mirror of https://github.com/grafana/grafana
CI: Update patch check event to use `workflow_call` (#105478)
* add pr-patch-check-event workflow_call * remove unneded permission * sender -> sender_login * Add my branch as a target for testing * fix branch name * use pull_request event * fix repo in list * maybe repositories not prefixedby org? * fix permissions * remove my branch * Missing @ * Add missing CODEOWNER entry * call workflow from my branch and add oidc debugger * add my branch to list for testing * remove my branch; use workflow from main; remove oidc debug * retrigger CIpull/105584/head
Kevin Minehart
8 months ago
committed by
GitHub
parent
feaaf96269
commit
d0637bba5b
@ -1,60 +1,27 @@ |
||||
name: Dispatch check for patch conflicts |
||||
on: |
||||
push: |
||||
branches-ignore: |
||||
pull_request: |
||||
types: |
||||
- opened |
||||
- reopened |
||||
- synchronize |
||||
branches: |
||||
- "main" |
||||
- "release-*.*.*" |
||||
tags-ignore: |
||||
- "*" |
||||
- "release-*" |
||||
|
||||
permissions: {} |
||||
permissions: |
||||
id-token: write |
||||
contents: read |
||||
|
||||
# Since this is run on a pull request, we want to apply the patches intended for the |
||||
# target branch onto the source branch, to verify compatibility before merging. |
||||
jobs: |
||||
dispatch-job: |
||||
permissions: |
||||
id-token: write |
||||
contents: read |
||||
actions: write |
||||
env: |
||||
REPO: ${{ github.repository }} |
||||
SENDER: ${{ github.event.sender.login }} |
||||
SHA: ${{ github.sha }} |
||||
runs-on: ubuntu-latest |
||||
if: github.repository == 'grafana/grafana' |
||||
steps: |
||||
- name: "Get vault secrets" |
||||
id: vault-secrets |
||||
uses: grafana/shared-workflows/actions/get-vault-secrets@main |
||||
with: |
||||
# Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault |
||||
repo_secrets: | |
||||
GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY |
||||
- name: "Generate token" |
||||
id: generate_token |
||||
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a |
||||
with: |
||||
# App needs Actions: Read/Write for the grafana/security-patch-actions repo |
||||
app_id: ${{ vars.DELIVERY_BOT_APP_ID }} |
||||
private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }} |
||||
- name: "Dispatch job" |
||||
uses: actions/github-script@v7 |
||||
with: |
||||
github-token: ${{ steps.generate_token.outputs.token }} |
||||
script: | |
||||
const {REPO, SENDER, SHA} = process.env; |
||||
|
||||
await github.rest.actions.createWorkflowDispatch({ |
||||
owner: 'grafana', |
||||
repo: 'security-patch-actions', |
||||
workflow_id: 'test-patches-event.yml', |
||||
ref: 'main', |
||||
inputs: { |
||||
src_repo: REPO, |
||||
src_ref: 'main', |
||||
src_merge_sha: SHA, |
||||
src_pr_commit_sha: SHA, |
||||
patch_repo: REPO + '-security-patches', |
||||
patch_ref: 'main', |
||||
triggering_github_handle: SENDER |
||||
} |
||||
}) |
||||
uses: grafana/grafana/.github/workflows/pr-patch-check.yml@main |
||||
with: |
||||
head_ref: ${{ github.head_ref }} |
||||
base_ref: ${{ github.base_ref }} |
||||
repo: ${{ github.repository }} |
||||
sender_login: ${{ github.event.sender.login }} |
||||
sha: ${{ github.sha }} |
||||
pr_commit_sha: ${{ github.event.pull_request.head.sha }} |
||||
|
||||
@ -0,0 +1,78 @@ |
||||
name: Dispatch check for patch conflicts |
||||
on: |
||||
workflow_call: |
||||
inputs: |
||||
head_ref: |
||||
type: string |
||||
required: true |
||||
base_ref: |
||||
type: string |
||||
required: true |
||||
repo: |
||||
type: string |
||||
required: true |
||||
sender_login: |
||||
type: string |
||||
required: true |
||||
sha: |
||||
type: string |
||||
required: true |
||||
pr_commit_sha: |
||||
type: string |
||||
required: true |
||||
|
||||
permissions: |
||||
id-token: write |
||||
contents: read |
||||
|
||||
# Since this is run on a pull request, we want to apply the patches intended for the |
||||
# target branch onto the source branch, to verify compatibility before merging. |
||||
jobs: |
||||
dispatch-job: |
||||
env: |
||||
HEAD_REF: ${{ inputs.head_ref }} |
||||
BASE_REF: ${{ github.base_ref }} |
||||
REPO: ${{ inputs.repo }} |
||||
SENDER: ${{ inputs.sender_login }} |
||||
SHA: ${{ inputs.sha }} |
||||
PR_COMMIT_SHA: ${{ inputs.pr_commit_sha }} |
||||
runs-on: ubuntu-latest |
||||
steps: |
||||
- name: "Get vault secrets" |
||||
id: vault-secrets |
||||
uses: grafana/shared-workflows/actions/get-vault-secrets@main |
||||
with: |
||||
# Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault |
||||
repo_secrets: | |
||||
GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY |
||||
- name: "Generate token" |
||||
id: generate_token |
||||
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a |
||||
with: |
||||
# App needs Actions: Read/Write for the grafana/security-patch-actions repo |
||||
app_id: ${{ vars.DELIVERY_BOT_APP_ID }} |
||||
private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }} |
||||
permissions: "{\"actions\": \"write\", \"workflows\": \"write\"}" |
||||
repositories: "[\"security-patch-actions\"]" |
||||
- name: "Dispatch job" |
||||
uses: actions/github-script@v7 |
||||
with: |
||||
github-token: ${{ steps.generate_token.outputs.token }} |
||||
script: | |
||||
const {HEAD_REF, BASE_REF, REPO, SENDER, SHA, PR_COMMIT_SHA} = process.env; |
||||
|
||||
await github.rest.actions.createWorkflowDispatch({ |
||||
owner: 'grafana', |
||||
repo: 'security-patch-actions', |
||||
workflow_id: 'test-patches-event.yml', |
||||
ref: 'main', |
||||
inputs: { |
||||
src_repo: REPO, |
||||
src_ref: HEAD_REF, |
||||
src_merge_sha: SHA, |
||||
src_pr_commit_sha: PR_COMMIT_SHA, |
||||
patch_repo: REPO + '-security-patches', |
||||
patch_ref: BASE_REF, |
||||
triggering_github_handle: SENDER |
||||
} |
||||
}) |
||||
Loading…
Reference in new issue