From 1d072a93b9865bcd5b7e88dfeacddbb97375ef44 Mon Sep 17 00:00:00 2001
From: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
Date: Wed, 15 May 2024 10:30:01 +0100
Subject: [PATCH 01/10] add initial draft with limited tests

Signed-off-by: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
---
 .github/workflows/tf_tests.yaml | 11 ++++++-----
 action.yml | 12 +++++++++++-
 scripts/update_check_status.js | 13 +++++++++++++
 3 files changed, 30 insertions(+), 6 deletions(-)
 create mode 100644 scripts/update_check_status.js

diff --git a/.github/workflows/tf_tests.yaml b/.github/workflows/tf_tests.yaml
index 2cee6e58..098012dc 100644
--- a/.github/workflows/tf_tests.yaml
+++ b/.github/workflows/tf_tests.yaml
@@ -13,13 +13,14 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- cli_uses: [tofu, terraform]
+ # cli_uses: [tofu, terraform]
+ cli_uses: [terraform]
 test:
- - 10_fail_invalid_resource_type
- - 11_fail_data_source_error
 - 50_pass_one
- - 51_pass_character_limit
- - 52_pass_format_diff
 permissions:
 actions: read # Required for workflow query and artifact download.
diff --git a/action.yml b/action.yml
index 43855c2b..72fa606b 100644
--- a/action.yml
+++ b/action.yml
@@ -354,7 +354,17 @@ runs:
 retries: 3
 script: await require(\`${process.env.GITHUB_ACTION_PATH}/scripts/remove_reaction.js\`)({ github, context });
- # On issue_comment, update commit status with job status before exiting.
+ # On pull_request, update check status with the job summary before exiting.
+ - name: Update check status
+ if: ${{ (success() || failure()) && github.event_name == 'pull_request' }}
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+ env:
+ tf_summary: ${{ steps.pr_comment.outputs.summary }}
+ with:
+ retries: 3
+ script: await require(\`${process.env.GITHUB_ACTION_PATH}/scripts/update_check_status.js\`)({ github, context });
+
+ # On issue_comment, update commit status with the job status before exiting.
 - name: Update commit status
 if: ${{ (success() || failure()) && github.event.issue.pull_request }}
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
diff --git a/scripts/update_check_status.js b/scripts/update_check_status.js
new file mode 100644
index 00000000..c6b677a1
--- /dev/null
+++ b/scripts/update_check_status.js
@@ -0,0 +1,13 @@
+module.exports = async ({ github, context }) => {
+ // Update the check status with the job summary before exiting.
+ const update_check_status = await github.rest.checks.update({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ check_run_id: context.runId,
+ output: {
+ summary: "OUTPUT SUMMARY",
+ text: process.env.tf_summary,
+ title: "OUTPUT TITLE.",
+ },
+ });
+};

From a84f4783fd868678642bf738b7da66597a0cf0fb Mon Sep 17 00:00:00 2001
From: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
Date: Wed, 15 May 2024 10:33:05 +0100
Subject: [PATCH 02/10] replace `statuses` with `checks` permission

Signed-off-by: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
---
 .github/workflows/tf_tests.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/tf_tests.yaml b/.github/workflows/tf_tests.yaml
index 098012dc..1b766a5d 100644
--- a/.github/workflows/tf_tests.yaml
+++ b/.github/workflows/tf_tests.yaml
@@ -25,9 +25,8 @@ jobs:
 permissions:
 actions: read # Required for workflow query and artifact download.
 contents: read # Required for repository checkout.
- issues: read # Required for getting PR branch from issue comment.
 pull-requests: write # Required for commenting on PR.
- statuses: write # Required for setting commit status from issue comment.
+ checks: write # Required for adding summary to check status.
 steps:
 - name: Checkout repository

From 33a2a289745bb22545a53bf8b2e582371230d828 Mon Sep 17 00:00:00 2001
From: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
Date: Wed, 15 May 2024 10:51:22 +0100
Subject: [PATCH 03/10] retry with `check_id` instead of `run_id`

Signed-off-by: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
---
 action.yml | 3 ++-
 scripts/comment_tf_output.js | 5 +++--
 scripts/update_check_status.js | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/action.yml b/action.yml
index 72fa606b..d9b3207b 100644
--- a/action.yml
+++ b/action.yml
@@ -356,9 +356,10 @@ runs:
 # On pull_request, update check status with the job summary before exiting.
 - name: Update check status
- if: ${{ (success() || failure()) && github.event_name == 'pull_request' }}
+ if: ${{ (success() || failure()) && steps.pr_comment.outcome == 'success' }}
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 env:
+ check_id: ${{ steps.pr_comment.outputs.check_id }}
 tf_summary: ${{ steps.pr_comment.outputs.summary }}
 with:
 retries: 3
diff --git a/scripts/comment_tf_output.js b/scripts/comment_tf_output.js
index 89b3dc8c..0fe44951 100644
--- a/scripts/comment_tf_output.js
+++ b/scripts/comment_tf_output.js
@@ -25,13 +25,14 @@ ${process.env.tf_fmt}
 });
 const matrix = JSON.parse(process.env.matrix);
 const job_name = \`${context.job}${matrix ? \` (${Object.values(matrix).join(", ")})\` : ""}\`;
- const job_url = workflow_run.jobs.find((job) => job.name === job_name).html_url;
+ const check_url = workflow_run.jobs.find((job) => job.name === job_name).html_url;
+ core.setOutput("check_id", workflow_run.jobs.find((job) => job.name === job_name).id);
 // Display the: TF command, TF output, and workflow authorip.
 const comment_output = \`
${comment_summary}
-###### ${context.workflow} by @${context.actor} via [${context.eventName}](${job_url}) at ${context.payload.pull_request?.updated_at || context.payload.comment?.updated_at}.
+###### ${context.workflow} by @${context.actor} via [${context.eventName}](${check_url}) at ${context.payload.pull_request?.updated_at || context.payload.comment?.updated_at}.
 \`\`\`hcl
 ${process.env.tf_output}
diff --git a/scripts/update_check_status.js b/scripts/update_check_status.js
index c6b677a1..391a1bec 100644
--- a/scripts/update_check_status.js
+++ b/scripts/update_check_status.js
@@ -3,7 +3,7 @@ module.exports = async ({ github, context }) => {
 const update_check_status = await github.rest.checks.update({
 owner: context.repo.owner,
 repo: context.repo.repo,
- check_run_id: context.runId,
+ check_run_id: process.env.check_id,
 output: {
 summary: "OUTPUT SUMMARY",
 text: process.env.tf_summary,

From 5b7adb2c10616e6be3268e00b5c8f7b6f5a1d1b5 Mon Sep 17 00:00:00 2001
From: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
Date: Wed, 15 May 2024 11:06:38 +0100
Subject: [PATCH 04/10] merge script into "comment_tf_output" due to overlap of concerns

Signed-off-by: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
---
 action.yml | 11 -----------
 scripts/comment_tf_output.js | 10 +++++++++-
 scripts/update_check_status.js | 13 -------------
 3 files changed, 9 insertions(+), 25 deletions(-)
 delete mode 100644 scripts/update_check_status.js

diff --git a/action.yml b/action.yml
index d9b3207b..d8e8685b 100644
--- a/action.yml
+++ b/action.yml
@@ -354,17 +354,6 @@ runs:
 retries: 3
 script: await require(\`${process.env.GITHUB_ACTION_PATH}/scripts/remove_reaction.js\`)({ github, context });
- # On pull_request, update check status with the job summary before exiting.
- - name: Update check status
- if: ${{ (success() || failure()) && steps.pr_comment.outcome == 'success' }}
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
- env:
- check_id: ${{ steps.pr_comment.outputs.check_id }}
- tf_summary: ${{ steps.pr_comment.outputs.summary }}
- with:
- retries: 3
- script: await require(\`${process.env.GITHUB_ACTION_PATH}/scripts/update_check_status.js\`)({ github, context });
-
 # On issue_comment, update commit status with the job status before exiting.
 - name: Update commit status
 if: ${{ (success() || failure()) && github.event.issue.pull_request }}
diff --git a/scripts/comment_tf_output.js b/scripts/comment_tf_output.js
index 0fe44951..f479203e 100644
--- a/scripts/comment_tf_output.js
+++ b/scripts/comment_tf_output.js
@@ -26,7 +26,15 @@ ${process.env.tf_fmt}
 const matrix = JSON.parse(process.env.matrix);
 const job_name = \`${context.job}${matrix ? \` (${Object.values(matrix).join(", ")})\` : ""}\`;
 const check_url = workflow_run.jobs.find((job) => job.name === job_name).html_url;
- core.setOutput("check_id", workflow_run.jobs.find((job) => job.name === job_name).id);
+ const check_id = workflow_run.jobs.find((job) => job.name === job_name).id;
+
+ // Update the check status with TF output summary.
+ const update_check_status = await github.rest.checks.update({
+ check_run_id: check_id,
+ output: { title: comment_summary },
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ });
 // Display the: TF command, TF output, and workflow authorip.
 const comment_output = \`
diff --git a/scripts/update_check_status.js b/scripts/update_check_status.js
deleted file mode 100644
index 391a1bec..00000000
--- a/scripts/update_check_status.js
+++ /dev/null
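Review bot: On the new side of the comment_tf_output.js hunk the job lookup `workflow_run.jobs.find((job) => job.name === job_name)` is evaluated twice and each result is dereferenced (`.html_url`, `.id`) without checking that any job matched, so a job whose display name differs from the computed `job_name` (a workflow that sets `name:` on the job, or a matrix GitHub renders differently from `Object.values(matrix).join(", ")`) aborts the step with an opaque `TypeError: Cannot read properties of undefined` before any comment is posted. Look the job up once, fail with an error that names what was searched for, and take `html_url` and `id` from the same object. The enclosing function starts and ends outside the hunk.
```javascript
  const job = workflow_run.jobs.find((j) => j.name === job_name);
  if (!job) throw new Error(`No job named "${job_name}" found in workflow run ${context.runId}.`);
  const check_url = job.html_url;
  const check_id = job.id;
  // … unchanged: checks.update call and comment_output …
```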
@@ -1,13 +0,0 @@
-module.exports = async ({ github, context }) => {
- // Update the check status with the job summary before exiting.
- const update_check_status = await github.rest.checks.update({
- owner: context.repo.owner,
- repo: context.repo.repo,
- check_run_id: process.env.check_id,
- output: {
- summary: "OUTPUT SUMMARY",
- text: process.env.tf_summary,
- title: "OUTPUT TITLE.",
- },
- });
-};

From ef96c7424f3d8adce25a8dac424fded1d036b39a Mon Sep 17 00:00:00 2001
From: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
Date: Wed, 15 May 2024 11:08:56 +0100
Subject: [PATCH 05/10] re-introduce placeholder summary as required

Signed-off-by: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
---
 scripts/comment_tf_output.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/scripts/comment_tf_output.js b/scripts/comment_tf_output.js
index f479203e..99d9dc6c 100644
--- a/scripts/comment_tf_output.js
+++ b/scripts/comment_tf_output.js
@@ -31,7 +31,10 @@ ${process.env.tf_fmt}
 // Update the check status with TF output summary.
 const update_check_status = await github.rest.checks.update({
 check_run_id: check_id,
- output: { title: comment_summary },
+ output: {
+ summary: comment_summary,
+ title: comment_summary,
+ },
 owner: context.repo.owner,
 repo: context.repo.repo,
 });

From ce0b45dac06566186cfcb0a5aef4eec5990edd07 Mon Sep 17 00:00:00 2001
From: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
Date: Wed, 15 May 2024 11:13:47 +0100
Subject: [PATCH 06/10] test with reduced `checks: read` permission

Signed-off-by: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
---
 .github/workflows/tf_tests.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/tf_tests.yaml b/.github/workflows/tf_tests.yaml
index 1b766a5d..15510c04 100644
--- a/.github/workflows/tf_tests.yaml
+++ b/.github/workflows/tf_tests.yaml
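Review bot: The `github.rest.checks.update` call in the comment_tf_output.js hunk is unguarded and sits ahead of the PR-comment logic, so a consumer workflow that has not added the new `checks: write` permission (the series itself shows `checks: read` is not enough, patches 06/07) fails on this call and never posts the Terraform output comment, which is the action's primary output; the `update_check_status` binding it assigns is also never read. Treat the check-run summary as best-effort: drop the unused binding, wrap the call in `try`/`catch`, and report failure with `core.warning` (`core` is used by this file for `core.summary` later in the series) rather than throwing. The enclosing function starts and ends outside the hunk.
```javascript
  // Update the check status with TF output summary. Best-effort: a missing
  // `checks: write` permission must not prevent the PR comment below.
  try {
    await github.rest.checks.update({
      // … unchanged: check_run_id, output, owner, repo …
    });
  } catch (error) {
    core.warning(`Unable to update check run ${check_id}: ${error.message}`);
  }
```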
@@ -26,7 +26,7 @@ jobs:
 actions: read # Required for workflow query and artifact download.
 contents: read # Required for repository checkout.
 pull-requests: write # Required for commenting on PR.
- checks: write # Required for adding summary to check status.
+ checks: read # Required for adding summary to check status.
 steps:
 - name: Checkout repository

From 2972d2bffe7f4212db81e1495ce553e5384b40d9 Mon Sep 17 00:00:00 2001
From: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
Date: Wed, 15 May 2024 11:23:12 +0100
Subject: [PATCH 07/10] add `checks: write` permission to all example workflows

Signed-off-by: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
---
 .github/examples/tf_via_pr_comments.yaml | 1 +
 .github/examples/tf_via_pr_comments_or_input.yaml | 1 +
 .github/examples/tf_via_pr_input.yaml | 1 +
 .github/examples/tf_via_pr_input_matrix.yaml | 1 +
 .github/workflows/tf_tests.yaml | 2 +-
 5 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/examples/tf_via_pr_comments.yaml b/.github/examples/tf_via_pr_comments.yaml
index 8b269752..156dd76a 100644
--- a/.github/examples/tf_via_pr_comments.yaml
+++ b/.github/examples/tf_via_pr_comments.yaml
@@ -14,6 +14,7 @@ jobs:
 permissions:
 actions: read # Required for workflow query and artifact download.
+ checks: write # Required for adding summary to check status.
 contents: read # Required for repository checkout.
 issues: read # Required for getting PR branch from issue comment.
 pull-requests: write # Required for commenting on PR.
diff --git a/.github/examples/tf_via_pr_comments_or_input.yaml b/.github/examples/tf_via_pr_comments_or_input.yaml
index 9ddeb89c..9fc3de6f 100644
--- a/.github/examples/tf_via_pr_comments_or_input.yaml
+++ b/.github/examples/tf_via_pr_comments_or_input.yaml
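Review bot: The comment on the line added to tf_via_pr_comments.yaml, `checks: write # Required for adding summary to check status.`, understates the grant: `checks: write` on `GITHUB_TOKEN` is repository-wide, so the job token can rewrite the output and conclusion of any Actions-owned check run in the repository, not only this job's own, and in this `issue_comment`-driven example (see `issues: read # Required for getting PR branch from issue comment.`) that token is presumably live while Terraform code taken from the PR branch is executed. Spell out the scope and whether the line is optional, e.g. `checks: write # Optional: lets the action add the TF summary to this job's check run (grants write on all check runs in the repo).`, and if the action treats the permission as mandatory, document that in the README rather than only in the examples. Whether the action tolerates the permission's absence is outside this hunk.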
@@ -14,6 +14,7 @@ jobs:
 permissions:
 actions: read # Required for workflow query and artifact download.
+ checks: write # Required for adding summary to check status.
 contents: read # Required for repository checkout.
 issues: read # Required for getting PR branch from issue comment.
 pull-requests: write # Required for commenting on PR.
diff --git a/.github/examples/tf_via_pr_input.yaml b/.github/examples/tf_via_pr_input.yaml
index d575d823..8d7f32c8 100644
--- a/.github/examples/tf_via_pr_input.yaml
+++ b/.github/examples/tf_via_pr_input.yaml
@@ -12,6 +12,7 @@ jobs:
 permissions:
 actions: read # Required for workflow query and artifact download.
+ checks: write # Required for adding summary to check status.
 contents: read # Required for repository checkout.
 id-token: write # Required for assuming AWS role via OIDC provider.
 pull-requests: write # Required for commenting on PR.
diff --git a/.github/examples/tf_via_pr_input_matrix.yaml b/.github/examples/tf_via_pr_input_matrix.yaml
index b82633d0..83546257 100644
--- a/.github/examples/tf_via_pr_input_matrix.yaml
+++ b/.github/examples/tf_via_pr_input_matrix.yaml
@@ -17,6 +17,7 @@ jobs:
 permissions:
 actions: read # Required for workflow query and artifact download.
+ checks: write # Required for adding summary to check status.
 contents: read # Required for repository checkout.
 pull-requests: write # Required for commenting on PR.
diff --git a/.github/workflows/tf_tests.yaml b/.github/workflows/tf_tests.yaml
index 15510c04..3855dcbb 100644
--- a/.github/workflows/tf_tests.yaml
+++ b/.github/workflows/tf_tests.yaml
@@ -24,9 +24,9 @@ jobs:
 permissions:
 actions: read # Required for workflow query and artifact download.
+ checks: write # Required for adding summary to check status.
 contents: read # Required for repository checkout.
 pull-requests: write # Required for commenting on PR.
- checks: read # Required for adding summary to check status.
 steps:
 - name: Checkout repository
From 5859f875ef0ae20bae6a9ffc675fcf81e2da216b Mon Sep 17 00:00:00 2001
From: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
Date: Wed, 15 May 2024 11:23:36 +0100
Subject: [PATCH 08/10] display comment output as a job summary

Signed-off-by: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
---
 scripts/comment_tf_output.js | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/scripts/comment_tf_output.js b/scripts/comment_tf_output.js
index 99d9dc6c..5e757a9a 100644
--- a/scripts/comment_tf_output.js
+++ b/scripts/comment_tf_output.js
@@ -63,6 +63,10 @@ ${comment_output}
 \`;
+ // Display the comment output as a job summary.
+ core.summary.addRaw(comment_output);
+ core.summary.write();
+
 // Check if the bot has commented on the PR using the TFPLAN identifier.
 const { data: list_comments } = await github.rest.issues.listComments({
 issue_number: context.issue.number,

From 7b2587349a58a3922fde5cabc75631e8b33a923f Mon Sep 17 00:00:00 2001
From: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
Date: Wed, 15 May 2024 11:25:46 +0100
Subject: [PATCH 09/10] fix reference to whole comment_body instead of partial comment_output

Signed-off-by: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
---
 scripts/comment_tf_output.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/comment_tf_output.js b/scripts/comment_tf_output.js
index 5e757a9a..9710a843 100644
--- a/scripts/comment_tf_output.js
+++ b/scripts/comment_tf_output.js
@@ -63,8 +63,8 @@ ${comment_output}
 \`;
- // Display the comment output as a job summary.
- core.summary.addRaw(comment_output);
+ // Display the comment body as a job summary.
+ core.summary.addRaw(comment_body);
 core.summary.write();
 // Check if the bot has commented on the PR using the TFPLAN identifier.

From 41cea38e0f365a8046f888298ef62bcd34779e1a Mon Sep 17 00:00:00 2001
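Review bot: `core.summary.write();` in the patch 09 hunk returns a Promise (it appends to the `GITHUB_STEP_SUMMARY` file) that is neither awaited nor caught, so a failed write surfaces as an unhandled rejection rather than a step error and the append may still be in flight when the `listComments` call below it runs; change it to `await core.summary.write();`. The call is kept as context here, so the fix belongs to the surrounding code rather than to the lines this commit rewrites. The enclosing function starts and ends outside the hunk.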
From: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
Date: Wed, 15 May 2024 11:28:01 +0100
Subject: [PATCH 10/10] revert tests ready for merge

Signed-off-by: Rishav Dhar <19497993+rdhar@users.noreply.github.com>
---
 .github/workflows/tf_tests.yaml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/tf_tests.yaml b/.github/workflows/tf_tests.yaml
index 3855dcbb..646498a5 100644
--- a/.github/workflows/tf_tests.yaml
+++ b/.github/workflows/tf_tests.yaml
@@ -13,14 +13,13 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- # cli_uses: [tofu, terraform]
- cli_uses: [terraform]
+ cli_uses: [tofu, terraform]
 test:
- # - 10_fail_invalid_resource_type
- # - 11_fail_data_source_error
+ - 10_fail_invalid_resource_type
+ - 11_fail_data_source_error
 - 50_pass_one
- # - 51_pass_character_limit
- # - 52_pass_format_diff
+ - 51_pass_character_limit
+ - 52_pass_format_diff
 permissions:
 actions: read # Required for workflow query and artifact download.