feat: replaces 'check_only' with 'dry_run' option (complytime#195)
* feat: replace check_only with dry_run options in entrypoint base

BREAKING CHANGE: The check_only flag is no longer available

* feat: adds dry-run to action files and READMEs

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

* feat: adds reported changes for dry-run mode

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

* test: refines test_bot.py test cases

Add more granular tests for dry run and reduces duplication

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

* feat: adds classes for reporting results to the console

Abstracts reporting results to the console to a different class
and out of the entrypoint base class to allow it to extend more easily
and be used in different places in the code base.

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

* feat: updates reports to include CI specific console reporting

GitHub Actions and GitLab CI have specific formatting features that
can be used to enhance the output. Also the GitHub Actions output setting
has been moved to this report to remove the need to parse logs in bash.

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

* test: adds unit tests for ResultsReport class

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

* test: adds unit tests for GitHubActionsResultsReporter class

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

* test: adds unit tests for GitLabCIResultsReporter class

This also refines the function through the TDD process

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

* docs: updates docs to remove check_only references

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

* refactor: adds local commit to dry run

For more comprehensiveness, adding a local commit and not
pushing to the remote in the dry run feature, and added a change type for
more detailed change reports.

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

* docs: adds example to autosync docs for failure on changes

This can be used in the release notes to show users how to migrate
from check_only

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

* docs: refines doc strings for results reporting classes

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

* docs: updates docstrings and README.md on dry run

---------

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>
jpower432 authored Apr 19, 2024
1 parent 6fa45bc commit 6e87853
Showing 24 changed files with 441 additions and 178 deletions.
2 changes: 1 addition & 1 deletion CONTRIBUTING.md
Expand Up @@ -165,7 +165,7 @@ cat envfile
GITHUB_OUTPUT=
INPUT_SKIP_ITEMS=
INPUT_CHECK_ONLY=true
INPUT_DRY_RUN=true
INPUT_SKIP_ASSEMBLE=false
INPUT_SKIP_REGENERATE=false
INPUT_REPOSITORY=.
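Review bot: `GITHUB_OUTPUT=` stays empty in this local-run envfile while this commit moves writing of the `changes`/`commit` outputs out of `common.sh` and into the GitHub Actions reporter; make sure that reporter treats an empty or unset `GITHUB_OUTPUT` as "not running under Actions" and skips the write instead of erroring when it tries to append to it, otherwise the documented local workflow with `INPUT_DRY_RUN=true` breaks.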
18 changes: 14 additions & 4 deletions actions/autosync/README.md
Expand Up @@ -25,7 +25,7 @@ name: Example Workflow
| --- | --- | --- | --- |
| markdown_path | Path relative to the repository path where the Trestle markdown files are located. See action README.md for more information. | None | True |
| oscal_model | OSCAL Model type to assemble. Values can be catalog, profile, compdef, or ssp. | None | True |
| check_only | Runs tasks and exits with an error if there is a diff. Defaults to false | false | False |
| dry_run | Runs tasks without pushing changes to the repository. | false | False |
| github_token | GitHub token used to make authenticated API requests | None | False |
| version | Version of the OSCAL model to set during assembly into JSON. | None | False |
| skip_assemble | Skip assembly task. Defaults to false | false | False |
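Review bot: the new `dry_run` row drops the behaviour `check_only` users relied on (an error exit when there is a diff) without pointing at the replacement; since the commit message flags this as a BREAKING CHANGE, the description should state that the action sets the `changes` output and that callers who want the old behaviour must add their own failing step. Also keep the "Defaults to false" wording that the neighbouring `skip_assemble` row uses, for consistency across the table.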
Expand Down Expand Up @@ -106,18 +106,28 @@ The purpose of this action is to sync JSON and Markdown data with `compliance-tr
github_token: ${{ secret.GITHUB_TOKEN }}
```

- When `check_only` is set, the trestle `assemble` and `regenerate` tasks are run and the repository is checked for changes. If changes exists, the action with exit with an error. This can be useful if you only want to check that the content is in sync without making any changes to the remote repository.
- When `dry_run` is set, the trestle `assemble` and `regenerate` tasks are run and changes are not pushed to the remote repository. The files that would be changed are logged and the output `changes` is set to true.

This can be helpful if you want to enforce that the content is in sync before it is merged into the repository with out making changes to the remote repository (e.g. helpful for changes from forks). If assembly and regeneratation are triggered by pushes to main, it can validate that the changes will be successful before merging to main to avoid unexpected errors.

```yaml
steps:
- uses: actions/checkout@v3
- name: Run trestlebot
id: trestlebot
id: check
uses: RedHatProductSecurity/trestle-bot/actions/autosync@main
with:
markdown_path: "markdown/profiles"
oscal_model: "profile"
check_only: true
dry_run: true
# Optional - Set the action to failed if changes are detected.
- name: Fail for changes
if: ${{ steps.check.outputs.changes == 'true' }}
uses: actions/github-script@v7
with:
script: |
core.setFailed('Changes detected. Manual intervention required.')
```

> Note: Trestle `assemble` or `regenerate` tasks may be skipped if desired using `skip_assemble: true` or `skip_regenerate: true`, respectively.
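Review bot: two typos in the new paragraph, `regeneratation` should be `regeneration` and `with out` should be `without`. The unchanged context line above it still reads `${{ secret.GITHUB_TOKEN }}`; the context is `secrets` (plural), so the example as written passes an empty token, and it is worth fixing while this section is being rewritten (as is `actions/checkout@v3` sitting next to `actions/github-script@v7`). The failure gate `if: ${{ steps.check.outputs.changes == 'true' }}` only fires when the reporter actually writes `changes=true`; if the output is never written, for example because the reporter is not invoked under some configuration, the step is silently skipped and the workflow passes, so the reporter should write `changes=false` explicitly on the no-diff path and never leave the key absent.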
4 changes: 2 additions & 2 deletions actions/autosync/action.yml
Expand Up @@ -9,8 +9,8 @@ inputs:
oscal_model:
description: OSCAL Model type to assemble. Values can be catalog, profile, compdef, or ssp.
required: true
check_only:
description: "Runs tasks and exits with an error if there is a diff. Defaults to false"
dry_run:
description: "Runs tasks without pushing changes to the repository."
required: false
default: "false"
github_token:
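Review bot: the `dry_run` description should say what still happens, namely that the tasks run, a local commit is made and the `changes` output is set, since the README example relies on that output; a reader of action.yml alone cannot tell `dry_run: true` from a no-op, and the removed `check_only` text at least said what the outcome was.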
6 changes: 3 additions & 3 deletions actions/autosync/auto-sync-entrypoint.sh
Expand Up @@ -34,8 +34,8 @@ if [[ ${INPUT_SKIP_REGENERATE} == true ]]; then
command+=" --skip-regenerate"
fi

if [[ ${INPUT_CHECK_ONLY} == true ]]; then
command+=" --check-only"
if [[ ${INPUT_DRY_RUN} == true ]]; then
command+=" --dry-run"
fi

if [[ ${INPUT_VERBOSE} == true ]]; then
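Review bot: `[[ ${INPUT_DRY_RUN} == true ]]` is an exact, case-sensitive string match, so a workflow that sets `dry_run: "True"` or `dry_run: yes` silently falls through to a real push, which is the wrong way for a safety switch to fail. Normalise the value first (`[[ ${INPUT_DRY_RUN,,} == true ]]`) or document that only the literal `true` is honoured; the same applies to the other `INPUT_*` boolean checks in this file.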
Expand All @@ -52,4 +52,4 @@ if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
fi

execute_command "${command}"
eval "${command}"
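Review bot: replacing `execute_command` with a bare `eval "${command}"` keeps the pattern of assembling a command line by string concatenation (`command+=" --dry-run"`, `command+=" --with-token - <<<\"${GITHUB_TOKEN}\""`) and then evaluating it, so every `INPUT_*` value spliced into `command` is re-parsed by the shell and an input containing `;`, backticks or `$(...)` becomes command execution on the runner. Prefer building an argument array (`args+=(--dry-run)` and a final `"${cmd[@]}" "${args[@]}"`) and feeding the token with a here-string on that one call, rather than embedding the expanded token in the evaluated string where a quote in its value would break parsing.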
21 changes: 0 additions & 21 deletions actions/common.sh
Expand Up @@ -15,24 +15,3 @@ function set_git_safe_directory() {
fi
}

# Execute the command and set the output variables for GitHub Actions
function execute_command() {
local command=$1
exec 3>&1
output=$(eval "$command" > >(tee /dev/fd/3) 2>&1)

commit=$(echo "$output" | grep "Commit Hash:" | sed 's/.*: //')

if [ -n "$commit" ]; then
echo "changes=true" >> "$GITHUB_OUTPUT"
echo "commit=$commit" >> "$GITHUB_OUTPUT"
else
echo "changes=false" >> "$GITHUB_OUTPUT"
fi

pr_number=$(echo "$output" | grep "Pull Request Number:" | sed 's/.*: //')

if [ -n "$pr_number" ]; then
echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
fi
}
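Review bot: deleting `execute_command` removes the only place that wrote `commit` and `pr_number`, not just `changes`, to `$GITHUB_OUTPUT`; confirm the new GitHub Actions reporter emits all three keys and that each action's `outputs:` block in action.yml still declares them, otherwise downstream workflows reading `steps.<id>.outputs.pr_number` break without any error. The log scraping it replaces (`grep "Commit Hash:" | sed 's/.*: //'`) was fragile and would have matched any log line containing that text, so moving this into the reporter is the right direction.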
1 change: 1 addition & 0 deletions actions/create-cd/README.md
Expand Up @@ -32,6 +32,7 @@ name: Example Workflow
| component_type | Type of the component to create. Values can be interconnection, software, hardware, service, policy, physical, process-procedure, plan, guidance, standard, or validation | service | False |
| component_description | Description of the component to create | None | True |
| filter_by_profile | Name of the profile in the workspace to filter controls by | None | False |
| dry_run | Runs tasks without pushing changes to the repository. | false | False |
| github_token | GitHub token used to make authenticated API requests | None | False |
| commit_message | Commit message | Sync automatic updates | False |
| pull_request_title | Custom pull request title | Automatic updates from trestlebot | False |
4 changes: 4 additions & 0 deletions actions/create-cd/action.yml
Expand Up @@ -25,6 +25,10 @@ inputs:
filter_by_profile:
description: Name of the profile in the workspace to filter controls by
required: false
dry_run:
description: "Runs tasks without pushing changes to the repository."
required: false
default: "false"
github_token:
description: "GitHub token used to make authenticated API requests"
required: false
6 changes: 5 additions & 1 deletion actions/create-cd/create-cd-entrypoint.sh
Expand Up @@ -32,6 +32,10 @@ if [[ ${INPUT_VERBOSE} == true ]]; then
command+=" --verbose"
fi

if [[ ${INPUT_DRY_RUN} == true ]]; then
command+=" --dry-run"
fi

# Only set the token value when is a target branch so pull requests can be created
if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
if [[ -z ${GITHUB_TOKEN} ]]; then
Expand All @@ -42,4 +46,4 @@ if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
fi

execute_command "${command}"
eval "${command}"
1 change: 1 addition & 0 deletions actions/rules-transform/README.md
Expand Up @@ -33,6 +33,7 @@ With custom rules directory:
| Name | Description | Default | Required |
| --- | --- | --- | --- |
| rules_view_path | Path relative to the repository path where the Trestle rules view files are located. Defaults to `rules/`. | rules/ | False |
| dry_run | Runs tasks without pushing changes to the repository. | false | False |
| github_token | GitHub token used to make authenticated API requests | None | False |
| skip_items | Comma-separated glob patterns list of content by Trestle name to skip during task execution. For example `compdef_x,compdef_y*,`. | None | False |
| commit_message | Commit message | Sync automatic updates | False |
4 changes: 4 additions & 0 deletions actions/rules-transform/action.yml
Expand Up @@ -7,6 +7,10 @@ inputs:
description: Path relative to the repository path where the Trestle rules view files are located. Defaults to `rules/`.
required: false
default: "rules/"
dry_run:
description: "Runs tasks without pushing changes to the repository."
required: false
default: "false"
github_token:
description: "GitHub token used to make authenticated API requests"
required: false
7 changes: 6 additions & 1 deletion actions/rules-transform/rules-transform-entrypoint.sh
Expand Up @@ -27,6 +27,11 @@ if [[ ${INPUT_VERBOSE} == true ]]; then
command+=" --verbose"
fi

if [[ ${INPUT_DRY_RUN} == true ]]; then
command+=" --dry-run"
fi


# Only set the token value when is a target branch so pull requests can be created
if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
if [[ -z ${GITHUB_TOKEN} ]]; then
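Review bot: the new block leaves two consecutive blank lines after its `fi`; drop one so the spacing matches the single blank line used between blocks elsewhere in this file and in the other entrypoints touched by this commit.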
Expand All @@ -37,4 +42,4 @@ if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
fi

execute_command "${command}"
eval "${command}"
1 change: 1 addition & 0 deletions actions/sync-upstreams/README.md
Expand Up @@ -23,6 +23,7 @@ name: Example Workflow
| Name | Description | Default | Required |
| --- | --- | --- | --- |
| sources | A newline separated list of upstream sources to sync with a repo@branch format. For example, `https://github.com/myorg/myprofiles@main` | None | True |
| dry_run | Runs tasks without pushing changes to the repository. | false | False |
| github_token | GitHub token used to make authenticated API requests | None | False |
| include_model_names | Comma-separated glob pattern list of model names (i.e. trestle directory name) to include in the sync. For example, `*framework-v2`. Defaults to include all model names. | None | False |
| exclude_model_names | Comma-separated glob pattern of model names (i.e. trestle directory name) to exclude from the sync. For example, `*framework-v1`. Defaults to skip no model names. | None | False |
4 changes: 4 additions & 0 deletions actions/sync-upstreams/action.yml
Expand Up @@ -6,6 +6,10 @@ inputs:
sources:
description: "A newline separated list of upstream sources to sync with a repo@branch format. For example, `https://github.com/myorg/myprofiles@main`"
required: true
dry_run:
description: "Runs tasks without pushing changes to the repository."
required: false
default: "false"
github_token:
description: "GitHub token used to make authenticated API requests"
required: false
6 changes: 5 additions & 1 deletion actions/sync-upstreams/sync-upstreams-entrypoint.sh
Expand Up @@ -31,6 +31,10 @@ if [[ ${INPUT_VERBOSE} == true ]]; then
command+=" --verbose"
fi

if [[ ${INPUT_DRY_RUN} == true ]]; then
command+=" --dry-run"
fi

if [[ ${INPUT_SKIP_VALIDATION} == true ]]; then
command+=" --skip-validation"
fi
Expand All @@ -45,4 +49,4 @@ if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
fi

execute_command "${command}"
eval "${command}"