          #ansible-galaxy role list
+      
+      - name: Set up Ansible collection dependencies
+        run: |
+          ansible-builder introspect \
+            --write-pip final_python.txt --write-bindep final_bindep.txt \
+            /usr/share/ansible/collections
+          pip install -r final_python.txt
+          sudo apt-get -y install $(cat final_bindep.txt)
+      
+      - name: Report installed Python dependencies
+        run: pip freeze
+      
+      - name: Validate collection
+        run: |
+          pushd /usr/share/ansible/collections/ansible_collections/cloudera/cloud
+          #ansible-lint
+          #ansible-test sanity --test pep8
+          #ansible-test sanity --test validate-modules
+          #ansible-test units --requirements --color yes --redact
+          popd
+
+      # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+      - name: Save PR number
+        env:
+          PR_NUMBER: ${{ github.event.number }}
+        run: |
+          mkdir -p ./pr
+          echo $PR_NUMBER > ./pr/pr_number
+      
+      - name: Upload the PR number
+        uses: actions/upload-artifact@v3
+        with:
+          name: pr_number
+          path: pr/
diff --git a/builder/requirements.yml b/builder/requirements.yml
@@ -0,0 +1,5 @@
+---
+
+collections:
+  - source: .
+    type: dir
