From 0053a4a77974992831e5bbbb4b0bc4b0708a0568 Mon Sep 17 00:00:00 2001
From: David Morris
Date: Fri, 20 Dec 2024 17:22:08 +0000
Subject: [PATCH 1/6] Adding team info to configure.py
---
 configure.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/configure.py b/configure.py
index c41c471..ea90c44 100755
--- a/configure.py
+++ b/configure.py
@@ -112,6 +112,8 @@ def main(args):
 operator="starts_with"
 enforcement="evaluate"
 bypass_mode="always"
+repo_collaborator=""
+issue_assignee=""
 ### [Team](https://docs.github.com/en/rest/teams)
@@ -123,6 +125,8 @@ def main(args):
 team_admin="${team_admin}"
 team_privacy="closed"
 team_permission="admin"
+available_team_permissions="pull triage push maintain admin"
+team_permission_prefix="pwr"
 ### [Issues](https://docs.github.com/en/rest/issues/issues)
From 2cf62f97f53686f330f10dfb811cbfc5a812ba4a Mon Sep 17 00:00:00 2001
From: David Morris
Date: Fri, 20 Dec 2024 17:23:42 +0000
Subject: [PATCH 2/6] update for add collaborator script
---
 add-collaborator-to-repo.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/add-collaborator-to-repo.sh b/add-collaborator-to-repo.sh
index a95a340..47d363f 100755
--- a/add-collaborator-to-repo.sh
+++ b/add-collaborator-to-repo.sh
@@ -6,7 +6,7 @@
 # limits: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository
-username=${1:-mona}
+username=${repo_collaborator}
 permission=${2:-push}
 JSON_TEMPLATE='{"permission":"%s"}'
From 98f8d9ef740e0d768b039b4350610f934740581f Mon Sep 17 00:00:00 2001
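Review bot: `username=${repo_collaborator}` drops the positional argument entirely while the very next line still reads `permission=${2:-push}`, so a caller running `./add-collaborator-to-repo.sh someuser admin` now silently invites the configured collaborator with admin rights instead of `someuser`. Keep the argument as the override and the config value as the default, and refuse to run with an empty name so the request is never sent against a collaborator URL with no user in it: `username=${1:-${repo_collaborator}}` followed by `: "${username:?repo_collaborator is not set and no username given}"`. The curl call that consumes `username` is outside this hunk, so I am inferring the URL shape from the script's name and the `permission` template.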
From: David Morris
Date: Fri, 20 Dec 2024 17:47:07 +0000
Subject: [PATCH 3/6] Add script for delete admin
---
 add-repo-to-permissions-teams.sh | 39 +++++++++++
 ...sers-to-teams-for-repository-permission.sh | 1 +
 build-testcase-permissions | 66 +++++++++++++++++++
 create-teams-for-repository-permission.sh | 4 +-
 delete-admin-from-teams-for-permissions.sh | 21 ++++++
 delete-teams-for-permissions.sh | 17 +++++
 docs/setup.md | 23 ++++++-
 7 files changed, 167 insertions(+), 4 deletions(-)
 create mode 100755 add-repo-to-permissions-teams.sh
 create mode 100755 build-testcase-permissions
 create mode 100755 delete-admin-from-teams-for-permissions.sh
 create mode 100755 delete-teams-for-permissions.sh
diff --git a/add-repo-to-permissions-teams.sh b/add-repo-to-permissions-teams.sh
new file mode 100755
index 0000000..1beea61
--- /dev/null
+++ b/add-repo-to-permissions-teams.sh
@@ -0,0 +1,39 @@
+. ./.gh-api-examples.conf
+
+# https://docs.github.com/en/rest/reference/teams#add-or-update-team-membership-for-a-user
+# PUT /orgs/:org/teams/:team_slug/memberships/:username
+
+# https://docs.github.com/en/enterprise-cloud@latest/rest/teams/teams?apiVersion=2022-11-28#add-or-update-team-repository-permissions
+# PUT /orgs/{org}/teams/{team_slug}/repos/{owner}/{repo}
+
+if [ -z "$1" ]
+ then
+ repo=$repo
+ else
+ repo=$1
+fi
+
+declare -A permission_to_user
+permissions=("pull" "triage" "push" "maintain" "admin")
+
+prefix=pwr
+
+for team_permission in "${permissions[@]}"
+do
+ team_name=${prefix}-team-${team_permission}
+ team_slug=${team_name}
+ team_id=$(curl --silent -H "Authorization: Bearer ${GITHUB_TOKEN}" ${GITHUB_API_BASE_URL}/orgs/${org}/teams/$team_slug | jq '.id')
+
+ json_file=tmp/add-or-update-team-repository-permissions.json
+ jq -n \
+ --arg permission "${team_permission}" \
+ '{
+ permission: $permission,
+ }' > ${json_file}
+
+ curl ${curl_custom_flags} \
+ -X PUT \
+ -H "Accept: application/vnd.github.v3+json" \
+ -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+ "${GITHUB_API_BASE_URL}/teams/${team_id}/repos/${org}/${repo}" --data @${json_file}
+done
diff --git a/add-users-to-teams-for-repository-permission.sh b/add-users-to-teams-for-repository-permission.sh
index 61d481c..744003d 100755
--- a/add-users-to-teams-for-repository-permission.sh
+++ b/add-users-to-teams-for-repository-permission.sh
@@ -23,6 +23,7 @@ do
 team_slug=${team_name}
 team_id=$(curl ${curl_custom_flags} -H "Authorization: Bearer ${GITHUB_TOKEN}" ${GITHUB_API_BASE_URL}/orgs/${org}/teams/$team_slug | jq '.id')
 team_member="${permission_to_user[$team_permission]}"
+ echo "${team_member} ---> ${team_permission}"
 curl ${curl_custom_flags} \
 -X PUT \
diff --git a/build-testcase-permissions b/build-testcase-permissions
new file mode 100755
index 0000000..bdc1c08
--- /dev/null
+++ b/build-testcase-permissions
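Review bot: The team lookup result is used unchecked: `team_id=$(curl --silent ... | jq '.id')` yields `null` when the GET fails or the team does not exist, and the PUT is then issued against `/teams/null/repos/${org}/${repo}` instead of aborting the iteration, so a transient lookup error turns into a write to a bogus resource. The script also hard-codes `prefix=pwr` and its own `permissions=(...)` array (plus an unused `declare -A permission_to_user`, the only thing here that needs bash 5), while delete-teams-for-permissions.sh in this same patch reads `team_permission_prefix` and `available_team_permissions` from the sourced config, so the two can silently drift and target different teams. Since the slug is already known, the slug-addressed endpoint quoted in the header comment (`/orgs/{org}/teams/{team_slug}/repos/{owner}/{repo}`) removes the id lookup, the null case and the legacy `/teams/{team_id}` path in one step; the lookup GET also uses `--silent` where every sibling script uses `${curl_custom_flags}`.

```shell
# … unchanged: config sourcing, API reference comments, repo argument handling …
prefix=${team_permission_prefix:-pwr}

for team_permission in ${available_team_permissions:-pull triage push maintain admin}
do
  team_slug=${prefix}-team-${team_permission}

  json_file=tmp/add-or-update-team-repository-permissions.json
  jq -n --arg permission "${team_permission}" '{ permission: $permission }' > "${json_file}"

  # Address the team by slug: no id lookup, so no PUT against /teams/null/... on a failed GET
  curl ${curl_custom_flags} \
    -X PUT \
    -H "Accept: application/vnd.github.v3+json" \
    -H "Authorization: Bearer ${GITHUB_TOKEN}" \
    "${GITHUB_API_BASE_URL}/orgs/${org}/teams/${team_slug}/repos/${org}/${repo}" --data @"${json_file}"
done
```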
@@ -0,0 +1,66 @@ +normal=$(tput sgr0) +highlight=$(tput setaf 2) + +printf "$highlight" + +cat << EOF + + ________ ____ + /_ __/ /_ ___ / __ \____ _ _____ _____ + / / / __ \/ _ \ / /_/ / __ \ | /| / / _ \/ ___/ + / / / / / / __/ / ____/ /_/ / |/ |/ / __/ / +/_/ /_/ /_/\___/ /_/ \____/|__/|__/\___/_/ + +EOF + +printf "${normal}" + + printf "${highlight} - Creating repo: ${normal}" + ./create-repo-testrepo.sh | jq -r '.name' + printf "${highlight} - Creating webhook: ${normal}" + ./create-webhook.sh | jq -r '.id' + sleep 5 + # Start with a clean slate deleting all the teams for this test suite + ./delete-teams-for-permissions.sh + # Create the teams named based on permissions + ./create-teams-for-repository-permission.sh + + # Add users into teams + ./add-users-to-teams-for-repository-permission.sh + + ./add-repo-to-permissions-teams.sh + + # Add/invite an outside collaborator + ./add-collaborator-to-repo.sh + + printf "${highlight} - Creating docs/README.md: ${normal}" + ./create-commit-readme.sh | jq -r ".content.html_url" + printf "${highlight} - Creating CODEOWNERS: ${normal}" + ./create-commit-codeowners.sh| jq -r ".content.html_url" + printf "${highlight} - Creating requirements.txt: ${normal}" + ./create-commit-python-pip.sh| jq -r ".content.html_url" + sleep 2 + printf "${highlight} - Creating new branch: ${normal}" + ./create-branch-newbranch.sh | jq -r '.url' + printf "${highlight} - Creating a commit on the new branch: ${normal}" + ./create-commit-on-new-branch.sh | jq -r ".content.html_url" + printf "${highlight} - Creating an update commit to docs/README.md: ${normal}" + ./create-commit-update-readme.sh | jq -r ".content.html_url" + printf "${highlight} - Creating an issue: ${normal}" + ./create-repo-issue.sh | jq -r '.html_url' + printf "${highlight} - Creating a pull request: ${normal}" + ./create-pull-request.sh | jq -r '.html_url' + # set the branch protection rules for main + printf "${highlight} - Setting branch protection rules on default branch: 
${normal}" + ./set-branch-protection.sh | jq -r '.url' + + printf "${highlight} - Creating a release: ${normal}" + ./create-release.sh | jq -r '.html_url' + printf "${highlight} - Adding a .gitattributes file to new branch: ${normal}" + ./create-commit-gitattributes.sh | jq -r ".content.html_url" + echo + + + # If you have the appropriate token set in `pr_approver_token` + # then you can provide an approving review: + # ./create-approving-review-for-a-pull-request.sh diff --git a/create-teams-for-repository-permission.sh b/create-teams-for-repository-permission.sh index b9b6d50..ad891de 100755 --- a/create-teams-for-repository-permission.sh +++ b/create-teams-for-repository-permission.sh @@ -6,7 +6,7 @@ # Permissions for teams are from: # https://docs.github.com/en/enterprise-cloud@latest/rest/teams/teams?apiVersion=2022-11-28#add-or-update-team-repository-permissions -for team_type in pull triage push maintain admin +for team_type in ${available_team_permissions} do prefix=pwr-team @@ -27,6 +27,6 @@ do curl ${curl_custom_flags} \ -H "Accept: application/vnd.github.v3+json" \ -H "Authorization: Bearer ${GITHUB_TOKEN}" \ - "${GITHUB_API_BASE_URL}/orgs/${org}/teams" --data @${json_file} + "${GITHUB_API_BASE_URL}/orgs/${org}/teams" --data @${json_file} > tmp/create-team-${team}.json done diff --git a/delete-admin-from-teams-for-permissions.sh b/delete-admin-from-teams-for-permissions.sh new file mode 100755 index 0000000..506bf6a --- /dev/null +++ b/delete-admin-from-teams-for-permissions.sh 
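Review bot: The new executable driver has no interpreter line — the file's first line is `normal=$(tput sgr0)` — and no exit-status handling, so when a `./create-*.sh | jq -r ...` step fails the run simply continues into the next step, and the trailing `| jq` hides each script's own exit status anyway. Add `#!/usr/bin/env bash` at the top (the sibling scripts rely on bash 5 arrays per the setup note in this patch, so falling back to whatever `sh` is on the box is not safe) and `set -o pipefail` so a failing step is at least visible in the output; whether `set -e` is acceptable depends on what `curl_custom_flags` does on HTTP errors, since the delete-teams step is expected to miss on a clean org. The bare `sleep 5` after the webhook step carries no explanation; a comment such as `# give the webhook time to become active before the commits below fire events — TODO confirm this is needed` would save the next reader the guess.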
@@ -0,0 +1,21 @@
+. ./.gh-api-examples.conf
+
+# https://docs.github.com/en/rest/reference/teams#remove-team-membership-for-a-user
+# DELETE /orgs/{org}/teams/{team_slug}/memberships/{username}
+
+team_member=${team_admin}
+prefix=pwr
+
+for team_permission in ${available_team_permissions}
+do
+ team_name=${prefix}-team-${team_permission}
+ team_slug=${team_name}
+ team_id=$(curl ${curl_custom_flags} -H "Authorization: Bearer ${GITHUB_TOKEN}" ${GITHUB_API_BASE_URL}/orgs/${org}/teams/$team_slug | jq '.id')
+ echo "${team_member} delete ----X> from ${team_name}"
+
+ curl ${curl_custom_flags} \
+ -X DELETE \
+ -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+ "${GITHUB_API_BASE_URL}/orgs/${org}/teams/${team_slug}/memberships/${team_member}"
+
+done
diff --git a/delete-teams-for-permissions.sh b/delete-teams-for-permissions.sh
new file mode 100755
index 0000000..d344e82
--- /dev/null
+++ b/delete-teams-for-permissions.sh
@@ -0,0 +1,17 @@
+. ./.gh-api-examples.conf
+
+
+
+
+
+for permission in ${available_team_permissions}
+do
+ team_name="${team_permission_prefix}-team-${permission}"
+ team_slug=${team_name}
+ echo deleting ${team_slug} >&2
+
+ curl ${curl_custom_flags} \
+ -X DELETE \
+ -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+ "${GITHUB_API_BASE_URL}/orgs/${org}/teams/${team_slug}"
+done
diff --git a/docs/setup.md b/docs/setup.md
index dd2bb7a..b17286f 100644
--- a/docs/setup.md
+++ b/docs/setup.md
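Review bot: `team_id` is fetched with an authenticated GET on every iteration but never used — the DELETE two lines later is addressed by `${team_slug}` — so the lookup is a wasted API call per team and the line can be removed. `prefix=pwr` is also hard-coded here while delete-teams-for-permissions.sh in the same patch takes `${team_permission_prefix}` from the sourced config; use `prefix=${team_permission_prefix}` so both scripts act on the same teams. With `team_admin` unset, `team_member` is empty and the DELETE lands on `.../memberships/` with no user, so a guard such as `: "${team_admin:?team_admin must be set}"` before the loop is worth adding.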
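Review bot: This is a destructive DELETE on every team named `${team_permission_prefix}-team-<permission>`, yet nothing checks that the prefix is set: with it empty the slug becomes `-team-pull`, and the slug alone decides which team is removed from the org. Add `: "${team_permission_prefix:?team_permission_prefix must be set}"` right after the config is sourced, and include the org in the progress line (`echo "deleting ${org}/${team_slug}" >&2`) so the operator can see which org is being modified. The five blank lines after the `source` line look like leftover scaffolding.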
@@ -5,20 +5,39 @@ * A GitHub Enterprise Server or dotcom org with a Enterprise admin user name and password * A `jq` command on your client: +#### A note about Bash + +A few scripts use arrays in bash and for those you'll need to have bash 5.x. The bash delivered on Mac OS is 3.2 so `brew install bash` may be needed if you want to use scripts that contain `declare -A` then you can use `/opt/homebrew/bin/bash`. These scripts were tested with 5.2.37 on Mac: + +``` +bash --version +GNU bash, version 5.2.37(1)-release (aarch64-apple-darwin24.0.0) +Copyright (C) 2022 Free Software Foundation, Inc. +License GPLv3+: GNU GPL version 3 or later +``` + +#### jq + ``` brew install jq ``` + +#### Python * A Python >3.6 interpreter on your Mac. + +#### Ruby Gems + * The [JWT Rubygem](https://rubygems.org/gems/jwt) required for [GitHub App authentication](https://github.com/gm3dmo/the-power/blob/main/docs/setting-up-a-gh-app.md#using-a-github-app-with-the-power): ``` sudo gem install jwt ``` -* [Create your token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). In GitHub Enterprise (give it all the scopes. Be careful and give the token an expiry date if running on GitHub.com. Strongly recommend a token with short expiry time. If creating a lot of tokens, then this tip for [selecting all checkboxes on](https://gist.github.com/gm3dmo/e085294a622c1c72eec0e8b48d72b092) may be useful. +#### Personal Access Token (PAT) +* [Create your token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). In GitHub Enterprise (give it all the scopes. Be careful and give the token an expiry date if running on GitHub.com. Strongly recommend a token with short expiry time. If you find yourself creating a lot of tokens on a regular basis, then this tip for [selecting all checkboxes on](https://gist.github.com/gm3dmo/e085294a622c1c72eec0e8b48d72b092) may be useful. 
-### Setup +### Configure The Power with `configure.py` ### Client side setup - Download the [latest release](https://github.com/gm3dmo/the-power/releases/latest). From 9c73f69a4fb28be72ea96d9d578dcf226d84848f Mon Sep 17 00:00:00 2001 From: David Morris Date: Fri, 20 Dec 2024 17:54:18 +0000 Subject: [PATCH 4/6] Adding testcase --- build-testcase-permissions | 2 ++ 1 file changed, 2 insertions(+) diff --git a/build-testcase-permissions b/build-testcase-permissions index bdc1c08..00ba48f 100755 --- a/build-testcase-permissions +++ b/build-testcase-permissions @@ -29,6 +29,8 @@ printf "${normal}" ./add-users-to-teams-for-repository-permission.sh ./add-repo-to-permissions-teams.sh + + ./delete-admin-from-teams-for-permissions.sh # Add/invite an outside collaborator ./add-collaborator-to-repo.sh From 0d999ce8842fad341b4063ec6933ed056cf52959 Mon Sep 17 00:00:00 2001 From: David Morris Date: Fri, 20 Dec 2024 20:15:04 +0000 Subject: [PATCH 5/6] Adding a couple of tidiness updates --- build-testcase-permissions | 32 ++++++++++++++++++----- create-an-issue.sh | 10 +++---- create-teams-for-repository-permission.sh | 9 +++---- 3 files changed, 34 insertions(+), 17 deletions(-) diff --git a/build-testcase-permissions b/build-testcase-permissions index 00ba48f..1e390fd 100755 --- a/build-testcase-permissions +++ b/build-testcase-permissions 
@@ -20,20 +20,38 @@ printf "${normal}" printf "${highlight} - Creating webhook: ${normal}" ./create-webhook.sh | jq -r '.id' sleep 5 - # Start with a clean slate deleting all the teams for this test suite + + printf "${highlight} - Clean the slate and delete teams (if they exist): ${normal}" + echo + echo ./delete-teams-for-permissions.sh - # Create the teams named based on permissions + echo + + printf "${highlight} - Create the teams named based on permissions: ${normal}" + echo + echo ./create-teams-for-repository-permission.sh + echo - # Add users into teams + printf "${highlight} - Add users to teams: ${normal}" + echo + echo ./add-users-to-teams-for-repository-permission.sh + echo + printf "${highlight} - Add repo to teams: ${normal}" + echo + echo ./add-repo-to-permissions-teams.sh - + echo + printf "${highlight} - Delete team_admin user from created teams: ${normal}" + echo + echo ./delete-admin-from-teams-for-permissions.sh + echo - # Add/invite an outside collaborator - ./add-collaborator-to-repo.sh + printf "${highlight} - Add/Invite repo_collaborator user to repo: ${normal}" + ./add-collaborator-to-repo.sh | jq -r '.invitee.login' printf "${highlight} - Creating docs/README.md: ${normal}" ./create-commit-readme.sh | jq -r ".content.html_url" @@ -49,7 +67,7 @@ printf "${normal}" printf "${highlight} - Creating an update commit to docs/README.md: ${normal}" ./create-commit-update-readme.sh | jq -r ".content.html_url" printf "${highlight} - Creating an issue: ${normal}" - ./create-repo-issue.sh | jq -r '.html_url' + ./create-an-issue.sh | jq -r '.html_url' printf "${highlight} - Creating a pull request: ${normal}" ./create-pull-request.sh | jq -r '.html_url' # set the branch protection rules for main diff --git a/create-an-issue.sh b/create-an-issue.sh index 59ffa8a..ec7497b 100755 --- a/create-an-issue.sh +++ b/create-an-issue.sh 
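Review bot: Each step banner is now a `printf "..."` followed by two bare `echo` lines, repeated six times; a single `printf "${highlight} - Clean the slate and delete teams (if they exist): ${normal}\n\n"` per step says the same in one line and keeps the highlight/reset pair on the same line as the text. The collaborator step now pipes into `jq -r '.invitee.login'`, which prints nothing if the API answers with an empty body for a user who is already a collaborator, so the banner would be followed by a blank rather than a login — hedged, since the response handling lives in add-collaborator-to-repo.sh outside this hunk.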
@@ -3,6 +3,7 @@ # https://docs.github.com/en/enterprise-cloud@latest/rest/issues/issues?apiVersion=2022-11-28#create-an-issue # POST /repos/{owner}/{repo}/issues + if [ -z "$1" ] then repo=$repo @@ -21,15 +22,14 @@ lorem_append="


The @${org}/${team_slug} will be interested in this. $ timestamp=$(date +%s) json_file=tmp/create-an-issue.json -rm -f ${json_file} jq -n \ - --arg title "Security vulnerability in access control software allowing unauthorized access by dogs ($timestamp) " \ + --arg title "Security vulnerability in access control software allowing unauthorized access by dogs ($timestamp)" \ --arg body "${lorem_text}${lorem_append}" \ - --arg assignees "${default_committer}" \ + --arg assignees "${default_issue_assignee}" \ --arg milestone 1 \ - --arg labels "bug" \ - '{"title": $title, "body": $body, "assignees": [ $assignees ], "labels": [ $labels ] }' > ${json_file} + --argjson labels '["bug", "documentation"]' \ + '{"title": $title, "body": $body, "assignees": [ $assignees ], "labels": $labels }' > ${json_file} curl ${curl_custom_flags} \ -H "Accept: application/vnd.github.v3+json" \ diff --git a/create-teams-for-repository-permission.sh b/create-teams-for-repository-permission.sh index ad891de..bcd3707 100755 --- a/create-teams-for-repository-permission.sh +++ b/create-teams-for-repository-permission.sh @@ -6,11 +6,12 @@ # Permissions for teams are from: # https://docs.github.com/en/enterprise-cloud@latest/rest/teams/teams?apiVersion=2022-11-28#add-or-update-team-repository-permissions + for team_type in ${available_team_permissions} do - prefix=pwr-team - team_name="${prefix}-${team_type}" + prefix=${team_permission_prefix} + team_name="${prefix}-team-${team_type}" team=$team_name privacy="closed" #privacy="secret" 
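Review bot: `--arg assignees "${default_issue_assignee}"` reads a variable this series never defines: patch 1/6 adds `issue_assignee=""` to configure.py and patch 6/6 sets it to `hubot`, so unless `default_issue_assignee` is produced elsewhere in the generated config the issue is created with `"assignees": [""]`, which the API would most likely reject as a validation error. Use the name configure.py actually writes, `--arg assignees "${issue_assignee}"`. `--arg milestone 1` is still passed but never referenced in the jq filter, so either add `milestone: ($milestone|tonumber)` to the object or drop the argument; the enclosing script starts before this hunk.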
@@ -18,12 +19,10 @@ do jq -n \ --arg name "${team}" \ - --arg description "${team} is a ${privacy} team. See: https://docs.github.com/en/enterprise-cloud@latest/rest/teams/teams?apiVersion=2022-11-28#add-or-update-team-repository-permissions" \ + --arg description "${prefix}: ${team} is a ${privacy} team. See: https://docs.github.com/en/enterprise-cloud@latest/rest/teams/teams?apiVersion=2022-11-28#add-or-update-team-repository-permissions" \ --arg privacy "$privacy" \ '{name: $name, description: $description, privacy: $privacy }' > ${json_file} - cat $json_file | jq -r - curl ${curl_custom_flags} \ -H "Accept: application/vnd.github.v3+json" \ -H "Authorization: Bearer ${GITHUB_TOKEN}" \ From 312cae0956d3e6f9ca005e55885123012302f0de Mon Sep 17 00:00:00 2001 From: David Morris Date: Fri, 20 Dec 2024 20:24:18 +0000 Subject: [PATCH 6/6] Adding default to real users --- configure.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.py b/configure.py index ea90c44..8a10582 100755 --- a/configure.py +++ b/configure.py @@ -112,8 +112,8 @@ def main(args): operator="starts_with" enforcement="evaluate" bypass_mode="always" -repo_collaborator="" -issue_assignee="" +repo_collaborator="mona" +issue_assignee="hubot" ### [Team](https://docs.github.com/en/rest/teams)