ci: enhance the security of gh workflows #857
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: documentation | |
on: | |
workflow_dispatch: | |
pull_request: | |
types: | |
- opened | |
- edited | |
permissions: | |
contents: read | |
jobs: | |
check_pr_for_docs: | |
if: github.repository == 'JanssenProject/jans' && startsWith(github.head_ref, 'dependabot/') != true | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | |
with: | |
egress-policy: audit | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
fetch-depth: 0 | |
- name: Install latest GH | |
continue-on-error: true | |
run: | | |
VERSION=`curl "https://api.github.com/repos/cli/cli/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/' | cut -c2-` | |
echo $VERSION | |
curl -sSL https://github.com/cli/cli/releases/download/v${VERSION}/gh_${VERSION}_linux_amd64.tar.gz -o gh_${VERSION}_linux_amd64.tar.gz | |
tar xvf gh_${VERSION}_linux_amd64.tar.gz | |
sudo cp gh_${VERSION}_linux_amd64/bin/gh /usr/local/bin/ | |
gh version | |
- name: Check commit message | |
continue-on-error: false | |
id: check_message | |
run: | | |
PULL_NUMBER=${{ github.event.pull_request.number }} | |
echo "Parsing commits from PR $PULL_NUMBER" | |
MESSAGE=$(gh pr view "$PULL_NUMBER" --json commits | jq -r '.commits[].messageHeadline' | grep "^docs" || echo "") | |
echo "$MESSAGE" | |
if [[ -z "$MESSAGE" ]]; then | |
echo "conventional commit starting with docs: does not exist. Checking if user confirmed no impact on docs in PR body" | |
pr_body=$(gh pr view https://github.com/${{ github.repository }}/pull/"$PULL_NUMBER" --json body -q '.body') | |
if [[ $pr_body == *"- [x] **I confirm that there is no impact on the docs due to the code changes in this PR.**"* ]]; then | |
echo "Checklist item is filled in PR body. Author confirmed no impact." | |
exit 0 | |
else | |
echo "Author did not check the item that states: **I confirm that there is no impact on the docs due to the code changes in this PR.**" | |
exit 1 | |
fi | |
fi | |
exit 0 | |
docs: | |
if: github.repository == 'JanssenProject/jans' && github.event_name == 'pull_request' && contains(github.event.pull_request.changed_files, 'docs/') | |
runs-on: ubuntu-latest | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | |
with: | |
egress-policy: audit | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
fetch-depth: 0 | |
- name: Set up Python 3.10 | |
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 | |
with: | |
python-version: "3.10" | |
- name: Auto-merge inhouse doc prs | |
run: | | |
sudo apt-get update | |
sudo apt-get install jq | |
echo "${{ secrets.MOAUTO_WORKFLOW_TOKEN }}" | gh auth login --with-token | |
pull_number=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH") | |
NUMBER_OF_FOLDERS_CHANGED=$( gh pr view $pull_number --json files --jq '.files.[].path' | cut -d/ -f1 | sort -u | wc -l) | |
echo "The number of folders that changed are $NUMBER_OF_FOLDERS_CHANGED" | |
IS_USER_ORG_MEMBER=$(gh api -H "Accept: application/vnd.github.v3+json" --hostname github.com /orgs/${{ github.repository_owner }}/members?per_page=100 | jq .[].login | grep ${{ github.actor }}) | |
echo "checking if ${{ github.actor }} belongs to the ${{ github.repository_owner }}. Found $IS_USER_ORG_MEMBER." | |
PULL_NUMBER=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH") | |
#The number of folders changed should be 1. Otherwise the contributor has touched other folders besides /docs. | |
if [[ $NUMBER_OF_FOLDERS_CHANGED == "1" ]] && [[ ! -z "$IS_USER_ORG_MEMBER" ]]; then | |
echo "Approving PR $PULL_NUMBER" | |
gh pr review --approve $PULL_NUMBER | |
echo "Merging PR $PULL_NUMBER" | |
gh pr merge --squash --auto $PULL_NUMBER | |
echo "" | |
else | |
echo "Bot will not merge this as it does not meet the requirements." | |
echo "Either the developer has merged with doc changes code changes or an external contributor has requested doc changes." | |
fi | |
check_pr: | |
if: github.repository == 'JanssenProject/jans' && github.event_name == 'pull_request' && contains(github.event.pull_request.changed_files, 'docs/') | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | |
with: | |
egress-policy: audit | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
fetch-depth: 0 | |
- name: Install latest GH | |
continue-on-error: true | |
run: | | |
VERSION=`curl "https://api.github.com/repos/cli/cli/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/' | cut -c2-` | |
echo $VERSION | |
curl -sSL https://github.com/cli/cli/releases/download/v${VERSION}/gh_${VERSION}_linux_amd64.tar.gz -o gh_${VERSION}_linux_amd64.tar.gz | |
tar xvf gh_${VERSION}_linux_amd64.tar.gz | |
sudo cp gh_${VERSION}_linux_amd64/bin/gh /usr/local/bin/ | |
gh version | |
- name: Check commit message | |
continue-on-error: true | |
id: check_message | |
run: | | |
PULL_NUMBER=$(echo "$GITHUB_REF" | awk -F / '{print $3}') | |
echo "Parsing commits from PR $PULL_NUMBER" | |
MESSAGE=$(gh pr view "$PULL_NUMBER" --json commits | jq '.' | grep "messageHeadline" | cut -d: -f2- | grep "^docs" || echo "") | |
echo "$MESSAGE" | |
if [[ -z "$MESSAGE" ]]; then | |
echo "conventional commit starting with docs: does not exist" | |
exit 1 | |
else | |
echo "conventional commit exists starting with docs:" | |
exit 0 | |
fi | |
- name: Verify Changed files | |
if: steps.check_message.outcome != 'success' | |
id: check_files | |
run: | | |
pull_number=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH") | |
CHANGES=$(gh pr view $pull_number --json files --jq '.files.[].path' | cut -d/ -f1 | grep '^docs' | sort -u ) | |
if [ -n "$CHANGES" ]; then | |
echo "File changes exist" | |
exit 0 | |
else | |
echo "No file changes" | |
exit 1 | |
fi | |
lint_docs: | |
if: github.repository == 'JanssenProject/jans' && github.event_name == 'pull_request' && contains(github.event.pull_request.changed_files, 'docs/') | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | |
with: | |
egress-policy: audit | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
fetch-depth: 0 | |
- name: Markdown linter | |
continue-on-error: true | |
run: | | |
sudo apt-get install rubygems -y | |
sudo gem install mdl | |
mdl --style automation/markdown/.mdl_style.rb docs/ | |