Add Checks API to minder
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@stacklok.com>
puerco committed May 12, 2024
1 parent ab6ec59 commit 80cef5a
Showing 3 changed files with 72 additions and 3 deletions.
44 changes: 41 additions & 3 deletions internal/engine/eval/trusty/trusty.go
Expand Up @@ -21,6 +21,7 @@ import (
"os"
"strings"

"github.com/google/go-github/v61/github"
"github.com/rs/zerolog"

evalerrors "github.com/stacklok/minder/internal/engine/errors"
Expand Down Expand Up @@ -72,8 +73,37 @@ func NewTrustyEvaluator(ctx context.Context, ghcli provifv1.GitHub) (*Evaluator,
}, nil
}

func startGitHubCheck(ctx context.Context, client provifv1.GitHub, owner, repo, commitSHA string) (*github.CheckRun, error) {
check, err := client.StartCheck(ctx, owner, repo, &github.CreateCheckRunOptions{
Name: "Trusty dependency check",
HeadSHA: commitSHA,
Status: github.String("in_progress"),
})
if err != nil {
// If it missing permissions, ignore it
if err.Error() == "missing permissions: check" {
return nil, nil
}
return nil, err
}
return check, nil
}

func endCheck(check *github.CheckRun, err error) {
opts := *github.UpdateCheckRunOptions{

Name: "",
DetailsURL: new(string),
ExternalID: new(string),
Status: new(string),
Conclusion: new(string),
CompletedAt: &github.Timestamp{},
Output: &github.CheckRunOutput{},
Actions: []*github.CheckRunAction{},
}
}

// Eval implements the Evaluator interface.
func (e *Evaluator) Eval(ctx context.Context, pol map[string]any, res *engif.Result) error {
func (e *Evaluator) Eval(ctx context.Context, pol map[string]any, res *engif.Result) (err error) {
// Extract the dependency list from the PR
prDependencies, err := readPullRequestDependencies(res)
if err != nil {
Expand All @@ -88,6 +118,14 @@ func (e *Evaluator) Eval(ctx context.Context, pol map[string]any, res *engif.Res
Str("repo-owner", prDependencies.Pr.RepoOwner).
Str("repo-name", prDependencies.Pr.RepoName).Logger()

check, err := startGitHubCheck(ctx, e.cli, prDependencies.Pr.RepoOwner, prDependencies.Pr.RepoName, "1959de0c68da205e9da56741f20134faf902d341")
if err != nil {
logger.Debug().Msgf("CHECK ERROR: %s", err.Error())
}
defer func() {
endCheck(check, err)
}()

// Parse the profile data to get the policy configuration
ruleConfig, err := parseRuleConfig(pol)
if err != nil {
Expand All @@ -101,7 +139,7 @@ func (e *Evaluator) Eval(ctx context.Context, pol map[string]any, res *engif.Res

// Classify all dependencies, tracking all that are malicious or scored low
for _, dep := range prDependencies.Deps {
if err := classifyDependency(ctx, &logger, e.client, ruleConfig, prSummaryHandler, dep); err != nil {
if err = classifyDependency(ctx, &logger, e.client, ruleConfig, prSummaryHandler, dep); err != nil {
return fmt.Errorf("classifying dependency: %w", err)
}
}
Expand All @@ -111,7 +149,7 @@ func (e *Evaluator) Eval(ctx context.Context, pol map[string]any, res *engif.Res
return nil
}

if err := submitSummary(ctx, prSummaryHandler); err != nil {
if err = submitSummary(ctx, prSummaryHandler); err != nil {
return fmt.Errorf("submitting pull request summary: %w", err)
}

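Review bot: endCheck (second hunk of this file) does not compile and never closes the run it is meant to finish: `opts := *github.UpdateCheckRunOptions{` tries to indirect a composite literal, and `opts` is never used, so a check started as `in_progress` stays open on the pull request. The function also needs a nil guard, because startGitHubCheck returns `nil, nil` when check permissions are missing, and it needs the context, provider and repository coordinates to call UpdateCheck, which this commit defines on the provider but not on the provifv1.GitHub interface. In the third hunk the run is created against the literal SHA `1959de0c68da205e9da56741f20134faf902d341` rather than the head commit of the pull request under evaluation (presumably available on prDependencies.Pr), so the result is attached to an unrelated commit and cannot gate the PR it describes. startGitHubCheck detects the permission case with `err.Error() == "missing permissions: check"`, which breaks as soon as the provider wraps that error; a sentinel checked with errors.Is is the robust form. Eval continues past the last hunk; the rewritten endCheck and its deferred call are sketched below.
```go
// endCheck completes the check run started by startGitHubCheck. A nil check
// (no check permissions) is a no-op; evalErr decides the conclusion.
func endCheck(ctx context.Context, client provifv1.GitHub, owner, repo string, check *github.CheckRun, evalErr error) error {
	if check == nil {
		return nil
	}
	conclusion := "success"
	if evalErr != nil {
		// TODO(review): decide whether an evaluation error is a "failure" or an "action_required" conclusion.
		conclusion = "failure"
	}
	// UpdateCheck exists on *GitHub but must also be declared on provifv1.GitHub.
	_, err := client.UpdateCheck(ctx, owner, repo, check.GetID(), &github.UpdateCheckRunOptions{
		Name:       "Trusty dependency check",
		Status:     github.String("completed"),
		Conclusion: github.String(conclusion),
	})
	if err != nil {
		return fmt.Errorf("completing check: %w", err)
	}
	return nil
}

// … unchanged: Eval up to the deferred call in the third hunk …
defer func() {
	if cerr := endCheck(ctx, e.cli, prDependencies.Pr.RepoOwner, prDependencies.Pr.RepoName, check, err); cerr != nil {
		logger.Debug().Msgf("CHECK ERROR: %s", cerr.Error())
	}
}()
```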
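--- a/internal/providers/github/common.go
+++ b/internal/providers/github/common.go
@@ -976,3 +976,33 @@ func NewFallbackTokenClient(appConfig config.ProviderConfig) *github.Client {
 packageListingClient = github.NewClient(fallbackTokenTC)
 return packageListingClient
 }
+
+// StartCheck creates a new security advisory
+func (c *GitHub) StartCheck(ctx context.Context, owner, repo string, opts *github.CreateCheckRunOptions) (*github.CheckRun, error) {
+if opts.StartedAt == nil {
+opts.StartedAt = &github.Timestamp{Time: time.Now()}
+}
+
+run, resp, err := c.client.Checks.CreateCheckRun(ctx, owner, repo, *opts)
+if err != nil {
+// If error is 403 then it means we are missing permissions
+if resp.StatusCode == 403 {
+return nil, fmt.Errorf("missing permissions: check")
+}
+return nil, fmt.Errorf("starting check: %w", err)
+}
+return run, nil
+}
+
+// UpdateCheck updates an existing check
+func (c *GitHub) UpdateCheck(ctx context.Context, owner, repo string, checkRunID int64, opts *github.UpdateCheckRunOptions) (*github.CheckRun, error) {
+run, resp, err := c.client.Checks.UpdateCheckRun(ctx, owner, repo, checkRunID, *opts)
+if err != nil {
+// If error is 403 then it means we are missing permissions
+if resp.StatusCode == 403 {
+return nil, fmt.Errorf("missing permissions: check")
+}
+return nil, fmt.Errorf("updating check: %w", err)
+}
+return run, nil
+}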
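Review bot: Both new methods dereference `resp` before checking it, in `if resp.StatusCode == 403`; go-github can return a nil *Response when the request fails before any response arrives (transport error, context cancellation), so such a failure panics here instead of being reported. Change the guard to `if resp != nil && resp.StatusCode == 403 {` in StartCheck and UpdateCheck alike. The 403 branch also discards the underlying error and returns a bare string, which the caller in trusty.go can only recognise by comparing `err.Error()`; declare a sentinel, e.g. `var ErrCheckPermission = errors.New("missing permissions: check")`, and return it wrapped with `%w` so callers can use errors.Is. StartCheck's doc comment says it "creates a new security advisory", which is not what the body does; it should read `// StartCheck creates a check run for the given commit, defaulting StartedAt to now.`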
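--- a/pkg/providers/v1/providers.go
+++ b/pkg/providers/v1/providers.go
@@ -120,6 +120,7 @@ type GitHub interface {
 ) ([]*github.IssueComment, error)
 UpdateIssueComment(ctx context.Context, owner, repo string, number int64, comment string) error
 AddAuthToPushOptions(ctx context.Context, options *git.PushOptions) error
+StartCheck(context.Context, string, string, *github.CreateCheckRunOptions) (*github.CheckRun, error)
 }
 
 // ImageLister is the interface for listing images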
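Review bot: Only StartCheck is added to the GitHub interface, while UpdateCheck, defined on the provider in the same commit, is not, so code that holds a provifv1.GitHub (the trusty evaluator's endCheck) cannot complete a run it started and the check stays in_progress. Add `UpdateCheck(ctx context.Context, owner, repo string, checkRunID int64, opts *github.UpdateCheckRunOptions) (*github.CheckRun, error)` alongside it. The new method also drops the parameter names that every neighbouring method declares; naming them (`StartCheck(ctx context.Context, owner, repo string, opts *github.CreateCheckRunOptions) (*github.CheckRun, error)`) keeps the interface self-documenting. If this interface has a generated mock, it presumably needs regenerating for both methods.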
